When discussing vulnerability assessment, it's essential to start off with an example. It concerns a certain manufacturing company which took pride in its state-of-the-art information security infrastructure. The company's IT security team ensured that they not only blocked outsiders, but also maintained privacy from nosy colleagues by implementing inter-department firewalls. But when Vivek Ramachandran, along with his team of security experts from IT security consultant MIEL, examined the company's IT setup during a vulnerability assessment exercise, they discovered that the security team had missed a vital spot. "The main router connecting IT infrastructure to the Internet maintained a default password provided by the vendor, thus making it easy for any attacker to target their systems," recalls Ramachandran, a senior consultant with MIEL.
Modern ammunition that fails just before the start of a war is of no use. With ever-evolving threats and hackers continuously on the prowl, one question should often be asked when considering vulnerability assessment mechanisms: 'Is our setup protected enough?'
There are multiple signs that point towards the need for a vulnerability assessment exercise. For example, the number of hits to your website may increase dramatically at certain times despite adequate safeguards, or you may find that someone in the organization has access to data that is not required for his job function. These tell-tale signs call for a revisit of the security and privacy settings in your systems.
Blackhat hackers use various methods to exploit vulnerabilities in the system. Metasploit, for example, is a common penetration-testing tool used by hackers. Yet, Ramachandran is of the opinion that several CISOs are not even aware of this tool's existence. With the use of methods like pivoting, where blackhat hackers break into a weak point of the network and use that component as the staging area to break in further, hackers bypass the perimeter IDS and IPS and enter straight into the system.
"Weakness may lie at the application level, the operating system and server level, or at the networks," says Sanjeev Sreedharan, VP, software engineering, Cleartrip.com. Periodic audits, vulnerability assessments and continuous education of the security staff are methods CISOs can adopt to build a fortress against malice. While the CISO may have to call in experts to conduct a more in-depth audit to understand finer details, it always helps to be informed and look for the signs to thwart intruders.
Vulnerability assessment tests
The frequency of conducting a vulnerability assessment at the three levels mentioned by Sreedharan depends on your application or network component's criticality. At Eclerx, Sachin Vaidya, associate principal, explains that his team not only conducts quarterly tests, but also checks for vulnerabilities before a new deployment or after making any changes to the existing code. Depending on application criticality, the respective vulnerability assessment test's frequency is scheduled in the range of three to six months.
Sreedharan is equally careful. In February 2010, he added a 'routing capability' to the flight searches on Cleartrip.com. As a result, users who want to search for flight listings between (say) Mumbai and Bengaluru are now able to see flights that come with one or two stops before reaching the destination; this gives the users greater options to choose from. Sreedharan's internal IT team wrote scripts to test for exceptions such as session hijacking, cross-site scripting and parameter manipulation (to name a few) before he finally released the application for customers.
Black box and white box testing can help uncover vulnerabilities at various levels. Vulnerability assessment tests on the application, servers and networks can easily be done in-house. There are several open source and proprietary tools which can be used to do a vulnerability assessment. "Nessus, Snort and Honeypot are some of the vulnerability assessment tools used to scan our networks," says Sreedharan. A tool like Nessus, for example, can be used to scan the IT setup for vulnerabilities.
Though any threat to the confidentiality, integrity and availability of data is bad, measures can be taken to minimize the effects of a malicious attack. For example, if a hacker manages to break into a certain application server, but is unable to break into the critical database server containing classified data, the damage is much less.
This brings us to the need for a threat model. A threat model helps organizations to understand which parts of the setup need more attention than others, and to plan their security strategy accordingly. Once a complete understanding of the setup is gained, it will be easier to allocate security budgets depending on the business' security needs.
Threat modeling is a conceptual look at the problem. A logical diagrammatic representation of the present setup's design gives the CISO an idea of vulnerabilities, access provided, and other information. It helps the security team to prioritize and focus on the most critical areas.
For example, if a blackhat hacker breaks into the system, but is only able to lay his hands on data that is perhaps available in the public domain, the risk is not significant enough for the CISO to spend time and resources on it. (It was after looking at the threat model of their client's IT setup that MIEL decided to test the perimeter router for a vulnerability assessment.)
Once the weak points of an IT setup are known, these can be further examined using statistical methods to uncover any anomalies. For example, audit companies such as PricewaterhouseCoopers can help detect threats through methods like correlation, simulation and trend analysis. Rajagopalan Nair G, the additional general manager of IT for Federal Bank, employs experts to analyze logs from various components, and patterns are then compared for any exceptions that may raise concerns about security.
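The kind of log trend analysis described above, where hit counts are compared against a baseline and exceptions are raised for review, can be sketched in a few lines. This is an added illustration written for this article, not the tooling of Federal Bank, PricewaterhouseCoopers or MIEL; it assumes web-server logs in Common Log Format, uses constructed sample lines, and the hourly bucketing and leave-one-out baseline are choices made here, not taken from the text.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed Common Log Format lines (not real traffic): three quiet hours,
# then a burst of 80 requests against /search from five clients at 12:00.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2010:09:01:10 +0530] "GET /flights HTTP/1.1" 200 512
10.0.0.6 - - [12/Feb/2010:09:15:42 +0530] "GET /flights HTTP/1.1" 200 512
10.0.0.7 - - [12/Feb/2010:10:02:01 +0530] "GET /login HTTP/1.1" 200 300
10.0.0.5 - - [12/Feb/2010:10:30:11 +0530] "POST /search HTTP/1.1" 200 800
10.0.0.8 - - [12/Feb/2010:10:44:09 +0530] "GET /flights HTTP/1.1" 200 512
10.0.0.9 - - [12/Feb/2010:11:45:00 +0530] "GET /flights HTTP/1.1" 200 512
""" + "".join(
    f'10.0.0.{20 + i % 5} - - [12/Feb/2010:12:{i % 60:02d}:00 +0530] '
    f'"GET /search?q={i} HTTP/1.1" 200 100\n' for i in range(80)
)
# client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def hits_per_hour(log_text):
    """Count requests per calendar hour, keyed 'YYYY-MM-DD HH:00'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        counts[ts.strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


def find_spikes(counts, k=3.0, min_rise=10):
    """Hours whose count exceeds a leave-one-out baseline of the other hours:
    mean + k*stdev, with min_rise as a floor so that a flat baseline (stdev
    near zero) does not flag trivial changes."""
    spikes = []
    for hour, n in counts.items():
        others = [v for h, v in counts.items() if h != hour]
        if len(others) < 2:
            continue  # too little history to form a baseline
        if n > mean(others) + max(k * pstdev(others), min_rise):
            spikes.append(hour)
    return sorted(spikes)


if __name__ == "__main__":
    print(find_spikes(hits_per_hour(SAMPLE_LOG)))  # ['2010-02-12 12:00']
```

The flagged hour is then the starting point for the manual comparison the article describes, for instance looking at which clients and URLs account for the rise.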
While it is helpful to hire external support to tackle a security problem, a lot of measures can be taken within the organization to prevent security breaches. Continuous education about vulnerability assessment and management, for example, is one of these measures.
However, trusting your consultant completely on the vulnerability assessment front is not a great idea. Ramachandran believes that several CISOs often give a clean slate to the consultant, and ask for his opinion about where the internal security team has gone wrong. While this is the easy way out, it's not recommended that a company completely trust outsiders with its security or with vulnerability assessment.