Yennik, Inc.

Internal VISTA
Penetration-vulnerability Testing

Internal VISTA Frequently Asked Questions

VISTA Home Page

For information about VISTA security testing, please select the request form below that meets your security needs.

External - VISTA information request form
Internal - VISTA information request form
 

What is the internal VISTA penetration study?
What is the difference between the Internal - VISTA and the External - VISTA?
Why wouldn't our outsourced IT company's internal-vulnerability test be considered independent?
Would the internal VISTA be helpful to our network administrator?
Does the internal VISTA meet the regulatory requirement for a vulnerability test including testing virtual machines?
How much does it cost to perform the internal - VISTA?
Why is there no 30-day follow-up like the external VISTA?
How often is the vulnerability database updated?
What happens if our network experiences rapid growth, for example through an acquisition?
What is the typical size of a financial institution in need of the internal VISTA?
Do I need to be an expert in security to be able to understand the VISTA reports?
What are the minimal requirements to start the internal VISTA penetration study?
How does Yennik, Inc. support VISTA?
How often should we have the internal VISTA performed?
What methodology does VISTA use to assess the vulnerabilities in a system?
What devices are detected in the discovery process?
How does the scanner box interact with my network?
How does VISTA find vulnerabilities and characterize network systems? 
What is an Inference-Based Scanning Engine? 
What does VISTA detect during a scan?
What happens after you detect a network vulnerability?  Do you provide information to help me correct the problem? 
How many different types of vulnerabilities do you detect?
What impact will the scanner have on my traffic load?
How does the scanning service audit remote database servers?
How is this product bandwidth-efficient?
Does the scanning service look for viruses, backdoors, and trojans?
Does the scanning service look for SNMP vulnerabilities?
How long does it take for you to complete the internal VISTA?
What are the VISTA reports?
Where are the results reported?
What do the different vulnerability severity levels mean?
How is the "Overall Security Risk" calculated in dynamic reports? 
What ensures the privacy of VISTA information, including scan results? 
There are links to external sources in the scan reports and dynamic reports. Is the content on these external sites verified to solve my vulnerability problem?
The scanner detected a significant number of vulnerabilities and possible threats.  Who can help me to fix my systems?
What expertise is needed to fix vulnerabilities?

How does the penetration/vulnerability study test differ from intrusion testing?
What vulnerability assessment service does VISTA utilize?
Couldn't we use a scanner directly?

Why should we use the VISTA security testing services?

What is the internal VISTA penetration study?

The internal VISTA penetration study is an audit of the process of identifying network and device vulnerabilities before hackers can exploit the security holes.  The vulnerability test, performed with tools also called security scanners, assesses the security of your network or host systems and reports system vulnerabilities that your network administrator can use to make any necessary security adjustments.  Vulnerability testing can scan networks, servers, virtual machines, firewalls, routers, and applications for vulnerabilities.  Generally, the scan can detect known security flaws or bugs in software and hardware, determine whether the systems are susceptible to known attacks and exploits, and search for system weaknesses such as settings contrary to established security policies.

Penetration testing is a "best practice" IT security tool for any financial institution connected to the Internet.  Independent testing is required by the recently released FFIEC Information Security Booklet (pages 80-81) as well as by the Gramm-Leach-Bliley Act.  

Return to the top of the page.  

What is the difference between the Internal - VISTA and the External - VISTA?

The External - VISTA tests your financial institution's connection to the Internet to ensure that your firewall is properly configured to prevent unauthorized intrusion from hackers.

The Internal - VISTA tests your financial institution's internal network, which includes your servers, virtual machines, firewalls, routers, and workstations, to prevent unauthorized intrusion from insiders.

To perform the VISTA-total or the Internal - VISTA, we install a pre-programmed scanner box on your network.
(Image: scanner box)

Return to the top of the page.

Why wouldn't our outsourced IT company's internal-vulnerability test be considered independent?

Since your vendor probably designed your computer security, the vendor would not be considered independent.  In addition, the vendor probably sells software and hardware.  Yennik, Inc. is strictly an IS security auditing firm; we do not sell software or hardware.

Return to the top of the page.

Would the internal VISTA be helpful to our network administrator?

Definitely.  Your network administrator, whether internal or outsourced, would use the results to determine how to better secure your internal network.

Return to the top of the page.

Does the internal VISTA meet the regulatory requirement for a vulnerability test including virtual machines?

Yes.  In addition, internal VISTA is a security tool recommended by Internet security best practices.  A banker told us that the VISTA reports and audit letter were especially helpful during the FDIC information systems examination, when the bank was asked which tools it uses to identify and control risk.  "Verbal assurances are not enough.  By showing the FDIC our VISTA reports and audit letter, we proved that we regularly identify risks, rank them by priority, adjust our actions to eliminate those risks, and then verify that we're no longer vulnerable." 

Return to the top of the page.

How much does it cost to perform the internal - VISTA?

A one-time internal test is $5,000.  The initial annual internal VISTA starts at $4,000.  Additional testing during the year is $1,600.  We offer semi-annual, quarterly, or monthly testing.

External VISTA clients receive a $1,000 client's discount off the initial test.  For more detailed information about internal VISTA testing plans and pricing, please complete the Internal - VISTA information request form at https://yennik.com/forms-vista-info/internal_vista_info_form.htm or call Kinney Williams at Office 806-798-7119 to further discuss pricing plans.

Return to the top of the page.

Why is there no 30-day follow-up like the external VISTA?

The internal testing is completely different from external testing.  External vulnerabilities are quickly resolved; however, internal vulnerabilities require network administrator time to ensure that correcting the internal vulnerability does not take down the system or make core applications non-functional.  As such, an institution may have to operate with an internal vulnerability, but at least the vulnerability is known and can be monitored.

Our experience has shown that 30 days is not enough time for network administrators to properly assess and correct internal vulnerabilities.  To allow you sufficient time to evaluate the internal test results on your schedule, we offer additional testing over the year at a reduced fee from the initial testing.

Return to the top of the page.

How often is the vulnerability database updated?

The vulnerability database is updated daily as new vulnerabilities emerge.  Our service maintains the most comprehensive and up-to-date KnowledgeBase in the security industry.  The CVE-compliant KnowledgeBase tracks thousands of vulnerabilities for more than three hundred (300) applications on twenty (20) operating systems.

Return to the top of the page.

What happens if our network experiences rapid growth, for example through an acquisition?

The internal VISTA scales virtually infinitely with a financial institution's network growth.  We can easily add or remove IP addresses to your vulnerability audit.

Return to the top of the page.

What is the typical size of a financial institution in need of the internal VISTA?

The internal VISTA is the first scalable, affordable Web service providing cost-effective internal network auditing for financial institutions of every size.  Our internal VISTA clients range in size from $50 million in assets and up.

Return to the top of the page.

Do I need to be an expert in security to be able to understand the VISTA reports?

No.  The VISTA reports are self-explanatory and easily understood by your network administrator.  The audit report is written to be understood by your Board of Directors as to the security risks associated with the Internet.

Return to the top of the page.

What are the minimal requirements to start the internal VISTA penetration study?

Your authorization and the internal IP addresses you want tested.  It normally takes about two weeks to order and deliver the scanner box.  Please contact Kinney Williams at examiner@yennik.com for more information.

Return to the top of the page.

How does Yennik, Inc. support VISTA?

Since we are IS auditors, we are available to answer your overall security questions and help you understand the possible exposure to your institution.  If technical issues need addressing, we use our service's qualified technical support staff to assist your Network Administrator with technical questions.

Email support is always available at examiner@yennik.com or call R. Kinney Williams at Office 806-798-7119.   

Return to the top of the page.

How often should we have the internal VISTA performed?

This differs with each institution.  If you are already having internal or vendor network vulnerability testing performed, we would recommend having the internal VISTA performed at least annually.  Most institutions should have the internal VISTA performed at least semi-annually.  Larger operations should consider having the VISTA performed quarterly or monthly.  The FFIEC Information Security Booklet on pages 80-81 requires an annual independent penetration test.

Return to the top of the page.

What methodology does VISTA use to assess the vulnerabilities in a system?

VISTA is a continuous process designed to identify, track, and eliminate vulnerabilities before they are exploited.  This process has four basic steps:

Step 1: Discover - Dynamic identification of all perimeter devices

Step 2: Analyze - Powerful scanning engine and up-to-date vulnerability database

Step 3: Report - Concise, actionable reporting with trend analysis

Step 4: Remedy - Links to methods for correcting vulnerabilities 

Return to the top of the page.

What devices are detected in the discovery process?

The following devices are identified in the discovery process:

  1. Routers, Administrable Switches and Hubs (Cisco, 3Com, Nortel Networks, Cabletron, Lucent, Intel and Newbridge)
  2. Operating systems including virtual operations (NT 3.5, NT4.0, NT 2000, Win9x, Linux, BSD, MacOS X, Solaris, HP-UX, Irix, AIX, SCO and Novell)
  3. Firewalls (CheckPoint Firewall-1, Novell Border Manager, TIS, CyberGuard and Ipchains)
  4. Web Servers (Apache, Microsoft IIS, Lotus Domino, Netscape Enterprise, IpSwitch, WebSite Pro and Zeus)
  5. FTP Servers (IIS FTP Server, WuFTPd and WarFTPd)
  6. LDAP Servers (Netscape, IIS, Domino and Open LDAP)
  7. Load Balancing Servers (IBM Network Dispatcher, Intel, Resonate Central Dispatch, F5, ArrowPoint and Alteon)

Return to the top of the page.

How does the scanner box interact with my network?

The scanner box uses standard and customized TCP/IP packets to communicate with your network infrastructure.  The testing is non-intrusive and non-destructive.

Return to the top of the page.

How does VISTA find vulnerabilities and characterize network systems?

The scanner's proprietary architecture uses adaptive intelligence to scan and run "test and compare" analysis against its KnowledgeBase of exploits.  This accelerates the scanning process and minimizes traffic load on your system. 

Return to the top of the page.

What is an Inference-Based Scanning Engine?

The scan conducts the audit using its Inference-Based Scanning Engine, an adaptive process that intelligently runs only the tests applicable to the host being scanned.  Depending on the host profile discovered through this adaptive process (for example, operating system and version, ports and services, etc.), the scanner selects the appropriate test modules from a library of more than 100 tests.

Return to the top of the page.

What does VISTA detect during a scan?

We gather and analyze information from all devices within the network, including the following:

Host Information 

The scanner maps your network by running scans and checks on all specified parts of your IP-based networks.  The scan maps servers, virtual machines, workstations, routers, firewalls, switches, printers, hubs, and other network appliances into easy-to-understand tables and charts.

Network and Host Vulnerabilities 

The scanner uses its immense KnowledgeBase of vulnerabilities to find vulnerabilities on numerous.

Return to the top of the page.

What happens after you detect a network vulnerability?  Do you provide information to help me correct the problem?

The internal VISTA provides a detailed report about each vulnerability, including:

  1. The vulnerable host(s)
  2. Operating system weaknesses
  3. Level of security risk of the vulnerability on an industry-standard scale of one (1) to five (5)
  4. Description of the vulnerability
  5. Recommendation for correcting the problem 

Since we are IS auditors, we are available to answer your overall security questions and help you understand the possible exposure to your institution.  If technical issues need addressing, we use our service's qualified technical support staff to assist your Network Administrator with technical questions.

Return to the top of the page.

How many different types of vulnerabilities do you detect?

The scan checks for thousands of vulnerabilities for more than 300 applications running on twenty (20) operating systems.  Our service's engineers update the vulnerability database daily, and the database grows by an average of more than 25 new vulnerabilities per week.  Continuous updating of vulnerabilities ensures that your network is always audited for the latest vulnerabilities.

Return to the top of the page. 

What impact will the scanner have on my traffic load?

The scan is designed to minimize both the audit time as well as the bandwidth it uses.  Thus, its impact on the network traffic load is minimal.  For example, if the network performance deteriorates during a scan, the scan will adapt dynamically and reduce the scan speed.

Return to the top of the page.

How does the scanning service audit remote database servers?

The scanning service detects and audits databases (PostgreSQL, Oracle, MySQL, Sybase) without requesting any specific login or configuration.  It searches for vulnerabilities or erroneous configurations that may lead to information leaks, theft of data, or even intrusion and denial of service attacks.  Most other vulnerability assessment tools require passwords or manual configurations to scan databases.

Return to the top of the page.

How is this product bandwidth-efficient?

The scan allows for a variable bandwidth load (low, medium, high, or maximum) on the machines being scanned.  The scanners closely monitor the time-response (through RTT, response-time tests) and dynamically adjust the load according to the setting selected.  Furthermore, the scan will only run the scans appropriate to the type of machine scanned (for example, no test specific to NT will run on a Linux machine).  We typically run the scan on low bandwidth.

Return to the top of the page.

Does the scanning service look for viruses, backdoors, and trojans?

Yes.  The scan checks the most commonly used TCP and UDP ports to see which ports are open.  Then, all open ports are scanned.  Open ports are often exploited for common attacks, including NetBus, Back Orifice, Sockets, and various Trojan horses.  By scanning all open ports, the scanning service can also help detect unauthorized services.

Return to the top of the page.

Does the scanning service look for SNMP vulnerabilities?

The scanning service automatically detects if a system has SNMP enabled.  The scanner attempts to access the SNMP information base.  If successful, the SNMP information tree will be displayed in the scan report.

Return to the top of the page.

How long does it take for you to complete the internal VISTA?

There are several factors that determine how long the scan will take to run, such as the number of hosts being scanned, your scan preferences, the number of services running on a host, network latency, and network traffic.  It takes about two weeks for us to deliver you the internal scanner box.  After that, we normally will have the internal VISTA completed within two business days. 

Return to the top of the page.

What are the VISTA reports?

Once the identification and analysis phase is completed, we provide easy-to-understand HTML reports that summarize the security of network devices and the results.  We generate easy-to-comprehend, actionable text and graphical reports covering:

- Summary Information
- Network Information
- Host Information
- Vulnerabilities Detected
- Severity Levels
- Potential Consequences
- Recommended Fixes (with patches)

We also generate a Management Summary, which contains a global view of the security level of all network IP addresses.  Sample HTML reports:

Internal VISTA Management Summary Report

Internal VISTA IT Project Report

Return to the top of the page.

Where are the results reported?

We post the VISTA reports on a secure web site restricted to your organization.  The reports are viewed using your browser. We notify you by email when information is posted to your secure site.  

Return to the top of the page.

What do the different vulnerability severity levels mean?

Each vulnerability and possible threat is assigned a severity level, which is determined by the security risk associated with its exploitation. The table describes the five (5) vulnerability severity levels.

Return to the top of the page.

How is the "Overall Security Risk" calculated in dynamic reports?

The "Overall Security Risk" value is the weighted average of the highest severity levels detected on each IP address included in your dynamic report. For example, let's say the dynamic report includes the following 3 hosts:

Host     Highest Severity Level
A        5
B        4
C        3
Overall  4

Figure 3: Example to Determine Overall Security Risk

To calculate the "Overall Security Risk", use the following formula:

(5 + 4 + 3) / 3 = Overall Security Risk of "4"
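The aggregation described above, written out as an added example (this is not Yennik's or Qualys' code).  It assumes scan findings arrive as (host, severity) pairs on the page's 1-to-5 scale, that only each host's highest severity counts, and that a non-integer mean is rounded to the nearest whole level; the findings list and the rounding rule are constructed assumptions, not values from the page.

```python
"""Overall Security Risk aggregation as described in the VISTA FAQ.

Added example, not the service's own code.  Assumptions: findings are
(host, severity) pairs with severity on the 1-5 scale; the overall value
is the mean of each host's highest severity (the page's (5+4+3)/3 = 4
case); non-integer means are rounded half up to a whole level.
"""

# Constructed sample findings: (host, severity).  Hosts A, B and C mirror the
# page's example; the extra low-severity findings on A and B show that only
# the highest severity per host feeds the overall value.
SAMPLE_FINDINGS = [
    ("A", 5), ("A", 2),
    ("B", 4), ("B", 4), ("B", 1),
    ("C", 3),
]


def highest_severity_per_host(findings):
    """Map each host to the highest severity level detected on it."""
    highest = {}
    for host, severity in findings:
        if not 1 <= severity <= 5:
            raise ValueError(f"severity {severity} on {host} is outside the 1-5 scale")
        highest[host] = max(highest.get(host, 0), severity)
    return highest


def overall_security_risk(findings):
    """Mean of the per-host highest severities, rounded half up to a whole level.

    Returns 0 when there are no findings, since there is no host to average over.
    """
    highest = highest_severity_per_host(findings)
    if not highest:
        return 0
    mean = sum(highest.values()) / len(highest)
    # Round half up (assumed rule) rather than Python's default banker's rounding,
    # so that a mean of 4.5 reports as level 5.
    return int(mean + 0.5)


def hosts_by_priority(findings):
    """Hosts ordered from worst to least severe, the order a remediation plan would use."""
    highest = highest_severity_per_host(findings)
    return sorted(highest, key=lambda host: (-highest[host], host))


if __name__ == "__main__":
    print(highest_severity_per_host(SAMPLE_FINDINGS))
    print("Overall Security Risk:", overall_security_risk(SAMPLE_FINDINGS))
    print("Remediation order:", hosts_by_priority(SAMPLE_FINDINGS))
```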

Return to the top of the page.

What ensures the privacy of VISTA information, including scan results?

First, information is stored on the service's dedicated database servers, which are protected from remote attacks by a dedicated firewall and intrusion detection system.  In addition, the servers are located in the center of multiple security rings on a private network that uses non-routable addresses.  Information from our database is sent to the institution's browser via a secured 128-bit SSL connection.  The scanner's key is not stored and is not accessible to the service's employees.  Second, your VISTA results are stored on our ISP's servers in an ID- and password-protected directory for your access only.  The ISP is protected from remote attacks by a dedicated firewall and intrusion detection systems.

Return to the top of the page.

There are links to external sources in the scan reports and dynamic reports. Is the content on these external sites verified to solve my vulnerability problem?

We post links to fixes or workarounds when they are available, as part of our service to help clients' network administrators remedy vulnerabilities.  The scanner's security engineers have validated the solution in our vulnerability lab to ensure that it functions as specified for the appropriate operating system.

Return to the top of the page.

The scanner detected a significant number of vulnerabilities and possible threats.  Who can help me to fix my systems?

Remedy information is comprehensive to allow your system administrators and/or network administrators to fix vulnerabilities found through the scanner.  If your institution does not have a vendor that can assist you, in most cases, we are able to provide a referral to a qualified information technology company in your area.

Return to the top of the page.

What expertise is needed to fix vulnerabilities?

A number of operating systems have easy click-and-fix patches; others require downloading and installing packages.  In some cases, all that is needed is to turn off unused services or reconfigure policies.  For example, a mail server might not need to run HTTP, and therefore that service can be disabled.  In general, the fewer services a server supports, the less chance that vulnerabilities exist.  In some cases you may want to contact your IT department before attempting to fix vulnerabilities.

Return to the top of the page.

How does the penetration/vulnerability study test differ from intrusion testing?

The vulnerability test is basically the same as intrusion testing; however, the vulnerability test does not attempt to compromise (break into) the financial institution's computer operations, which greatly reduces the chance of crashing your computers.  Vulnerability testing tools are used by Internet security testers and "hackers" to determine where to compromise your computer system.  VISTA recognizes the vulnerabilities and allows you the opportunity to close any known vulnerability, which provides reasonable assurance against unauthorized external intrusion.

Return to the top of the page.

What vulnerability assessment service does VISTA utilize?

Yennik, Inc. engages Qualys, Inc., a worldwide leader in providing vulnerability assessment services, and uses its internal scanner box.  We use their QualysGuard vulnerability assessment program and technicians.  QualysGuard is state-of-the-art commercial vulnerability analysis software used to perform the vulnerability test of the configuration of your Internet connection to your computer operations.  The QualysGuard knowledge base of exploits is constantly updated, which ensures that at the time of the test all known vulnerabilities were tested.  Qualys employs multiple sources to update the knowledge base, including Bugtraq (a list of new vulnerabilities published and updated by Security Focus, Inc.), hacking sites monitored by Qualys, and the research of Qualys' own security engineers.

QualysGuard PCI has been approved by the PCI Council to provide PCI scanning services.  The Payment Card Industry Data Security Standard, known as PCI DSS, is a global security standard developed by the major credit card brands as a guideline to help organizations that process credit card payments protect sensitive customer data.  QualysGuard PCI is the only fully automated, on-demand PCI compliance solution that helps both Acquiring Institutions and Merchants automate PCI compliance.

Qualys, Inc., the pioneer of Managed Vulnerability Assessment, enables Yennik, Inc. to remotely and automatically audit Internet-connected networks for security vulnerabilities. 
Qualys' service platform approach enables immediate, transparent and continuous security auditing and risk assessment of global networks, inside and outside the firewall.   Founded in 1999 by a team of Internet security experts, Qualys is headquartered in Redwood Shores, California, with offices in France, Germany and the U.K. 

Return to the top of the page.

Couldn't we use a scanner directly?

Yes, and in many situations this is necessary; however, this would be considered an internal assessment and not an independent assessment of the institution's Internet security as required by the FFIEC Information Security Booklet on pages 80-81.  This is where Yennik, Inc., as an independent auditor with 21 years of examination experience, helps your institution by providing the independent penetration-vulnerability test, which we refer to as VISTA (Vulnerability Internet Security Test Audit) and which includes our audit letter to your Board of Directors certifying the test results.

Return to the top of the page.

Company Information
Yennik, Inc.
4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
