#248097 - 09/23/04 02:55 PM
Vulnerability Assessment vs. Penetration Testing
Anonymous
Unregistered
Hi,
We are an OCC regulated bank and OCC requires us to do testing of our network yearly. I was reading about conducting a vulnerability assessment of our network versus conducting a penetration test. As I understand it, testing the vulnerability of our network is a little less involved and a little less expensive than a penetration test. Does anyone know which one OCC suggests or requires? Or does anyone have any experience with this requirement? Any feedback would be greatly appreciated. Have a great day!
#248098 - 09/24/04 12:47 AM
Re: Vulnerability Assessment vs. Penetration Testing
Gold Star
Joined: May 2004
Posts: 274
New England
The FFIEC's Information Security booklet, which is part of the FFIEC's 12-booklet update to the former Information Technology Handbook, can provide you with an excellent distinction between a vulnerability assessment versus a penetration test.
In short, the vulnerability assessment may include as part of the overall assessment a penetration test. The vulnerability assessment is basically looking at the complete picture -- i.e., policies, administrative framework, scope of protection responsibilities of assigned individuals, board and audit committee supervision and involvement, and the overall technology and information governance model. Penetration testing, on the other hand, is more specific in scope and intent. Dialing into modems and network-connected appliances, and using war-dialer devices, are all part of a penetration test. The penetration test is more specifically directed at testing access into the network from the outside world, whereas the vulnerability assessment takes into consideration the administrative and program weaknesses that could directly or indirectly contribute to a poorly protected outside-facing network.
#248099 - 09/28/04 02:29 AM
Re: Vulnerability Assessment vs. Penetration Testing
Anonymous
Unregistered
You should also look at systematic testing via a third party approach. What good does an annual test do you when your external environment changes at least a few times a year? To stay "third party" we use a web page to constantly monitor our network. All we do is log in to a web site and pull reports; they do all the rest. It's also VERY affordable. Nowhere near the cost of a pentest!
#248100 - 09/28/04 01:41 PM
Re: Vulnerability Assessment vs. Penetration Testing
Gold Star
Joined: May 2004
Posts: 274
New England
Anon,
Elaina inquired about the difference in scope of the two assessment models. Your allegiance, I will presume, is toward conducting a network-specific review, and conducting this review remotely. This would not be a full-scale vulnerability assessment; this would only constitute a limited test of potential network penetration.
Too often, network professionals who came of age in IT after the mainframe world somehow think that a full-scale audit or assessment of an enterprise can be conducted from a remote location. From my PC at home I cannot possibly do justice to the term "audit" or "risk assessment" by calling several attempts at dialing into your server a "vulnerability assessment". Examiners and auditors can conduct limited off-site reviews from remote locations, but even they have to come on site once in a while to get a feel for management, to review files, to conduct physical inspections, etc., and this is why a vulnerability assessment that would also include a physical inspection of physical safeguards must also include more than just a network assessment -- which for all we know could be conducted by a consultant sitting in his/her kitchen or garage.
Bankers shouldn't be fooled by those vendors who want to conduct "penetration tests" and "network assessments" from remote locations only, and who want to perform very little on-site work. Any vendor who says they can do everything from a remote location, or who does not provide a detailed, easily understood statement of work should raise a big red flag.
#248101 - 10/07/04 04:58 PM
Re: Vulnerability Assessment vs. Penetration Testing
Anonymous
Unregistered
I echo the comments of Jay-Risk - vulnerability assessment covers a lot more than penetration testing. Think of penetration testing as one technique for identifying vulnerabilities, but remember that there are many others. As with most security issues, the best response probably involves combining techniques. Where technical vulnerabilities are concerned, you might like to consider using host-based and network-based scanners to detect how platforms measure up to a pre-defined security baseline on a regular basis, and to consider performing penetration tests to complement this on a periodic basis. It's also worth considering implementing services like these as a security architecture; see for example: http://www.infosecwriters.com/text_resources/pdf/IT_Security_Services.pdf
Whatever techniques you decide to use, remember that the hard part is not in the detection, it's in resolving the issue afterwards. For me, handling vulnerabilities involves recognising what is really a vulnerability for you (i.e. what are you prepared to put up with and what constitutes an unacceptable risk - this will probably be defined in terms of a security baseline) and correcting unacceptable vulnerabilities once you have found them (this may sound obvious, but correcting some vulnerabilities can result in applications not working any more, which implies negotiations with vendors, long-term planning etc.). Good luck whatever you decide.
Steve Purser.
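The idea in the post above of measuring scan results against a pre-defined security baseline, and of deciding up front what you are prepared to put up with, as an added Python example that is not from the original post or any poster's tooling: the hosts, findings, baseline values and the time-boxed exception are all constructed and hypothetical.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    host: str
    service: str   # e.g. "ssh", "smb"
    issue: str     # scanner's short name for the weakness
    severity: int  # 1 (low) .. 4 (critical), as a scanner might rate it

# Hypothetical baseline (the institution's own tolerances); exceptions are
# time-boxed so that accepted risk is re-examined rather than forgotten.
BASELINE = {
    "max_tolerated_severity": 2,              # sev 1-2 may be tracked rather than fixed
    "forbidden_services": {"telnet", "ftp"},  # never acceptable on any host
    "accepted_exceptions": {                  # (host, service, issue) -> review-by date
        ("core-app-01", "smb", "smb-signing-off"): date(2005, 6, 30),
    },
}

def triage(findings, as_of, baseline=BASELINE):
    """Return (must_fix, tracked); each entry is (finding, reason), must_fix by severity."""
    must_fix, tracked = [], []
    for f in findings:
        review_by = baseline["accepted_exceptions"].get((f.host, f.service, f.issue))
        if review_by is not None and as_of <= review_by:
            tracked.append((f, f"accepted exception, review by {review_by}"))
        elif review_by is not None:
            must_fix.append((f, "risk acceptance expired"))
        elif f.service in baseline["forbidden_services"]:
            must_fix.append((f, "service forbidden by baseline"))
        elif f.severity > baseline["max_tolerated_severity"]:
            must_fix.append((f, "severity above tolerated maximum"))
        else:
            tracked.append((f, "within tolerated severity"))
    must_fix.sort(key=lambda entry: -entry[0].severity)  # highest risk first
    return must_fix, tracked

# Constructed sample scanner output and scan date (not real hosts or results).
SCAN_DATE = date(2005, 1, 10)
SAMPLE = [
    Finding("core-app-01", "smb", "smb-signing-off", 2),
    Finding("teller-07", "telnet", "cleartext-login", 3),
    Finding("dmz-web-01", "http", "outdated-webserver", 4),
    Finding("dmz-web-01", "https", "weak-cipher-enabled", 2),
]

if __name__ == "__main__":
    fix, track = triage(SAMPLE, SCAN_DATE)
    for label, rows in (("FIX", fix), ("TRACK", track)):
        for f, why in rows:
            print(f"{label:5} {f.host:12} {f.service:7} {f.issue:20} sev={f.severity}  {why}")
```

Re-running the same findings with a later `as_of` date moves the expired exception into the must-fix queue, which is the point of time-boxing accepted risk.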
#248102 - 10/11/04 02:38 PM
Re: Vulnerability Assessment vs. Penetration Testing
New Poster
Joined: Feb 2004
Posts: 5
Quote:
The FFIEC's Information Security booklet, which is part of the FFIEC's 12-booklet update to the former Information Technology Handbook, can provide you with an excellent distinction between a vulnerability assessment versus a penetration test.
Right, and here is another useful FFIEC resource:
Risk Assessment Tools And Practices For Information System Security http://www.ffiec.gov/ffiecinfobase/resources/info_sec/fdi-fil-68-99-risk_assessment_tools_and_practices.pdf
which specifically discusses these two types of testing:
----------------------------------------------------------
Vulnerability assessment tools generally involve running scans on a system to proactively detect known vulnerabilities such as security flaws and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system.
Penetration analysis involves an independent party (internal or external) testing an institution's information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes.
----------------------------------------------------------
(end quote)
A vulnerability assessment can be extremely useful in revealing security exposures. From the perspective that a vulnerability scan is mostly passive, the additional information provided by a pen test should be balanced against the possible disruption to operations.
#248103 - 01/10/05 07:58 PM
Re: Vulnerability Assessment vs. Penetration Testing
New Poster
Joined: Jan 2005
Posts: 5
Santa Barbara, CA
I guess this is as delayed a response as you could get, but having just signed up for this site, I'm enjoying looking up old threads.
At Redspin we specialize in auditing bank security, mostly on a network level, but our work extends into the bank walls as well. I agree that for a full and complete vulnerability assessment, it is necessary to get into the doors of the bank. In our field, this would be an "Internal" IT Audit, or Internal Risk Assessment. If a customer orders an external assessment, this does not indicate that we should go into the bank and do a risk assessment. Because an external assessment is just that: EXTERNAL. We do everything and more than your "above-average" hacker can do without walking into your bank.
The other type of service is the Internal audit. Having read a few threads on this topic, it is very interesting the type of things that can be discovered about a bank that just cannot be justified through external audits. A funny incident at our firm was once when one of our employees conducting an audit simply approached a bank teller, told her that he was working in the IT department and needed to check some information about her computer. She agreed, and our guy began on the computer. PASSWORD! What a great tool in the computer world, right? Wrong. We noticed that a few computers actually had their username/passwords written down on post-it notes on their monitors. This lady did not, but when asked for her password, she freely gave it to this "IT" bank employee whom she had never met.
Whether conducting an internal or external assessment, it is important to realize that although your network can withstand a network penetration test, the employees inside must also have the competence to not allow thieves to penetrate the physical branch. AND VICE VERSA.
_________________________
Keepin' It Real -- Safe