I recently had the opportunity to see how well AlgoSec’s Firewall Analyzer performs in a real-world security assessment. Long story short, Firewall Analyzer found a weak password on an Internet-facing firewall that would’ve gone undetected otherwise. A traditional vulnerability scanner didn’t find it nor did two different Web vulnerability scanners. Nothing was uncovered via manual analysis either.
Only AlgoSec’s Firewall Analyzer found the weakness, and it was no doubt a flaw that would’ve been exploited eventually.
Folks, information security is about piecing things together. We’re never going to find it all, but we darn sure need to use every means possible to check for flaws from every possible angle. Underscope your assessments and you’re screwed; at best you’re living in a delusional world. Case in point: I just reviewed a vulnerability assessment report that looked at every single external and internal IP address belonging to a business, but not a single marketing site, e-commerce application or intranet portal was tested. And everything checked out “OK”. The result that the executives saw was Low Risk Overall.
Just like I tweeted about today regarding what Qualys finds in vulnerability scans versus much of the “free” and commercial competition (there’s no comparison), I honestly believe that some big data breaches that have already occurred, and some that have yet to happen, will be related to using the wrong tools, or not enough tools, combined with people not testing all the systems that matter. People aren’t looking at the whole picture.
I know, you can’t rely on tools alone, but by golly you’d better make sure you’re not only looking at everything that matters but also using the best tools possible when doing your security testing. Here’s a new bit I wrote that covers this very subject:
Good Web Security Tools and Why They Matter
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”