Practical Aspects of Vulnerability Assessment and Penetration Testing. (Operational Risk Management)

Article excerpt

Failure to manage security, improper configuration of technology assets, excessive trust or privileges, and insufficient monitoring activities are the main culprits that allow unauthorized penetration of data. Joel Lanz examines the relative strengths of vulnerability assessment tests and penetration tests.

The enactment of the Sarbanes-Oxley Act of 2002 requires that CEOs and CFOs be responsible for establishing and maintaining internal controls to ensure they are notified of material information. To ensure compliance with both traditional and recently enacted regulations, many banks are reviewing their information integrity and data protection strategies as well as their processes. The penetration test, the traditional favorite of executive management and board members, is an independent test used to simulate the probable actions of unauthorized users (both external and internal to the bank) to infiltrate technology systems and the confidential data they hold.

Many executives, however, are challenged by the concepts of vulnerability assessments and penetration tests. The terms not only are confusing to those not familiar with the technology aspects of each, but also are frequently used interchangeably by consultants performing the testing. It's difficult to appropriately supervise the external testers to ensure minimal productivity disruptions from high-risk penetration activities and to prevent the testers from gaining access to privileged information. Adding to the confusion is the lack of generally accepted penetration testing standards, which can cause decision makers to rely on poor or incorrect testing procedures. The buyer and user of these services also can be challenged by incorrect assumptions relating to the purpose and use of vulnerability assessments and penetration tests.

Common Exposures Provide Unauthorized Access Opportunities

A jointly issued report from the FBI and the SANS Institute (Top 20 List) (1) identified the most commonly exploited vulnerabilities in two popular technology environments--UNIX and Windows. The report found that "the majority of the successful attacks on operating systems come from only a few software vulnerabilities...[and are] attributed to the fact that attackers are opportunistic, take the easiest and most convenient route, and exploit the best-known flaws with the most effective and widely available attack tools." (2) Analysis of the causes of items appearing in the Top 20 List, as well as prominent security texts and studies, (3) identify four conditions that facilitate successful attacks.

1. Failure to manage security. In his classic text on management, Peter Drucker identified five basics for managers: setting objectives, organization, communication, measurement, and development of people. (4) Unfortunately, when it comes to managing security, many managers do not adhere to Drucker's advice.

While some organizations implement a combination of policies, procedures, and guidelines, these are typically generic and do not assign accountability to departments and individuals. This results in the failure to effectively communicate security responsibilities to individuals and to hold them accountable for their actions. A classic example of this failure is the security exposure that exists with transferred or terminated employees. Most corporate policies are specific as to who may approve access privileges for specific individuals, but these same policies do not address the manager's responsibility to adjust a subordinate's access privileges as the latter's job responsibilities change. Seldom are these managers punished for subjecting the organization to the increased risk.

Weak, easily guessed passwords are another symptom of poor management involvement with security. Many managers do not leverage readily available software features to enforce an appropriate password policy nor do they educate subordinates on the importance of using passwords (5) that minimize invasion opportunities or the ability to guess the word. …