This page contains a Flash digital edition of a book.
TRY THIS PROACTIVE By Lance Naismith B


y now, everyone recognizes the movie cliché in which a pimply-faced boy sits in front of his computer and joy- fully hacks into a company’s corporate network to steal data or to wreak havoc. Unfortunately, this happens in real life more frequently than not these days and for those companies that do get hacked, it is not as thrilling as it may seem on the big screen.


Most home and small business com- puter users are aware of password pre- cautions and the use of firewalls, malware and anti-virus software. In addition to these precautions, however, companies may want to improve the protection of their sensitive data by adopting additional proactive measures in the form of pene- tration testing (pentests). By performing pentests, companies can see where their security holes are and thus what they need to do to fix those holes.


“Penetration tests demonstrate what access can be gained, and what informa- tion may be obtained by the probing of a dedicated entity,” says Eldon Sprickerhoff, founding partner of eSentire, a security consulting and monitoring services firm based in Cambridge, Ont. “This can in- clude sensitive [corporate or personal] in- formation and inappropriate credentials. The methods by which this information was obtained are generally divulged after the penetration test is completed.” He adds that pentests should not be confused with “vulnerability scans,” which in some cases can be performed by the company itself, whereas pentests are typically conducted by a third-party service provider.


According to industry experts, there are three levels of pentests that can be done with varying degrees of cost, complexity,


28 SECURITY MATTERS • NOVEMBER/DECEMBER 2010


By conducting penetration tests, companies can see where their security holes are — and hopefully fix them before any security breach occurs


services in Burlington, Ont., adds that unlike pentests conducted in the United Kingdom, in Canada and U.S.A. it is un- regulated and therefore, important to choose a service provider with a verifiable reputation. You should, he asserts, “meet with the testers and ensure that you are comfort- able with their methodology and how they will treat your data.” They need to be as secure with your data as you are, he adds. Pentests are not without peril though. Milos Stojadinovic, a security consultant with Net Cyclops Inc. (NCI), warns that al- though penetration testers try to minimize the impact to company networks, “reper- cussions to company networks are never completely mitigated.”


skill level and depth of analysis: 1) Black Box is performed with zero knowledge of the target organization and is usually the most costly and real-world pertinent; 2) Grey Box, the testers work with limited or partial knowledge of the organization (e.g., IP address ranges, key targets); and 3) White Box, testers are given full informa- tion disclosure in advance.


“Some manner of grey box testing is the methodology most usually chosen due to the trade-off between depth of analysis and associated cost,” says Sprickerhoff. Before proceeding with a pentest, many companies have already performed a risk assessment of their IT system and the potential threats looming against them. Choosing a company to conduct the pen- test is next and it is recommended that the first choice is not the company that in- stalled your IT system, primarily due to a perceived conflict of interest.


Sprickerhoff advises a company to check with its peer group within its spe- cific business vertical and to seek recom- mendations from them.


Robert Beggs, president of Digital De- fence, a provider of information security


Attacks, he adds, that are known to be destructive or prone to causing denial of service are typically only performed with authorization by the client. To reduce this risk, Stephen Northcutt, president of the SANS Technology Institute, recommends companies make sure that all teams in- volved in mitigating and dealing with net- work attacks are reachable by cell phone in the event of a crash or network failure. With pentests, similar to any other secu- rity precaution taken, companies must ask themselves just how secure do they want to be. “A penetration test cannot identify and remediate all possible vulnerabilities,” warns Stojadinovic, “however, they can and often do identify most vulnerabilities that are highly prone to attack.”


Lance Naismith is a freelance writer in Oakville, Ont.


SOURCES Digital Defence • www.digitaldefence.ca eSentire • www.esentire.com NCI • www.nci.ca SANS Institute •www.sans.org


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32