What Vulnerability Testing Doesn't Find
While vulnerability testing is a valuable tool in your security arsenal, you shouldn't think of it as a silver bullet. There are still situations and areas that a vulnerability testing program won't help you with, and you have to develop additional systems and procedures to lessen your exposure in those areas. The following are security issues that won't be found by vulnerability testing.
Logic errors are security holes that involve faulty programming logic inside a program. These are generally undiscovered or unpatched bugs where the program does not perform as it was supposed to, for example, a Web login page that doesn't authenticate properly or one that allows users to get more privileges than they should have. Well-known logic errors in major programs might be included in the Nessus vulnerability tests, but most of them are too obscure to be noticed except by a dedicated hacker.
Vulnerability testers rely on published reports of vulnerabilities. Usually once a vulnerability is announced, an add-on or plug-in for the system is written. With open source programs, this might take only a few days. However, during that time there may be a window of vulnerability because your scanner won't be finding that security hole if it exists. Of course, you could quickly write your own tests using NASL while you wait for the official one to come out.
Vulnerability testing programs typically only address published commercial and open source programs. If you have a program that was developed for internal use only, a vulnerability tester probably won't test anything on it. If it uses standard protocols or subprograms such as HTTP, FTP, or SQL, then some of the tests may apply. There are additional programs specially designed to test code for its security that you should run on these applications. The good news is that with an open source vulnerability tester like Nessus, you can write tests custom designed for your in-house application.
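As an illustration of the custom test described above, here is a NASL check written for this page (it is not from the book and not one of Nessus's own plugins) for a hypothetical in-house web application. The path /intranet-app/diag, the DEBUG_MODE=on marker, and the script id are assumptions; replace them with whatever your application actually exposes.

```nasl
# Added example: flags hosts where the in-house application's
# diagnostics page (assumed path) answers without authentication
# and reports that debug mode is enabled.
if (description)
{
  script_id(90001);   # placeholder id for a locally written plugin
  script_version("$Revision: 1.0 $");
  script_name(english:"In-house application exposes diagnostics page");
  desc = "
The internal application's diagnostics page is reachable without
authentication and reports that debug mode is enabled. In this state
the application may reveal configuration details and stack traces to
anyone who can reach the web port.

Solution : disable debug mode and restrict the diagnostics page
to authenticated administrators.
Risk factor : Medium";
  script_description(english:desc);
  script_summary(english:"Checks the in-house application's diagnostics page for debug mode");
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");
  script_copyright(english:"Example added for illustration");
  script_dependencie("find_service.nes");
  script_require_ports("Services/www", 80);
  exit(0);
}

include("http_func.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

soc = open_sock_tcp(port);
if (!soc) exit(0);

# Hypothetical page served by the in-house application.
req = http_get(item:"/intranet-app/diag", port:port);
send(socket:soc, data:req);
res = http_recv(socket:soc);
close(soc);
if (isnull(res)) exit(0);

# Only a 200 reply counts as reachable without authentication;
# a 401, 403 or redirect means the page is protected, so nothing is reported.
if (!egrep(pattern:"^HTTP/1\.[01] 200 ", string:res)) exit(0);

# Constructed marker that the hypothetical application prints when
# debug mode is on; adjust it to what your application emits.
if ("DEBUG_MODE=on" >< res) security_warning(port);
```

Drop the file into the Nessus plugins directory and it will run with the rest of the scan, so the check stays current as long as you keep the marker string in step with your application.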
All the testing in the world won't help you if you have poor or nonexistent security policies for your employees. As demonstrated in the sidebar, hackers denied technical means to gain access to your network can resort to social engineering, that is, trying to talk someone into giving them access. This can be surprisingly easy, because the hacker takes advantage of the basic human tendency to want to help others, especially people perceived as fellow employees. There is only one way to combat this kind of hacking, and it doesn't involve any technical systems. Having good security policies, educating employees about them, and enforcing them will lessen your exposure to these kinds of attacks.
Attacks That Are in Progress or Already Happened
Vulnerability testing only shows you potential security holes in your system; it won't tell you whether those holes have been exploited or alert you if an attack is taking place. (Catching attacks as they happen is the realm of intrusion detection systems and is covered in Chapter 7.) Programs like Nessus are purely preventative in nature, and they are effective only if you take action to fix problems when they are found. Vulnerability scanners won't fix them for you, although Nessus is very helpful in giving you detailed instructions on how to fix any issues found. And as Ben Franklin said, "An ounce of prevention is worth a pound of cure."