news / tech talk

Security Testing

by Lee LeClair
12/15/2006
As seen in Inside Tucson Business

As more and more businesses use technology to provide services to their customers or employees online, their security officers become more nervous. Processing financial transactions or sensitive privacy data is becoming normal but often the internal system implementers are not as experienced at securing these types of systems on a network exposed to the world. One way to alleviate some of these concerns is to obtain security audit services from a reputable company.

Security audit companies provide a range of services that can include threat and risk assessments, policy reviews, physical security assessment, implementation evaluations, and penetration testing.

Threat and risk assessment is the process of determining what threats exist to your company and what risks your company is facing. Vulnerabilities and risks are a part of life and we deal with them every day. We can do this because our experiences have taught us how. However, in the world of computers and the network, most people are not familiar with what is possible and probable and therefore do not understand what risks their business faces or how to deal with them. A good threat assessment will outline in understandable terms, what threats and risks our business faces as we automate various functions. In addition, a risk assessment will lay out the severity of various risks and some alternatives to mitigate those risks.

Policy reviews ensure first that we have security policies for key areas. If employees are unaware of what is acceptable, then they may accidentally cause problems that your business is responsible for. For legal and common sense reasons, it pays to have clear policies and to make sure that employees are customers are aware of them and have acknowledged them.

Physical security is often forgotten these days as businesses grapple with various online technology threats. Physical security, however, is still the foundation of cyber-security. If someone can physically spend sufficient time with your automation equipment, they can typically bypass most electronic security measures. Or they can just take the asset and work on it at home. Identify and secure your critical assets using locked doors, video surveillance, logged access, etc.

Implementation evaluations basically check that your infrastructure has been installed and configured the way you expected. Infrastructure designs often change during the installation process or are never actually completed. Later, these evaluations determine if anything has changed since the last check. Periodic evaluations of implemented systems verify configuration management.

Penetration testing is similar to an implementation evaluation but typically more active and risky. Whereas implementation evaluations are usually performed with some non-intrusive testing and examination of equipment configurations, penetration testing typically applies more intrusive testing tools. These are used to probe and test various production network and computer systems to determine if there are any weak spots. Penetration testing is usually performed on external equipment exposed to the Internet but can also be applied to internal systems to determine if assets are vulnerable to insider attacks. While these types of tests provide the most “real world” results, they are risky in that they can cause real world problems like causing server crashes or network traffic saturation.

As your business becomes more automated, consider developing a team to examine your network or outsourcing to a company you trust to do it. It’s important to really know your IT systems if your business is running on it. In fact, the Sarbanes-Oxley law requires some degree of it from publicly traded US companies. It’s important to know your situation so you can deal with the risk; you’ll never eliminate all the risks in life, but you can educate yourself on how to deal with it in an informed way.

Lee Le Clair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business