- Email: [email protected]
Report highlights
Information Security Technical Report, Vol. 2, No. 3 (1997) 2-7
Report Highlights Security Issues in Today’s Corporate Network, John Shewood. Page 8 One of the most important issues to be addressed in any discussion on the security of corporate networks is: what do we really mean by the term ‘network security’? There are widely differing views on this, many of which appear to be based upon poor understanding of what type of security the network can provide, and perhaps more importantly, what type of security it cannot provide.
we will always be spending a lot of time and money on inefficient tactical solutions, and always ‘fire-fighting’ the poor results that they often deliver.
Commercial Use of Cryptography in the Shell Companies, Nick Mansfield. Page 18 .
upon our definition of what ‘network security’ really means, the major issues and goals for securing our corporate network can be expressed as six principles: Based
2. Network resource integrity protection ??
2. Network connectivity control
3. Network domain bounda y control 4. Network management application security 5. Network resilience 6. Network entity accountability
authentication
and
Each of the six principles of the network security strategy outlined above also maps directly onto a network ‘security service’, and each security service’must be provided by suitable ‘security mechanisms’. These mechanisms are implemented as technical solutions in the form of technologies and products. Whatever we may say about developing long-term security strategies, we all need to manage the security of our networks and distributed applications now. However, if we never develop the strategic approach,
2
??
The growth of the Internet provides potential business opportunities for Shell companies. These include accelerating the orderly flow of business and financial transactions. Public Internet projections of 200 million users and trillions of dollars of business by 1999 also means it may become a major marketplace for international business. A major feature for Shell companies is the potential transition from paper-based documents and files to legally binding electronic documents and files on open networks. This change cannot take place without full confidence in the security. There is an obstacle: no international trusted business infrastructure currently exists within which to assure security of electronic information. Shell companies will not be able to tap the full potential of the economic and social power of electronic commerce without a trusted business infrastructure first being in place. Trust is built requirements: ??
??
on three
basic
security
strangers communicating over open, insecure public networks must be assured of each other’s identities, enterprises must be assured their business partners cannot retract or deny what they communicate, and
0167-4048/97/$17.00
0 1997, Elsevier Science Ltd
Report
??
??
??
all parties must be assured that their messages cannot be altered or read by electronic intruders.
The explosive growth of the Internet combined with globalization of world markets has pushed these requirements to the centre stage. Use of cryptographic technology can fulfil these basic security requirements. Shell Information Services is developing and promoting the responsible use of cryptography in Shell companies. Plans are being made to introduce X.509~3 digital certificate services to authenticate electronic commerce users, support secure E-mail services and protect the confidentiality of Shell company information and network resources. Shell Information Services is actively co-operating with national authorities to minimize the obstacles and costs of deploying cryptography to support Shell companies’ global businesses.
Should TTPs be Licensed?, John Walker. Page 21 Industry is taking giant steps towards electronic commerce. Almost daily one will hear of yet another business service being offered electronically. The big question for some is the issue of security, and many believe that it has been solved. A typical answer to this question is a mistaken belief that cryptography is a panacea. But let us assume that you have overcome the above difficulties, you have got the technology in place, you trust your supplier or have the ability to scrutinize their claims, you understand security and have implemented the crypt0 properly, and you are using +56 bit keys.
Information
Security Technical
Report, Vol. 2, No. 3
Highlights
“How do I get someone’s public key?” and “How do I know the public key is genuine?“. The answer is that you don’t know, unless of course you can get someone else to vouch for it, and this is where Certification Authorities or Trusted Third Parties come in, whereby they can issue certificates to vouch for the public keys of individuals. This is not the end of the story, because by now the security bug will have taken hold and you will now ask yourself “How can I trust the CA/TTP?“. This is where licensing can help. It may not solve all the cryptography problems but it’s certainly a good starting point. As the CA/TTP market develops there will be more and more organizations from all over the world offering such services. How can you tell a competent TTP from an incompetent one? Licensing will help to protect those who don’t know any better, and of course as a bonus, it will also help better protect those who do know.
Network Security: Anything But Bulletproof, Christopher W. Klaus. Page 28 Know your enemy: it’s the first rule of battle. But when the corporate network is under siege, net managers need to know their weaknesses. Whether it’s source porting and source routing or spoofing and stealth scanning, Internet intruders have a wide array of weapons for breaking through the soft spots. More and more net managers are setting up firewalls as the first line of defence against intruders. And with good reason: properly deployed, the firewall is an extremely effective security tool, whether it’s being used to control access from the Internet or to protect sensitive data on internal networks.
