boom beach hacking.jpg
Fighting Fire with Fire: Automated Network Vulnerability Assessment
By responding to automated hacker attacks with automated vulnerability assessment, IT groups level the battlefield. In so doing, they take proactive steps to protect their networks, customers, data assets, and business continuity.

Not too long ago, most hacker attacks targeted high-profile organisations such as banks and governments. Times have changed, and now every Internet-connected network is vulnerable, whether it has thousands of IP addresses or just one. Why? Automated tools make it easier to quickly identify and exploit network exposures, so more people can become hackers. And theyre doing more damage because the new generation of threats is self-replicating and more virulent than ever.

As a result, prevention has become a top priority for IT groups of all sizes. For companies with global e-commerce operations, for example, protecting Internet-facing devices is crucial for business continuity. And for companies that maintain confidential customer or patient data online, its essential to protect privacy, prevent fraud such as identity theft, and safeguard research data from destruction or manipulation by hackers.

But with limited staff resources, how can IT groups prevent network attacks without diverting resources from other projects? Increasingly, the answer is vulnerability assessment, the process of identifying network and device vulnerabilities before hackers can exploit them. And since hackers rely increasingly on automation, companies can fight fire with fire by automating their vulnerability assessment process.
The Four Pillars of Network Security
Vulnerability assessment complements the three other major approaches to network security: intrusion detection systems (IDS), firewalls, and virus detection. The latter three approaches detect attacks while or after they occur. For optimum network security, companies also need a proactive approach: identifying network and device vulnerabilities before infection from viruses can occur, and before damaging network attacks take place. Vulnerability and risk assessment services are a key component of an end-to-end security solution, says Upesh Patel, manager of the OPSEC alliance for firewall leader Check Point Software Technologies.

Companies that perform vulnerability assessment typically scan new systems before theyre attached to the network, after software is installed or reconfigured and at regular intervals thereafter. When a vulnerability is detected, the company corrects it and then performs another scan to confirm that the vulnerability is gone.

Vulnerability assessment works hand in hand with intrusion detection systems. The vulnerability assessment identifies potential vulnerabilities before they can be exploited, and the intrusion detection system notifies the company when anomalous activity has occurred. The two approaches are synergistic: vulnerability assessment enables IT to identify and close obvious holes so that the intrusion detection system has fewer places to check.
Comparing Approaches to Vulnerability Assessment
Companies can choose from several approaches to vulnerability assessment: manual testing using software-based products, consultants penetration testing, and externally hosted solutions. With the latter approach, also called Managed Vulnerability Assessment (MVA), scans are conducted by Web-based servers that are hosted and maintained by a third party. Companies enter a user ID and password on a browser to initiate a scan, which is conducted automatically, either at a pre-scheduled time or on-demand. The scan simulates a hackers perspective, probing a network for known vulnerabilities and looking through firewalls to assess any device visible to the Internet. All vulnerabilities discovered are reported via e-mail immediately following the scan. The most valuable services rank the vulnerabilities by priority and even provide links to tested remedies.

MVA offers clear cost and security advantages over the other methods of vulnerability assessment. For instance, manually-operated toolsets require dedicated personnel to run the scanners-a labour-intensive and expensive proposition for companies with numerous externally-facing servers. To manually scan a single server can easily take one to two hours of a security specialists time, twice a month. For an e-commerce company with more than 100 servers, the resource burden would add up to 400 hours a month, or two full-time people. Tower Records reported that before it adopted automated vulnerability assessment, manually scanning each new server required from 3 to 20 hours, depending on whether the configuration was standard or custom. By taking advantage of an automated vulnerability assessment solution, Tower can now pre-schedule scans to run unattended at any time of the day or night. Thus, automation dramatically reduces resource costs, freeing IT staff to focus on other security projects.

Another notable drawback of manually-operated toolsets is their lack of objectivity because the company itself runs the tools and sets the parameters. Assessing your own networks security is like trying to proofread your own report, notes Kevin Ertell, director of online operations for Tower Records. Its clearly more effective to outsource vulnerability assessment to an outside, disinterested party.

