Resources > Articles > Vulnerability Testing

Vulnerability Testing

Keyno Hanna

by Keyno Hanna

One of the things that most people have a problem with is others critiquing them. For the most part, we don't like the fact that people are looking at us with the intent of finding things that are wrong with us; chinks in our amour. Therefore Vulnerability Testing is, for the most part, unpopular. Vulnerability Testing performs tests with the intent of finding things that are wrong with your business' security. Most of us dislike tests, so why is it necessary? Only by having regular and timely Vulnerability Testing performed can you ensure that your company's critical data and reputation are safeguarded from illegal access.

There are two broad areas for testing. Vulnerability tests can be done on the inside of your network infrastructure or on the outside of your network from the Internet. In our discourse, let's consider the two types and classify them as Intranet for internal scanning and Internet for external scanning.

I will start with Internet vulnerability testing as this is perhaps the one that most businesses are concerned with. All networks should be protected from Internet intruders with some kind of firewall. A firewall in simplest terms is a device or software that can allow traffic to go in and out of your network with rules that govern what comes in and what goes out.

Vulnerability testing on your firewall is important because you need to know if there are any 'holes' that allow access from unauthorized sources like hackers. A hacker in this sense is an individual that longs to gain access to your information system and take control of it. They can inject a virus (malicious code) that can wipe your disks clean, or perhaps there is sensitive information that may be worth something to them that they can obtain and leverage for their own benefit. Or, just for tricks, they may deface your website.

Vulnerability Testing will scan your "external" wall and identify weaknesses in your security. There are different types of scans that can be done. One of the things that is normally included is a port scan to identify open TCP (Transmission Control Protocol) ports and UDP (User Datagram Protocol) ports. A probe is then conducted to gather all data on available or listening services/applications (for example your email server or firewall). From here, the Vulnerability Testing will identify potential attack points and provide to you a summary of vulnerabilities which need to be addressed.

To some people, Intranet vulnerability scanning is the more eccentric of the two. One belief is that if a network is protected from the outside then everything is fine. The first thing I will say to that is: 'so what if the network is protected from the outside'? When it comes to IT, you have to take the strategy of "defense in depth". This is the use of multiple security techniques which helps mitigates the risk of one defense being compromised.

For example, you need a defense against viruses and also against weaknesses in your Operating System. You protect yourself against these by deploying Anti-Virus software and by downloading the necessary patches from your Operating System vendor. Yet you also need defense from many other types of risks, such as social engineering. Social engineering is the process of obtaining sensitive information by deceiving legitimate users. For example a social engineer may be able to obtain a user's password through various methods and use that password for uncensored activities. To tackle social engineering, Vulnerability Testing can discover if weak, non-expiring or blank passwords exist on your network.

The tools that are used to perform intranet scanning are different from the ones used to conduct internet scanning. Most of the intranet scanning tools must be run as software on a network computer. Others are scanner appliances that can be connected to your physical infrastructure with, for example, a web interface for viewing results. In general, different scans need to be run to identify both intranet and internet vulnerabilities.

What steps are in place in your infrastructure to test for vulnerabilities? Do you rely on trust? Testing is more important. If knowing is half the battle, then fixing is the other half. Vulnerability testing without remediation is incomplete. Now I don't want it to seem like a witch hunt where everything becomes a huge issue; some discretion is necessary. External vulnerabilities in most cases should be tackled first; however any vulnerability that has a big red flag attached should be an urgent priority.

To provide feedback on this column, please email makingITwork@providencetg.com

About the Author:

Keyno Hanna is a Technical Analyst at Providence Technology Group. He possesses a Bachelor of Mathematics & Computer Science and is a Microsoft Certified Systems Engineer (2003) with 7 years work experience in the Information Technology industry. Providence Technology Group is one of the Bahamas' leading IT firms, specializing in Networking Solutions, Consulting & Advisory Services and Software Solutions

Solutions Centre

  • Am A-frame sign with the WiFi logo on it.
  • A row of paper dolls with one breaking loose and running away.
  • Birdseye view of a rowing team.
  • A single mailbox in a snow covered plain.
  • A detail shot of red rotary phone.
  • ECG display showing heartbeat waves.
  • Two Aspirins
  • A computer engulfed in flames.
  • The Trojan Horse
  • A snail on the road.
  • Networked grid of red blocks.
  • Seedling plant in a pot.

Resources Centre

Providence’s team is now all Microsoft Certified - April 2009
News

All of the technical team is now Microsoft Certified and we have the most up to date certifications in the Bahamas. Go team! Read More >>

New promotions at Providence Technology Group - January 2009
News

Providence Technology Group is proud to announce the promotion of two of its management team, Georgette Robinson-Sands and Caroline Moncur... Read More >>

Windows Vista
Article

Microsoft’s first major operating system upgrade in 5 years, Windows Vista, was launched to retail consumers in January 2007... Read More >>

Firewalls - A Necessity for all Businesses
Article

The majority of people use the internet on a regular basis, even if it is only to play numbers! The chances are then that... Read More >>

Remote Network Monitoring & Management
Article

One of the key determinants of an organisation’s success is the performance, availability and security of their IT infrastructure... Read More >>

Featured Clients