3
Report Highlights
Source porting and source routing are just two areas of weakness. One of the most common firewall designs is the application proxy, which prevents traffic from passing directly between external and internal networks. Instead, a client on one side of the firewall establishes a circuit with the firewall, which in turn establishes a second circuit to the server on the other side, acting on the client’s behalf.
connecting this is a major though possibly unreasonable concern. History shows us corporate proprietary that more including government information, classified material, has been stolen via floppy disk than via firewall. Firewalls are not a defence system against espionage or traitors within the organization. Keeping outsiders on the outside is the purpose for which they are most suited.
It’s clear that firewalls alone don’t do enough to secure corporate nets. Most security authorities also recommend the use of authentication and encryption services as well. Trouble is, even these security schemes aren’t a complete solution.
In configuring a firewall, the major design decisions with respect to security are often already dictated by corporate or organizational policy; specifically, a decision must be made as to whether security is more important than ease-ofuse, or vice versa. There are two basic approaches that summarize the conflict:
Of course, net managers would like nothing better than to close every security loophole. Unfortunately, it’s not really practical to patch all the holes at once. So the next best thing to do is realize that not all vulnerabilities put machines in immediate danger. There are some weaknesses that can be classified as medium - or low-risk, with the acceptability of leaving these weaknesses open for exploitation depend on a risk assessment of your site.
Thinking About Firewalls V2.0: Beyond Perimeter Security, Marcus J. Ranum. Page 33 ??
4
The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and sometimes to prevent unnoticed and unauthorized export of proprietary information. In some cases, export of information is not considered important, but for many corporations that are
??
??
That which is not expressly permitted is prohibited. That which is not expressly prohibited is permitted.
In discussing firewalls there is often confusion of terminology since firewalls all differ slightly in implementation if not in purpose. Various discussions on Usenet and the firewalls mailing list indicate that the term ‘firewall’ is used to describe just about any inter-network security scheme. A good definition for ‘firewall’ is a system or combination of systems that performs access control and provides some degree of security between networks. There are a few observations worth making about firewalls at a very general level. Firstly, a firewall is a leverage-increasing device from a network management point of view. Rather than looking at it as “all eggs in one basket”, it can also be viewed as a trustworthy basket, and a single point from which a very important security system can be controlled. The size of the
Information
Security Technical
Report, Vol. 2, No. 3
Report Highlights
zone of risk is crucial to the design; if it is small, security can be maintained and controlled easily, but if security is compromised, the damage can be more severe. The ideal would be to have such strong host-based security that a firewall would be redundant. Systems administration costs and a hard dose of reality prevents this ideal from being obtainable.
Strategic Security For IP Networks, Marcus J. Ranum. Page 46 Everyone gets caught between a rock and a hard place: net managers tend to live there - especially when it comes to network security. If they’re too lax, they’re asking for trouble. If they clamp down too tight, core business processes start to bog down. Striking the right balance means mastering an array of (at times) arcane technologies - firewalls, encryption software, secure Web servers, and virtual network perimeters (to name just a few). Access-control devices are the first line of defence for corporate networks. Although they can be based on radically different technologies, they all solve the same essential problem: limiting access to network resources. More specifically, these products selectively permit or deny access based on a specific characteristic, like an II’ address, phone number, or password.
mechanisms must all work together seamlessly. That’s a tough task. And chances of success are greatly improved by avoiding proprietary application program interfaces (APIs), techniques, and architectures - unless one vendor can clearly resolve all or nearly all security issues. ??
The final step is to tie in the remote sites through the encrypting routers or firewalls. If this gear supports filters, take advantage of them to permit access to a limited set of services. Log-in access can be further controlled by using a token authentication system like SecurID from Security Dynamics.
Windows NT Security, Ian White. Page 53 This article describes the underlying Windows NT security model and provides best practice advice on how Windows NT may be implemented within an organization securely. In addition this article also discusses how the system has evolved to meet recent security-related attacks and what potential weaknesses still remain.
Even though they solve the same type of problems, access-control devices aren’t mutually exclusive. Many organizations mix encrypting routers with conventional firewalls. The routers support interoffice communications; the firewalls protect the customer access networks.
