No matter how tightly you secure your network, how strictly you enforce your security policy, or how much money you've spent on your firewall, hackers and crackers know plenty of obscure nooks and crannies through which to gain access to your system.
Hire the enemy
If you knew where these holes were hidden, you could target your security solution in no time. Thankfully, there are a few ways to find the cracks, plus some ASPs out there that can help you do it. Amit Yoran, CEO of Riptech, an information security service provider, notes the difference between penetration testing and security scanning. Whereas penetration testing involves an actual person trying to break into your network to find out if a vulnerability exists, Yoran explains, security scanning is an automated approach that identifies weaknesses in a particular system or across a large network.
Yoran describes penetration testing as more of an art form, wherein a human tester who understands the complexities and interrelationships that exist in the network will attempt to gain entry. "A common technique might be to break into one system and then use that system to attack other posts on the network," he explains. "Typical automated scanning tools don't understand these concepts and are much more direct." In other words, although penetration testing may be more accurate, security scanning is cheaper and easier to reuse for all areas of your network. The scanning tools don't actually break in to your system, they simply identify where a break-in can occur. While a one-time penetration test may be a good response to a specific threat, a periodic security scan is still a more efficient way to monitor your network and keep the bad guys out.
Where to look
Interested in running a security scan or hiring someone to run some penetration tests? Obviously, looking in the yellow pages under Rent-a-Hacker isn't the best approach to hiring such a service; rather, you should hire a trustworthy company. Major security companies such as Riptech, Internet Security Systems, UUNet, Network Associates, and NetSolve are just a few trusted names that offer this type of service on an ASP basis; that is, they host applications that work over the Internet to test your security. The ASP in question uses any number of automated tools to test your network for vulnerability to every attack in the book and issues you an easy-to-understand report. Many of these ASPs also repair the holes they discover.
Brute force not an option
Of course, ASPs can't do everything. Some do not attempt denial of service attacks or brute force checks because these types of attacks actually attempt to shut down the target system. "Most automated and manual techniques have the capability of identifying denial of service attacks without mounting them," says Yoran. "If [Riptech] determines that a particular operating system is running and what service packs or patches have been applied, we can identify the vulnerability without actually launching the attack."
UUNet takes another approach with its SecureSweep intrusion scanning service, which it offers as part of its managed firewall service. In keeping with the fox-guarding-the-henhouse school of outsourced security management, UUNet doesn't actually perform intrusion scans itself. Instead, UUNet outsources to 12 different companies to do the monthly scans, using a different company every month. This adds many more unaffiliated watchdogs--a very thorough approach.
When you're dealing with security, choose a company you know you can trust. And unless you have an in-house security expert, you'll need a service that can find vulnerabilities and close them up as well. The price will vary based on the services and reports you need and the size of your network, but a basic scan may be as inexpensive as US$100. Penetration testing costs more, since it requires a human's time and effort. Often, security scanning is one component of an entire security management outsourcing package, where your entire security environment (including firewall) is managed by an ASP.
All in the timing
Not sure how often you should hire these online hackers? Security experts recommend conducting a security scan at least once every quarter and undertaking a full-scale audit annually.
