Hi,

We are an OCC regulated bank and OCC requires us to do a testing of our network yearly. I was reading about conducting a vulnerbility assessment of our network verses conducting a penetration testing. As I understand it, testing the vulnerbility of our network is a little less involved and a little less expensive than a penetration test. Does anyone know which one OCC suggests or requires? Or does anyone have any experience with this requirement? Any feedback would be greatly appreciated. Have a great day!

The FFIEC's Information Security booklet, which is part of the FFIEC's 12-booklet update to the former Information Technology Handbook, can provide you with an excellent distinction between a vulnerability assessment versus a penetration test.

In short, the vulnerability assessment may include as part of the overall assessment a penetration test. The vulnerability assessment is basically looking at the complete picture -- i.e., policies, administrative framework, scope of protection responsibilities of assigned individuals, board and audit committee supervision and involvement, and the overall technology and information governance model. Penetration testing, on the other hand, is more specific in scope and intent. Dialing into modems and network-connected appliances, and using war-dialer devices, are all part of a penetration test. The penetration test is more specifically directed at testing access into the network from the outside world, whereas the vulnerability assessment takes into consideration the administrative and program weaknesses that could directly or indirectly contribute to a poorly protected outside-facing network.

You should also look at systematic testing via a third party approach. What good does an annual test do you when your external environment changes at least a few times a year? To stay "third party" we use web page to constantly monitor our network. All we do is login to a web site and pull reports, they do all the rest. It's also VERY afforable. No where near the cost of pentest!

Anon,

Elaina inquired about the difference in scope of the two assessment models. Your allegiance, I will presume, is toward conducting a network-specific review, and conducting this review remotely. This would not be a full-scale vunerability assessment; this would only constitute a limited test of potential network penetration.

Too often, network professionals who came of age in IT after the mainframe world somehow think that a full-scale audit or assessment of an enterprise can be conducted from a remote location. From my PC at home I cannot possibly do justice to the term "audit" or "risk assessment" by calling several attempts at dialing into your server a "vulnerability assessment". Examiners and auditors can conduct limited off-site reviews from remote locations, but even they have to come on site once in awhile to get a feel for management, to review files, to conduct physical inspections, etc., and this is why a vulnerability assessment that would also include a physical inspection of physical safeguards must also include more than just a network assessment -- which for all we know could be conducted by a consultant sitting in his/her kitchen or garage.

Bankers shouldn't be fooled by those vendors who want to conduct "penetration tests" and "network assessments" from remote locations only, and who want to perform very little on-site work. Any vendor who says they can do everything from a remote location, or who does not provide a detailed, easily understood statement of work should raise a big red flag.

I echo the comments of Jay-Risk - vulnerability assessment covers a lot more than penetration testing. Think of penetration testing as one technique for identifying vulnerabilities, but remember that there are many others.

As with most security issues, the best response probably involves combining techniques. Where technical vulnerabilities are concerned, you might like to consider using host-based and network-based scanners to detect how platforms measure up to a pre-defined security baseline on a regular basis and to consider performing penetration tests to complement this on a periodic basis. Its also worth considering implementing services like these as a security architecture, see for example:

http://www.infosecwriters.com/text_resources/pdf/IT_Security_Services.pdf

Whatever techniques you decide to use, remember that the hard part is not in the detection, its in resolving the issue afterwards.

For me, handling vulnerabilities involves recognising what is really a vulnerability for you (i.e. what are you prepared to put up with and what constitutes an unacceptable risk - this will probably be defined in terms of a security baseline) and correcting unacceptable vulnerabilities once you have found them (this may sound obvious, but correcting some vulnerabilities can result in applications not working any more, which implies negotiations with vendors, long-term planning etc.).

Good luck whatever you decide.

Steve Purser.

I guess this is as delayed a response as you could get, but having just signed up for this site, Im enjoying looking up old threads.

At Redspin we specialize in auditing bank security, mostly on a network level, but our work extends into the bank walls as well. I agree that for a full and complete vulnerability assessment, it is necessary to get into the doors of the bank. In our field, this would be an "Internal" IT Audit, or Internal Risk Assessment. If a customer orders an external assessment, this does not indicate that we should go into the bank and do a risk assessment. Because an external assessment is just that: EXTERNAL. We do everything and more than your "above-average" hacker can do without walking into your bank.

The other type of service is the Internal audit. Having read a few threads on this topic, it is very interesting the type of things that can be discovered about a bank that just cannot be justified through external audits. A funny incident at our firm was once when one of our employees conducting an audit simply approached a bank teller, told her that he was working in the IT department and needed to check some information about her computer. She agreed, and our guy began on the computer. PASSWORD! What a great tool in the computer world, right? Wrong. We noticed that a few computers actually had their username/passwords written down on post-it notes on their monitors. This lady did not, but when asked for her password, she freely gave it to this "IT" bank employee whom she had never met.

Whether conducting an internal, or external assessment, it is important to realize that although your network can withstand a network penetration test, the employees inside must also have the competence to not allow thiefs from penetrating inside the physical brance. AND VICE-A-VERSA.