Finally, manually-operated products generally scan only those servers running a particular operating system, and scaling requires the purchase of additional hardware and software and requires more bandwidth. Whats more, licensing agreements can be prohibitively expensive.

Hiring outside consultants to perform penetration testing overcomes the lack of objectivity of internal testing, but introduces other problems. One is expense, which limits most companies to annual, quarterly, or monthly security audits. Limited scans pose a major problem because new vulnerabilities are discovered at an average rate of 30 per week. Therefore, even though the penetration reports are very detailed, they have a fleeting shelf life: they are valid only until a single change is made to the network or any system, or until new threats arise. This means that enterprises pay vast sums of money for tests that might remain valid only for hours. With MVA, in contrast, companies can conduct an unlimited number of assessments-daily, if required-at a fraction of the cost of one penetration test.

Automated, Web-Based Services
With automated, Web-based vulnerability assessment, costs plummet even while security and scalability soar. The cost benefits are especially compelling. For one, companies dont need to purchase and maintain specialised hardware or software. And, unlike services that restrict companies to a fixed number of scans each month for the subscription price, Web-based delivery means companies can initiate an unlimited number of scans for the same price as one. Generally, the service is priced based on the number of IP addresses scanned, not the number of scans. The freedom to run a scan whenever needed means that after IT professionals have applied a remedy to a vulnerability, they can immediately run another scan to confirm that the vulnerability has been eliminated.

Automated vulnerability assessment also reduces the time and expense of researching new vulnerabilities and their remedies. Because Web-based vulnerability assessment services rely on a centrally-maintained, up-to-date database of known vulnerabilities and fixes (the QualysGuard KnowledgeBase contains more than 1,700), IT groups dont need to train experts on each of their operating systems and applications. This benefit is particularly compelling for companies with heterogeneous networks-increasingly prevalent in todays era of mergers and acquisitions.

Finally, a Web-based MVA service enables companies to scale effortlessly; scanning a Class B or Class C network requires no more effort than scanning a single IP address. Either extreme requires nothing more than a few clicks on a Web interface. No additional capital expenditure for hardware or software is required. The company simply adjusts its service agreement to include new IP addresses.

Beyond Cost Savings
More important than cutting costs and reducing IT staff burden, automated MVA offers better protection against network threats. Because scans are run against a comprehensive database of known threats and their remedies, companies protect their vital information assets more thoroughly, ensuring their organisations ability to sustain business continuity. Companies gain the assurance that all scans include the latest threats, and need not worry about installing new software every time a new threat is discovered.

By proactively protecting network and confidential data, automated MVA helps companies comply with UK regulatory requirements related to network security and privacy. The Turnbull Report on Internal Control, intended for the directors of UK incorporated listed companies, states that the board of directors is obligated to consider the nature and extent of the risks facing the company. Specifically, the board must determine, Are the significant internal and external operational, financial, compliance and other risks identified and assessed on an ongoing basis? Automated MVA helps companies answer yes.

Similarly, MVA facilitates compliance with the Data Protection Act of 1999, directed at any company that processes personal data. Principle #7 of the Data Protection Act states, Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Act further states that standard risk assessment and risk management techniques involve identifying potential threats to the system, the vulnerability of the system to those threats and the counter-measures to put in place to reduce and manage the risk...One question the data controller should ask is whether there is protection against corruption by viruses or other forms of intrusion. Again, automated MVA addresses the requirement.

Be Vulnerable No More
By protecting their networks from hacker attacks and viruses, companies not only protect their revenues, they also maintain the public image and customer confidence at the heart of their reputation. Getting started requires little up-front expense or planning. Certain hosted MVA services require only that the company provide a list of IP addresses and device names. After receiving a user ID and password, the company can use the Web-based interface to initiate an unlimited number of scans, any time of the day. Results and recommended remedies are delivered immediately.

Automating vulnerability assessment enables security professionals to more effectively respond to hackers automated attack methods, proactively protecting their organisations from network intrusions that can jeopardise data assets, business continuity, and corporate reputations.
Name
Email
Comment
Or visit this link or this one