Network Risk Assessment: Penetration Testing and Social Engineering

Electronic information systems, now de rigueur for recordkeeping, hold company and customer data, a majority of which may be confidential. If ineffective network security controls are in place, however, an intruder can enter from the outside, steal that data, and exploit it. The result may be identity theft, leaked private company information (think of the WikiLeaks fiasco), lawsuits, or dissatisfied customers. In order to meet industry standards, keep company information confidential, and maintain a satisfied customer base, implement an effective network security plan involving regular risk assessments.

Although an electronic information system’s data is often thought of as solely technical, a network risk assessment considers all ways in which this information could be stolen, including through physical or social means. As a result, a network engineer performing a risk assessment uses a combination of penetration testing and social engineering techniques.

Penetration testing involves using ethical hacking techniques to break into a network and identify vulnerabilities, or weak points through which an outside party can enter. A four-phase process is used: planning, discovery, attacking, and reporting. The first two phases involve gathering all basic information for the network, including port and service identifications, host names, IP addresses, employee names and contact information, operating system information, and application and service information. To access the interior, the engineer may be granted employee-level access to the system. With all information gathered, the engineer does a vulnerability analysis, comparing the network data with a vulnerability database.
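The vulnerability analysis step described above, as an added example that is not part of the original article: a discovery-phase service inventory is compared with a vulnerability database by product and affected version range. The hosts, product names, versions and advisory IDs are all constructed placeholders, and the database layout is an assumption.

```python
# Constructed advisory database: each entry affects versions in [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "product": "examplehttpd", "introduced": "2.4.0", "fixed": "2.4.50", "severity": "high"},
    {"id": "EXAMPLE-0002", "product": "examplessh", "introduced": "7.0", "fixed": "8.2", "severity": "medium"},
    {"id": "EXAMPLE-0003", "product": "exampledb", "introduced": "5.0.0", "fixed": "5.7.3", "severity": "critical"},
]
# Constructed discovery-phase inventory (host, port, identified service and version).
INVENTORY = [
    {"host": "10.0.0.5", "port": 80, "product": "examplehttpd", "version": "2.4.49"},
    {"host": "10.0.0.5", "port": 22, "product": "examplessh", "version": "8.4"},
    {"host": "10.0.0.9", "port": 3306, "product": "ExampleDB", "version": "5.7.2"},
    {"host": "10.0.0.12", "port": 8080, "product": "examplehttpd", "version": "unknown"},
]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def find_vulnerabilities(inventory, advisories):
    """Return (findings sorted by severity, services whose version could not be read)."""
    findings, unversioned = [], []
    for svc in inventory:
        try:
            version = parse_version(svc["version"])
        except ValueError:
            # No usable version banner: report for manual review instead of assuming it is safe.
            unversioned.append(svc)
            continue
        for adv in advisories:
            same_product = adv["product"] == svc["product"].lower()
            in_range = parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"])
            if same_product and in_range:
                findings.append({"advisory": adv["id"], "severity": adv["severity"],
                                 "host": svc["host"], "port": svc["port"]})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings, unversioned

if __name__ == "__main__":
    findings, unversioned = find_vulnerabilities(INVENTORY, ADVISORIES)
    for f in findings:
        print(f"{f['severity']:9} {f['advisory']} {f['host']}:{f['port']}")
    for svc in unversioned:
        print(f"review    version unknown on {svc['host']}:{svc['port']}")
```

Services with an unreadable version are returned separately so they end up in the report as open items rather than silently passing the comparison.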

All vulnerabilities identified become targets for ethical hacking in the attack stage. When performing the test, the engineer determines if an attack was successful, the level of complexity needed to break in, and the measures necessary to reduce future attacks. Because vulnerabilities often come in groups, the engineer may go back and forth between the discovery and attack phases before producing a full report.

Data about employees and the system serves as a reference for the social engineering part of network risk assessment. Often a phishing scheme, social engineering involves tricking network users into revealing passwords or usernames. Because employees should never blindly give away such information, the engineer poses as an outsider by attempting to obtain such information through online or telephone conversations, instant messages, or emails.

Email phishing schemes are some of the more common approaches for attackers to obtain network information. Typically, an email appearing to be authentic, such as from the company, a bank, or internet service provider, is sent out and requests username or password information. The email then takes the user to an insecure website to obtain the information, which, aside from a username and password, may be account, credit card, or social security numbers. With this information, the intruder breaks into the network to steal data that can then be exploited.

Certain individuals, such as executives, may be more important than others on a network, and in social engineering, a network engineer may target such employees.

Building a Quality High Performance Professional Network in the “Knowledge” Economy

In the knowledge-rich society and professional world we live in, building a quality high performing professional network should be a focus for every professional knowledge worker. More than ever, we need to be connected and integrated in communities that provide mutual value. It is no longer enough to have a network consisting of all the people you meet at conferences, through work or at other events.

We need to pro-actively develop and manage our professional network as an integral part of our career management in the knowledge economy. This is far more than just having the inter-personal skills to talk to people and make meaningful contact that can grow into lasting professional links. Having these skills is great, and we need them. But managing our professional network needs to go beyond that.

  1. We need to be able to ascertain the quality and performance of our professional network.
  2. We need to know what the strengths and weaknesses are of our current network.
  3. We need to know how to pro-actively manage our network to ensure we prepare for the next step in our career.

In order to do all of this we need to understand how knowledge is generated and shared in societies. We also need to understand how different kinds of people fulfill different requirements for knowledge. And, importantly, we need to know what our strengths are in professional networking.

When we look at our current professional network, we need to be able to identify strengths and weaknesses, and have a road map of how to improve and refine our professional network to serve us best, and also optimize value for all other members of our network.

Just like we suffer from an information overload in the current online and knowledge-rich world, we can end up having a large number of people that we know, but we do not derive the value that we could from the network because it is not suitable for our career, or is so overloaded that we are not able to have focused contact. We can end up wasting time by increasing the size of our network without really improving its quality and performance in our career or for anybody else in the network. If we allow that to happen, we also do not do others a service, because we all become numbers in one another’s professional networks rather than a well-functioning community that adds value for one another.

There are more and more online tools and facilities that enable us to build global professional links and networks. The aim is not to participate in as many of them, or even to have as many contacts as possible. Rather, we need to utilize these wisely in order to build meaningful and useful professional networks that will become an integral part of the success of our careers.

Most courses (and online courses), as well as other information about professional networks, focus on the inter-relational and social skills we need to build good links with others. These are important, but do not necessarily mean we’ll end up with a good professional network. Information on how to ensure quality and optimize value from the network for all participants is not readily available.

However, a quality, well-designed and high performance professional network is imperative in the knowledge economy.

Windows Network Monitoring

One of the most commonly used operating systems today is Windows. As with anything else, the more popular that a given operating system or item becomes, the more likely it is to be the target of people who would use it to their own ends. Windows, like any other operating system which is vastly popular, is no exception to that rule.

Windows operating systems and Windows networks are prone to attempted breaches, which means that monitoring them is imperative. While some Windows systems give you a basic method of monitoring your network, they don’t help you to see what kind of applications are using the network or running in the background.

Having this information to hand is very important if you need to discover and terminate any programs that are using your bandwidth or that carry injected malware.

Some Windows network monitoring can take place using the built-in software and network monitoring tools that Windows 7 or Windows 8 offers you. If you’re looking for just basic network monitoring, you may not need to worry about third-party network monitoring tools, but rather may just be able to get the information that you need using the Windows tools.

Taking a look at processes running in the background, as well as who is connected to your network is possible in Windows 7. Making sure that they are supposed to be there, what kind of load they are using and whether or not they are slowing your service is another way that the Windows network monitoring tools can help you.

In order to monitor your Windows network, all that you’ll need to do is go to the Windows Task Manager. If you’re interested in how active the network is, click Performance and look at the Ethernet or the WiFi sections to review that information. It is easy to view and easy to understand. You can even check on your own IP address.

Your Task Manager is going to give you links to network monitoring information that is slightly more advanced and which will give you all of the information on every single active component of your network. It will tell you how much data is being sent and received, where it’s coming from and how much of an impact it has on the network resources.
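The same question (which programs are talking on the network, and to whom) can also be answered from the built-in `netstat -ano` and `tasklist /fo csv /nh` commands. The following is an added example, not part of the original article: it joins the two outputs on PID and lists programs with established connections leaving the local network. The sample output, the internal subnets and the list of expected programs are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4312
  TCP    192.168.1.20:49730     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49801     198.51.100.77:8080     ESTABLISHED     7780
  UDP    0.0.0.0:5353           *:*                                    1620
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"System","4","Services","0","144 K"
"chrome.exe","4312","Console","1","150,332 K"
"updater32.exe","7780","Console","1","3,204 K"
'''
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]  # assumption
EXPECTED = {"chrome.exe"}  # assumption: programs allowed to talk outbound

def parse_tasklist(text):  # returns {PID: image name}
    return {row[1]: row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}

def parse_netstat(text):
    """Yield one dict per connection; UDP rows have no State column, so PID is the last field."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP"):
            yield {"proto": f[0], "remote": f[2], "state": f[3] if len(f) == 5 else "", "pid": f[-1]}

def is_external(endpoint):
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]  # drop port, brackets, zone id
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL)
    except ValueError:  # "*" on UDP rows is not an address
        return False

def outbound_by_process(netstat_text, tasklist_text):  # returns {image name: [remote endpoints]}
    names, report = parse_tasklist(tasklist_text), {}
    for conn in parse_netstat(netstat_text):
        if conn["state"] == "ESTABLISHED" and is_external(conn["remote"]):
            report.setdefault(names.get(conn["pid"], "pid " + conn["pid"]), []).append(conn["remote"])
    return report

def unexpected(report):  # programs with outbound connections that are not on the expected list
    return sorted(name for name in report if name not in EXPECTED)

if __name__ == "__main__":
    print(unexpected(outbound_by_process(NETSTAT, TASKLIST)))
```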

Bear in mind that these built-in tools do have their limits. If you require more than this and need to see more deeply into the network, you’re going to have to install some Windows monitoring tools from the outside. A wide array of freeware is out there that can help you to take a closer look at all of the network information and won’t cost you a penny. Much of it is even easy to install and simple to use. If you’re using Windows network monitoring tools and they aren’t quite what you’re looking for, it may behoove you to look into other tools that can help you to get a closer look at your home or professional network.