R. Kinney Williams - Yennik, Inc.?
R. Kinney Williams

 
Yennik, Inc.

External VISTA?
Penetration-vulnerability Testing

External VISTA - Frequently Asked Questions

VISTA Home Page

For information about VISTA security testing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form

What is VISTA penetration study? 
What is the difference between the Internal - VISTA and External - VISTA?
What does VISTA test for over and beyond  port scanning?
We outsource our network administration duties to an independent vendor.  Why wouldn't their vulnerability test be considered independent?
Would the VISTA be helpful to our network administrator?
Does the VISTA meet the regulatory requirement for a vulnerability test?
How much does it cost to perform the External - VISTA?
Why is there a 30-day follow-up test for the external-Interest VISTA?

Is the service host-based or network-based? 
Is the external VISTA  solution product-based or service-based? 
What specialized equipment is required?
Our financial institution already deployed firewalls, intrusion detection systems, and other security gear.  Why do we need the penetration-vulnerability assessment service from VISTA? 
We use VPN to connect our employees to corporate resources. How can VISTA protect our data assets?
How can I protect a heterogeneous network topology with a myriad of devices from hackers?
How often is the vulnerability database updated?
What happens if my network experiences rapid growth, for example through an acquisition?
What is the typical size of a financial institution in need of the VISTA service?
Do I need to be an expert in security to be able to understand the VISTA reports?
What kind of expertise is needed to analyze the VISTA results?
What are the minimal requirements to start the vulnerability audit?
How does Yennik, Inc. support VISTA?
How often should we have the VISTA performed?
What methodology does VISTA use to assess the vulnerabilities in a system?
What devices are detected in the discovery process?
How does the scanner interact with my network?
How does VISTA find vulnerabilities and characterize network systems? 
What is an Inference-Based Scanning Engine? 
What does VISTA detect during a scan?
What happens after you detect a network vulnerability?  Do you provide information to help me correct the problem? 
How many different types of vulnerabilities do you detect?
Do firewalls interfere with the scanner audit checks?
What impact will the scanner have on my traffic load?
How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the Web server?
How does the scanning service audit remote database servers?
How is this product bandwidth-efficient?
Does the scanning service look for viruses, backdoors, and trojans?
Does the scanning service look for SNMP vulnerabilities?
How long does it take for you to complete the VISTA?
What are the VISTA reports?
Where are the results reported?
What do the different vulnerability severity levels mean?
How is the "Overall Security Risk" calculated in dynamic reports? 
What ensures the privacy of VISTA information, including scan results? 
There are links to external sources in the scan reports and dynamic reports. Is the content on these external sites verified to solve my vulnerability problem?
The scanner detected a significant number of vulnerabilities and possible threats.  Who can help me to fix my systems?
What expertise is needed to fix vulnerabilities?

How does the penetration/vulnerability study tests differ from intrusion testing?
What vulnerability assessment service does VISTA utilize?
Couldn't we use a scanner directly?
Why should we use the VISTA security testing services?

What is VISTA penetration study?

The VISTA penetration study is an audit of the process of identifying network and device vulnerabilities before hackers can exploit the security holes.  The vulnerability test, also called security scanning tools, assesses the security of your network or host systems and reports system vulnerabilities that your network administrator can use to make any necessary security adjustments.  Vulnerability testing can scan networks, servers, firewalls, routers, and applications for vulnerabilities.  Generally, the scan can detect known security flaws or bugs in software and hardware, determine if the systems are susceptible to known attacks and exploits, and search for system vulnerabilities such as settings contrary to established security policies.  The VISTA is not intrusive.  

Penetration testing is a "best practice" IT security tool for any financial institution connected to the Internet.  Independent testing is required by the recently released FFIEC Information Security Booklet (pages 80-81) as well as by the Gramm-Leach-Bliley Act.  For most Internet connections, the FDIC, OCC, OTS, FRB, and NCUA examiners will require Internet security testing.  The vulnerability test is part of Prevention, Detection, and Response as outlined by the FDIC in the white paper "Risk Assessment Tools and Practices for Information System Security." 

Return to the top of the page.  

