In my experience, security isn't foremost in the mind of most small business owners until it is violated. Proactive network security measures hardly ever get the attention and commitment they deserve, yet in almost every case an ounce of prevention is worth a pound – or much more – of cure. But prevention isn't nearly as exciting as fixing a problem once it happens. I say it's time to make prevention sexy again.
Proactive network security should be the norm rather than the exception, and to understand why, think about the risks: What would happen if your network or PCs went down for hours? Days? The answer could range from inaccessible files to a near-complete business standstill.
But downtime is peanuts; try assigning a value in pounds sterling for the loss of a proprietary business secret which is leaked to the competition.
Not everyone can be, or wants to be, a security expert. Many network security consultants will conduct an initial vulnerability assessment for free in the hopes that you'll hire them to fix the problems they report. A helpful consultant will work with you to understand your business and then provide a prioritised list of recommendations for securing your network and computers. Each vulnerability should be listed individually along with an explanation of potential consequences if it's not addressed. With this information, you can make educated decisions about the steps to be taken to secure your business.
A network security audit follows nearly the same methodology as an attack. First, the attacker maps the network to learn which address ranges and hosts exist. Working from the outside in, an attacker would uncover your public IP addresses through DNS queries and similar reconnaissance. You've got a head start because you already know your IP addressing scheme; it's just a matter of conducting a quick scan (also called a sweep) to determine which addresses have a live host behind them. Bear in mind that a plain ping sweep misses hosts whose firewalls drop ICMP, so a sweep should also try a few common TCP ports.
Second, the attacker probes your devices and hosts to identify potentially vulnerable services. You can use bulk TCP, UDP and ICMP scans to determine which network services – for example HTTP, FTP, SMTP – are listening and may be open to attack. Run from outside your perimeter, these scans also show which traffic your firewall and other security products actually let through, which is not always what their rules were meant to allow. This step typically yields a list of IP addresses, device names and open ports.
Third, the attacker investigates more deeply any potential vulnerabilities identified so far. So if your auditor finds, for example, a workstation running a web server, they might suggest shutting it down as a precaution. If there is a legitimate use for the server, you need to research known vulnerabilities in that particular software and version. This can be a time-consuming task; new vulnerabilities are uncovered and patched almost daily. Fortunately, most vulnerability assessment solutions these days automate this lookup and provide links to advisories and patch downloads.
Fourth, an attacker would exploit the vulnerabilities found and directly circumvent your security mechanisms. In the case of an audit, that's not necessary, of course. If steps one, two and three turn up reachable services with known, unpatched vulnerabilities, you should assume that a determined attacker could execute a successful attack. Patch the vulnerabilities, or disable the services, before that happens.
For the purposes of an audit, go back and assign a business value and priority to each vulnerability. This helps sharpen your focus, and can also help you explain the significance of your security tasks to staff.
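The audit steps above, carried through as an added example in Python. This is not code from the original article, nor from any of the tools it names; the hosts, ports, banners, baseline and business values are all constructed, and the two "services" are stand-ins started on loopback so the script runs offline. It goes slightly beyond the text by recording whether a closed port answered with a refusal (host up, nothing listening) or not at all (probably filtered by a firewall), which is the firewall information the second step talks about.

```python
"""Miniature network audit: sweep, probe, compare to a baseline, prioritise.

Added example, not code from the original article or from Nmap, Nessus or any
other tool it names. Every host, port, banner and business value here is
constructed for illustration.
"""
from __future__ import annotations

import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    host: str
    port: int
    state: str   # "open", "closed" (RST came back) or "filtered" (no answer at all)
    banner: str  # whatever the service volunteered on connect, if anything


def probe(host: str, port: int, timeout: float = 0.5) -> Probe:
    """TCP connect probe of one host:port, recording how the network answered."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return Probe(host, port, "closed", "")    # host is up, nothing listening
    except OSError:
        return Probe(host, port, "filtered", "")  # timed out or unreachable: firewall?
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:
            banner = ""                           # open but silent (HTTP waits for us)
    return Probe(host, port, "open", banner)


def scan(hosts, ports, timeout: float = 0.5, workers: int = 64) -> list[Probe]:
    """Steps one and two: probe every host:port pair in parallel."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))


def live_hosts(results: list[Probe]) -> set[str]:
    """Sweep result: any answer at all (open or RST) proves the host is there."""
    return {r.host for r in results if r.state != "filtered"}


def prioritise(results, baseline, business_value) -> list[dict]:
    """Steps three and four: an open port that is not in the host's baseline
    (the services it is supposed to run) is a finding, ranked by the business
    value the owner assigned to that host."""
    findings = []
    for r in results:
        if r.state == "open" and r.port not in baseline.get(r.host, set()):
            findings.append({"host": r.host, "port": r.port, "banner": r.banner,
                             "priority": business_value.get(r.host, 1)})
    findings.sort(key=lambda f: -f["priority"])
    return findings


def start_fake_service(banner: bytes) -> tuple[socket.socket, int]:
    """Constructed stand-in for a real daemon: greets every client with a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                    # port 0: let the OS pick one
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                            # server socket closed: stop
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Audit two constructed services on loopback; only the first is sanctioned."""
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-example\r\n")
    ftp_srv, ftp_port = start_fake_service(b"220 example ftp ready\r\n")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                                 # now nothing listens there
    try:
        results = scan(["127.0.0.1"], [ssh_port, ftp_port, closed_port])
        findings = prioritise(results,
                              baseline={"127.0.0.1": {ssh_port}},   # constructed policy
                              business_value={"127.0.0.1": 5})      # constructed rating
    finally:
        ssh_srv.close()
        ftp_srv.close()
    return {"live": live_hosts(results), "results": results, "findings": findings,
            "ssh_port": ssh_port, "ftp_port": ftp_port, "closed_port": closed_port}


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f"P{f['priority']} {f['host']}:{f['port']} {f['banner']!r} not in baseline")
```

A connect scan like this is noisy and only covers TCP; the real tools the next section names add UDP probes, SYN scanning and service fingerprinting. The baseline check is the useful idea to keep: an inventory of what each host should be running turns a raw port list into a short, ranked set of things to investigate.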
Tools of the trade
There are many ways to go through the audit. I like to use a combination of free and commercial tools. The best-known free tools are Nmap, a port scanner, and Nessus, a vulnerability scanner that identifies services and checks them against known vulnerabilities. Of those two, Nmap is easier to install and use, but Nessus has better reporting. Note that Nessus is free only for limited use (the current free edition, Nessus Essentials, is capped at 16 IP addresses); anything larger needs a commercial licence. Also check out SuperScan, the Windows port scanner from Foundstone, now part of McAfee.
Commercial tools I like include GFI LANguard and the eEye 1505 Security Management Appliance. If you're willing to spend the money, in return you'll get more information about each vulnerability and its remediation – not to mention more polished interfaces, more capabilities, and better reporting.