Given the time, resources, and motivation, a cracker can break into nearly any system. At the end of the day, all the security procedures and technologies currently available cannot guarantee that your systems are safe from intrusion. Routers can help to secure your gateways to the Internet. Firewalls help secure the edge of the network. Virtual Private Networks can safely pass your data in an encrypted stream. Intrusion detection systems have the potential to warn you of malicious activity. However, the success of each of these technologies is dependent upon a number of variables, including:
The expertise of the staff responsible for configuring, monitoring, and maintaining the technologies
The ability to patch and update services and kernels quickly and efficiently
The ability of those responsible to keep constant vigilance over the network.
Given the dynamic state of data systems and technologies, securing your corporate resources can be quite complex. Because of this complexity, it may be difficult to find expert resources for all of your systems. While it is possible to have personnel knowledgeable in many areas of information security at a high level, it is difficult to retain staff who are experts in more than a few subject areas. This is mainly because each subject area of Information Security requires constant attention and focus. Information security does not stand still.
Suppose you administer an enterprise network. Such networks are commonly comprised of operating systems, applications, firewalls, intrusion detection systems, and more. Now imagine trying to keep current on every one of these. Given the complexity of today's software and networking environments, exploits and bugs are a certainty. Keeping current with patches and updates for an entire network can prove to be a daunting task in a complex organization with heterogeneous systems.
Combine the expertise requirements with the task of keeping current, and it is inevitable that adverse incidents occur, systems are breached, data is corrupted, and service is interrupted.
To augment security technologies and aid in protecting systems, networks, and data, think like a cracker and gauge the security of systems by checking for weaknesses. Preventative vulnerability assessments against your own systems and network resources can reveal potential issues that can be addressed before a cracker finds it.
A vulnerability assessment is similar to an internal inquiry of your network and system security; the results of which indicate the confidentiality, integrity, and availability (as explained in the Section called Standardizing Security in Chapter 1). A vulnerability assessment will typically start with an information gathering phase during which important data regarding the target will be gathered. This phase will lead to the actual checking phase, whereby the target is essentially checked for all known vulnerabilities. The checking phase culminates in the reporting phase, where the findings are classified into categories of high, medium, and low risk; and methods for improving the security (decreasing the level of vulnerability) of the target are discussed.
If you were to perform a vulnerability assessment of your home, you would likely check each door to your home to see if they are shut and locked correctly. You would also check every window, making sure that they shut completely and latch correctly. This same concept applies to systems, networks, and electronic data. The process of checking for weaknesses is the same. Only the targets are different. Malicious users are the thieves and vandals of your data. Focus on their tools, mentality, and motivations, and you will begin to think like them.