What is the difference between the Internal - VISTA, and External - VISTA?

The External - VISTA tests your financial institution's connection to the Internet to ensure that your firewall is properly configured to prevent unauthorized intrusion from hackers.

The Internal - VISTA tests your financial institution's  internal network that includes your servers, firewalls, routers, and workstations to prevent unauthorized intrusion from insiders.

To perform the Internal - VISTA, we install a pre-programmed scanner box on your network.
Scanner box.  Click to enlarge.

Return to the top of the page.

What does VISTA test for over and beyond  port scanning?

The VISTA penetration study and Internet security test is much more sophisticated than just scanning ports.  As a hacker would begin, we also begin by conducting a comprehensive port scan.  The TCP and UDP port scans provide vital information about the open ports from which critical data is obtained.  This critical data provides the in-depth penetration-vulnerability information necessary for the Internet security audit.

With the information gathered from initial port scan, we perform a network discovery that depicts the network topology, access points to the network, machines names, IP addresses, operating systems, and discovered services, such as HTTP, SMTP, Telnet, SNMP, etc.  With this captured information, the appropriate vulnerability is selected out of over 18,000 know vulnerabilities; the appropriate test is performed, and results interpreted. 

The penetration security risk assessment, includes all routers, switches, hubs, firewalls, servers, workstations, printers, and wireless access devices. 

During the testing, detection and auditing databases includes PostgreSQL, Oracle, SQL Server, MySQL, Microsoft SQL, and Sybase.  These tests for vulnerabilities or erroneous configurations show the possible access points that would allow for information leaks, theft of data and confidential customer information, unauthorized penetration that could lead to intrusion, and denial of service attacks. 

The testing is further capable of identifying viruses, backdoors, worms, Trojans, and other malicious applications.  This testing is accomplished by sending specially crafted packets to the accessed host and analyzing the response. 

Return to the top of the page.

We outsource our network administration duties to an independent vendor.  Why wouldn't their vulnerability test be considered independent?

Since your vendor probably designed your computer security, the vendor would not be considered independent.  In addition, the vendor probably sells software and hardware.  Yennik, Inc. are strictly IS security  auditors and do not sell software or hardware.

Return to the top of the page.

Would the VISTA be helpful to our network administrator?

Definitely.  Your network administrator, whether internal or outsourced, would use the results to determine how to better secure your Internet connection.

Return to the top of the page.

Does the VISTA meet the regulatory requirement for a vulnerability test?

Yes.  In addition, VISTA is a security tool recommended by Internet security best practices.  A banker told us that the VISTA reports and audit letter were especially helpful during the FDIC information systems examination, when the bank was asked which tools it uses to identify and control risk.  "Verbal assurances are not enough.  By showing the FDIC our VISTA reports and audit letter, we proved that we regularly identify risks, rank them by priority, adjust our actions to eliminate those risks, and then verify that we're no longer vulnerable." 

Return to the top of the page.

Is the service host-based or network-based?

VISTA is a network-based service that detects vulnerabilities at the host and network level.  VISTA audits your network from the Internet - just like an intruder would do from outside your company - providing you with real-time analysis of your network.

Return to the top of the page.

Is the external VISTA  solution product-based or service-based?

External VISTA is a Web service.  The application is delivered as a service accessible over the Internet.  In contrast to product-based services, with the external  VISTA there is no hardware or software you are required to purchase for Yennik, Inc. to perform the external testing. 

Return to the top of the page.

What specialized equipment is required?

None. There is no hardware or software to purchase, update, or maintain.  VISTA is delivered securely over the Internet and accessible online through a Web browser. 

Return to the top of the page.

Our financial institution already deployed firewalls, intrusion detection systems, and other security gear.  Why do we need the penetration-vulnerability assessment service from VISTA?

VISTA complements your firewall, IDS, and router access list policies by supplying a more proactive, preventive approach as recommended by the regulators.  Simulating a hackers' point of view, VISTA probes your network for known vulnerabilities. It looks through firewalls into the De-Militarized Zone (DMZ) and beyond to assess any device that is visible to the Internet to determine any known vulnerabilities.  In addition, VISTA is run by an experienced information systems auditor, R. Kinney Williams, who issues an auditor letter to your Board of Directors.

