Security testing: Finding the best method for your Windows servers

You know you need to be testing the security of your Windows environment -- but which route should you take?

Some people claim security audits are the only way to go. Others opt for vulnerability scans. Then there are those who say penetration testing is the best method. And to further muddy the water, many people use all three of these terms interchangeably.

While there is no single right or wrong way, the type of security testing you choose will dramatically affect your test results -- and ultimately the security of your Windows servers. When choosing a method, it's important to look at the big picture and ask yourself -- and your security committee -- "What are we really trying to accomplish?"

You may only need a security review that provides a short-term benefit, as in the case of satisfying an auditor. On the other hand, you may be looking to integrate security testing over the long haul as part of your overall business risk management process.

In other words, do you simply want to adhere to basic compliance regulations, or do you want to truly dive in and see how your systems hold up against threats?

Only you can answer these questions.

Different tests yield different results

In a nutshell, security audits hit the technical and operational high points; vulnerability assessments dig deeper on technical issues; and penetration testing, while highly focused, won't always provide the full picture of where everything stands.

The variations between the three testing types are shown in Figure 1.

Figure 1: Comparing the different types of security testing

While there's nothing wrong with combining the best of all three types of testing, ethical hacking may provide the most value and be the best overall approach.

Ethical hacking is the methodology of testing your systems -- using good hacking tools and a malicious mindset -- to bring out the worst in your systems so you can plug the holes before they are exploited. By combining vulnerability scanning with penetration testing, ethical hacking enables you not only to find the vulnerabilities that count, but also to see the impact each weakness has on your environment.

With regard to Windows security, ethical hacking surfaces both technical and operational issues that may have been overlooked, as shown in Figure 2.

Figure 2: Using ethical hacking to find the best of the worst in your Windows servers

Performing ethical hacking tests on a periodic but consistent basis is the most dependable way to find the issues that really matter with your Windows servers.

ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.

This was first published in February 2010
