Network security testing is a sequence of repeatable steps that identify vulnerabilities and weaknesses in an organization’s network. This blog outlines these steps, explains why they are crucial, and offers tips to help readers maximize the effectiveness of their testing.
Table of Contents
- Selecting a network security testing methodology
- Defining the organization’s test objectives
- Establishing what is in and out of scope
- Identifying the network security tests to be performed
- Gathering network and vulnerability information
- Performing the network security tests
- Reporting actionable test results
- Establishing a schedule for network security tests
- What to do after reading this blog
Selecting a network security testing methodology
For organizations that need to demonstrate compliance with specific industry standards, start by selecting a network security testing methodology, such as NIST SP 800-115. A testing methodology ensures that the organization follows a predefined and repeatable testing process.
For organizations seeking to conduct a focused risk assessment, methodologies like NIST are too broad. For these organizations, the first step is to define the objectives of network security testing. A customized testing methodology can be subsequently defined to support these specific goals.
Pro Tip:
Use the same methodology to verify subsequent remediation actions.
Defining the organization’s test objectives
Test objectives set the direction for the testing activities. Network security test objectives should be focused on areas of the network that support business-critical functions or contain sensitive data. Table 1 provides a list of network areas typically considered business-critical.
| Network area | Examples |
|---|---|
| Internal trusted network | Core internal network |
| Perimeter network | Internet-facing services such as Email and VPN servers |
| User and device authentication infrastructure | Network Access Control (NAC) systems; identity management systems |
| Network security infrastructure | Monitoring and control systems; patch and configuration management tools |
| Mobile device infrastructure | Wireless networks; BYOD support infrastructure |
| Internet of Things (IoT) and Operational Technologies (OT) | Building and industry-specific control systems |
Table 1: Typical business-critical network areas
Testing objectives can vary significantly between organizations, depending on their industry, size, applicable compliance and regulatory requirements, and the technology implemented. For example, a bank might focus testing on the internal trusted network, network security infrastructure, and PCI compliance. In contrast, a hospital may focus on testing around perimeter networks, mobile device infrastructure, and HIPAA compliance requirements.
Objectives should clearly state the aspects of the network being tested. Example objectives are:
- Verify that the internal trusted network conforms to the stated security policies and recommended configurations.
- Identify vulnerabilities in the internal and external trusted network.
- Conduct a penetration test (pen test) to check whether malicious actors can access network resources.
Pro Tip:
Link objectives to measurable results, such as reducing vulnerabilities by 20% or reducing the number of network components that do not meet the stated configuration guidelines by 20%.
Establishing what is in and out of scope
A scope statement describes what will be tested and the conditions under which the tests will be performed. Its primary purpose is to align the business stakeholders and the technical team responsible for testing. In addition to listing the objectives and deliverables, the scope statement should include:
- In-scope items. These are the network areas, components, and services to be tested. For example, the internal trusted networks for core VLANs and subnets, DNS/DHCP services, and firewalls and IPS security appliances.
- Out-of-scope items. These are the specific areas, assets, or activities that are explicitly excluded from testing. For example, specific IP address ranges, operational systems, and Denial-of-Service tests.
- Testing constraints. These are the rules for conducting the tests. For example, testing is to be conducted between 6 PM and midnight using the staging non-production network.
Pro Tip:
Identify the affected stakeholders and obtain stakeholder sign-off on the scope statement. Formal sign-off helps avoid misunderstandings, scope changes, and conflicts during the testing process.
Identifying the network security tests to be performed
Although the requirements vary, the fundamentals of security controls remain the same. This consistency enables the use of similar types of tests across diverse organizations. Table 2 lists common areas of network security testing.
| Test area | Description |
|---|---|
| Configuration reviews | Checks the network device security settings against the organization’s baseline or industry benchmark |
| Data protection | Evaluates the use of secure cryptographic suites and certificates |
| Log verification | Ensures events are recorded |
| Monitoring validation | Checks if alerts are generated and actioned |
| Network scanning and connectivity tests | Verifies segmentation, zoning, firewall rules, and authentication methods |
| Packet sniffers | Analyzes network traffic for unexpected traffic and abnormalities |
| Port scanning | Identifies open, closed, and filtered ports |
| Radio frequency sniffers | Detects rogue wireless devices |
| Vulnerability scanning | Checks switches, firewalls, routers, and servers for known weaknesses |
Table 2: Common network security test areas
The breadth of these network areas means that testing requires a diverse set of tools, techniques, and skill sets. Tool selection should be based on the network area being tested and the kind of test being conducted. For example, Network Mapper (Nmap) is an open-source tool that scans ports and discovers network services, and Aircrack-ng is a free tool that injects wireless traffic and performs various attacks on wireless networks.
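As an added example (not code from the original post), the following script shows how the port-scan and segmentation checks from Table 2 can be turned into a repeatable comparison: it parses Nmap's XML output (`nmap -oX`) and flags any open service that is not in the expected-service baseline for that host, plus any baseline service that is no longer reachable. The XML below is a constructed sample in the shape Nmap produces, not a real scan, and the hosts, ports and baseline are assumptions for illustration.

```python
"""Compare Nmap XML output against an expected-service baseline.

Added example, not from the original post. Standard library only.
SAMPLE_NMAP_XML is a constructed sample in the shape produced by `nmap -oX`;
the addresses, ports and EXPECTED_OPEN_PORTS baseline are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (two hosts, a few TCP ports each).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 10.0.1.0/24">
  <host starttime="1700000000" endtime="1700000012">
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp"/></port>
    </ports>
  </host>
  <host starttime="1700000000" endtime="1700000015">
    <status state="up" reason="arp-response"/>
    <address addr="10.0.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="53"><state state="open" reason="syn-ack"/><service name="domain"/></port>
      <port protocol="tcp" portid="23"><state state="filtered" reason="no-response"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed baseline: the only services each in-scope host is expected to expose.
EXPECTED_OPEN_PORTS = {
    "10.0.1.10": {("tcp", 22), ("tcp", 443)},
    "10.0.1.20": {("tcp", 53), ("tcp", 22)},
}


def parse_open_ports(xml_text):
    """Return {host_ip: {(proto, port): service_name}} for ports Nmap reports as open."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings here
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports[(port.get("protocol"), int(port.get("portid")))] = name
        results[addr.get("addr")] = open_ports
    return results


def find_deviations(observed, expected):
    """Compare observed open ports against the baseline.

    Returns a sorted list of (ip, proto, port, service, kind) where kind is
    'unexpected' (open but not in baseline) or 'missing' (in baseline but not open).
    """
    findings = []
    for ip in sorted(set(observed) | set(expected)):
        seen = observed.get(ip, {})
        want = expected.get(ip, set())
        for key in sorted(set(seen) - want):
            findings.append((ip, key[0], key[1], seen[key], "unexpected"))
        for key in sorted(want - set(seen)):
            findings.append((ip, key[0], key[1], "", "missing"))
    return findings


if __name__ == "__main__":
    observed = parse_open_ports(SAMPLE_NMAP_XML)
    for ip, proto, port, svc, kind in find_deviations(observed, EXPECTED_OPEN_PORTS):
        print(f"{ip} {proto}/{port} {svc or '-'}: {kind}")
```

Because the baseline is a plain data structure kept alongside the script, the same comparison can be rerun after remediation with no manual re-reading of scan output; "missing" entries are worth reporting too, since a service that disappeared may indicate a change outside the change-management process rather than an improvement.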
Pro Tip:
Network security testing can negatively impact the performance and operations of the network. The potential impact and consequences must be understood before the test is performed, allowing for precautions to be taken to minimize disruption.
Gathering network and vulnerability information
It is essential to have a clear understanding of the network topology, including connected devices and the services and protocols running over the network. This helps ensure that tests are complete and do not miss critical areas of the network.
To determine what should be tested, gather information about the organization’s internal network and publicly known data on security vulnerabilities and attacks. Table 3 lists the types of network information to be collected.
| Information | Examples |
|---|---|
| Business-critical systems | Systems that support business-critical functions or hold sensitive data (see the network areas in Table 1) |
| Asset inventory | Firewalls, switches, and routers |
| Security control mechanisms | Access control systems, Access Control Lists (ACLs), Virtual Local Area Networks (VLANs), and traffic protection |
| Network security policies | Acceptable use, remote access, password, and change management |
| Regulatory and compliance requirements | Network topology and data flow diagrams |
| Threat intelligence | Known industry attacks and technology weaknesses, such as weak cryptographic algorithms |
Table 3: Information gathered at the start of network security testing
Pro Tip:
Internal interfaces used to manage network equipment are often perceived as having a lower risk and are excluded from testing. However, if firmware updates are being done using the insecure File Transfer Protocol (FTP), an attacker could intercept the login credentials and gain administrative control of the device.
Performing the network security tests
To ensure repeatability, testing should follow a structured and controlled process. Test documentation should clearly outline the step-by-step process of performing the test, including the tools and configurations used, as well as the measurements taken.
Ideally, network data should be captured during the test execution. Network data may include screen captures, logs, scan results, configuration dumps, and packet capture (pcap) files. Timestamps should be included to facilitate the analysis of test findings in conjunction with other network events.
Tests should be monitored to ensure that they are not significantly impacting business operations. If tests have an unexpected negative impact on network operations, they should be reported immediately. It may be necessary to take corrective actions, which may include restoring the network to its original state.
Pro Tip:
Providing advance notice of pending network security tests can result in users changing their behavior, which can skew the test results. It is advisable to limit notifications to trusted stakeholders or key personnel.
Reporting actionable test results
The most important step is turning the test results into actionable items. Interpreting the test results and prioritizing the high-risk issues allows resources to be effectively directed to the problem areas.
To enable the remediation team to focus resources on having the most significant impact:
- List the discovered issues using a high, medium, and low severity ranking. Show the associated impacted asset(s) and recommended fixes.
- Group the recommended fixes into immediate, medium-term, and long-term solutions.
Testing metrics and Key Performance Indicators (KPIs) are measures of the organization’s network robustness in defending against cyberattacks. These measurements are also crucial for verifying that the remediation actions effectively address the identified issues and tracking improvements over time.
The metrics and KPIs vary depending on the organization’s security goals, size, and compliance and regulatory requirements. Example metrics categories are shown in Table 4.
| Network security function | Example metric or KPI |
|---|---|
| Vulnerability tracking | The number of high severity vulnerabilities open for longer than four weeks |
| Access control and identity management | The percentage of accounts protected by multi-factor authentication |
| Configuration control | The number of configuration guideline policy violations |
| Monitoring and reporting | The number of unresolved critical and important alerts |
| Asset and inventory control | The number of end-user devices with antivirus protection installed |
| Awareness and user training | The number of employees who have completed security training |
Table 4: Key network security functions and example metrics
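The severity ranking, the immediate/medium-term/long-term grouping of fixes, the 20% reduction target from the objectives section, and the first KPI in Table 4 can all be computed from one findings list. The following script is an added example and not code from the original post; the findings are constructed sample data, and the four-week window follows Table 4 while the exact threshold logic is this example's own choice.

```python
"""Prioritise findings and compute remediation KPIs.

Added example, not from the original post. FINDINGS is constructed sample
data; asset names, fix texts and dates are assumptions for illustration.
"""
from datetime import date, timedelta

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample findings from a test round. "resolved" is None while open.
FINDINGS = [
    {"id": "F-1", "severity": "high", "asset": "10.0.1.10",
     "fix": "Disable FTP on the management interface", "horizon": "immediate",
     "discovered": date(2024, 1, 8), "resolved": None},
    {"id": "F-2", "severity": "medium", "asset": "core-sw-01",
     "fix": "Restrict SSH to version 2", "horizon": "medium-term",
     "discovered": date(2024, 2, 1), "resolved": None},
    {"id": "F-3", "severity": "high", "asset": "vpn-gw",
     "fix": "Remove legacy TLS cipher suites", "horizon": "immediate",
     "discovered": date(2024, 2, 20), "resolved": None},
    {"id": "F-4", "severity": "low", "asset": "printer-07",
     "fix": "Change default SNMP community string", "horizon": "long-term",
     "discovered": date(2024, 1, 15), "resolved": date(2024, 1, 30)},
    {"id": "F-5", "severity": "high", "asset": "10.0.1.20",
     "fix": "Patch DNS server", "horizon": "immediate",
     "discovered": date(2024, 1, 2), "resolved": date(2024, 1, 20)},
]


def prioritise(findings):
    """Open findings ordered high -> medium -> low, oldest first within a severity."""
    open_items = [f for f in findings if f["resolved"] is None]
    return sorted(open_items, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["discovered"]))


def group_by_horizon(findings):
    """Group the recommended fixes for open findings into the three horizons."""
    groups = {"immediate": [], "medium-term": [], "long-term": []}
    for f in findings:
        if f["resolved"] is None:
            groups[f["horizon"]].append(f["id"])
    return groups


def high_open_longer_than(findings, as_of, weeks=4):
    """Table 4 KPI: number of high-severity findings open longer than `weeks`."""
    cutoff = as_of - timedelta(weeks=weeks)
    return sum(1 for f in findings
               if f["severity"] == "high" and f["resolved"] is None
               and f["discovered"] < cutoff)


def reduction_percent(open_before, open_after):
    """Percentage reduction in open findings between two test rounds."""
    if open_before == 0:
        return 0.0
    return round(100.0 * (open_before - open_after) / open_before, 1)


if __name__ == "__main__":
    today = date(2024, 3, 1)  # fixed reporting date so the output is reproducible
    for f in prioritise(FINDINGS):
        print(f"{f['severity']:6} {f['id']} {f['asset']:12} {f['fix']}")
    print(group_by_horizon(FINDINGS))
    print("High open > 4 weeks:", high_open_longer_than(FINDINGS, today))
    print("Reduction since last round:", reduction_percent(5, 3), "%")
```

Keeping the discovered and resolved dates on every finding is what makes the trend KPIs possible: the same functions run over the next round's findings show whether the "reduce by 20%" objective was met and whether high-severity items are ageing past the four-week limit.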
Pro Tip:
Implement a tracking system to monitor the progress and completion of remediation actions.
Establishing a schedule for network security tests
The test schedule depends on the organization’s perceived risk exposure, available resources, and regulatory requirements. For example, some organizations run vulnerability scans on an ongoing basis, whereas others perform them only in response to audit requirements.
Many tests can be automated, for example, scanning for known vulnerabilities and verifying that firewall policies are implemented correctly. Automating tests is crucial for organizations with a limited workforce or those that need to detect problems more quickly. Tests that require manual intervention cannot be fully automated and must be planned for separately.
Pro Tip:
Retain test scripts and configurations to support consistent and repeatable testing, and to enable accurate re-testing after remediation actions have been implemented.
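The configuration review from Table 2, the insecure-management-protocol warning in the earlier Pro Tip, the automation point above, and the advice to retain test scripts for re-testing all come together in a baseline check that is run before and after remediation. The script below is an added example, not code from the original post or from any vendor: the line-oriented configuration format, the two device configurations and the baseline rules are all constructed for illustration and do not follow a real device's syntax.

```python
"""Review a device configuration against a retained baseline, before and after remediation.

Added example, not from the original post. The config format ("key ... value"
per line) and both configuration dumps are constructed; the rule set is an
assumed baseline, not an industry benchmark.
"""

# Constructed configuration dump captured before remediation.
CONFIG_BEFORE = """
hostname core-sw-01
management ftp enable
management telnet disable
management ssh version 2
snmp community public
ntp server 10.0.0.5
"""

# Constructed configuration dump captured after the fixes were applied.
CONFIG_AFTER = """
hostname core-sw-01
management ftp disable
management telnet disable
management ssh version 2
snmp community n3tw0rk-ro-2024
ntp server 10.0.0.5
logging host 10.0.0.9
"""


def parse_config(text):
    """Parse 'key words value' lines into {key: [values]}; '!' and '#' start comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        parts = line.split()
        key, value = " ".join(parts[:-1]), parts[-1]
        settings.setdefault(key, []).append(value)
    return settings


# Retained baseline: (rule id, description, predicate that returns True when compliant).
BASELINE_RULES = [
    ("MGMT-01", "FTP management (cleartext credentials) must be disabled",
     lambda s: s.get("management ftp") == ["disable"]),
    ("MGMT-02", "Telnet management must be disabled",
     lambda s: s.get("management telnet") == ["disable"]),
    ("MGMT-03", "SSH must be restricted to version 2",
     lambda s: s.get("management ssh version") == ["2"]),
    ("SNMP-01", "SNMP community must not be a default string",
     lambda s: not set(s.get("snmp community", [])) & {"public", "private"}),
    ("TIME-01", "An NTP server must be configured so log timestamps correlate",
     lambda s: bool(s.get("ntp server"))),
    ("LOG-01", "A remote logging host must be configured",
     lambda s: bool(s.get("logging host"))),
]


def review_config(text, rules=BASELINE_RULES):
    """Return [(rule id, description)] for every baseline rule the config violates."""
    settings = parse_config(text)
    return [(rule_id, desc) for rule_id, desc, compliant in rules if not compliant(settings)]


def remediation_verified(before_text, after_text, rules=BASELINE_RULES):
    """True only if every violation found in the first run is absent from the re-test."""
    before_ids = {rule_id for rule_id, _ in review_config(before_text, rules)}
    after_ids = {rule_id for rule_id, _ in review_config(after_text, rules)}
    return not (before_ids & after_ids)


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        violations = review_config(cfg)
        print(f"{label}: {len(violations)} violation(s)")
        for rule_id, desc in violations:
            print(f"  {rule_id}: {desc}")
    print("remediation verified:", remediation_verified(CONFIG_BEFORE, CONFIG_AFTER))
```

Because the rules live in the script rather than in a tester's head, the re-test after remediation is exactly the test that found the issues, which is what the Pro Tip above asks for; the same script can also run on a schedule to catch configuration drift between formal test rounds.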
What to do after reading this blog
After reading this, you should:
- Review the testing methodology your organization uses for conducting the network security tests.
- Identify the business-critical components in your organization’s network.
- List the security test tools your organization uses and identify what each tool is designed to test.
- Determine which network tests are automated and run on a defined schedule.
- Examine your organization’s testing metrics, KPIs, and trends to identify opportunities for improvement.