PART 3 - POLICY REVIEW

The final part of penetration testing is a review of the corporate security policy. This part, the least time consuming, involves comparing the company's or organization's access and use policy with the behavior actually observed in the systems. The access and use policy may not accurately reflect system access and use procedures and habits. System and network security is like radioactive material in storage: it tends to decay over time. The more users, systems, and administrators in the system, the shorter the security half-life. Network security is not an implement-and-forget concept; it must be monitored and maintained over time. If the client organization's access and acceptable use policy is outdated or inadequate, we encourage the client to modify it to match existing practices and procedures. If existing security practices and procedures are inadequate, we likewise encourage the client to explore and implement alternatives.

CONCLUSION

In this paper we have argued for the need for a systematic methodology to guide firewall testing, describing the methodology we use when we perform this activity for clients. We do not intend to suggest that others follow this methodology verbatim, but encourage others to closely scrutinize each step to determine whether or not to add procedures to their own firewall testing procedures. Most importantly, we strongly encourage everyone to use some kind of carefully planned, detailed methodology for firewall testing, and reiterate our concern about the too frequent use of non-methodical approaches. We seldom perform all the procedures we have presented, however, because most clients desire a "quick and dirty" picture of the effectiveness of their firewall(s). We have in fact most frequently performed the first part of the three parts we describe as a complete firewall testing procedure.

Should resources permit, performing a more complete test that includes all procedures described in the paper is more advantageous from the standpoint of security. At this point an intriguing question logically emerges: which is better, to perform several small-scale tests at regular intervals (e.g., three times per year), or one complete test once a year? The answer depends largely upon both the specific needs of the organization and the degree to which change control procedures are used. If an organization sets up a firewall securely and carefully follows change control procedures (such that the security ramifications of each change in the organization's network are anticipated and controlled), an initial in-depth test followed by small-scale tests at regular intervals is more appropriate. If an organization does not use careful change control procedures for its network, regular in-depth tests are more appropriate. Perhaps the most important point is that, regardless of other considerations, regular firewall testing is much more valuable than occasional testing; the former provides timely feedback concerning the ability of the firewall to meet its requirements.
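The policy-versus-practice comparison in Part 3 above, as an added example that is not part of the paper: it takes a written access policy (which destination ports each source zone may reach) and a set of firewall log lines, and reports both practice the policy does not cover and policy entries never exercised in practice. The policy table, the zone names and the key=value log format are all constructed for illustration, not taken from any real product.

```python
"""Drift check between a written access policy and observed firewall behavior.
Added example; the policy, zones and log format below are constructed."""
from collections import Counter

# Constructed access-and-use policy: destination ports each source zone may reach.
POLICY = {
    "internal": {"dst_ports": {80, 443, 25}},
    "dmz": {"dst_ports": {25}},
}

# Constructed firewall log lines (space-separated key=value, a made-up format).
OBSERVED_LOG = """\
action=ACCEPT src_zone=internal dst_port=443
action=ACCEPT src_zone=internal dst_port=443
action=ACCEPT src_zone=internal dst_port=22
action=ACCEPT src_zone=dmz dst_port=25
action=ACCEPT src_zone=dmz dst_port=3306
action=DROP src_zone=dmz dst_port=3306
action=ACCEPT src_zone=guest dst_port=80
"""


def parse_log(text):
    """Turn each key=value line into a dict; blank lines are ignored."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def compare_policy(policy, records):
    """Return (undocumented, unused): accepted traffic the policy does not
    permit (practice has drifted from policy) and policy-permitted ports
    never seen in the log (policy may be outdated). Only ACCEPT entries
    count, since dropped traffic is the firewall enforcing policy."""
    observed = {}
    for r in records:
        if r.get("action") != "ACCEPT":
            continue
        observed.setdefault(r["src_zone"], Counter())[int(r["dst_port"])] += 1
    undocumented, unused = {}, {}
    for zone, rules in policy.items():
        seen = observed.get(zone, Counter())
        extra = {p: n for p, n in seen.items() if p not in rules["dst_ports"]}
        if extra:
            undocumented[zone] = extra
        never = rules["dst_ports"] - set(seen)
        if never:
            unused[zone] = never
    for zone in observed:          # zones active in practice but absent from policy
        if zone not in policy:
            undocumented[zone] = dict(observed[zone])
    return undocumented, unused
```

Each undocumented finding is either practice to be stopped or a policy gap to be documented, which is exactly the decision Part 3 leaves to the client.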