Reality check

When you've allocated your scarce resources to implement the most effective, balanced mix of insurance, security procedures and technology that you can afford, to understand the residual risk you face — and there always is some residual risk — it's time to test your security.

A comprehensive test must include:

Network topology analysis. Review of policies, practices and procedures. Vulnerability assessment. Technological penetration testing. Social engineering penetration testing. A network topology analysis helps you understand the actual, as opposed to planned, topology of your networks. It identifies unsuspected gateways in your subnetworks and compartments that can provide an insider with access to information you thought was available only to a select group. It also locates the modems that aren't supposed to be there, but that provide remote access into your systems by bypassing firewalls and other access controls. One analysis of a large network identified more than a hundred modems that were either built into workstations or had been brought in by employees who wanted to check their e-mail or favorite Web sites without having to deal with firewall filters.

A complete review of policies, practices and standard operating procedures is inexpensive and can turn up a variety of weaknesses that can cost you dearly in disclosure and misuse of trade secrets, in an inability to prosecute hackers or insiders abusing their access privileges, and even get you in legal trouble for monitoring your own systems.

A vulnerability assessment is a look at the infrastructure before an attack to detect weaknesses. It's like turning off the lights in a room to check for light leaking in from the outside. It gives you the chance to make sure all the patches for known flaws that should have been implemented actually have been. It also checks the password file to ensure that your people haven't chosen weak, easily recoverable passwords.

Technical penetration testing means hacking your own systems. It involves trying to break in from the outside. A good test uses the tools and methods that hackers use to break in, but even the best test is normally limited in time and scope, unlike the real hackers who can take as much time as they want and try as many paths into your systems as they can find.

Don't forget social engineering. Attacks by fraudulent users work surprisingly well and can provide the attacker with a great deal of information that facilitates later technical attacks on your systems. Your countermeasure is training and awareness programs at all levels of the organiz-ation.

You can, of course, perform these tests using your own resources, and you should. But just as you don't rely on the accounting department to certify that the books are correct without periodic outside audits, you shouldn't overlook the necessity for a test of the security of your IT infrastructure by outside, objective security auditors.

Ryan is an attorney, businessman and member of the George Washington University faculty.