Return to the top of the page.

We use VPN to connect our employees to corporate resources. How can VISTA protect our data assets?

Even for companies that have deployed preventive measures such as firewalls, IDSs, and VPNs, vulnerability assessment has become a critical component of their overall network security strategy. According to the Computer Emergency Response Team (CERT), 99 percent of network intrusions occurred based on known vulnerabilities and could have been prevented with proactive vulnerability assessment.

Return to the top of the page.

How can I protect a heterogeneous network topology with a myriad of devices from hackers?

VISTA is not restricted to a network topology and audits heterogeneous networks of any size.  As a Web service, it scans for vulnerabilities at the network level (for example, switches, routers, firewalls, etc.) and host level (for example, applications, operating systems, services, etc.).

Return to the top of the page.

How much does it cost to perform the External - VISTA?

The External - VISTA security testing starts at $1,500, which is payable after the initial testing is performed.  There is never a charge if you are not completely satisfied with our service.  For information about VISTA security testing pricing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form

Return to the top of the page.

Why is there a 30-day follow-up test for the external-Internet VISTA?

This will allow time for your network administrator to make any necessary security changes to your information technology system.  The 30-day follow-up scan verifies that the changes were make correctly.  

Return to the top of the page.


How often is the vulnerability database updated?

The vulnerability database is updated daily as new vulnerabilities emerge.  Our service maintains the most comprehensive and up-to-date KnowledgeBase in the security industry.  There are over 18,000 known vulnerabilities and growing every day.

Return to the top of the page.

What happens if my network experiences rapid growth, for example through an acquisition?

VISTA scales virtually infinitely with a financial institution's network growth.  We can easily add or remove IP addresses to your vulnerability audit.

Return to the top of the page.

What is the typical size of a financial institution in need of the VISTA service?

VISTA is the first scalable, affordable Web service providing cost-effective network vulnerability auditing for financial institutions of every size.  Our clients range in size from $15 million to over $4 billion in assets.

Return to the top of the page.

Do I need to be an expert in security to be able to understand the VISTA reports?

No.  The VISTA reports are self-explanatory and easily understood by your network administrator.  The audit report is written to be understood by your Board of Directors as to the security risks associated with the Internet.

Return to the top of the page.

What kind of expertise is needed to analyze the VISTA results?

You can access VISTA reports from your browser.  Reporting is menu driven and user friendly.  Automated, actionable reports present the audit data in easy-to-understand tables, charts, and graphics for technical and business target audiences.

Return to the top of the page.

What are the minimal requirements to start the vulnerability audit?

An IP address and your authorization.  Please contact Kinney Williams at examiner@yennik.com for more information.

Return to the top of the page.

How does Yennik, Inc. support VISTA?

Since we are IS auditors, we are available to answer your overall security questions and help you understand the possible exposure to your institution.  If technical issues need addressing, we use our service's qualified technical support staff for technical type questions to help assist Network Administrator.

Email support is always available at examiner@yennik.com or call R. Kinney Williams at Office 806-798-7119.

Return to the top of the page.

How often should we have the VISTA performed?

This differs with each institution.   If you are already having internal or vendor vulnerability or intrusion testing performed, we would recommend having the vulnerability test performed at least annually.  Most institution should have the VISTA perform at least semi-annually.  Larger operations should consider having the VISTA performed quarterly or monthly.  The FFIEC Information Security Booklet on pages 80-81 requires an annual independent penetration test. 

Return to the top of the page.

What methodology does VISTA use to assess the vulnerabilities in a system?

VISTA is a continuous process designed to identify, track, and eliminate vulnerabilities before they are exploited.  This process has four basic steps:

Step 1: Discover - Dynamic identification of all perimeter devices

Step 2: Analyze - Powerful scanning engine and up-to-date vulnerability database

Step 3: Report - Concise, actionable reporting with trend analysis

Step 4: Remedy - Links to methods for correcting vulnerabilities 

Return to the top of the page.