Windows NT is a complex multi-tasking multi-threading 32-bit operating system that shares some similarities with traditional mainframe operating systems. There is a strict isolation between user applications, between applications and the NT kernel functions and also between applications and the underlying computer hardware. With the exception of the COM ports and the diskette drive, all access to hardware functions must be performed through a defined set of system calls.
Picking the right pieces is just the beginning: effective security means that Web servers, firewalls, transaction
The Windows NT operating system is object-orientated. Resources such as files, folders, ports, printers and processes are
Information
Security Technical
Report, Vol. 2, No. 3
5
Report Highlights
defined as discrete objects with their own security attributes. A subject may be granted access to an object if they have the required levels of permissions, privileges and capabilities. When considering the security of a Windows NT system an important consideration is whether to allow external connections to the system. If such connections are permitted then which network services and protocols should be supported? As a general rule, only those protocols and services actually required should be installed. For example, only install support for IPX if you intend to connect to a network that currently uses this protocol. In conclusion, Windows NT provides a comprehensive set of security facilities that currently require a high level of understanding and competence to configure into a secure production environment. Looking to the future the increased usage of facilities for implementing global registry changes and the increasing number of security-related add-on packages to assist with administration and auditing should help reduce the current dependency upon highly skilled technicians. This in turn should lead to a wider acceptance that Windows NT can provide a secure environment for business critical applications.
Unix networking in this day and age is predominately, although not exclusively, based on the TCP/IP protocol suite. These TCP/IP protocols are used as the foundation of the corporate network. Although reference may be made to other transport layer protocols (e.g. UDP rather than TCP) this article is intended primarily to provide an overview of the implementation of security within such a TCP/IP network. Successful network-based attacks against Unix systems result from a variety of vulnerabilities, the most common of which are: Poorly managed passwords. Abuse of mechanisms.
Exploiting spoofing.
facilities
and
existing
mechanisms
by
Software bugs. User errors, including exploitation social engineering attacks.
by
In terms of network security these vulnerabilities exist within the context of the three main functional areas of: ??
??
??
6
allowed
e.g. readable
Poorly designed services that either perform insufficient authentication, or, none at all.
Unix Network Security, Roy McNamarra. Page 66 This article discusses common vulnerabilities associated with Unix networking and how attackers could exploit these vulnerabilities. Having identified a range of vulnerabilities it then details some of the configurations and countermeasures that can be used to secure a host against them.
accounts,
Account Management Trust Relationships Application Access
The Relevance Of Penetration Testing To Corporate Network Security, Gary Hardy. Page 80 ??
Penetration testing, tiger team testing and generally the whole subject of attacking systems has been a controversial area for
Information
Security Technical
Report, Vol. 2, No. 3
Report Highlights
some time. There have been arguments for and against such techniques ranging from them being potentially very dangerous through to them being unnecessary when there are easier ways to identify weak controls. ??
??
??
The term penetration testing covers a wide range of tests and techniques which generally are designed to test for security the network vulnerabilities in environment. In some situations they are similar to emulating the activities of a hacker, by probing and searching for ways to circumvent or bypass controls and searching for weak points in the target organization’s electronic communications perimeter. Penetration tests should generate in addition to the actual test results themselves, a vulnerability assessment of the network that has been examined, usually a great deal of interesting and revealing information about the network itself, and conclusions about the adequacy of the controls that are in place. This kind of activity should only really be performed by trained and knowledgeable
Information
Security Technical
Report, Vol. 2, No. 3
staff, with appropriate planning and disciplines, and the results need to be communicated and often interpreted so that management and technical staff can usefully understand the process and findings. ??
??
There are many ways of approaching penetration tests. The following describes some of the alternatives: ??
Blind or With Knowledge?
??
Unannounced or Pre-Planned?
??
Remote or On-Site?
??
Structured or Ad-Hoc?
??
Fixed Plan or Iterative?
??
Stand-alone or part of Wider Review?
??
Manual or Automated?
Penetration testing is definitely a valuable technique that is gaining in popularity. To do it properly requires specialist skills and techniques, which will often be obtained by the use of outside consultants. To do it properly also requires the controlled use of effective tools. Care needs to be taken to avoid damage or misleading results.
