Given time, resources, and motivation, a cracker can break into
nearly any system. At the end of the day, all of the security
procedures and technologies currently available cannot guarantee
that any systems are safe from intrusion. Routers help secure
gateways to the Internet. Firewalls help secure the edge of the
network. Virtual Private Networks safely pass data in an encrypted
stream. Intrusion detection systems warn you of malicious activity.
However, the success of each of these technologies is dependent
upon a number of variables, including:
Given the dynamic state of data systems and technologies,
securing corporate resources can be quite complex. Due to this
complexity, it is often difficult to find expert resources for all
of your systems. While it is possible to have personnel
knowledgeable in many areas of information security at a high
level, it is difficult to retain staff who are experts in more than
a few subject areas. This is mainly because each subject area of
information security requires constant attention and focus.
Information security does not stand still.
Suppose that you administer an enterprise network. Such networks
are commonly comprised of operating systems, applications, servers,
network monitors, firewalls, intrusion detection systems, and more.
Now imagine trying to keep current with each of these. Given the
complexity of today's software and networking environments,
exploits and bugs are a certainty. Keeping current with patches and
updates for an entire network can prove to be a daunting task in a
large organization with heterogeneous systems.
Combine the expertise requirements with the task of keeping
current, and it is inevitable that adverse incidents occur, systems
are breached, data is corrupted, and service is interrupted.
To augment security technologies and aid in protecting systems,
networks, and data, you must think like a cracker and gauge the
security of your systems by checking for weaknesses. Preventative
vulnerability assessments against your own systems and network
resources can reveal potential issues that can be addressed before
a cracker exploits it.
A vulnerability assessment is an internal audit of your network
and system security; the results of which indicate the
confidentiality, integrity, and availability of your network (as
explained in Section 1.1.4
Standardizing Security). Typically, vulnerability
assessment starts with a reconnaissance phase, during which
important data regarding the target systems and resources is
gathered. This phase leads to the system readiness phase, whereby
the target is essentially checked for all known vulnerabilities.
The readiness phase culminates in the reporting phase, where the
findings are classified into categories of high, medium, and low
risk; and methods for improving the security (or mitigating the
risk of vulnerability) of the target are discussed.
If you were to perform a vulnerability assessment of your home,
you would likely check each door to your home to see if they are
closed and locked. You would also check every window, making sure
that they closed completely and latch correctly. This same concept
applies to systems, networks, and electronic data. Malicious users
are the thieves and vandals of your data. Focus on their tools,
mentality, and motivations, and you can then react swiftly to their