Why is it important and how regular testing can benefit your company?
As business has transformed over the years to a more service-oriented environment, a significant increase in trust has been placed on outside organizations to manage business processes and corporate data. Do you truly know how secure your third party service providers networks and / or web applications are? What about your own network or web applications?
Data breaches are occurring at an all-time high. Network security’s increased awareness at the C level is also helping IT departments to increase their budgets and move to their requests to the top of every corporation’s annual budget. The need for accessible on-demand data used in real time decision making and increased focus on business efficiencies has resulted in vital / confidential data being accessible, stored, and transferred electronically across corporate networks and the internet. Attempted breaches occur every day through the use of automated bots and targeted attacks, but without proper testing, how do you know if your business or a third party service provider of yours is susceptible to attack?
Properly Monitor Network and Application Security
There are a number of common failures that an unseemingly high number of IT departments fall victim to which leave their organizations at risk for intrusion:
- Delays in patching security flaws of operating systems and software;
- Use of unsecure access protocols;
- Lapses in licensing for antivirus, IDS, IPS, and other vulnerability identification and prevention tools;
- Weak passwords for firewalls and other exposed services;
- A loose software management policy;
- Weak secure coding guidelines and QA review processes; and
- Lapses in IT Management’s adherence to security controls and protocols.
All of these issues are preventable by ensuring a proper security maintenance program with sufficient resources dedicated to its execution is in place. A regularly scheduled external and / or internal vulnerability assessment can serve to validate operation of current security practices and identify new issues that may have been introduced as a result of an upgrade or system change.
Software as a Services (SaaS) offerings, application service providers, 3rd party colocation / hosting facilities, and especially corporate networks, have become prime targets for hackers, and the number of incidents increasing yearly, as they are treasure troves for confidential and business data that are targeted by criminals. This has elevated the importance of IT Security in the enterprise and within various compliance and regulatory frameworks.
Recognized frameworks include, at minimum, requirements that a regular vulnerability assessment of either the production network and / or web application be performed. Depending upon your environment the following frameworks potentially required these assessments:
- Sarbanes-Oxley (SOX);
- Statements on Standards for Attestation Engagements 16 (SSAE 16 / SOC 1);
- Service Organization Controls (SOC) 2 / 3;
- Payment Card Industry Data Security Standard (PCI DSS);
- Health Insurance Portability and Accountability Act (HIPAA);
- Gramm Leach Bliley Compliance (GLBA); and
- Federal Information System Controls Audit Manual (FISCAM).
Commonly Identified Risks
- Inappropriate SSL Certificate (expired, not properly configured, self-signed, etc.);
- Unknown or unnecessarily open shares;
- Dormant user accounts that have not expired;
- Unnecessary open ports;
- Rogue devices connected to your systems;
- Dangerous script configurations;
- Servers allowing use of dangerous protocols;
- Incorrect permissions on important system files;
- Running of unnecessary, potentially dangerous services;
- Default passwords in use; and
- Unpatched services / applications.
Cyber Security Risk Management Preparedness
The US-CERT (Computer Emergency Readiness Team) Recommends CEO’s and Business Owners to ask themselves the following questions regarding their readiness to defend against and recover from a cyber-attack:
- How Is Our Executive Leadership Informed About the Current Level and Business Impact of Cyber Risks to Our Company?
- What Is the Current Level and Business Impact of Cyber Risks to Our Company? What Is Our Plan to Address Identified Risks?
- How Does Our Cyber Security Program Apply Industry Standards and Best Practices?
- How Many and What Types of Cyber Incidents Do We Detect In a Normal Week? What is the Threshold for Notifying Our Executive Leadership?
- How Comprehensive Is Our Cyber Incident Response Plan? How Often Is It Tested?
These questions may seem obvious to you if you have a strong security or controls background, but you would be surprised at the number of executives that have put little to no thought into IT security and how an intrusion would impact them directly. Having a regularly scheduled internal or external vulnerability assessment and penetration test performed is a good way to inform executive leadership of the threats facing the company, determine the Company’s current risk level and adherence to industry standards and best practices, and to test ITs ability to respond to intrusion attempts and other incidents.