What Your Business Needs to Know About Security Assessments
Cyber attacks pose a risk to all sorts of networks and computer systems. Security hardening your networks, whether they’re on-premises or on the cloud, is absolutely necessary. Data breaches, DDoS attacks, and malware can cost your business a lot of money in regulatory fines, litigation, reputational damage, theft, and downtime.
However, security hardening is never a one-size-fits-all solution, and it’s never a set-it-and-forget-it solution either.
Data privacy regulations change, and the cyber threat landscape continuously evolves. Making any changes to your network, from new endpoints to new applications, will change your security needs. Your security needs may also change according to how much risk you’re willing to manage. There’s always some degree of risk to your information security, no matter the circumstance. Nothing is 100% secure, and your network is unique.
The truth is that you can’t know how to improve your network’s security without proper and thorough security assessments, and these should be done at least periodically to test your network’s readiness.
There are many different types of cybersecurity assessments and different ways to conduct them. Both how and which assessments you need will vary according to the unique nature of your business and your networks.
Below is a summary of some common types of security assessments to get you started on the path to improving your network’s security.
Audits are conducted to determine your network and organization’s compliance with specific regulations, such as the GDPR or HIPAA. Where your business operates and which industry you’re in will determine which regulations you must comply with. Canadian businesses need to comply with Canada’s PIPEDA data privacy regulations. American financial institutions need to comply with the Gramm–Leach–Bliley Act.
Data breaches occur constantly, and most are never reported in the media. If the government audits your business or if a data breach is discovered, your business could face hefty fines. However, if you keep up with your own security audits to assure regulatory compliance, then you’ll be prepared for any surprise government audit in the future.
Audits are always for specific regulations. Therefore, it is important to both know which regulations apply to your business, and to conduct periodic audits to ensure compliance. Money spent on self-conducted audits is always money well spent, preventing much more expensive fines, litigation, and reputational damage.
An apple a day keeps the doctor away! But do keep in mind that a compliance audit measures how well your network complies with specific regulations, not how secure your network is in a pragmatic sense. I can make sure that I abide by all traffic regulations and please my driving instructor. But if the speed limits are dangerous and a storm leads to poor visibility and slippery roads, my driving may still be unsafe.
Risk assessments start with your Blue Team, if your company has one. Otherwise, they should be started by whoever in your organization is responsible for making decisions about the security of your data. Risk assessments are conducted to determine what your business has to lose, and how much risk you’re willing to accept. For example, all of the data stored on your servers on-premises or in the cloud is a data asset. What potential threats pertain to those assets?
As I mentioned, nothing is 100% secure. There’s always some degree of risk. Usually balance needs to be found between security and usability. That’s why your network will always face some degree of risk, and you will need to decide how much risk is acceptable. For instance, if you try to secure your network like Fort Knox, your remote employees might not be able to access their corporate email which may hurt your business’ productivity and flexibility. If your company needs connectivity to your employees’ own phones and laptops, you’ll need a Bring Your Own Device policy.
Ultimately, your organization will need to conduct risk assessments to determine what your assets are, which risks they face, and what an acceptable level of risk is relative to the liberties you’ll need in order to conduct business.
Vulnerability assessments are often confused with penetration tests. However, if you haven’t done much focused security hardening, vulnerability assessments are where you have to start. Network vulnerability scans (with applications such as Metasploit Framework), checklists, application scans, Common Vulnerabilities and Exposures (CVEs) specific to the software and hardware your network uses, and host-based scans (targeting servers) are common methods and tools for vulnerability assessments. You will need to know which vulnerabilities pertain to your organization’s specific software, hardware, networking devices, cloud platforms, and the various ways your organization has configured them. From there you can apply patches, mitigations, and other specific security hardening techniques.
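As an added illustration of the last step above (not code from the original article), the script below matches a constructed software inventory against a constructed list of advisories, taking each host’s configuration into account so that a finding is only raised where the host is actually exposed. The CVE ids, product names, versions and configuration keys are all placeholders.

```python
"""Added example: a minimal vulnerability-assessment step that correlates an
inventory with advisories. All ids, products and versions are constructed."""
from dataclasses import dataclass, field

@dataclass
class Advisory:
    cve: str           # placeholder id, not a real CVE
    product: str
    fixed_in: tuple    # first version that contains the fix
    severity: float    # CVSS-style score, 0-10
    requires: dict = field(default_factory=dict)  # config needed for exposure

def parse_version(s):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def is_exposed(host, adv):
    """Exposed if the host runs an affected version of the product AND its
    configuration matches every precondition the advisory requires."""
    version = host["software"].get(adv.product)
    if version is None or parse_version(version) >= adv.fixed_in:
        return False
    return all(host["config"].get(k) == v for k, v in adv.requires.items())

def assess(inventory, advisories):
    """Return findings sorted by severity (highest first), each with the
    remediation target: the first fixed version of the product."""
    findings = []
    for host in inventory:
        for adv in advisories:
            if is_exposed(host, adv):
                fix = "upgrade %s to %s" % (adv.product, ".".join(map(str, adv.fixed_in)))
                findings.append({"host": host["name"], "cve": adv.cve,
                                 "severity": adv.severity, "fix": fix})
    return sorted(findings, key=lambda f: -f["severity"])

# Constructed sample inventory and advisories (placeholders, not real data).
INVENTORY = [
    {"name": "web-01", "software": {"webserver": "2.4.1", "libssl": "1.1.0"},
     "config": {"tls_compression": True}},
    {"name": "db-01", "software": {"dbengine": "10.2.0"},
     "config": {"remote_admin": False}},
    {"name": "app-02", "software": {"webserver": "2.4.5"},
     "config": {"tls_compression": False}},
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "webserver", (2, 4, 3), 9.8),
    Advisory("CVE-0000-0002", "libssl", (1, 1, 1), 5.9, {"tls_compression": True}),
    Advisory("CVE-0000-0003", "dbengine", (10, 3, 0), 8.1, {"remote_admin": True}),
]

if __name__ == "__main__":
    for finding in assess(INVENTORY, ADVISORIES):
        print(finding)
```

Note that db-01 runs an affected dbengine version but is not reported, because the advisory’s precondition (remote administration enabled) is not met; this is the kind of configuration-specific judgement the paragraph above refers to.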
Penetration testing is when your organization employs specialists who act as cyber attackers in order to conduct simulated cyber attacks. Penetration tests should only be conducted when your network has a moderate or advanced level of security maturity, and with the assumption that your network has already received vulnerability assessments, risk assessments, and compliance audits.
There should be a specific scope and framework for your penetration tests, and your penetration testers must stay within them. You could test the physical security of your data center: could a cyber attacker physically break into the building? Social engineering is a common way that cyber attackers acquire unauthorized access to your network: would your employees be fooled by phishing or a scam phone call? Ransomware is a huge problem: are your data backups reliable? Could you detect malware in your network? Penetration tests are for specific cyber attacks when you’re already confident about your network’s security. Penetration tests assess whether or not your confidence is justified.
Most of the big software companies have bug bounty programs these days. Apple offers bounties of $100,000 if a tester finds a vulnerability under very specific conditions! And often companies in various other industries offer bug bounty programs simply to reward outsiders for finding their vulnerabilities.
Bug bounty programs are offered to people outside your organization and members of the general public. Those outsiders must meet very particular vulnerability disclosure requirements so that an organization can patch a vulnerability before cyber attackers discover it. However, not all organizations should have bug bounty programs. If your company can’t handle customers and other members of the general public going bug hunting, a bug bounty program isn’t right for you. And that’s nothing to be ashamed of. But if your company develops software, has a high level of security maturity, carefully designed vulnerability disclosure policies, and a budget to give $5,000 or $50,000 to lucky bug hunters, a bug bounty program might be right for you.
So, where do you go from here...
Depending on lots of different factors, one or two or all of these types of security assessments may be appropriate for your organization. Whatever your business’ unique needs are, your cybersecurity will need to be assessed somehow in order to prevent cyber attacks and have ready and effective incident response.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.
Contact us to learn more. Don’t Gamble With Your Security
Written by Kim Crawley
I write about cybersecurity for various vendors and blogs like AT&T, BlackBerry Cylance, Kaspersky, Venafi and Corporate Information Technologies.