The Security Vulnerability Assessment for Information Technology
Information technology officers conduct security vulnerability assessments to find specific holes or vulnerabilities in computer and network systems. Penetration audits are specially formatted vulnerability assessments designed to simulate an outside attack, while "white-box" testing assumes knowledge of internal systems and software to find more vulnerabilities. Vulnerability discovery is a critical step in overall system security as it provides guidance and specific focus for security personnel.
History
Simple tinkering by inquisitive researchers in the 1970s marked the informal beginning of security vulnerability assessments. Since then, specialized teams of information security officers, such as the FBI's CART (Computer Analysis and Response Team), have worked to research and fix security holes in modern-day computer systems. Virtually every major software and hardware development company employs security personnel who regularly vet products for bugs and improper design. Security vulnerability assessments discover and fix as many flaws as possible before hackers can use them for malicious ends.
Significance
As the first and most important step of the security response life cycle, the vulnerability assessment or penetration test gives security personnel specific tasks to protect the organization from attack. A vulnerability assessment that fails to discover flaws is an invitation to a successful attack. Successful vulnerability assessments pave the way for a drastic reduction in attack potential.
Types
Companies often employ outside testing firms to simulate an attack from the outside, called "black-box" testing. Black-box tests are quick and effective ways to find common vulnerabilities in network systems, especially for websites and databases. Software development companies opt for more thorough and time-intensive "white-box" testing, which involves a careful inspection of the system, both hardware and software. In the defense industry, the National Security Agency's information assurance division conducts both black-box and white-box testing for large-scale contractors.
Misconceptions
The objective of vulnerability assessments is to find as many security holes as possible, reducing the potential for a successful attack. However, it is impossible to find every single vulnerability in a system, as something as innocuous as a variable of the wrong type or an open port can be exploited by a clever attacker. Security vulnerability audits are not the end-all of a security program, but rather a starting point for security controls. As systems evolve and security demands grow, vulnerability assessments remain important, but not infallible, parts of a well-rounded security program.
Time Frame
Information technology administrators conduct regular penetration tests and vulnerability assessments to stay ahead of newly discovered vulnerabilities. Vulnerability assessments should be conducted before the integration or upgrade of any major computer system and then at regular intervals, at least annually. As part of a continual culture of security, system administrators must be attentive to the results of each vulnerability assessment. Since quick vulnerability assessments discover major or already published vulnerabilities, information technology personnel should conduct a new audit each time a security advisory or patch comes out.