Chapter 22

Ten Deadly Mistakes

Making the wrong choices in your security testing can wreak havoc on your work, possibly even your career. In this chapter, I discuss ten potential pitfalls to be keenly aware of when performing your security assessment work.

Not Getting Prior Approval

Getting documented approval in advance, such as an e-mail, an internal memo, or a formal contract for your ethical hacking efforts — whether it’s from management or from your client — is an absolute must. It’s your “Get Out of Jail Free” card.

Warning: Allow no exceptions here — especially when you’re doing work for clients: Make sure you get a signed copy of this document for your files so that you’re protected.

Assuming You Can Find All Vulnerabilities During Your Tests

So many security vulnerabilities exist — known and unknown — that you won’t find them all during your testing. Don’t make any guarantees that you’ll find all the security vulnerabilities in a system. You’ll be starting something that you can’t finish.

Stick to the following tenets:

  • Be realistic.
  • Use good tools.
  • Get to know your systems and practice honing your techniques.

I cover each of these in various depths in Chapters 5 through 16.

Assuming You Can Eliminate All Security Vulnerabilities

When it comes to networks, computers, and applications, 100 percent, ironclad security is not attainable. You can’t possibly prevent all security vulnerabilities, but you’ll do fine if you uncover the low-hanging fruit that creates most of the risk and accomplish these tasks:

  • Follow solid practices — the security essentials that have been around for decades.
  • Patch and harden your systems.
  • Apply reasonable security countermeasures where you can based on your budget and your business needs.

Many chapters, such as the operating system chapters in Part IV, cover these areas. It’s also important to remember that you’ll have unplanned costs. You may find lots of security problems and will need the budget to plug the holes. Perhaps you now have a due care problem on your hands and have to fix the issues uncovered. This is why you need to approach information security from a risk perspective and have all the right people on board.

Performing Tests Only Once

Security assessments are a mere snapshot of your overall state of security. New threats and vulnerabilities surface continually, so you must perform these tests periodically and consistently to make sure you keep up with the latest security defenses for your systems. Develop both short- and long-term plans for carrying out your security tests over the next few months and next few years.

Thinking You Know It All

Even though some in the field of IT would beg to differ, no one working in IT or information security knows everything about this subject. Keeping up with all the software versions, hardware models, and emerging technologies, not to mention the associated security threats and vulnerabilities, is impossible. True IT and information security professionals know their limitations — that is, they know what they don’t know. However, they do know where to get answers through the myriad of online resources, such as those I’ve listed in the Appendix.

Running Your Tests Without Looking at Things from a Hacker’s Viewpoint

Think about how a malicious outsider or rogue insider can attack your network and computers. Get a fresh perspective and try to think outside the proverbial box about how systems can be taken offline, information can be stolen, and so forth.

Tip: Study criminal and hacker behaviors and common hack attacks so you know what to test for. I’m continually blogging about this subject at http://securityonwheels.com/blog. Check out the Appendix for other trusted resources that can help you in this area.

Not Testing the Right Systems

Focus on the systems and information that matter most. You can hack away all day at a standalone desktop running Windows XP or at a training room printer with nothing of value, but does that do any good? Probably not. But you never know. Your biggest risks might be on the seemingly least critical system. Focus on what’s urgent and important.

Not Using the Right Tools

Without the right tools for the task, getting anything done without driving yourself nuts is impossible. It’s no different than working around the house, on your car, or in your garden. Good tools are an absolute must. Download the free and trial-version tools I mention throughout this book and in the Appendix. Buy commercial tools when you can — they’re usually worth every penny. No one security tool does it all, though.

Remember: Building your toolbox and getting to know your tools well will save you gobs of effort, you’ll impress others with your results, and you’ll help minimize your business’s risks.

Pounding Production Systems at the Wrong Time

One of the best ways to tick off your manager or lose your client’s trust is to run security tests against production systems when everyone is using them. This is especially true for those running older, more feeble operating systems and applications. If you try to test systems at the wrong time, expect that the critical ones may be negatively impacted at the absolute worst moment. Make sure you know the best time to perform your testing. It might be in the middle of the night. (I never said information security testing was easy!) This might be reason to justify using security tools and other supporting utilities that can help automate certain tasks, such as vulnerability scanners that allow you to run scans at a certain time.
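Three of the mistakes above (no documented approval, testing the wrong systems, and scanning production at the wrong time) can be caught mechanically before a scanner ever starts. The following is an added example, not code from this book or from any scanner it mentions: a pre-flight guard that reads a small transcription of the signed approval (the file format, the keys `scope`, `exclude`, `window` and `weekdays`, and the sample addresses are all assumptions made for illustration) and reports which targets may be scanned right now and why the rest are held back.

```python
"""Pre-flight guard for scheduled security testing (added example, not the book's code).

The approval file format below is an assumption: it is one way to transcribe
the signed approval memo into something a scheduler can check. Addresses and
times are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample transcription of an approval memo (not a real engagement).
SAMPLE_APPROVAL = """
# Approved scope and testing window (constructed example)
scope: 10.10.20.0/24
scope: 192.0.2.10
exclude: 10.10.20.5        # production database host, explicitly out of scope
window: 22:00-05:00        # agreed maintenance window, crosses midnight
weekdays: Sat Sun          # calendar days on which the window may be used
"""


@dataclass
class Approval:
    scope: list = field(default_factory=list)      # ip_network objects allowed
    exclude: list = field(default_factory=list)    # ip_network objects denied
    window_start: time = time(0, 0)
    window_end: time = time(23, 59)
    days: set = field(default_factory=set)         # e.g. {"Sat", "Sun"}; empty = any day


def parse_approval(text: str) -> Approval:
    """Parse the key: value lines of the approval transcription; reject unknown keys."""
    ap = Approval()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "scope":
            ap.scope.append(ipaddress.ip_network(value, strict=False))
        elif key == "exclude":
            ap.exclude.append(ipaddress.ip_network(value, strict=False))
        elif key == "window":
            start, end = value.split("-")
            ap.window_start = time.fromisoformat(start)
            ap.window_end = time.fromisoformat(end)
        elif key == "weekdays":
            ap.days = {d.capitalize()[:3] for d in value.split()}
        else:
            raise ValueError(f"unknown approval key: {key}")
    return ap


def in_scope(ap: Approval, target: str) -> bool:
    """Exclusions win over scope, so a carved-out host is never scanned."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in ap.exclude):
        return False
    return any(addr in net for net in ap.scope)


def _as_dt(now) -> datetime:
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def in_window(ap: Approval, now) -> bool:
    """True if `now` (datetime or ISO string) is inside the approved window.

    The weekday check uses the calendar day of `now`; for a window that
    crosses midnight, list both days in the approval.
    """
    now = _as_dt(now)
    if ap.days and now.strftime("%a") not in ap.days:
        return False
    t = now.time()
    if ap.window_start <= ap.window_end:
        return ap.window_start <= t <= ap.window_end
    return t >= ap.window_start or t <= ap.window_end   # window crosses midnight


def preflight(ap: Approval, targets: list, now) -> dict:
    """Return which targets may be scanned now and the reason each other one is held."""
    if not in_window(ap, now):
        return {"allowed": [], "held": {t: "outside approved window" for t in targets}}
    allowed, held = [], {}
    for t in targets:
        if in_scope(ap, t):
            allowed.append(t)
        else:
            held[t] = "not in approved scope"
    return {"allowed": allowed, "held": held}


if __name__ == "__main__":
    approval = parse_approval(SAMPLE_APPROVAL)
    print(preflight(approval, ["10.10.20.7", "10.10.20.5", "192.0.2.11"], "2024-06-08T23:30"))
```

The guard is meant to sit in front of whatever scanner you schedule, so that a run started from a cron job or a scanner's own scheduler still refuses targets that the signed approval does not cover and refuses to start outside the agreed window. Keeping the exclusion list separate from the scope list is deliberate: the hosts a client carves out (the fragile production systems this section warns about) are exactly the ones a bare network range would otherwise sweep up.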

Outsourcing Testing and Not Staying Involved

Outsourcing is great, but you must stay involved throughout the entire process. Don’t hand over the reins of your security testing to a third-party consultant or a managed service provider without following up and staying on top of what’s taking place. You won’t be doing your manager or clients any favors by staying out of the third-party vendors’ hair. Get in their hair, unless of course, it’s a bald person like me. But you know what I mean. You cannot outsource accountability, so stay in touch!
