Subscribe by Email

Your email:

Most Popular Posts

Browse by Tag

Posts by Month

The "RISKY BUSINESS" Blog

Current Articles | RSS Feed RSS Feed

Why Information Security and Trust are Different

Posted by John Verry on Fri, May 08, 2009 @ 01:12 PM
  | Share on Twitter Twitter | Submit to Digg digg it |  Add to delicious  delicious |  Submit to StumbleUpon StumbleUpon |  Share On Technorati Technorati | Submit to Reddit reddit 

It wouldn't be a stretch to say that Windows 2000 and all the Windows Iterations before it were insecure by default and that Windows 2003 and forward are secure by default.  So why is it that Windows 2003 may make your environment more secure while at the same time it makes your environment less trustworthy?

I believe there are two predominant reasons:

  1. As we become more confident in Windows security we become less vigilant in our due diligence to validate that Windows is actually operating as intended.
  2. Even when we are vigilant, a network penetration test, the defacto "gold standard" for substantiative testing that an environment as a whole is operating is intended is no longer sufficient.

Windows 2003 is significantly more secure by default than Windows 2000, however, it is not immune to less than optimal configuration and vulnerability patch management issues.  Further, there are often other "less important" (and likely less secure) older platforms, network devices, or older applications that may denigrate the security (and trustworthiness) of the environment as a whole.  So Trust the environment, but remain diligent and verify by appropriate activities.

That segues directly to point two, the "appropriate" activities have changed. As an environment becomes more technically secure there is an implicit and incorrect assumption that the probability that it will be "hacked" definitely goes down.  In fact, I would argue that if the attacker is intentioned, that it does not go down at all.  An intentioned attacker will just alter his attack vector to seek the "new" weakest link (e.g., Social Engineering).   There is an old adage that professionals don't hack systems they hack people (think Kevin Mitnick).

So as your environment grows more secure the tests that you use to measure its security/trustworthiness need to change as well. Many of our more risk averse clients are adding social engineering and/or physical penetration testing into their "verify" activities.  Should you?

Our “slidepaper” on Network Vulnerability Assessment: Key Decision Points, will help broaden your knowledge on VAPT. Find this and more on our Penetration Testing resource page.

Tags: , , , , ,

COMMENTS

Currently, there are no comments. Be the first to post one!
Post Comment
Name
 *
Email
 *
Website (optional)
Comment
 *

Allowed tags: <a> link, <b> bold, <i> italics