December 29, 2009, 8:53 AM — by James E. Gaskin - All networks have vulnerabilities, but how do you find them? By using networkd vulnerability assessment (NVA) tools to look at every IP address on your network and test the service or device using that address. Even more important, you need assessment tools that work from the outside in, so you can test your network the way the hackers will. By using regular assessments, you can shut all the openings in your network before the hackers find them.
Jesper Jurcenoks, CTO of NetVigilance, maker of network vulnerability assessment software, says regular NVA use gives you the most important security information: what's on your system, and what your systems look like to hackers. Let's look first at common myths about NVA.
One myth is that all you need is a port scanner, but those scanners don't actively probe the service at that port for security compliance. Other myths are that you don't need NVA if you have anti-virus protection, or an intrusion detection system. While both of those are necessary tools, they lessen the impact of a breach or tell you a breach has occurred, but do not help you prevent breaches. Netstat, for instance, is a handy utility, but shows ports from the inside, not the outside, and firewalls muddy the netstat results.
Jurcenoks sits on several of the PCI (Payment Card Industry) security panels, and works with e-commerce sites and others who take credit cards. The problem he sees most often is "scoping." A company with 20 servers really locks down the server with the credit card database, but pays less attention to the other 19 servers. Whether the company is lazy, overworked, or misinformed, they leave themselves vulnerable. Once a hacker gets into one machine, the other 19 will be soon breached.
PCI reports indicate companies with millions of credit card records to protect are doing a pretty good job. Those companies with hundreds of thousands of records, however, have a way to go to reach an adequate level of security. Jurcenoks recently served on a PCI task force that developed new guidelines, which will be released soon.
Service and server testing sometimes leaves more holes if admins aren't careful about cleaning up properly. NVA tests often find servers and services left open and insecure after a test has finished. Proxy servers can enhance security, but not if you leave port 8080 open in both directions, leaving the port open from the outside.
Cross-site scripting remains a huge problem for Web sites everywhere. Even Java-based image containers have been exploited by hackers. The exploits are getting more and more obscure. Jurcenoks believes page 1 of "Cross-site Scripting for Dummies" (were there such a book) has been handled well, but few people are fixing what's on page 2.