7
Report Highlights Security Issues in Today’s Corporate Network, John Shewood. Page 8 One of the most important issues to be addressed in any discussion on the security of corporate networks is: what do we really mean by the term ‘network security’? There are widely differing views on this, many of which appear to be based upon poor understanding of what type of security the network can provide, and perhaps more importantly, what type of security it cannot provide.
we will always be spending a lot of time and money on inefficient tactical solutions, and always ‘fire-fighting’ the poor results that they often deliver.
Commercial Use of Cryptography in the Shell Companies, Nick Mansfield. Page 18 .
upon our definition of what ‘network security’ really means, the major issues and goals for securing our corporate network can be expressed as six principles: Based
2. Network resource integrity protection ??
2. Network connectivity control
3. Network domain bounda y control 4. Network management application security 5. Network resilience 6. Network entity accountability
authentication
and
Each of the six principles of the network security strategy outlined above also maps directly onto a network ‘security service’, and each security service’must be provided by suitable ‘security mechanisms’. These mechanisms are implemented as technical solutions in the form of technologies and products. Whatever we may say about developing long-term security strategies, we all need to manage the security of our networks and distributed applications now. However, if we never develop the strategic approach,
2
??
The growth of the Internet provides potential business opportunities for Shell companies. These include accelerating the orderly flow of business and financial transactions. Public Internet projections of 200 million users and trillions of dollars of business by 1999 also means it may become a major marketplace for international business. A major feature for Shell companies is the potential transition from paper-based documents and files to legally binding electronic documents and files on open networks. This change cannot take place without full confidence in the security. There is an obstacle: no international trusted business infrastructure currently exists within which to assure security of electronic information. Shell companies will not be able to tap the full potential of the economic and social power of electronic commerce without a trusted business infrastructure first being in place. Trust is built requirements: ??
??
on three
basic
security
strangers communicating over open, insecure public networks must be assured of each other’s identities, enterprises must be assured their business partners cannot retract or deny what they communicate, and
0167-4048/97/$17.00
0 1997, Elsevier Science Ltd
Report
??
??
??
all parties must be assured that their messages cannot be altered or read by electronic intruders.
The explosive growth of the Internet combined with globalization of world markets has pushed these requirements to the centre stage. Use of cryptographic technology can fulfil these basic security requirements. Shell Information Services is developing and promoting the responsible use of cryptography in Shell companies. Plans are being made to introduce X.509~3 digital certificate services to authenticate electronic commerce users, support secure E-mail services and protect the confidentiality of Shell company information and network resources. Shell Information Services is actively co-operating with national authorities to minimize the obstacles and costs of deploying cryptography to support Shell companies’ global businesses.
Should TTPs be Licensed?, John Walker. Page 21 Industry is taking giant steps towards electronic commerce. Almost daily one will hear of yet another business service being offered electronically. The big question for some is the issue of security, and many believe that it has been solved. A typical answer to this question is a mistaken belief that cryptography is a panacea. But let us assume that you have overcome the above difficulties, you have got the technology in place, you trust your supplier or have the ability to scrutinize their claims, you understand security and have implemented the crypt0 properly, and you are using +56 bit keys.
Information
Security Technical
Report, Vol. 2, No. 3
Highlights
“How do I get someone’s public key?” and “How do I know the public key is genuine?“. The answer is that you don’t know, unless of course you can get someone else to vouch for it, and this is where Certification Authorities or Trusted Third Parties come in, whereby they can issue certificates to vouch for the public keys of individuals. This is not the end of the story, because by now the security bug will have taken hold and you will now ask yourself “How can I trust the CA/TTP?“. This is where licensing can help. It may not solve all the cryptography problems but it’s certainly a good starting point. As the CA/TTP market develops there will be more and more organizations from all over the world offering such services. How can you tell a competent TTP from an incompetent one? Licensing will help to protect those who don’t know any better, and of course as a bonus, it will also help better protect those who do know.
Network Security: Anything But Bulletproof, Christopher W. Klaus. Page 28 Know your enemy: it’s the first rule of battle. But when the corporate network is under siege, net managers need to know their weaknesses. Whether it’s source porting and source routing or spoofing and stealth scanning, Internet intruders have a wide array of weapons for breaking through the soft spots. More and more net managers are setting up firewalls as the first line of defence against intruders. And with good reason: properly deployed, the firewall is an extremely effective security tool, whether it’s being used to control access from the Internet or to protect sensitive data on internal networks.
