Policy considerations
If you choose to make vulnerability and penetration testing an important part of your business’s information risk management program, you need to have a documented security testing policy. Such a policy outlines who’s doing the testing, the general type of testing that’s performed, and how often the testing takes place. Specific procedures for carrying out your security tests could outline the methodologies I cover in this book. You should also consider creating security standards documented along with your policy that outline the specific security testing tools used and the specific people performing the testing. You could establish standard testing dates, such as once per quarter for external systems and biannual tests for internal systems — whatever works for your business.
Compliance and regulatory concerns
Your own internal policies may dictate how management views security testing, but you also need to consider the state, federal, and international laws and regulations that affect your business. In particular, the Digital Millennium Copyright Act (DMCA) sends chills down the spines of legitimate researchers. See www.eff.org/issues/dmca for everything that the DMCA has to offer.
Many federal laws and regulations in the United States — such as the Health Insurance Portability and Accountability Act (HIPAA) and the associated Health Information Technology for Economic and Clinical Health (HITECH) Act, Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) requirements, and the Payment Card Industry Data Security Standard (PCI DSS) — require strong security controls and consistent security assessments. There’s also the Cybersecurity Maturity Model Certification (CMMC). CMMC is a follow-on to NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This certification is intended to ensure that the U.S. Department of Defense’s (DoD’s) Defense Industrial Base (DIB) of suppliers/contractors are adequately protecting the DOD’s information assets.
Related international laws —such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), and Japan’s Personal Information Protection Act (JPIPA) — are no different. Incorporating your security tests into these compliance requirements is a great way to meet state and federal regulations and to beef up your overall information security and privacy program.
Understanding the Need to Hack Your Own Systems
To catch a thief, you must think like a thief. That adage is the basis of vulnerability and penetration testing. Knowing your enemy is critical. The law of averages works against security. With the increased number of hackers and their expanding knowledge and the growing number of system vulnerabilities and other unknowns, all computer systems and applications are likely to be hacked or compromised somehow. Protecting your systems from the bad guys —not just addressing general security best practices — is critical. When you know hacker tricks, you find out how vulnerable your systems really are and can take the necessary steps to make them secure.
Hacking preys on weak security practices and both disclosed and undisclosed vulnerabilities. More and more research, such as the annual Verizon Data Breach Investigations Report (www.verizon.com/business/resources/reports/dbir/), shows that long-standing, known vulnerabilities are continually being targeted. Firewalls, advanced endpoint security, security incident and event management (SIEM), and other fancy (and expensive) security technologies often create a false feeling of safety. Attacking your own systems to discover vulnerabilities — especially the low-hanging fruit that gets so many people into trouble — helps you go beyond security products to make them even more secure. Vulnerability and penetration testing is a proven method for greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them and work like them to protect your systems from them. As a security professional, you must know the activities that the bad guys carry out, as well as how to stop their efforts. Knowing what to look for and how to use that information helps you thwart their efforts.
Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all types of attacks — especially the unknown ones. But the more combinations you try and the more often you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.
Don’t take your security testing too far, though; hardening your systems from unlikely (or even less likely) attacks makes little sense and will probably get in the way of doing business.
Prioritize your systems so that you can focus your efforts on what matters.
Test your systems in a nondestructive fashion.
Enumerate vulnerabilities and, if necessary, prove to management that business risks exist.
Apply results to address the vulnerabilities and better secure your systems.
Understanding the Dangers Your Systems Face
It’s one thing to know generally that your systems are under fire from hackers around the world and malicious users around the office; it’s another to understand specific potential attacks against your systems. This section discusses some well-known attacks but is by no means a comprehensive listing.
Many security vulnerabilities aren’t critical by themselves, but exploiting several vulnerabilities at the same time can take its toll on a system or network environment. A default Windows operating system (OS) configuration, a weak SQL Server administrator password, or a mission-critical workstation running on a wireless network may not be a major security concern by itself. But someone who exploits all three of these vulnerabilities simultaneously could enable unauthorized remote access and disclose sensitive information (among other things).
Vulnerabilities and attacks have grown enormously in recent years because of virtualization, cloud computing, and even social media. These three things alone add immeasurable complexity to your environment. On top of that, with the new ways of the
