
GSS recommends application and internet vulnerability scanning for the public sector.

Global Secure Systems (GSS) : 19 February, 2008  (Technical Article)
As part of regular and comprehensive compliance monitoring for public sector organisations, Global Secure Systems is calling for a tighter regime of internet server and application software vulnerability testing.
Global Secure Systems (GSS) has called on the public sector to adopt a sound information security policy and have all internet servers and applications regularly scanned to test for vulnerability exposure. Without these checks in place they risk a security breach and could become the next IT disaster.

Citing recent projects with Royal Borough of Kensington & Chelsea, Basildon District Council and Arun District Council, GSS (incorporating Peapod UK) argued that, in addition to regular penetration testing, public sector organisations need ongoing vulnerability assessments so that existing and new vulnerabilities are identified, and remedial action can be prioritised and taken before they are exploited.

Driven by the new eGovernment agenda, there is a focus in the public sector, specifically councils, to provide and develop web enabled services for the public, businesses and other arms of government. This translates into a number of different and complex systems that are constantly changing.

GSS warns that as the architecture continuously evolves, so does the security status. Each time a new system is introduced or changed, it interlinks with all other existing systems and could create a new vulnerability that may go unnoticed. Additionally, the number of discovered vulnerabilities is growing substantially each year, with some 8,000 (2,000 per quarter, 600 - 700 per month) found in 2006 according to statistics produced by CERT.

Robin Hollington, director of consulting for GSS explains, 'There is a lot of money invested in eGovernment initiatives but often these projects receive publicity for all the wrong reasons. This damages reputations and erodes confidence, and subsequently the level of take-up by the public which means the efficiency savings projected are not realised. By conducting regular assessments, vulnerabilities are easily identified and the potential risks managed before a breach occurs.'

GSS cites historical data showing that clients who take its vulnerability assessment service fix, on average, 38 per cent of their vulnerabilities between successive assessments, further validating the argument for regular assessments. For example, after six successive monthly scans a client's vulnerability exposure is expected to be one tenth of its original risk level, making it much easier to respond when new significant vulnerabilities are discovered.

The value in regular testing is substantiated by Basildon District Council. Its initial penetration test picked up a number of vulnerabilities which were immediately addressed. Subsequent monthly assessments identified a strange pattern of vulnerabilities that existed one month, but were gone the next, yet re-appeared the month after. By highlighting this oddity, Basildon DC was able to investigate and address the change management process which had resulted in the intermittent appearance of flaws on this particular system.

Each set of tests results in a concise report and, where vulnerabilities have been discovered, remedial actions are suggested. The results from the scans are stored in a database structure which enables the scanning team to produce comprehensive management trend and comparison statistics and charts, presented in the scan reports. This means that one month can be directly compared against up to 12 previous months, identifying what was and was not fixed and pinpointing any new vulnerabilities introduced since the system was last tested. The scan reports are viewed via a web browser, enabling security analysts, management and directors to drill into the areas of specific interest to them. Because the findings are visible to everyone with access, it is easier to monitor progress and clearly distinguish what needs doing than by ploughing through wads of paper.
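The month-over-month comparison described above, and the intermittent "present, gone, back again" pattern Basildon spotted, both come down to diffing successive scan result sets. The following is an added illustration, not GSS's reporting code: the scan snapshots and finding identifiers are constructed sample data, and a finding is treated as the same finding when its host and check identifier match.

```python
from dataclasses import dataclass

# Constructed sample data (not real scan output): each monthly scan is the set of
# open findings, identified as "host:check-id". Real scanners emit richer records;
# only the identity of a finding matters for trend comparison.
SCANS = {
    "2007-09": {"www:ssl-weak-cipher", "www:apache-old", "mail:open-relay", "www:dir-listing"},
    "2007-10": {"www:apache-old", "www:dir-listing", "app:sql-error-leak"},
    "2007-11": {"www:apache-old", "www:ssl-weak-cipher", "app:sql-error-leak"},
    "2007-12": {"www:apache-old", "www:dir-listing", "app:xss-search", "app:sql-error-leak"},
}

@dataclass(frozen=True)
class Delta:
    fixed: frozenset       # open last scan, gone this scan
    new: frozenset         # not seen last scan, open this scan
    persistent: frozenset  # open in both scans, i.e. still not fixed

def compare(previous: set, current: set) -> Delta:
    """What was fixed, what is new and what is still open since the last scan."""
    return Delta(frozenset(previous - current), frozenset(current - previous),
                 frozenset(previous & current))

def fix_rate(previous: set, current: set) -> float:
    """Share of last scan's findings closed by this scan (0.0 when there was nothing to fix)."""
    return len(previous - current) / len(previous) if previous else 0.0

def trend(scans: dict) -> list:
    """(month, Delta, fix_rate) for each month compared with the month before it."""
    months = sorted(scans)
    return [(curr, compare(scans[prev], scans[curr]), fix_rate(scans[prev], scans[curr]))
            for prev, curr in zip(months, months[1:])]

def flapping(scans: dict) -> set:
    """Findings that were open, disappeared, then reappeared in a later scan.
    A reappearing flaw is usually a sign of a change-management problem (a rollback,
    a rebuilt host, a re-deployed config), not of a genuine fix."""
    months = sorted(scans)
    result = set()
    for finding in set().union(*scans.values()):
        seen_open = seen_closed = False
        for month in months:
            present = finding in scans[month]
            if present and seen_closed:      # open -> closed -> open again
                result.add(finding)
                break
            if present:
                seen_open = True
            elif seen_open:
                seen_closed = True
    return result
```

Running `trend(SCANS)` gives the per-month fixed/new/persistent sets and fix rates that a trend chart would plot, and `flapping(SCANS)` returns the two findings that came and went between months.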

Russell Hookway, network manager for Royal Borough of Kensington & Chelsea confirms, 'We are always on the lookout for a great testing package, which we have received from GSS. What differentiates this service is the reporting. Instead of receiving a paper based report an inch and a half thick, cluttered up with unnecessary information and padding, we get a concise, tabbed, web-based report that enables the department to monitor where significant vulnerabilities are occurring and how long they take to fix. Efficient and cost effective - exactly what councils need.'

Chris Lawrence, assistant head of technology services at Arun District Council adds: 'Arun DC recognises the value of using GSS's Vulnerability Assessment service on a regular basis. The web-based report is user friendly, extensive and in a format that is easy to use by the network team. The assessment service identifies issues to be addressed that might otherwise not get picked up and so is a very useful pro-active tool for keeping our internet presence free of vulnerabilities.'

Ongoing scanning programmes help to make vulnerability management a business-as-usual activity, providing the evidence needed to justify resources to fix systems and to apply peer pressure on colleagues and suppliers to improve the security of the systems they are responsible for.

GSS's vulnerability assessment service operates as an extension to its CESG CHECK scheme 'Green Light' penetration testing. This scheme ensures that a high quality service is delivered, both in terms of the integrity and capability of the individuals conducting assessments, and the processes by which the service is managed.