Vulnerability assessments and exploitation, like so many other areas of technology, have progressed from being understood by a few elite practitioners to being automated for the masses.
Each day information security professionals are releasing new software or improving on existing software to make identifying and exploiting network vulnerabilities easier. Unfortunately, these automated tools have produced a “there’s an app for that” attitude toward information security. Many business owners and managers believe that an automated tool can determine if their network is secure, which is ridiculous. Information security encompasses not only vulnerability scanning and exploitation but risk management, user management, and other business processes. No automated tool can identify vulnerabilities in business processes – only a qualified information security professional can do that.
Vulnerability scanners are designed to identify specific issues in network services, operating systems, web applications and software, but they cannot identify vulnerabilities in the underlying vulnerability management and configuration management processes. Exploitation frameworks, like Metasploit and Core Impact, can exploit a machine but have no ability to determine the value of the data on the compromised machine or the effect the loss of that data would have on the business. In other words, when it comes to information security there is not an app for that.
What Should an Information Security Assessment Look Like?
Many IT service companies use automated tools to identify and exploit network vulnerabilities, and then provide a report that is nothing more than a rewording of the output from the tools. In contrast, a thorough information security assessment will include automated vulnerability scanning but will go further and identify the root causes of the vulnerabilities, which typically include: ineffective access controls, ineffective security update management, and poor configuration management. A thorough assessment will also include exploitation but will again go further and identify the types and value of the data accessible on exploited machines. In other words, a proper information security assessment identifies vulnerabilities in and recommends changes to business processes. It attempts to identify the sickness and not only the symptoms.
Who Should Perform an Information Security Assessment?
Information security assessments should only be performed by qualified information security professionals. Unfortunately, the “there’s an app for that” attitude, the constant push by certification bodies to certify more people, and the prevalence of automated tools make it easy for anyone to hold themselves out as an information security professional. A true professional is identified not only by his or her certifications, but by his or her body of work as well: what contributions have they made to the information security community, and at what conferences have they spoken? These tell the true story of an information security professional’s abilities.
Whether a business chooses to keep its information security program completely in house or outsource portions of the program, it must recognize that information security is a complex problem and can only be solved by competent security professionals providing thorough information security assessments. When it comes to information security there is not an app for that.
Stephen Haywood is a Security Analyst at Sword & Shield Enterprise Security. He has over ten years’ experience in the information technology field, working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN). His blog is www.averagesecurityguy.info. Follow him on Twitter @averagesecguy.