Eight reasons to plan out your security testing

Performing a vulnerability assessment on your Windows networks is already a complicated process. Security is always an urgent matter and the urge with testing is to get to it right away to find and fix vulnerabilities. But if you're going to do things right, you absolutely, positively have to plan out your security testing strategies and work in a methodical fashion.

Imagine if software developers didn't use a basic plan/design/develop/test/deploy/maintain methodology (okay, some don't, but that's another discussion) -- or, think about what would happen if bridge engineers or building architects just threw their stuff together in a hurry. Think they'd be effective? Think they'd stay in business!? Well, the same goes for security vulnerability testing. You've got to have a plan if you're going to be successful. You can't just wing it and hope that you will catch everything and any security problems will go away. Here are 8 reasons why:

  1. You'll inevitably forget one or more systems or applications to test (i.e. old file servers, random Web apps and databases, etc.) or not know how to approach a specific system (with authentication, without authentication, etc.) and then You'll have to go back and plan things out easily wasting double the time it would've taken otherwise.
  2. Not getting proper approval from management or the project sponsor can backfire -- big time -- making everyone involved look bad.
  3. The time management

    Requires Free Membership to View

  1. and achievement experts have found that for every one minute we plan, we can save five minutes in execution -- what more needs to be said?
  2. Everyone won't be on the same page and everyone's expectations won't be set. When this happens, the impact of any problems you come across (system crashes is a common one that comes to mind) will be much greater. You'll also have a lot more explaining to do.
  3. More on this topic

    Testing Group Policy security

    Guide to penetration testing

    View Kevin Beaver's webcast on network vulnerability assessment

    Guide to network security

  4. There can be delays in your ability to use the commercial tools you're expecting to use. This has happened to me on more than one occasion where I think my license is current or I know I've got to update it and think it'll only take a short period of time to renew. Waiting until the last minute has delayed my testing -- by days on a couple of occasions -- because the vendors have not always been responsive in getting me updated licenses. Those vendor client acquisition/accounts receivable shortcomings now become your problems.
  5. You'll undoubtedly run your tests at the wrong time. There's never a really ideal time to test for security vulnerabilities, but if you don't plan out your time and dates, you'll likely run into conflicts with batch jobs, high traffic volume, backups running, etc. which can not only delay your tests but also cause systems to crash.
  6. Vital resources you often need in IT, project management, product management, executive sponsors, etc. may not be there to help answer questions, explain how systems work, and help in other capacities you'll undoubtedly need when rooting through your systems.
  7. A part of the planning process is to actually have a set testing methodology (i.e. reconnaissance, enumeration, finding vulnerabilities, exploiting any weaknesses, reporting on your findings, and following up to ensure the holes are plugged. You can use, in part, something as high-level as the ISO/IEC 17799:2005 framework. I recommend you check out two other resources as well – 1) the OCTAVE methodology and 2) the Open Source Security Testing Methodology Manual (OSSTMM).

If you ask yourself what is it you're going to do, how you're going to go about doing it and then prioritize your tasks to make sure you're focusing on the urgent and important areas, you'll use your time wisely and really start seeing positive results in your security testing.

This tip originally appeared on SearchWindowsSecurity.com.

About the author:
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

This was first published in March 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.