Protecting Your Server – How to Test Your Protection Level

Posted on June 8, 2012 by Nikhil P Naik

 In order to determine whether your server is protected, you’ll want to see how effective your server is at repelling attacks. There are two main routes you can follow to do this: vulnerability scanning and penetration testing. Both have potential ramifications. Let’s take a look at them.

Vulnerability scanning

This involves the use of automated programs to scan for common loopholes. Such programs are commonly available, and fairly low-impact. If a loophole is flagged, it is up to the administrator to manually close it – usually by patching or applying security updates. Because it’s relatively low-impact, vulnerability scanning should be performed a few times a month (or even more frequently), and the log files consistently reviewed. However, don’t be lulled in to a false sense of security: these are automatic programs, and don’t have the wile or expertise of a human attacker. To safeguard against that, you can deploy.

Penetration testing

A more high-risk, but equally critical security testing method, penetration testing involves employing individuals with relevant expertise to identify major weaknesses in your system. This adds the ‘human factor’ – even a small weakness can provide wide-ranging access and potentially lead to catastrophic compromise.

Because this is more labour-intensive (it involves employing people) and the labour involved is high-expense (high expertise coupled with very stringent requirements for trustworthiness), penetration testing is deployed less regularly than vulnerability scanning – but you should still be aiming for at least once a year.

 

Because it’s potentially very high-impact, there are a few things to take in to account when deploying penetration testing:

  • Make sure you have a good backup of the server before testing. ‘Hacking’ a system like this – and it is hacking – can corrupt the integrity of critical system files, possibly rendering your server inoperable (in fact, some security systems rely on this, sacrificing functionality for security).
  • Do the testing with the server offline, or with a backup server. Some attacks (such as ‘Denial-of-Service’ (DoS) attacks) attempt to overwhelm the server with requests for information, forcing it to abandon security concerns to administer to the requirements of its perceived ‘users’. This means the server is going to be unaccessible for a period. If you can’t afford downtime, maintain an accurate copy server exclusively for penetration testing. However, this leads to a potential problem.
  • Be aware that this is not the real thing. Hackers are skilled in different ways, and your test subjects may go about compromising your data in a very different way to real-life attackers. Also, bear in mind that if you’re penetration testing using a copy server, it’s not the real thing. There are always often undetectable differences between backup servers and the real thing – and that difference could decide between secure and not secure. For best practice, treat it as if it were the real thing (like an effective fire drill).
  • If your server is full of sensitive information (such as a school system or bank database), you won’t want your employed penetration testers viewing it. IN that case, you’ll not only have to make a copy of the server, but populate it with false information. Again, this removes you from the reality of the scenario (and that’s the point of the test) – but these things are unavoidable, and this is the most effective testing methodology employed.

So, vulnerability scanning and penetration testing should be employed in tandem to regularly test server security. Hopefully, you’ll then be able to measure the results against the ‘work’ factor to determine if you’ve invested appropriately in protecting your data. To make such comparisons, and for general server security best practice, you’ll need to maintain rich and consistent logs of activity on your server – and that’s going to be our next area for investigation.

Image source

About Nikhil P Naik

Nikhil Naik has finished his graduation in the field of IT and is currently mastering at the University of South Florida. He also loves watching cricket, listening to music and travelling. Twitter Handle - @buzz_nikhil.

Leave a Comment

*