There’s always a point in every IT professional’s career where he thinks he has everything figured out. We can get so caught up in our ways that we often overlook the fact that there are so many things we do on a daily basis that can be improved. This is especially true for network security and, specifically, network security assessments. You can’t afford to get stuck in your old ways if you’re going to adapt to the flow of changes in IT and business. You can make some great improvements in the security of your network if you’re willing to tweak your approach.
One thing that stands out to me is that so many people get caught up in the minutiae when performing network security assessments. They try to look for every flaw on every system. When they realize they may not have found enough, they’ll use another vulnerability scanner or take a different approach. They chase things down this or that rabbit hole and, in the end, have accomplished hardly anything of value. You must respect the law of diminishing returns and focus on what counts the most.
The good news is, you don’t need to look at everything – especially at first. But you do need to look at all the right things, namely your most critical network systems. This will likely include your servers (file, database, and application) and at least a cross-section of your workstations. You’ll also want to test network infrastructure systems including your firewall(s), router(s), and a cross-section of your Ethernet switches and VoIP systems.
You have to look for the flaws that are most common and can create the most harm. These efforts should focus around weak passwords, missing patches (OS and third-party software), and default system configurations – some of the most widespread and most exploited vulnerabilities according to studies such as the Verizon Data Breach Investigations Report. No matter what we have thrown at us from a networks security perspective, there’s nothing really new. Knowing what we now know, there’s no reason to have these basic flaws on any network system. The bottom line is, a properly-scoped security assessment is critical. It’s one of the best ways to set yourself, management, and the business up for success.
Another thing you can do to improve your network assessments is to perform authenticated scans of your OSs, databases, and applications. Unauthenticated or "logged-out" scanning is easier and requires much less time but authenticated scanning is going to show you the real picture of where things stand and what can be exploited when a user does something out of line. I typically find the most detrimental vulnerabilities inside the network as a trusted user. You don’t necessarily need to perform authenticated scans every time but you need to be doing them periodically.
Once your scans are complete and you’ve performed any follow-up findings validation or manual analysis, be sure to report your findings to the proper individuals in management, IT, development, or outside parties as needed. It sounds a bit obvious, but it happens, and when it does, it gives others yet another reason to not treat security as a serious business issue. Finally, another common sense recommendation that deserves attention because it’s also taken for granted: make sure you – or the appropriate parties – follow up on your assessment findings and ensure the issues are either resolved or determined to be acceptable risks by management.
Every network security assessment you do will present unique experiences and learning opportunities
You'll learn which tools work and which ones merely cause frustration. You'll learn the appropriate approaches and techniques. You'll become better information security professional if you have an open mind and aren't merely going through the motions to earn a paycheck. Do what it takes to get better – there’s always room for improvement.