For the purposes of this post, external network delta testing refers to running network mapping and automated vulnerability scanning over a fixed set of Internet-facing hosts at a consistent interval, and comparing each run against the previous ones. An example would be performing automated assessments and network mapping every business quarter over an organization's external IP space.
Performing ongoing delta tests of an external environment can provide an organization with several key benefits:
Together, these benefits give an organization a clearer view of its Internet-facing attack surface and security posture.
Initial testing to set a baseline is required so that an organization knows where it started. The baseline makes it possible to gauge changes in security posture over time and to judge which current strategies are working and which need to be modified.
The value of external network delta testing lies in how the data from these tests is used to make decisions within an organization. If the results are not reviewed and acted on, the testing is no more effective at improving security than no testing at all. If, however, each run is compared against the previous ones, it becomes possible to identify where problems exist.
Such problems include new hosts that appear during network mapping, which may indicate malicious activity or a service that was stood up without being documented, and gaps in a patch management solution that leave systems exposed to newer attacks. Cigital's advice on the matter is to know your network and monitor for any changes that may indicate risk; organizations such as SANS likewise put device and software inventory at the top of the Critical Security Controls (CSC 1 and CSC 2) and also recommend Continuous Vulnerability Assessment and Remediation (CSC 4).
Cigital's assessment experience shows that some of the largest infrastructure risks to an organization stem from missing security updates. Patching is a crucial step in minimizing risk and removes much of the threat from external attackers.
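The comparison step described above, as an added example that is not Cigital's code or tooling: a Python script that parses two nmap XML outputs and reports new and missing hosts, newly opened and closed ports, and service version changes between a baseline and a later run. The two scans are constructed inline over the RFC 5737 TEST-NET-3 range 203.0.113.0/29; the hosts, ports and versions in them are hypothetical.

```python
"""Delta two nmap XML scans and report what changed since the baseline.

Added example, not code from the original post. The two documents below are
constructed inline to stand in for `nmap -sV -oX baseline.xml <range>` and a
later `nmap -sV -oX current.xml <range>` over the same hypothetical /29.
"""
import xml.etree.ElementTree as ET

# Constructed baseline: two hosts up in 203.0.113.0/29 (TEST-NET-3, RFC 5737).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1451606400">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.10.0"/></port>
  </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="25"><state state="open"/><service name="smtp" product="Postfix"/></port>
  </ports></host>
</nmaprun>"""

# Constructed current scan, one quarter later: .11 is down, .12 is new and
# exposes RDP, .10 grew an undocumented 8080 and its nginx changed version.
CURRENT_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" start="1459468800">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.2"/></port>
    <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.10.3"/></port>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat"/></port>
    <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
  </ports></host>
  <host><status state="down"/><address addr="203.0.113.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="203.0.113.12" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
  </ports></host>
</nmaprun>"""


def parse_scan(xml_text):
    """Return {ip: {(proto, port): service}} for hosts that are up; open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noise for a delta
            svc = port.find("service")
            fields = [] if svc is None else [svc.get("name"), svc.get("product"), svc.get("version")]
            key = (port.get("protocol"), int(port.get("portid")))
            ports[key] = " ".join(f for f in fields if f) or "unknown"
        hosts[addr.get("addr")] = ports
    return hosts


def delta(baseline, current):
    """Compare two parsed scans; return the changes a reviewer should triage."""
    report = {"new_hosts": sorted(set(current) - set(baseline)),
              "missing_hosts": sorted(set(baseline) - set(current)),
              "new_ports": [], "closed_ports": [], "changed_services": []}
    for ip in sorted(set(baseline) & set(current)):
        before, after = baseline[ip], current[ip]
        for proto, port in sorted(set(after) - set(before)):
            report["new_ports"].append((ip, proto, port, after[(proto, port)]))
        for proto, port in sorted(set(before) - set(after)):
            report["closed_ports"].append((ip, proto, port, before[(proto, port)]))
        for proto, port in sorted(set(before) & set(after)):
            if before[(proto, port)] != after[(proto, port)]:
                report["changed_services"].append(
                    (ip, proto, port, before[(proto, port)], after[(proto, port)]))
    return report


def format_report(report):
    """Render the delta as plain text, one finding per line."""
    lines = [f"NEW HOST       {ip}" for ip in report["new_hosts"]]
    lines += [f"MISSING HOST   {ip}" for ip in report["missing_hosts"]]
    lines += [f"NEW PORT       {ip} {port}/{proto} ({svc})" for ip, proto, port, svc in report["new_ports"]]
    lines += [f"CLOSED PORT    {ip} {port}/{proto} ({svc})" for ip, proto, port, svc in report["closed_ports"]]
    lines += [f"SERVICE CHANGE {ip} {port}/{proto}: {old} -> {new}"
              for ip, proto, port, old, new in report["changed_services"]]
    return "\n".join(lines) if lines else "no change since baseline"


if __name__ == "__main__":
    print(format_report(delta(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML))))
```

On real runs, feed the contents of the two `nmap -sV -oX` files to `parse_scan`. Every line of the report is a question for the owner of the network rather than an answer: the new host on 203.0.113.12 exposing RDP is either an undocumented system or something that should not be there, the new 8080 on .10 is a service nobody recorded, the nginx version change shows whether patching is happening, and a host that has gone missing may have been decommissioned or may have been firewalled without anyone updating the inventory. nmap ships its own `ndiff` utility for comparing two XML scans in full; the script above keeps just the logic so that the findings are small enough to triage after each quarterly run.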
An organization's ability to know the current state of its environment is important when making decisions that concern infrastructure. An up-to-date network map lets individuals within the organization see which systems are currently in production and what risk each poses to the network. This information helps build a more secure environment by providing the data needed to make better decisions and to apply the principle of least functionality to shrink the attack surface. It also supports ongoing discussions about which services are required and which can be disabled to reduce organizational risk.
Continued automated testing helps organizations improve security, reduce risk, and compare current results to historical data in order to determine how their security posture has changed over time. This lets organizations judge the effectiveness of current strategies and alter course where necessary.
Multiple services, such as shodan.io, continuously index the Internet and make the results searchable. Every organization with an external Internet presence is therefore indexed and easily searchable for common vulnerabilities and high-value target systems. It is very beneficial for an organization to scan its own systems regularly so that it sees the same information attackers already have access to.
Justin Soderberg is a senior security consultant at Synopsys. He has been involved with a wide variety of clients, spanning SMBs and large enterprises, working on a variety of security activities including vulnerability assessments, network penetration tests, and source code reviews. Justin specializes in network security, and looks forward to growing his capabilities in this area. In addition to network security, he is particularly interested in wireless security and red teaming.