Friday, 30 May 2014

Configuration Auditing: The Hygienist You've Always Wanted

by Nicola Whiting (COO, Titania)

About the Author

Nicola Whiting is Titania Ltd’s Chief Operating Officer and has a solid reputation for increasing revenues and profitability within technology-based SME environments. She joined the team in 2011 and has overseen a period of intense growth and change. Nicola’s focus is now on extending the organisation’s capabilities and workforce skills, in order to continue to embrace innovation.

For many, configuration security ranks about the same as dental hygiene.

Critical infrastructure devices such as firewalls, switches and routers need to be secured against external hackers and internal threats, but the work is not seen as exciting and does not rank highly on boardroom agendas.

The most common result is a dual approach, combining scanning or agent-based software with annual penetration test reviews – to use the same analogy, daily brushing and an annual trip to the dentist.

This two-layer response does offer some advantage: it is great for regular big-picture analytics (the kind boardrooms like), and the annual penetration testers do a thorough job of analysing vulnerabilities and providing a detailed report.

Unfortunately as anyone with a mouthful of fillings can testify, it also often lets the rot set in!

The Dual Response Issue

Network scanners send huge numbers of network probes to a device and can impact its performance. Only vulnerabilities exposed on the network are identified, which potentially misses many issues that would be found with a detailed manual audit of the configuration itself.

Agent-based audit software requires software to be installed on the audited devices, and this is not possible for all devices. Furthermore, the required agent software can itself introduce additional security vulnerabilities.

Penetration testing requires expert-level knowledge and is one of the most widely used and trusted forms of detailed security analysis. The process involves simulating an attack on your network systems through active exploitation of security vulnerabilities. To the resident network team, it can feel like the equivalent of lining up for a root canal...

Typically your primary goal is to test the operational capability of your network defenses to successfully detect and respond to attacks. Depending on the agreed scope of the test, reported elements may include: hardware and software vulnerabilities, poor or improper system configuration and suggested improvements to operational processes.

Part of the testing process may involve a manual configuration review.

Examining individual device configurations by hand is highly time-consuming, with significant manpower costs. Typically this results in point-in-time audits that extrapolate results from a sample of devices, potentially leaving vulnerabilities on the devices that were not assessed.

The Third Option

Early in his career as a Penetration Tester and CHECK team leader, Ian Whiting (CEO of Titania Ltd) realized there was a third option that was not being provided within the security marketplace. He realized that by automating the detailed configuration vulnerability analysis he could improve auditing speed, accuracy and return on investment.

His initial requirements were to:

• Flatten the security assessment process
• Achieve significant cost savings on current audit practices
• Improve the productivity of the audit process
• Reduce human error factor through automation
• Provide instant, device-specific expertise to non-specialist auditors

Through many years of hard work he developed a configuration auditing solution that is now a “go to” tool in both SME and global penetration testers’ toolkits, and it has grown far past its original brief.

The “Configuration Hygienist”

Whilst penetration testers are typically both highly skilled and adaptable, you cannot be expected to have in-depth knowledge of every system you come across! The same is also true of the network administrators who manage those systems: they may not have the in-depth security background required to identify potential weaknesses in their systems.

Typically your penetration tester’s toolkit is not something you can pass on, but as a “cyber hygiene” professional, it makes sense to look for ways to reduce the likelihood of vulnerability cavities developing between visits.

The interim use of a cost effective configuration auditor widens the potential for detailed device analysis and on-going identification of potential security weaknesses. Return visits can then be less about finding conflicting rules and compliance failures and allow more focus on operational improvements and higher level security issues.

Nipper Studio - Configuration Auditing Tool

Nipper Studio’s early growth was entirely by word of mouth and Titania is very grateful to the penetration testing community. Thanks to you, Nipper Studio is now a multi-award winning, global solution used in over 60 countries and on every continent.

Nipper Studio quickly performs a thorough security assessment of multiple complex network devices, providing a detailed audit report, typically unachievable with scanning based technologies. The audit report can be used in a variety of ways and includes recommendations and commands to mitigate the issues.

It requires no additional services on the device or any agents to be installed and can audit the devices without either scanning or connecting to them (ideal for high security clients!).

Figure 1. Scanning in Nipper Studio

It is designed to be both flexible and easy to use. Functionality can be extended through plugins, and it allows for custom integration into bespoke systems, e.g. for use in continuous monitoring.

The device configuration can be read in by loading a saved configuration file obtained from the device or by connecting to the device over the network.

Figure 2. Reading a configuration in Nipper Studio

Once a device’s configuration has been processed by Nipper Studio, a wide range of report types can be created, such as a penetration-tester-grade security audit, configuration reporting, compliance analysis, change reporting and more.
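To make the offline approach concrete, here is a small illustrative auditor added for this post; it is not Nipper Studio’s code or a description of its checks. It reads a saved IOS-style configuration file as text (no agent, no scan, no connection to the device), groups indented lines under their parent configuration mode, flags a handful of well-known weak settings, and pairs each finding with the commands that close the gap, which is the shape of output a configuration audit report gives an administrator. The configuration, the check identifiers and the severities are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a saved IOS-style configuration (not a real device).
SAMPLE_CONFIG = """\
hostname edge-router-1
no service password-encryption
enable password cisco123
snmp-server community public RO
snmp-server community private RW
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
 login local
line con 0
 password cisco
"""

# Community strings that ship as defaults and are routinely tried by attackers.
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    check_id: str      # hypothetical identifier, constructed for this example
    severity: str
    detail: str
    remediation: str   # configuration commands that close the gap


def parse_config(text):
    """Return (top_level_lines, blocks): indented lines are grouped under the
    preceding unindented line, mirroring IOS configuration-mode nesting."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blanks and '!' separator lines
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks[current] = []
    return top, blocks


def audit(text):
    """Run the checks over a configuration and return a list of Findings."""
    top, blocks = parse_config(text)
    findings = []

    if "no service password-encryption" in top:
        findings.append(Finding("PWD-ENC", "medium",
            "Line and user passwords are stored in clear text",
            "service password-encryption"))

    for line in top:
        if line.startswith("enable password "):
            findings.append(Finding("ENABLE-PWD", "high",
                "Privileged mode protected by reversible 'enable password'",
                "enable secret <new-secret>\nno enable password"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line)
        if m:
            community, mode = m.groups()
            reasons = []
            if community.lower() in DEFAULT_COMMUNITIES:
                reasons.append("default community string")
            if mode == "RW":
                reasons.append("write access")
            if reasons:
                findings.append(Finding("SNMP-COMMUNITY", "high",
                    f"SNMP community '{community}' ({', '.join(reasons)})",
                    f"no snmp-server community {community}"))
        if line == "ip http server":
            findings.append(Finding("HTTP-CLEAR", "medium",
                "Clear-text HTTP management interface enabled",
                "no ip http server\nip http secure-server"))

    for parent, children in blocks.items():
        if parent.startswith("line vty"):
            for child in children:
                if child.startswith("transport input") and "telnet" in child.split():
                    findings.append(Finding("TELNET", "high",
                        f"'{parent}' accepts clear-text Telnet logins",
                        f"{parent}\n transport input ssh"))
    return findings


def summarize(findings):
    """Count findings per severity, the kind of figure a summary report shows."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.check_id}: {f.detail}")
        print("         fix: " + f.remediation.replace("\n", "; "))
    print(summarize(results))
```

Because the checks operate on the saved text alone, the same script can be run over every exported configuration in a repository rather than a sample, and the remediation strings can be pasted back as a change set; a real auditor such as the one described above carries many more checks per platform and per-vendor parsers, but the structure is the same.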

An extensive range of options enable you to fine tune and customise your reports with no expert knowledge required.

So if you are looking at what configuration auditors could do to improve your own ROI, or for a tool to help your clients monitor their internal controls, then you can refer to the Nipper Studio overview above.

Other products in the marketplace now overlap with it to some degree, but the overview is a good guide to what you should expect your configuration auditor to deliver.

For more information or to arrange a free trial please contact
