Practical Security Infrastructure Testing

By Author: creswebs
Total Articles: 72
Comment this article

When building and deploying new security infrastructure, the moment eventually arrives where you have to connect your new system to the Internet. This is the moment of truth, where you expose your carefully crafted infrastructure to hackers, crackers, phishers and script kiddies who are always to exploit someone else’ mistakes.
Before you get to this point, you want to have tested the security of you deployment very carefully, and this often gets overlooked in project planning. Many a project has stalled because the business would not approve connecting an untested build to the Internet, and it was not possible to perform effective testing without having the infrastructure connected to the Internet. Consideration should be given to security testing as early as possible in the design phase of the project: who will do the testing, and what sort of access and connectivity will they need? How can that access and connectivity be provisioned without exposing the new deployment to the Internet at large?
TestLogistics (www.testlogistics.net) recommends that the first phase of security testing be conducted in house, ...
... using static testing techniques to ensure that the design and configuration of the new infrastructure complies with the organisation’s security policy, and to establish a working baseline. This work can be started very early in the project, and should ideally be commenced before the detailed design is signed off and before equipment is purchased. Regular review phases will ensure that there is no unapproved “drift” from the baseline.
Melodie Neal (Principal Consultant with TestLogistics, and a Certified Internet Systems Security Professional) recommends that the second phase of security infrastructure testing should be white box style internal testing, conducted from within the network where the new infrastructure resides. In this phase the testers should be given access to the systems either as trusted users, or as attackers who have already breached the defences. The goal in this phase is to uncover vulnerabilities that could be exploited, and to understand the extent of the damage that a successful attack could cause.
External testing should initially be mimicked using a harness to emulate access from the Internet. This type of harness can often be provisioned using a low-end router to provide connectivity for the testers to the “outside” of the infrastructure. Testing in this phase should include a mix of positive and negative testing, to ensure that traffic and transactions that should pass and succeed do so, and that all other traffic is blocked, and that appropriate logging is in place.
Formal penetration testing should always be performed by a third party. A third party is more likely to spot deficiencies that the people who have worked on building the infrastructure. If a third party is engaged to perform internal testing, that work should be completed and the results analysed – and any defects remediated – before external testing proceeds. Both internal and external testing should be re-executed on a regular basis, in line with the organisation’s security policy.
About TestLogistics
TestLogistics is a leading provider of Testing Logistics Solutions (including Test Environments Management, Test Data Management, Harnessing and Test Lab Operations), Technical Testing Solutions (i.e. Performance Testing, Infrastructure, Security, SOA & Test Automation) & Senior Test Consulting Strategy. TestLogistics provide top tier organisations with a range of services which enable significant improvements on quality, delivery and overall value.

a href=http://www.testlogistics.net/"">Test Data Management