You've followed all the security best practices. You've patched every server. You've hardened every application. You've trained your users in the fine art of security consciousness.
Then your company's data is somehow exposed. Now what?
In a perfect world, a vulnerability assessment would be run, then penetration tests and then remediation. Further, each of these actions would be performed by a different organization.
Why? I think it's important to separate vulnerability assessment, penetration testing and remediation into three distinct segments, run by three different organizations. This helps avoid any possible conflict of interest and ensures the best results.
Going with a vendor or consultant that specializes in vulnerability assessment, another that specializes in pen testing and a third that specializes in remediation is sure to be more effective than going with an organization that pretends to specialize in all three.
And going with three separate entities is a way to prevent any one such company from using not the best products and solutions, but the ones that its partners gave it the best deal on.
Dividing these tasks almost certainly adds time and complexity—not to mention cost—to the ultimate security solution. However, with three sets of independent security consultants checking on your site and on each other, the chances of a motivated hacker finding a hole in your systems is greatly reduced. Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.
July 24, 2007
http://www.eweek.com/article2/0,1759,2162169,00.asp?kc=EWRSS03129TX1K0000614
留言列表
