VULNERABILITY ASSESSMENTS
THE CHALLENGES OF VULNERABILITY ASSESSMENTS
Network vulnerability assessments are widely recognized as a crucial component of network security and a key component of any overall Network Security Assessment Service. Vulnerability Assessments are performed to determine the actual security posture of a network environment. They are designed to explore whether or not a malicious attacker can affect the confidentiality, availability, or integrity of information or attack network elements in any form of Denial of Service (DoS) attack. These questions have been historically answered by performing vulnerability assessments in a proactive manner — attempting to identify vulnerabilities in a network before hackers do, allowing corrective action to be taken to mitigate any problems before they are potentially exploited.
Since networks are incredibly dynamic, it has long been recognized that vulnerability assessments should be performed periodically, either by internal audit teams or by external consulting organizations or both.
Challenge No. 1 — To Protect the Organization Assets in Dynamic Networks and Heterogeneous Environment
Vulnerability assessments need a high level of expertise to correctly determine not just the range of vulnerabilities present in a network, but specifically, those vulnerabilities that put the enterprise at risk, and what level of risk is present. In order to correctly identify security weaknesses within a network environment, the security assessment team must accurately and comprehensively discover, enumerate, and assess complex, heterogeneous networks in dynamic environments.IT departments today find themselves in the unenviable position of managing increasingly heterogeneous environments. That‘s a problem when the time between the announcement of vulnerability and the appearance of code designed to exploit that vulnerability has shrunk from months to days. Most enterprise infrastructures today consist of multiple devices, operating systems, and applications that have diverse security and availability requirements. Hence enterprises have to rely on fragmented, multivendor solutions to provide everything from intrusion prevention and policy compliance to patch management, high availability, backup, and data recovery. Such a strategy involves deploying and supporting an array of independent products and services. It can be complicated, time consuming, and costly from an administrative standpoint, making it a major drain on IT productivity. It‘s also impractical given today‘s threat environment, in which malicious code capable of exposing confidential information is increasing dramatically.
Challenge No. 2 — The Organization’s Security Team
In this heterogeneous environment, the security team must have current, broad, and deep technical expertise in a myriad of technologies. What is required to perform vulnerability assessments in this environment?
In brief, the NSAS must simulate the capabilities of knowledgeable malicious attackers. Simulating these capabilities in a controlled and trusted environment requires specialized knowledge and tools, both of which are extremely sparse and expensive in today‘s IT environment. There are only just over 40,000 Certified Information Systems Security Professionals (CISSPs) worldwide, but fewer
engineers are qualified to perform NSAS and vulnerability assessments.
While there are a growing number of tools, use of these by no expert personnel will typically produce a large printout with many listed vulnerabilities. Not all of these are likely to be critical for a specific network, and may result in excessive effort and expense to correct. This is where the expertise and assessment against the real network environment is necessary.The shortage of qualified personnel is compounded by the fact that security is alarmingly dynamic — the knowledge and software that was last used to successfully test your network may now obsolete due to newly discovered vulnerabilities.Maintaining the appropriate level of technical competency in vulnerability testing requires a multidisciplinary team well versed in the countless hardware and software combinations used in today‘s networks. Additionally, the security assessment team must monitor the plethora of mailing lists, news groups, and hacker web sites devoted to exploiting security vulnerabilities. Very few organizations can afford to dedicate the necessary resources to effectively perform these monitoring tasks.
For all but the largest of security assessment organizations, attracting and retaining a qualified security team is almost impossible. Maintaining current software and assessment techniques and methodologies is equally difficult due to limited resources. This often explains why so many organizations currently use third party consultants and software tools to assist with NSAS operations, a trend that is growing everyday as networks and assessment technology becomes even more complex.
Challenge No. 3 — Regulatory Compliance
As the regulatory compliance landscape becomes steadily more complex, the risks associated with noncompliance grow more costly. Organizations — and more importantly — network security administrators — are increasingly are required to provide compliance to a variety of legislation. CEOs increasingly sign statements based on their security administrators‘ assessments, affirming to regulatory bodies, that the security of their networks and the information retained with in them, meets minimum standards.
