For many, conducting a configuration audit ranks about the same as a visit to the dentist.
You need to secure critical infrastructure devices such as firewalls, switches and routers against external hackers and internal threats. However, it’s not seen as exciting and doesn’t always rank highly on boardroom agendas.
The most common result is a dual approach, combining scanning or agent based software with annual penetration test reviews. This would be the equivalent of daily brushing and an annual trip to the dentist.
This two-layer response offers some advantage. It’s great for regular big-picture analytics (the ones that boardrooms like). Annual penetration testers also do a thorough job of analysing vulnerabilities and providing a detailed report.
Unfortunately as anyone with a mouthful of fillings can testify, it also often lets the rot set in!
The Dual Response Issue
Network scanners send huge numbers of network probes to a device and can impact performance. Only exposed vulnerabilities are identified, which potentially misses many issues that would be found with a detailed manual configuration audit.
Agent-based audit software requires software to be installed on the audited devices, and this is not possible for all devices. Furthermore, the required agent software can introduce additional security vulnerabilities.
Penetration testing requires expert-level knowledge. It is one of the most widely used and trusted forms of detailed security analysis. The process involves simulating an attack on your network systems through active exploitation of security vulnerabilities. To the resident network team, it can feel like the equivalent of lining up for a root canal.
Typically your primary goal is to test the operational capability of your network defenses to successfully detect and respond to attacks. Depending on the agreed scope of the test, reported elements may include: hardware and software vulnerabilities, poor or improper system configuration and suggested improvements to operational processes.
Part of the testing process may involve a manual configuration audit.
Examining individual device configurations is highly time-consuming with significant manpower costs. Typically this results in point-in-time audits that extrapolate results from a sample of devices, potentially leaving vulnerabilities on non-assessed devices.
The Third Option
Early in his career as a Penetration Tester and CHECK team leader, Ian Whiting (CEO of Titania Ltd) realized there was a third option that wasn’t being provided within the security marketplace. He realized that by automating the detailed configuration vulnerability analysis he could improve auditing speed, accuracy and return on investment.
His initial requirements were to:
• Flatten the security assessment process
• Achieve significant cost savings on current configuration audit practices
• Improve the productivity of the configuration audit process
• Reduce human error factor through automation
• Provide instant, device-specific expertise to non-specialist auditors
Ian developed a configuration auditing solution, Nipper Studio. It is now a "go to" tool in both SME and global penetration testers' toolkits and has grown far past its original brief.
The “Configuration Hygienist”
Penetration testers are highly skilled and adaptable, but you cannot be expected to have in-depth knowledge of every system you come across! The same is also true of the network administrators who manage those systems: they may not have the in-depth security background required to identify potential weaknesses in their systems.
Typically your penetration tester’s toolkit is not something you can pass on, but as a “cyber hygiene” professional, it makes sense to look for ways to reduce the likelihood of vulnerability cavities developing between visits.
The interim use of a cost-effective configuration auditor widens the potential for detailed device analysis and on-going identification of potential security weaknesses. Return visits can then be less about finding conflicting rules and compliance failures, and allow more focus on operational improvements and higher-level security issues.
Nipper Studio’s early growth was entirely by word of mouth and Titania is very grateful to the penetration testing community. Thanks to you, Nipper Studio is now a multi-award winning, global configuration audit solution used in over 80 countries across a range of industries.
Nipper Studio quickly performs a thorough security assessment of multiple complex network devices, providing a detailed audit report, typically unachievable with scanning based technologies. You can use configuration audit reports in a variety of ways, including recommendations and commands to mitigate the issues.
No additional services are required on the device and no agents need to be installed. It can audit devices without scanning or connecting to them (ideal for high security clients!).
Nipper Studio is flexible and easy to use. Functionality can be extended through plugins and allows for custom integration into bespoke systems e.g. for use in continuous monitoring.
The device configuration can be read in by loading a saved configuration file obtained from the device or by connecting to the device over the network.
Once a device’s configuration has been processed by Nipper Studio a wide range of report types can be created. This includes a penetration tester grade security audit, configuration reporting, compliance analysis, change reporting and more.
An extensive range of options enable you to fine tune and customise your reports with no expert knowledge required.
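A sketch of the offline approach described above, written as an added example and not Nipper Studio's own code: it parses a saved IOS-style configuration without connecting to the device and emits findings paired with the remediation commands a report would carry. The sample configuration and the check list are constructed for illustration and assume common Cisco IOS syntax.

```python
"""Offline configuration audit over a saved IOS-style config (constructed sample)."""
import re

# Constructed sample running-config; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
 login
line vty 5 15
 transport input ssh
"""

# Each check: (id, regex matched per line, finding text, remediation command)
CHECKS = [
    ("cleartext-enable", r"^enable password ",
     "Enable password stored in cleartext", "enable secret <strong-secret>"),
    ("no-pw-encryption", r"^no service password-encryption$",
     "Password obfuscation disabled", "service password-encryption"),
    ("http-server", r"^ip http server$",
     "Unencrypted HTTP management enabled", "no ip http server"),
    ("snmp-public", r"^snmp-server community public\b",
     "Default SNMP community 'public' configured", "no snmp-server community public"),
]

def vty_telnet_sections(config):
    """Return the vty line ranges whose 'transport input' allows telnet."""
    findings = []
    # A 'line vty a b' block is followed by its indented sub-commands.
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n)*)", config, re.M):
        if re.search(r"^ transport input .*\btelnet\b", m.group(2), re.M):
            findings.append(m.group(1))
    return findings

def audit(config):
    """Run all checks; return a list of (id, finding, remediation) tuples."""
    results = [(cid, text, fix) for cid, pattern, text, fix in CHECKS
               if re.search(pattern, config, re.M)]
    for rng in vty_telnet_sections(config):
        results.append(("vty-telnet", f"Telnet accepted on line vty {rng}",
                        f"line vty {rng}\n transport input ssh"))
    return results

if __name__ == "__main__":
    for cid, text, fix in audit(SAMPLE_CONFIG):
        print(f"[{cid}] {text}\n  fix: {fix}")
```

Running it against the sample prints five findings; a real auditor adds device-family parsers and a far larger rule set, but the offline, no-agent shape is the same.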
If you're looking at what configuration auditors could do to improve your ROI, or for a tool to help your clients monitor internal controls, then you can refer to our Nipper Studio overview above.
Other products in the marketplace now have some overlap, but it’s a good guide for what to expect your configuration auditor to deliver.