You know you need to be testing the security of your Windows environment -- but which route should you take?
Some people claim security audits are the only way to go. Others opt for vulnerability scans. Then there are those who say penetration testing is the best method. And to further muddy the water, many people use all three of these terms interchangeably.
While there is no right or wrong way, the type of security testing you choose will dramatically impact your test results -- and ultimately the security of your Windows servers. When choosing a method, it's important to look at the big picture and ask yourself -- and your security committee -- "What are we really trying to accomplish?"
You may only need a security review that provides a short-term benefit, as in the case of an auditor. On the other hand, you may be looking to integrate security testing over the long haul as part of your overall business risk management process.
In other words, do you simply want to adhere to basic compliance regulations, or do you want to truly dive in and see how your systems hold up against threats?
Only you can answer these questions.
Different tests yield different results
In a nutshell, security audits hit the technical and operational high points; vulnerability assessments dig deeper on technical issues; and penetration testing, while highly focused, won't always provide the full picture of where everything stands.
The variations between the three testing types are shown in Figure 1.
While there's nothing wrong with combining the best of all three types of testing, ethical hacking may provide the most value and be the best overall approach.
Ethical hacking is the methodology of testing your systems -- using good hacking tools and a malicious mindset -- to bring out the worst in your systems so you can plug the holes before they are exploited. By combining vulnerability scanning with penetration testing, ethical hacking enables you not only to find the vulnerabilities that count, but also to see the impact each weakness has on your environment.
With regard to Windows security, ethical hacking surfaces both technical and operational issues that may have been overlooked, as shown in Figure 2.
Performing ethical hacking tests on a periodic but consistent basis is guaranteed to find the issues that really matter with your Windows servers.
ABOUT THE AUTHOR
Kevin Beaver is an independent information security consultant, author, and speaker with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments. Kevin has written five books including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.
This was first published in February 2010