Audits, security assessments, penetration testing and its little sister, vulnerability scanning, are useful tools to get an idea of the weaknesses in your network. They are important enough for standards such as PCI-DSS, ISO/IEC 27001, SOX and others to insist on them, and many governments around the world insist on them for their agencies. So we’ll give people a hand and help you with the report.
How can we do that? Easily. We are all individuals, but we are all red inside and have a head, arms, legs, fingers and toes, although the numbers may vary. Likewise, networks have firewalls, routers, switches, servers, desktops, networking staff and, let us not forget, users. So, not surprisingly, the issues you come across when doing assessments are remarkably similar from organisation to organisation. The degree of the issue may vary, but you will find many of them in every organisation.
Why is that? Hands up those of you who love documentation and can honestly say yours is all up to date and accurate. Hands up those of you who have all the staff you need, the budget, senior management support, oh, and no users. If you have all of this, then well done. For the rest of us the world is not quite that rosy, which is why every network has security issues and many of them are the same for everyone.
No doubt for some of these your response will be, “well duh”, but you’d be surprised how many organisations have these issues. So let us start the report.
That will do from me for now. All of the above we see over and over and over again. If you have some to add, let me know; ideally you’ve seen them in a number of organisations and they are on the "why don't they just fix it" list.
Mark H - Shearwater
Feb 15th 2008