3
Report Highlights
Source porting and source routing are just two areas of weakness. One of the most common firewall designs is the application proxy, which prevents traffic from passing directly between external and internal networks. Instead, a client on one side of the firewall establishes a circuit with the firewall, which in turn establishes a second circuit to the server on the other side, acting on the client’s behalf.
connecting this is a major though possibly unreasonable concern. History shows us corporate proprietary that more including government information, classified material, has been stolen via floppy disk than via firewall. Firewalls are not a defence system against espionage or traitors within the organization. Keeping outsiders on the outside is the purpose for which they are most suited.
It’s clear that firewalls alone don’t do enough to secure corporate nets. Most security authorities also recommend the use of authentication and encryption services as well. Trouble is, even these security schemes aren’t a complete solution.
In configuring a firewall, the major design decisions with respect to security are often already dictated by corporate or organizational policy; specifically, a decision must be made as to whether security is more important than ease-ofuse, or vice versa. There are two basic approaches that summarize the conflict:
Of course, net managers would like nothing better than to close every security loophole. Unfortunately, it’s not really practical to patch all the holes at once. So the next best thing to do is realize that not all vulnerabilities put machines in immediate danger. There are some weaknesses that can be classified as medium - or low-risk, with the acceptability of leaving these weaknesses open for exploitation depend on a risk assessment of your site.
Thinking About Firewalls V2.0: Beyond Perimeter Security, Marcus J. Ranum. Page 33 ??
4
The rationale for installing a firewall is almost always to protect a private network against intrusion. In most cases, the purpose of the firewall is to prevent unauthorized users from accessing computing resources on a private network, and sometimes to prevent unnoticed and unauthorized export of proprietary information. In some cases, export of information is not considered important, but for many corporations that are
??
??
That which is not expressly permitted is prohibited. That which is not expressly prohibited is permitted.
In discussing firewalls there is often confusion of terminology since firewalls all differ slightly in implementation if not in purpose. Various discussions on Usenet and the firewalls mailing list indicate that the term ‘firewall’ is used to describe just about any inter-network security scheme. A good definition for ‘firewall’ is a system or combination of systems that performs access control and provides some degree of security between networks. There are a few observations worth making about firewalls at a very general level. Firstly, a firewall is a leverage-increasing device from a network management point of view. Rather than looking at it as “all eggs in one basket”, it can also be viewed as a trustworthy basket, and a single point from which a very important security system can be controlled. The size of the
Information
Security Technical
Report, Vol. 2, No. 3
Report Highlights
zone of risk is crucial to the design; if it is small, security can be maintained and controlled easily, but if security is compromised, the damage can be more severe. The ideal would be to have such strong host-based security that a firewall would be redundant. Systems administration costs and a hard dose of reality prevents this ideal from being obtainable.
Strategic Security For IP Networks, Marcus J. Ranum. Page 46 Everyone gets caught between a rock and a hard place: net managers tend to live there - especially when it comes to network security. If they’re too lax, they’re asking for trouble. If they clamp down too tight, core business processes start to bog down. Striking the right balance means mastering an array of (at times) arcane technologies - firewalls, encryption software, secure Web servers, and virtual network perimeters (to name just a few). Access-control devices are the first line of defence for corporate networks. Although they can be based on radically different technologies, they all solve the same essential problem: limiting access to network resources. More specifically, these products selectively permit or deny access based on a specific characteristic, like an II’ address, phone number, or password.
mechanisms must all work together seamlessly. That’s a tough task. And chances of success are greatly improved by avoiding proprietary application program interfaces (APIs), techniques, and architectures - unless one vendor can clearly resolve all or nearly all security issues. ??
The final step is to tie in the remote sites through the encrypting routers or firewalls. If this gear supports filters, take advantage of them to permit access to a limited set of services. Log-in access can be further controlled by using a token authentication system like SecurID from Security Dynamics.
Windows NT Security, Ian White. Page 53 This article describes the underlying Windows NT security model and provides best practice advice on how Windows NT may be implemented within an organization securely. In addition this article also discusses how the system has evolved to meet recent security-related attacks and what potential weaknesses still remain.
