Practical Security Infrastructure Testing

Practical Security Infrastructure Testing

Before you get to this point, you want to have tested the security of you deployment very carefully, and this often gets overlooked in project planning. Many a project has stalled because the business would not approve connecting an untested build to the Internet, and it was not possible to perform effective testing without having the infrastructure connected to the Internet. Consideration should be given to security testing as early as possible in the design phase of the project: who will do the testing, and what sort of access and connectivity will they need? How can that access and connectivity be provisioned without exposing the new deployment to the Internet at large?

TestLogistics recommends that the first phase of security testing be conducted in house, using static testing techniques to ensure that the design and configuration of the new infrastructure complies with the organisation's security policy, and to establish a working baseline. This work can be started very early in the project, and should ideally be commenced before the detailed design is signed off and before equipment is purchased. Regular review phases will ensure that there is no unapproved "drift" from the baseline.

Melodie Neal (Principal Consultant with TestLogistics, and a Certified Internet Systems Security Professional) recommends that the second phase of security infrastructure testing should be white box style internal testing, conducted from within the network where the new infrastructure resides. In this phase the testers should be given access to the systems either as trusted users, or as attackers who have already breached the defences. The goal in this phase is to uncover vulnerabilities that could be exploited, and to understand the extent of the damage that a successful attack could cause.

External testing should initially be mimicked using a harness to emulate access from the Internet. This type of harness can often be provisioned using a low-end router to provide connectivity for the testers to the "outside" of the infrastructure. Testing in this phase should include a mix of positive and negative testing, to ensure that traffic and transactions that should pass and succeed do so, and that all other traffic is blocked, and that appropriate logging is in place.

Formal penetration testing should always be performed by a third party. A third party is more likely to spot deficiencies that the people who have worked on building the infrastructure. If a third party is engaged to perform internal testing, that work should be completed and the results analysed and any defects remediated before external testing proceeds. Both internal and external testing should be re-executed on a regular basis, in line with the organisation's security policy.

POST COMMENT

Security guide Server Security: Don't Get Pwned By Hackers! Makita Cordless Drill: Best-known for Usefulness, Security and Overall performance PC Security 2009 Removal Instruction - How to Remove PC Security 2009 Quickly Colocation Web Hosting Security Storing Colocation Web Hosting Provides Security My Top Ten Essential Plugins For WordPress Blogs Performance, Results and Security A Best Way to Remove the Win 7 Security 2011 Virus What Options are Available for Gaining a Degree in Security? Utah Security: What You Need To Know About Motion Sensors Apartment Security: The Benefits Far Out Weigh the Costs Providing PC Security Today Suitable Materials for Heavy Duty Hinges and Security Hinges