Figure 16.3: The door is not always the primary target. (Figure label: Attackers look for weak points of entry.)
link is weakest, we cannot know precisely how much tension will be needed to break the chain.”
This can work in favor of security professionals. In a good chain, finding the weakest link requires considerable energy and professionalism. Security professionals devote considerable effort to trying to determine the weakest link (Figure 16.3). They begin with logical analysis and then use various tools, such as penetration tests, to narrow the general picture down to specific weaknesses. Some candidates in software, where vulnerabilities are more likely to exist, include:
- Applications (in-house or off-the-shelf). Applications constitute one of the bigger security vulnerabilities. They are often black boxes, with little visibility from the outside into what goes on within the application.
- Major changes to the technology or architecture of existing applications. Whenever such a change is put into production, it is likely that something has been missed or misunderstood.
- New hardware infrastructure, or upgrades to existing hardware infrastructure.
- Legacy applications that have come out of their protected silos, through enterprise integration or Web access, but cannot support the latest security requirements in a structural manner.
- Physically separate infrastructure elements, such as remote offices, vendors, or partners.
- Employees and contractors, existing or new. The extreme case is to treat employees as if they were outsiders when it comes to security; relaxing these requirements is an exception. When it comes to knowing about vulnerabilities, knowledge of the application's history is also quite helpful. Employees who have been around for some time should be included in the security analysis; they carry valuable information that is not always available through formal documentation.