What devices are detected in the discovery process?

The following devices are identified in the discovery process:

  1. Routers, Administrable Switches and Hubs (Cisco, 3Com, Nortel Networks, Cabletron, Lucent, Intel and Newbridge)
  2. Operating systems (NT 3.5, NT4.0, NT 2000, Win9x, Linux, BSD, MacOS X, Solaris, HP-UX, Irix, AIX, SCO and Novell)
  3. Firewalls (CheckPoint Firewall-1, Novell Border Manager, TIS, CyberGuard and Ipchains)
  4. Web Servers (Apache, Microsoft IIS, Lotus Domino, Netscape Enterprise, IpSwitch, WebSite Pro and Zeus)
  5. FTP Servers (IIS FTP Server, WuFTPd and WarFTPd)
  6. LDAP Servers (Netscape, IIS, Domino and Open LDAP)
  7. Load Balancing Servers (IBM Network Dispatcher, Intel, Resonate Central Dispatch, F5, ArrowPoint and Alteon)

Return to the top of the page.

How does the discovery process identify and characterize devices?

During discovery process, the service tries to find as many computers within a domain as possible.  The user provides an Internet domain name (such as "YourBankName.com"), then VISTA uses the domain's DNS (Domain Name Server) and network IP address range information.  The service performs a full ping sweep of IP addresses and fingerprinting hosts to characterize all devices found.

Return to the top of the page.

How does the scanner interact with my network?

The scanner will use standard and customized TCP/IP packets to communicate with your network infrastructure.  All testing is non-intrusive and non-destructive.

Return to the top of the page.

How does VISTA find vulnerabilities and characterize network systems?

The scanner's proprietary architecture uses adaptive intelligence to scan and run "test and compare" analysis against its KnowledgeBase of exploits.  This accelerates the scanning process and minimizes traffic load on your system. 

Return to the top of the page.

What is an Inference-Based Scanning Engine?

The scan conducts the audit using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only tests applicable to the host being scanned. Depending on the host profile discovered (for example, operating system and version, ports and service, etc) through an adaptive process, the scanner selects the appropriate test module form a library of more than 100 tests.

Return to the top of the page.

What does VISTA detect during a scan?

We gather and analyze information from all devices within the network, including the following:

Host Information 

The scanner maps your network by running scans and checks on all specified parts of your IP-based networks. The scan maps servers, workstations, routers, firewalls, switchers, printers, hubs, and other network appliances into easy-to-understand tables and charts. 

Network and Host Vulnerabilities 

The scanner uses its immense KnowledgeBase of vulnerabilities to find vulnerabilities on numerous.

Return to the top of the page.

What happens after you detect a network vulnerability?  Do you provide information to help me correct the problem?

VISTA provides a detailed report about each vulnerability, including:

  1. The vulnerable host(s)
  2. Operating system weaknesses
  3. Level of security risk of the vulnerability on an industry-standard scale of one (1) to five (5)
  4. Description of the vulnerability
  5. Recommendation for correcting the problem 

Return to the top of the page.

How many different types of vulnerabilities do you detect?

The scan check for thousands of vulnerabilities for more than 300 applications running on twenty (20) operating systems. Our engineers update the vulnerability database daily and the database grows by an average of more than 20 new vulnerabilities per week. Continuous updating of vulnerabilities ensures that your network is always audited for the latest vulnerabilities.

Return to the top of the page. 

Do firewalls interfere with the scanner audit checks?

Firewalls are essential to network security.  We test the effectiveness of firewalls plus applications that are naturally accessible through firewalls, such as Web, FTP, and mail services.

Return to the top of the page.

What impact will the scanner have on my traffic load?

The scan is designed to minimize both the audit time as well as the bandwidth it uses.  Thus, its impact on the network traffic load is minimal.  For example, if the target host or network performance deteriorates during a scan, the scan will adapt dynamically and reduce the scan speed.

Return to the top of the page.

How does the scanning service test a network for a Denial of Service (DoS) attack without bringing down the Web server?

When the scanning service tests for a Denial of Service (DoS) vulnerability on a host, it sends special test packets.  By analyzing the host's response, the scan can determine if the host is vulnerable to a DoS attack without flooding it with traffic.

