The Importance of Assessment Services and Penetration Testing

By Tom Schmidt

How relevant is penetration testing to today's network operators? Gartner security analyst Joe Pescatore recently spelled out what's at stake, in an interview with ServerWatch:

"Previously, companies needed to do vulnerability scanning on their network before attackers did, but since attackers have moved from vulnerability scanning to fairly targeted penetration testing, companies now need to carry out penetration testing before the attackers do."

That's especially the case when it comes to protecting today's 3G wireless and IP network infrastructure. But while an operator is likely to understand the importance of security as a requirement, it's not typically approached as a core competency. Read on to learn how the current threat environment makes assessment services and penetration testing essential for network operators seeking to ensure that their infrastructure investment is protected.

The scope of the problem
How does today's threat environment actually impact network operators? According to research, 212,101 new malicious code threats were detected in the first six months of 2007. This is a 185% increase over the previous period when 74,482 new threats were detected and a 318% increase over the first half of 2006. This brings the total amount of threats identified to 622,500 as of the end of June 2007. This means that more than one-third of all malicious code threats currently detected were created in the first six months of 2007.

Not only are such threats increasing, but malicious code writers are taking greater pains to avoid detection. In fact, attackers have developed numerous evasion mechanisms. Moreover, even when detected, the threats tenaciously resist removal.

At the same time, some malicious code programs are being designed specifically to expose confidential information stored on an infected computer. These threats may expose sensitive data such as system information, confidential files and documents or logon credentials. Threats to confidential information are a particular concern because of their potential for use in criminal activities.

In the first six months of 2007, threats to confidential information made up 65% of potential infections by the top 50 malicious code samples studied. That’s an increase from 53% in the second half of 2006.

Another worrisome development: the ongoing and widespread proliferation of bots, which telecom carriers continue to wage war against. Bots are programs that are covertly installed on a user's machine in order to allow an unauthorized user to control the computer remotely. They're frequently used to harvest confidential information from compromised computers, which can lead to identity theft. Bots can also be used to distribute spam and phishing attacks, as well as spyware, adware and misleading applications.

Researchers observed 5,029,309 distinct bot-infected computers during the first half of 2007, a decrease from the last six months of 2006. The decrease is likely due to a number of reasons, the primary one likely being a change in bot attack methods. For example, the lifespan of the average bot-infected computer is currently just four days.

Finally, consider the results of a recent survey by IBM. The survey, conducted among more than 65 carriers worldwide, found that while a majority of telecom carriers plan on rolling out next-generation network architecture in the next five years, less than half of them say they have strategies in place to protect their NGNs. That suggests carriers are focused on upgrading their services first, then upgrading security as they go.

The need to be proactive
With today's 3G wireless and IP network infrastructure susceptible to a number of new vulnerabilities and risks, it is essential that network operators proactively approach this infrastructure and its related elements with a security-centric mindset.

Through 3G and IP core network penetration testing and security assessment services, operators can receive an assessment of core components, a review of the MPLS network, and insight into other operational vulnerabilities. This testing includes:

• Security review methodology The methodology should be based upon years of experience in network administration, penetration testing, integration engineering, incident forensics and incident response. Each review is designed to identify and demonstrate network, system and application vulnerabilities that could enable external or internal unauthorized access to occur.

• Security Assessment Services Current vulnerabilities should be detected; policies and practices that could enable vulnerabilities to be exploited should be analyzed; and clearly defined, phased recommendations for improvement should be provided.

• Testing goals and objectives This phase helps operators understand the technical exposure that exists from multiple entry points into the network as well as the potential impact. The testing service allows them to measure and identify exposure from end users, roaming partners and rogue employees.

Consultants provide lifecycle programs for securing the application development process, including:

• Application Development Lifecycle Review Provides recommendations for establishing secure application development processes. The service identifies security practices already in place and suggests improvements that can be made to ensure that security is appropriately addressed in all phases of the application development life cycle.

• Application Design Assessment Evaluates the security controls implemented within an application to provide an understanding of potential security risks. The service offers organizations guidance on how best to apply their resources to address application security issues so applications may better satisfy their business needs.

• Application Code Review Provides expert review of source code for security-critical components to help identify, prioritize and remediate potentially exploitable security vulnerabilities. Application security experts offer coding best practices and suggest improvements to the development process to help reduce vulnerabilities and improve security.

• Application Penetration Test Evaluates the security of applications and provides specific, prioritized remediation guidance for application security vulnerabilities. By helping identify and eliminate security vulnerabilities in applications prior to deployment, the tests help organizations reduce patching efforts, mitigate the risks associated with applications and demonstrate due diligence.

Conclusion
Pen testing and security assessment services bring a security-centric focus and deep understanding of the technical exposure that exists in today’s 3G wireless and IP network infrastructure. They're also essential for evaluating the security of the operations environment against best practices.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.