Practical Aspects of Vulnerability Assessment and Penetration Testing. (Operational Risk Management)

By Joel Lanz | The RMA Journal, February 2003



Failure to manage security, improper configuration of technology assets, excessive trust or privileges, and insufficient monitoring activities are the main culprits that allow unauthorized penetration of data. Joel Lanz examines the relative strengths of vulnerability assessment tests and penetration tests.

The enactment of the Sarbanes-Oxley Act of 2002 requires that CEOs and CFOs be responsible for establishing and maintaining internal controls to ensure they are notified of material information. To ensure compliance with both traditional and recently enacted regulations, many banks are reviewing their information integrity and data protection strategies as well as their processes. The penetration test, the traditional favorite of executive management and board members, is an independent test used to simulate the probable actions of unauthorized users (both external and internal to the bank) to infiltrate technology systems and the confidential data they hold.

Many executives, however, are challenged by the concepts of vulnerability assessments and penetration tests. The terms not only are confusing to those not familiar with the technology aspects of each, but also are frequently used interchangeably by consultants performing the testing. It's difficult to appropriately supervise the external testers to ensure minimal productivity disruptions from high-risk penetration activities and to prevent the testers from gaining access to privileged information. Adding to the confusion is the lack of generally accepted penetration testing standards, which can cause decision makers to rely on poor or incorrect testing procedures. The buyer and user of these services also can be challenged by incorrect assumptions relating to the purpose and use of vulnerability assessments and penetration tests.

Common Exposures Provide Unauthorized Access Opportunities

A jointly issued report from the FBI and the SANS Institute (Top 20 List) (1) identified the most commonly exploited vulnerabilities in two popular technology environments, UNIX and Windows. The report found that "the majority of the successful attacks on operating systems come from only a few software vulnerabilities...[and are] attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools." (2) Analysis of the causes of the items appearing in the Top 20 List, as well as prominent security texts and studies, (3) identifies four conditions that facilitate successful attacks.

1. Failure to manage security. In his classic text on management, Peter Drucker identified five basics for managers: setting objectives, organization, communication, measurement, and development of people. (4) Unfortunately, when it comes to managing security, many managers do not adhere to Drucker's advice.

While some organizations implement a combination of policies, procedures, and guidelines, these are typically generic and do not assign accountability to departments and individuals. This results in the failure to effectively communicate security responsibilities to individuals and to hold them accountable for their actions. A classic example of this failure is the security exposure that exists with transferred or terminated employees. Most corporate policies are specific as to who may approve access privileges for specific individuals, but these same policies do not address the manager's responsibility to adjust a subordinate's access privileges as the latter's job responsibilities change. Seldom are these managers punished for subjecting the organization to the increased risk.
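The mover/leaver exposure described above is something an access review can catch mechanically. The following is an added example, not code from the article: it reconciles an entitlement export against an HR feed and flags privileges carried over from a previous role, enabled accounts of terminated staff, and accounts with no HR owner. The role model, user IDs, entitlement names and HR records are all constructed sample data.

```python
from dataclasses import dataclass

# Hypothetical role model: the entitlements each job role is expected to hold.
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking_view", "cash_drawer"},
    "loan_officer": {"core_banking_view", "loan_origination"},
    "it_admin": {"core_banking_view", "domain_admin", "backup_console"},
}

@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str    # current role per HR, not the role at hire
    status: str  # "active" or "terminated"
@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str                # stale_entitlement | terminated_still_enabled | orphan_account
    entitlements: frozenset  # the privileges that should be revoked

def review_access(hr_records, granted, account_enabled):
    """Reconcile granted entitlements against each user's HR role and status."""
    findings = []
    for emp in hr_records:
        have = granted.get(emp.user_id, set())
        if emp.status == "terminated":
            # Leaver: an enabled account or any surviving privilege is a finding.
            if account_enabled.get(emp.user_id, False) or have:
                findings.append(Finding(emp.user_id, "terminated_still_enabled", frozenset(have)))
            continue
        # Mover: anything beyond the current role is access carried over from an old job.
        extra = have - ROLE_ENTITLEMENTS.get(emp.role, set())
        if extra:
            findings.append(Finding(emp.user_id, "stale_entitlement", frozenset(extra)))
    known = {e.user_id for e in hr_records}
    for uid, ents in granted.items():  # privileges whose holder has no HR record at all
        if uid not in known:
            findings.append(Finding(uid, "orphan_account", frozenset(ents)))
    return findings

def sample_review():
    # Constructed data: a clean teller, an admin moved to loans, a leaver, an orphan account.
    hr = [Employee("alice", "teller", "active"), Employee("bob", "loan_officer", "active"),
          Employee("carol", "teller", "terminated")]
    granted = {"alice": {"core_banking_view", "cash_drawer"},
               "bob": {"core_banking_view", "loan_origination", "domain_admin"},
               "carol": {"core_banking_view"}, "svc_old": {"backup_console"}}
    enabled = {"alice": True, "bob": True, "carol": True}
    return review_access(hr, granted, enabled)
```

Each finding names the user, the kind of exposure, and exactly which privileges the responsible manager should have removed, which is the accountability gap the paragraph describes.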

Weak, easily guessed passwords are another symptom of poor management involvement with security. Many managers neither leverage readily available software features to enforce an appropriate password policy nor educate subordinates on the importance of choosing passwords (5) that minimize the opportunity for intrusion or the chance that the password can be guessed.
