Internet Security Testing Overview
The internet security testing market has grown greatly with a number of organisations in the industry offering a range of services differing widely in terms of the benefits, cost and quality of the service. There are many factors that influence the need for internet security testing of a service or facility, and many variables contribute to the outcome of a test.
It is important to get a balanced view of the risk, value and justification of the internet security testing process, the need for testing may be as a result of a regulatory requirement or it may be as a result of an independent risk assessment.
An important consideration is that the results of internet security testing are aimed toward providing an independent unbiased view of the security stance and posture of the systems being tested; the outcome should be an objective and useful input into the security procedures.
The testing process should not be seen as either obstructive or attempting to find security shortfalls to lay blame or fault on the teams responsible for designing, building or maintaining the systems in question. An open and informative test will require the assistance and co-operation of many people beyond those actually involved in the commissioning of the internet security test.
A properly executed internet security test provides clients with evidence of any vulnerabilities and the extent to which it may be possible to gain access too or disclose information assets from the boundary of the system. They also give a baseline for remedial action to enhance the information protection strategy.
The internet security testing process can be described in many ways, it could be called a penetration test, security review, vulnerability assessment or security audit. The title applied to the internet security testing process has little impact on the fundamental methods of testing used during an engagement.
One of the first steps to be considered during the scoping requirements phase is to decide the rules of engagement and the operating method to be used during the internet security test to satisfy the technical requirements and business goals of the test. An internet security test can be part of a full security assessment but is often performed as an independent function.
Internet Security Testing Mechanics
The mechanics of the internet security testing process involves an active analysis of the system for any potential vulnerabilities that may result from improper system configuration, known system or software flaws or from operational weaknesses in process or technical operation.
Any security issues that are found in the duration of an internet security test should be documented together with an assessment of the impact and a recommendation for either a technical solution or risk mitigation.
An internet security test simulates a hostile attack against a clients systems to find specific vulnerabilities and to expose methods that may be implemented to gain access to a system. Any identified vulnerabilities discovered and abused by a malicious individual whether they be an internal or external threat could pose a risk to the integrity of the system.
Experienced security consultants who are tasked with completing internet security tests attempt to gain access to information assets and resources by leveraging any vulnerabilities in systems from either an internal or external perspective depending on the requirements of the tests and the operating environment.
In order to offer a level of assurance to the client that the internet security test has been performed effectively the following guidance should be considered to form the baseline for a comprehensive security assessment.
The internet security test should be conducted thoroughly and include all necessary channels. It is important that the posture of the test complies to any applicable regulation and policy, and the results should be measurable against the scoped requirements. The report should contain results that are consistent and repeatable and the results should only contain facts derived from the testing process.
It should always be appreciated that there is an element of risk associated with the internet security testing activity, especially to systems tested in a live environment. Although this risk is mitigated by the use of experienced professional internet security testers, it can never be fully eliminated.
These are many types of internet security test covering areas such as networks, communication services and applications, the fundamental processes involved in an internet security test can be broken down as scanning, vulnerability identification, attempted exploitation and reporting. The degree to which these processes are performed is dependent on the scoping and requirements of the individual test along with the time assigned to the testing process and reporting phases.
Internet Security Testing Elements
- Compliance Testing: This can be considered as internet security testing to comply with a set of general policies, these may take the form of government legislation, industry regulation or organisational policy.
- Scoping: The scope of an internet security test should be clearly defined before testing commences and forms part of the agreement against which the internet security testing service is to be performed.
- Test Plan: Frequently forms part of the bid process and includes the time-scales and resources necessary to complete the technical and business goals of the test.
- Testing Process: As the main element of the internet security testing service, this is when the real testing of the service or facility is performed and takes place against the goals and any constraints specified in the scoping process.
- Reporting: The results reporting is the key deliverable of any internet security test, this ultimately is what the client is paying for. The report templates should be consistent and give all relevant information gained during the testing process along with appropriate recommendations for any improvements.
Internet Security Testing Assurance
Performing regular internet security tests is an integral factor in ensuring that a system is maintaining a high level of security in line with corporate requirements. Regular testing provides the management team with a view of the security of their systems and provides the technical team with tailored advice to help in improving the effectiveness of the overall security and protection of the systems under their control.
Many organisations are unaware of the extent of their security exposure, and are unable to judge the capacity and resources that the technical team would need to address the issue. An internet security test provides an outline of the current security stance and identifies exposure so the client can put in place an action plan to mitigate the threat of attack and any potential consequences.
Security should be examined regularly to account for new trends in attack techniques and tools. An unbiased internet security test can help clients to focus their security resources where they are needed most.
The tools and techniques used when performing an internet security test are dependent on the type of test required and the time-scales associated with performing the test.
Using a mix of automated assessment tools for vulnerability scanning and mapping in combination with hands-on manual testing, a knowledge focussed method provides clients with a best-of-breed testing service that will find risks and issues obtained from potentially non-obvious vectors and attack paths.
Indimon Internet Services
Internet security tests require certain key elements to give clients useful results. Indimon Internet Services ensures that the testing phase covers the full threat spectrum by using a robust and reliable testing methodology combined with a comprehensive tool-set and a creative approach. Indimon Internet Services provides an effective internet security testing service with the knowledge and experience to offer a competitive and capable service for clients.
The reports produced deliver business value by providing clear unambiguous results that address both the technical and business goals of the client. Indimon Internet Services strives to produce tailored and pragmatic recommendations based on the real risks associated with any identified vulnerabilities.
A key attribute of Indimon Internet Services is in providing a comprehensive, independent, vendor neutral internet security testing service offering advice on security issues without the constraints of tailoring recommendations toward any specific market supplier or product offering.