Return to the top of the page.

How does the scanning service audit remote database servers?

The scanning service detects and audits databases (PostgreSQL, Oracle, MySQL, Sybase, and Microsoft SQL) without requesting any specific login or configuration.  It searches for vulnerabilities or erroneous configurations that may lead to information leaks, theft of data, or even intrusion and denial of service attacks.  Most other vulnerability assessment tools require passwords or manual configurations to scan databases.

Return to the top of the page.

How is this product bandwidth-efficient?

The scan allows for a variable bandwidth load (low, medium, high, or maximum) on the machines being scanned.  The scanners closely monitor the time-response (through RTT, response-time tests) and dynamically adjust the load according to the setting selected.  Furthermore, the scan will only run the scans appropriate to the type of machine scanned (for example, no test specific to NT will run on a Linux machine).  We typically run the scan on low bandwidth.

Return to the top of the page.

Does the scanning service look for viruses, backdoors, and trojans?

Yes.  The scan checks the most commonly used TCP and UDP ports to see which ports are open.  Then, all open ports are scanned.  Open ports are often exploited for common attacks, including netbus, back Orifice, Sockets, and various Trojan horses.  By scanning all open ports, the scanning service can also help detect unauthorized services.

Return to the top of the page.

Does the scanning service look for SNMP vulnerabilities?

The scanning service automatically detects if a system has SNMP enabled.  The scanner attempts to access the SNMP information base.  If successful, the SNMP information tree will be displayed in the scan report.

Return to the top of the page.

How long does it take for you to complete the VISTA?

There are several factors that determine how long the scan will take to run, such as the number of hosts being scanned, your scanner preferences, the number of services running on a host, network latency, and network traffic.  We normally will have the initial VISTA completed within two business days.  After you review the VISTA results, we will issue our audit letter within two business days.

Return to the top of the page.

What are the VISTA reports?

Once the identification and analysis phase is completed.  We provide easy-to-understand HTML reports that summarize the security of network devices and the results.  We generates easy-to-comprehend, actionable text, and graphical reports.  

? Summary Information
? Network Information
? Host Information
? Vulnerabilities Detected
? Severity Levels
? Potential Consequences
? Recommended Fixes (w/ patches)

We also generate a Management Summary, which contains a global view of the security level of all external network IP addresses and the changes since the last scan.  Sample html reports:

VISTA Management Summary Report

 

VISTA IT Project Report

 

Return to the top of the page.

Where are the results reported?

We post the VISTA reports on a secure web site restricted to your organization.  The reports are viewed using your browser. We notify you by email when information is posted to your secure site.  

Return to the top of the page.

What do the different vulnerability severity levels mean?

Each vulnerability and possible threat is assigned a severity level, which is determined by the security risk associated with its exploitation. The table describes the five (5) vulnerability severity levels.

Return to the top of the page.

How is the "Overall Security Risk" calculated in dynamic reports?

The "Overall Security Risk" value is the weighted average of the highest severity levels detected on each IP address included in your dynamic report. For example, let's say the dynamic report includes the following 3 hosts:

Host Highest Severity Level
A 5
B 4
C 3
Overall 4

 

Figure 3 ? Example to Determine Overall Security Risk

To calculate the "Overall Security Risk", use the following formula:

(5+4+3) divided by 3 = Overall Security Risk of "4" 

Return to the top of the page.

What ensures the privacy of VISTA information, including scan results?

First, information is stored on dedicated database servers, which are protected from remote attacks by a dedicated firewall and intrusion detection system.  In addition, the servers are located in the center of multiple security rings on a private network that utilizes non-routable addresses.  Information from our database is sent to the institution's browser via a secured 128-bit SSL connection.  The partner's key is not stored and is not accessible to employees.  Second, your VISTA results on store on our ISP severs in an ID and password protected directory for your access only.  The ISP is protected from remote attacks by a dedicated firewall and intrusion detection systems. 

Return to the top of the page.

There are links to external sources in the scan reports and dynamic reports. Is the content on these external sites verified to solve my vulnerability problem?

