Security Intrusion Testing
Intrusion/Penetration Testing and Vulnerability
Some organizations engage a consultant or security
firm to perform a "penetration test" to determine the
security of their organization's network and its Internet connection.
At ESTec Systems' Security division, we believe
that penetration testing is valuable - but it is not the proper
tool to begin with. The usual simple penetration test does not provide
sufficient analysis of the potential problems that a business or
organization might face.
The first tool for identifying system vulnerabilities
is a "vulnerability audit".
A vulnerability audit is composed of some of
the components of an intrusion or penetration test, but an auditor
can undertake a myriad of other important tests to identify all
vulnerabilities potentially exploitable by intruders.
Vulnerability testing even looks for potential
exposures that might become important some time in the future, in
addition to existing "holes" in a client's protection
for data. To do this, the auditor looks at the outer configuration
of the systems (e.g. Internet and firewall strategies) and the internal
configuration, including personnel and policies.
Candid specialists tell their clients for security
examination that intrusion or penetration testing should be done
only after a comprehensive vulnerability audit has been completed
and the problem areas cleaned up. This reversal need not increase
costs noticeably, and is bound to improve your knowledge of the
measures protecting data - or leaving it vulnerable.
After the vulnerability audit and the correcting
of the problems it uncovers, a penetration test may then be performed.
That will identify areas where the intrusion detection systems still
need improvement. Security experts agree: Every attempted penetration
should be identified by your intrusion detection systems and then
reported to the security management inside the organization. One
hole can make a very leaky boat, even a newly refurbished one. Vulnerability
auditing comes first, intrusion testing second.