Even though they solve the same type of problems, access-control devices aren’t mutually exclusive. Many organizations mix encrypting routers with conventional firewalls. The routers support interoffice communications; the firewalls protect the customer access networks.
Windows NT is a complex multi-tasking multi-threading 32-bit operating system that shares some similarities with traditional mainframe operating systems. There is a strict isolation between user applications, between applications and the NT kernel functions and also between applications and the underlying computer hardware. With the exception of the COM ports and the diskette drive, all access to hardware functions must be performed through a defined set of system calls.
Picking the right pieces is just the beginning: effective security means that Web servers, firewalls, transaction
The Windows NT operating system is object-orientated. Resources such as files, folders, ports, printers and processes are
Information
Security Technical
Report, Vol. 2, No. 3
5
Report Highlights
defined as discrete objects with their own security attributes. A subject may be granted access to an object if they have the required levels of permissions, privileges and capabilities. When considering the security of a Windows NT system an important consideration is whether to allow external connections to the system. If such connections are permitted then which network services and protocols should be supported? As a general rule, only those protocols and services actually required should be installed. For example, only install support for IPX if you intend to connect to a network that currently uses this protocol. In conclusion, Windows NT provides a comprehensive set of security facilities that currently require a high level of understanding and competence to configure into a secure production environment. Looking to the future the increased usage of facilities for implementing global registry changes and the increasing number of security-related add-on packages to assist with administration and auditing should help reduce the current dependency upon highly skilled technicians. This in turn should lead to a wider acceptance that Windows NT can provide a secure environment for business critical applications.
Unix networking in this day and age is predominately, although not exclusively, based on the TCP/IP protocol suite. These TCP/IP protocols are used as the foundation of the corporate network. Although reference may be made to other transport layer protocols (e.g. UDP rather than TCP) this article is intended primarily to provide an overview of the implementation of security within such a TCP/IP network. Successful network-based attacks against Unix systems result from a variety of vulnerabilities, the most common of which are: Poorly managed passwords. Abuse of mechanisms.
Exploiting spoofing.
facilities
and
existing
mechanisms
by
Software bugs. User errors, including exploitation social engineering attacks.
by
In terms of network security these vulnerabilities exist within the context of the three main functional areas of: ??
??
??
6
allowed
e.g. readable
Poorly designed services that either perform insufficient authentication, or, none at all.
Unix Network Security, Roy McNamarra. Page 66 This article discusses common vulnerabilities associated with Unix networking and how attackers could exploit these vulnerabilities. Having identified a range of vulnerabilities it then details some of the configurations and countermeasures that can be used to secure a host against them.
accounts,
Account Management Trust Relationships Application Access
The Relevance Of Penetration Testing To Corporate Network Security, Gary Hardy. Page 80 ??
Penetration testing, tiger team testing and generally the whole subject of attacking systems has been a controversial area for
Information
Security Technical
Report, Vol. 2, No. 3
Report Highlights
some time. There have been arguments for and against such techniques ranging from them being potentially very dangerous through to them being unnecessary when there are easier ways to identify weak controls. ??
??
??
The term penetration testing covers a wide range of tests and techniques which generally are designed to test for security the network vulnerabilities in environment. In some situations they are similar to emulating the activities of a hacker, by probing and searching for ways to circumvent or bypass controls and searching for weak points in the target organization’s electronic communications perimeter. Penetration tests should generate in addition to the actual test results themselves, a vulnerability assessment of the network that has been examined, usually a great deal of interesting and revealing information about the network itself, and conclusions about the adequacy of the controls that are in place. This kind of activity should only really be performed by trained and knowledgeable
Information
Security Technical
Report, Vol. 2, No. 3
staff, with appropriate planning and disciplines, and the results need to be communicated and often interpreted so that management and technical staff can usefully understand the process and findings. ??
??
There are many ways of approaching penetration tests. The following describes some of the alternatives: ??
Blind or With Knowledge?
??
Unannounced or Pre-Planned?
??
Remote or On-Site?
??
Structured or Ad-Hoc?
??
Fixed Plan or Iterative?
??
Stand-alone or part of Wider Review?
??
Manual or Automated?
Penetration testing is definitely a valuable technique that is gaining in popularity. To do it properly requires specialist skills and techniques, which will often be obtained by the use of outside consultants. To do it properly also requires the controlled use of effective tools. Care needs to be taken to avoid damage or misleading results.
7