We post links to fixes or workarounds when they are available, as part of our service to help clients' network administrators remedy vulnerabilities.  The scanner's security engineers have validated the solution in our vulnerability lab to ensure that it functions as specified for the appropriate operating system.

Return to the top of the page.

The scanner detected a significant number of vulnerabilities and possible threats.  Who can help me to fix my systems?

Remedy information is comprehensive to allow your system administrators and/or network administrators to fix vulnerabilities found through the scanner.  If your institution does not have a vendor that can assist you, in most cases, we are able to provide a referral to a qualified information technology company in your area.

Return to the top of the page.

What expertise is needed to fix vulnerabilities?

A number of operating system have easy click and fix patches; others require downloads and installation of packages.  In some cases, all that is needed is to turn off unused services or reconfigure policies.  For example, a mail server might not need to run http, and therefore that service can be disabled.  In general, the fewer services a server supports, the less chance for vulnerabilities exist.  In some cases you may want to contact your IT department before attempting to fix vulnerabilities.

Return to the top of the page.

How does the penetration/vulnerability study test differ from intrusion testing?

The vulnerability test is basically the same as intrusion; however, the vulnerability test does not attempt to compromise (break in) the financial institution's computer operations, which greatly reduces the chance of crashing your computers.  Vulnerability testing tools are used by Internet security testers and "hackers" to determine where to compromise your computer system.  The VISTA recognizes the vulnerabilities and allows you the opportunity to close any known vulnerability, which provides reasonable assurance against unauthorized external intrusion.

Return to the top of the page.

What vulnerability assessment service does VISTA utilize?

Yennik, Inc. partners with Qualys, Inc. a worldwide leader in providing vulnerability assessment services.  Qualys performs over a billion scans a year.  While we use their QualysGuard vulnerability assessment program and technicians, we actual control and run your external VISTA.  QualysGuard is state of the art commercial vulnerability analysis software to perform the vulnerability test of the configuration of your Internet connection to your computer operations.  The QualysGuard knowledge base of exploits is constantly updated, which ensures that at the time of the test all know vulnerabilities were tested.  Qualys employs multiple sources to updating the knowledge base, including Bugtraq (a list of new vulnerabilities published and updated by Security Focus, Inc.), hacking sites monitored by Qualys, and the research of Qualys' own security engineers.

QualysGuard PCI has been approved by the PCI Council to provide PCI scanning services.  The Payment Card Industry Data Security Standard, known as PCI DSS, is a global security standard developed by the major credit card brands as a guideline to help organizations that process credit card payments protect sensitive customer data.  QualysGuard PCI is the only, fully-automated on demand PCI compliance solution that helps both Acquiring Institutions and Merchants automate PCI compliance.

Qualys, Inc., the pioneer of Managed Vulnerability Assessment, enables Yennik, Inc. to remotely and automatically audit Internet-connected networks for security vulnerabilities. 
Qualys' service platform approach enables immediate, transparent and continuous security auditing and risk assessment of global networks, inside and outside the firewall.   Founded in 1999 by a team of Internet security experts, Qualys is headquartered in Redwood Shores, California, with offices in France, Germany and the U.K. 

Return to the top of the page.

Couldn't we use a scanner directly?

Yes, and in many situation this is necessary; however, this would be considered an internal assessment and not an independent assessment because you have control over the testing configuration.  Independent testing of the institution's Internet security is required by the FFIEC Information Security Booklet on pages 80-81.  This is where Yennik, Inc., as an independent auditor with 21 years examination experience, helps your institution by providing the independent penetration-vulnerability test, which we refer to as VISTA (Vulnerability Internet Security Test Audit), which includes our audit letter to your Board of Directors certifying the test results.

Return to the top of the page.

For information about VISTA security testing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form

 

Back Button

 

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

Please visit our other auditing sites:
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
Medical Records Security
US Banks on the Internet  
US Credit Unions on the Internet
Penetration-Vulnerability Testing

 All rights reserved; Our logo Yennik, Inc. is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated
VISTA©

We are Americans and will never be defeated.