Technology Security Measures

January 28th, 2012 admin

While most companies have several security defenses in place to guard against threats, such as firewalls and antivirus software, a very important question is still left on the table: exactly how effective are these measures? Although it is a deceptively simple question, every company must find its own answer. Without this critical information, your organization could be left wide open to incoming threats because of unknown vulnerabilities. Let’s investigate a few ways to effectively evaluate your organization’s data security.

Penetration Tests
A penetration test, or pentest, is basically an attempt to hack into the system from outside the network. This simulated attack analyzes the system for any potential vulnerability points that could result from configuration problems, hardware or software defects, or poor operational procedures. A penetration test will typically look for vulnerable points not only from outside attackers, but also from the inside. If an employee can view unauthorized data, it can be just as dangerous as allowing a hacker to gain access. Penetration tests can be classified as either Black Box, where the tester knows nothing about the system, or White Box, where the tester has complete knowledge of the system infrastructure. Of course, some installations have used modified rules and referred to it as Grey Box testing. Every system that connects to the internet or allows access from any other external source should use penetration testing on a regular basis.

Network Discovery Assessments
A network discovery assessment analyzes your network’s infrastructure to identify every device that is connected to your network and searches for configuration weaknesses. By clearly identifying each machine within a continuous IP address range, the system engineers can detect any new or unexpected devices that are connected to the network.
While an unknown machine usually turns up because an incorrect IP address was assigned or a cabling error was made, a network discovery assessment will also point out any truly unauthorized computer, such as a hacker’s, that is connecting to your company’s network.

Network Sniffing
A network sniffer can be either a hardware device or a piece of software that intercepts and logs traffic passing over a network in order to capture information about each packet’s final destination. Some network sniffers have the ability to generate errors within the system to test its ability to handle error conditions. Depending on the capabilities of the individual network sniffer, it can be configured in the following ways:
• Wired Broadcast LANs – A network sniffer can monitor traffic traveling across either the entire network or specific parts of the network from one machine. To minimize a potential bottleneck, ARP spoofing or monitoring ports can be used.
• Wireless LANs – A network sniffer can monitor the traffic on one specific channel.
• Promiscuous Mode – If the network sniffer supports this feature, the network adapter can be set to promiscuous mode to allow the sniffer to monitor multicast traffic sent to a group of machines that the adapter is listening to.
• Monitor Mode – This is a step up from promiscuous mode. It allows the sniffer to process everything that it could in promiscuous mode plus packets for other service sets.
In terms of information security, network sniffers provide value by detecting network intruders, discovering network misuse by internal and external users, and isolating exploited systems.
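The network discovery assessment described above boils down to comparing what answers on a contiguous address range with what the asset register says should be there. The following is an added example, not code from the original post: it takes a constructed baseline inventory and constructed scanner output (both invented here), and classifies each device as expected, moved (known hardware on an unexpected address, the misassigned-IP or cabling case), unknown, missing, or answering from outside the assessed range.

```python
import ipaddress

# Constructed approved inventory: IP -> (MAC, role). A real assessment would pull
# this from the asset register or DHCP reservations.
BASELINE = {
    "10.0.1.1": ("00:11:22:aa:bb:01", "core-router"),
    "10.0.1.10": ("00:11:22:aa:bb:10", "file-server"),
    "10.0.1.20": ("00:11:22:aa:bb:20", "print-server"),
    "10.0.1.50": ("00:11:22:aa:bb:50", "workstation-01"),
}
# Constructed discovery output in "ip mac" form, as a scanner or ARP table reports it.
SCAN = """\
10.0.1.1 00:11:22:AA:BB:01
10.0.1.10 00:11:22:aa:bb:10
10.0.1.20 00:11:22:aa:bb:50
10.0.1.77 de:ad:be:ef:00:77
192.168.5.4 00:11:22:aa:bb:99
"""


def parse_scan(text):
    """Map each scanned IP to its MAC, normalising case so comparisons are exact."""
    devices = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            devices[ip] = mac.lower()
    return devices


def assess(baseline, observed, scope):
    """Classify observed devices against the baseline for one contiguous range."""
    net = ipaddress.ip_network(scope)
    known_macs = {mac for mac, _ in baseline.values()}
    findings = []
    for ip, mac in sorted(observed.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            findings.append((ip, "out-of-scope", "answered from outside the assessed range"))
        elif ip in baseline and baseline[ip][0] == mac:
            continue  # expected device at its expected address
        elif mac in known_macs:
            # Known hardware on the wrong address: usually a misassigned IP or cabling error.
            findings.append((ip, "moved", f"known device {mac} expected at another address"))
        else:
            findings.append((ip, "unknown", "unregistered device, investigate before trusting"))
    for ip in sorted(baseline.keys() - observed.keys()):  # expected but silent
        findings.append((ip, "missing", f"{baseline[ip][1]} did not answer"))
    return findings
```

Running `assess(BASELINE, parse_scan(SCAN), "10.0.1.0/24")` flags the print-server address carrying the workstation's MAC as moved, the workstation as missing, 10.0.1.77 as unknown, and the 192.168.5.4 entry as out of scope.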
On the other side of the coin, hackers can use network sniffers to gather the information needed to effect a network intrusion and to collect passwords or other sensitive information.

Checking Password Security
Because most users will choose a password that’s easy to remember instead of one that’s hard to guess, password security is critical to overall information technology security. After all, once a hacker has a valid user ID and password, much of the system is readily available. Passwords should be encrypted within the system, and rules should be put into place to reflect the potential security risk of an individual system. If the risk is low, it might be enough to require the user to create an eight-character password with at least one letter and one number that expires after 30 days. At the other end of the spectrum, the password should expire every week, and the user should be required to use a mix of upper case, lower case, numeric, and special characters, while any word found in a standard dictionary and any run of consecutive keyboard characters is disallowed.

Checking Wireless Security
Wireless access is a growing trend in today’s business world, but it comes with huge risks for security vulnerabilities. As long as a hacker is within range of your company’s wireless signals, they can connect to your system and attempt to log in. If a wireless network adapter isn’t configured properly, it can leave the door wide open to attacks, and the hacker may be able to get in with a simple admin/password sign-on. In addition to securing each known wireless access point, the network should be searched for unauthorized wireless access points that may have been left over from testing, set up by accident, or created with malicious intent.

Anthony Ricigliano
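The two password tiers from the Checking Password Security section above, implemented as a policy checker. This is an added example, not code from the original post: the low tier is as the post states (eight characters, a letter and a digit, 30-day expiry); the high tier's 12-character minimum, 3-character keyboard-run limit and the tiny word list are assumptions made here, since the post names the ingredients but not the values.

```python
from datetime import date

# Constructed mini word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "company"}
# Keyboard rows used to detect runs such as "qwe" or "456", forward or backward.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Low tier as the post states: 8 chars, a letter and a digit, 30-day expiry. The
# high tier's 12-char minimum and 3-char keyboard-run limit are assumptions.
POLICIES = {
    "low": {"min_len": 8, "classes": ("alpha", "digit"), "max_age_days": 30,
            "dictionary": False, "keyboard_run": 0},
    "high": {"min_len": 12, "classes": ("upper", "lower", "digit", "special"),
             "max_age_days": 7, "dictionary": True, "keyboard_run": 3},
}
CLASS_TESTS = {
    "alpha": str.isalpha, "upper": str.isupper, "lower": str.islower,
    "digit": str.isdigit, "special": lambda c: not c.isalnum(),
}

def has_keyboard_run(pw, n):
    """True if any n consecutive characters walk along a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def check_password(pw, tier, set_on, today):
    """Return the list of policy violations for `tier`; empty means compliant."""
    p = POLICIES[tier]
    problems = []
    if len(pw) < p["min_len"]:
        problems.append(f"shorter than {p['min_len']} characters")
    for cls in p["classes"]:  # each required character class must appear
        if not any(CLASS_TESTS[cls](c) for c in pw):
            problems.append(f"missing {cls} character")
    if p["dictionary"] and any(w in pw.lower() for w in DICTIONARY):
        problems.append("contains a dictionary word")
    if p["keyboard_run"] and has_keyboard_run(pw, p["keyboard_run"]):
        problems.append("contains consecutive keyboard characters")
    if (today - set_on).days > p["max_age_days"]:  # expiry check
        problems.append(f"older than {p['max_age_days']} days, must be changed")
    return problems

if __name__ == "__main__":
    for pw, tier in [("summer99", "low"), ("summer99", "high"), ("Qwerty!23456", "high")]:
        print(tier, pw, check_password(pw, tier, date(2012, 1, 10), date(2012, 1, 28)) or "OK")
```

The same password that passes the low tier ("summer99") fails the high tier on length, character classes, the dictionary check and age, which is the point of tiering the rules by system risk.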

Software Security

October 17th, 2011 admin

Even the most innovative computer system accomplishes nothing without an application to run. However, the programs that make up any application can make the enterprise vulnerable to either internal or external security risks. Implementing a solid software security assurance (SSA) plan allows organizations to protect their financial resources and intellectual property while minimizing potential business interruptions.

The SSA Plan
An effective SSA plan mitigates the risk of malicious code, security vulnerabilities, and code defects without standing in the way of creating and implementing programs and applications that function as intended. The best methodology builds security protocols into the application throughout the entire lifecycle.

Creating a Comprehensive SSA Plan
A comprehensive SSA plan starts with the original system concept and continues until the end of the application’s useful life. Here is a list of components to include in any comprehensive SSA plan:
• Training – Every member of the development team should be trained in information security.
• Defining Requirements – Security requirements should be defined during the requirements-definition stage of the application lifecycle and refined as deficiencies are found.
• Design – As the system is designed, potential vulnerabilities should be identified and accounted for.
• Coding – At this point, programmers should use the secure coding practices that they learned during training, but the final code should also be reviewed by another team member and scanned by automated tools.
• Code Handling – Only authorized users should be able to either view or modify code. Separation of duties requires that programmers not be allowed to deploy their own code changes.
• Testing – This can include both internal and external testing to make sure all vulnerable points were identified and handled.
• Documentation – Software documentation should include any explicit security measures.
• Readiness Testing – Prior to final deployment, all modules should be reevaluated for security gaps.
• Response, Evaluation, and Feedback – Any detected vulnerabilities should be evaluated and reported to the developers for correction.
• Maintenance – As the software security industry identifies new issues and methodologies, existing code should be updated to integrate new measures with existing systems.

Automated SSA Tools for the Web
An effective SSA plan uses a mix of team and third-party reviews as well as automated tools to minimize the possibility of missing vulnerable code. While these practices should be implemented for every system, web applications present a higher level of risk than any other type of software. Here are a few of the most popular SSA tools for the web:
• Nikto
• Paros Proxy
• WebScarab
• WebInspect
• Rational AppScan
• N-Stealth

Measuring SSA Effectiveness
Measurement plays a key role in the SSA process. Implementing and using this type of methodology isn’t a cheap endeavor. However, it’s worth every penny if your resources are protected from security threats. The following items should be measured for further evaluation:
• How well and how often are security objectives met?
• Are processes and controls functioning as expected?
• Did the requirements stage or review process miss any potential vulnerabilities?
• How soon were any security gaps identified? How quickly were gaps closed?

SSA Best Practices
To create an effective SSA plan, keep these best practices in mind:
• Incorporate security measures throughout the entire application development lifecycle.
• Security requirements should be clearly defined and documented.
• Code should be available for review by other team members and third-party auditors.
• Third-party vendors should be required to provide their source code for vulnerability scanning.
• Every program change should be reviewed by a member of the security team in addition to being scanned by an automated tool to minimize security risks.

Integrating secure coding techniques into both in-house software development and application procurement is more critical than ever. Hackers and corporate thieves are working overtime to exploit any potential system weaknesses to steal information or disrupt operations.

Anthony Ricigliano