Network security assessments are one of the most critical exercises performed for minimizing business risks. Your time is limited. You’ve got pressure from management to get things done. There’s so much to do and not enough time to do it. Yet, network security assessments are not something to take lightly. At a minimum, make sure you’re not making the following mistakes:
1. Believing you can get by without understanding fundamentals of TCP/IP
From subnet addressing to routing to common network protocols such as SMTP, FTP, and SNMP, the more you know about the TCP/IP stack and how it interacts with the OSI Model the better off you’ll be. Even software development knowledge you have can help tremendously. I wouldn’t feel comfortable testing nor stating that I’ve adequately performed my tests without understanding these network and computer basics.
2. Believing you’ll find all critical issues with automated scanners
I can’t imagine working without good vulnerability scanners. That said these tools are likely not going help you find things such as network protocol anomalies, sensitive information being exposed on improperly configured network shares, and lack of whole disk encryption on laptops – all of which impact your overall network security.
3. Believing that testing the obvious systems will uncover just what you need to know
You’ll certainly want to test servers, workstations, databases, and applications but you need to dig deeper. If something has a URL or IP address, it’s fair game for attack and can create business risks. You’ll want to focus on your most critical systems first but once you branch out to all of your systems, you’ll likely uncover an entirely new set of vulnerabilities.
4. Believing you’ll find every network flaw
Many people assume they’ll run some scans and poke around a bit and uncover every single flaw on their networks. It doesn’t work that way. There’s not enough time or skill available to find everything in a fixed project. New vulnerabilities emerge every day as well. This is why it’s critical to perform network security assessments on a periodic and consistent basis year after year.
Always remember that network security assessments are both an art and a science.