
Setting up security guidelines alone will not ensure your company is secure. The key to implementing them successfully is to test them, says Tim Ecott.

As a security consultant I welcome the emergence of best practice guidelines for security implementations and congratulate those businesses which are following them successfully.

However, our experience is starting to show that businesses are becoming complacent and failing to test the robustness of their security measures.

Following security guidelines when implementing, for example, a wireless network is paramount. The importance of measures such as virtual private networks, firewalls, encryption technology and strong security policies should also not be underestimated.

Most businesses fall down (70% is an estimate) because they fail to test their security once it is in place. Security threats are continuously evolving, and protective measures must be upgraded and adjusted to reflect this.

Expanding on the example of a wireless network, the failure to do a penetration test before deployment means that many businesses will be "live" without actually knowing whether or not their wireless network is vulnerable.

In some cases it can be months before testing is carried out, in others it happens only after an attack, and in the most extreme cases it does not happen at all.

Penetration testing forms an integral part of any effective security strategy, whether it is an automated process or a high-level assault on a company's infrastructure.

It is widely accepted that a firewall plays an important role in filtering network traffic and that it must be configured and monitored correctly.

Simply connecting a firewall to the network and expecting your infrastructure to be secure is a little foolish, to say the least, and the same realisation needs to be made about wireless networks.

But how does a business know whether it has followed and applied best practice guidelines effectively if it has not carried out tests to prove its network can withstand potential attacks?

How does a business know that what was secure six months ago is secure now? Even if guidelines such as BS7799 are followed, the only way of knowing is to test systems regularly. Without penetration tests, it is impossible to assess the quality and effectiveness of your security.
Tim Ecott is a managing consultant at Integralis.