Vulnerability Assessments and Penetration Testing – Common Issues Found

In part one of our series on Vulnerability Assessments and Penetration Testing, we will discuss the common issues that usually lead to a finding during an assessment of a company’s network or web application. In many cases, the resulting issues are exploitable and can leave valuable data available to hackers.

Data breaches are occurring at an all-time high, which has increased awareness of the importance of network security at the C level, helping IT departments to increase their budgets and move their needs to the top of every corporation’s annual budget. The need for accessible on-demand data used in real time decision making and increased focus on business efficiencies has resulted in vital / confidential data being accessible, stored, and transferred electronically across corporate networks and the internet. Attempted breaches occur every day through the use of automated bots and targeted attacks, but without proper testing, how do you know if your business or a third party service provider of yours is susceptible to attack?

The most basic, and sometimes overlooked tasks, can leave you and your organization at the highest risk for intrusion. So how can we fix that?

Proper Monitoring Network and Application Security

There are a number of common failures that an unseemingly high number of IT departments fall victim to which leave their organizations at risk for intrusion:

Delays in patching security flaws of operating systems and software;
Use of unsecure access protocols;
Lapses in licensing for antivirus, IDS, IPS, and other vulnerability identification and prevention tools;
Weak passwords for firewalls and other exposed services;
A loose software management policy;
Weak secure coding guidelines and QA review processes; and
Lapses in IT Management’s adherence to security controls and protocols.

All of these issues are preventable by ensuring a proper security maintenance program with sufficient resources dedicated to its execution is in place. A regularly scheduled external and / or internal vulnerability assessment can serve to validate operation of current security practices and identify new issues that may have been introduced as a result of an upgrade or system change.

Part two of our series will focus on how regular Vulnerability Assessments and Penetration Testing can assist with maintaining compliance with regulatory frameworks.

————————————————————-

[si-contact-form form=’10’]

Get Our Emails

SOC Reporting Guide

Popular Resources

SSAE 16 Terminology – Controls at a Service Organization

Controls at a Service Organization refer to the controls that are in place at your company. Many of these controls should be covered within your policies and procedures, as they

SOC 1 and SOC 2: A Comparative Analysis

Some organizations have heard of SAS 70, SSAE 16, and now SSAE 18, but, haven’t seen the value, other than because one of their customer require it. Truth is, that’s

SOC 1 & SOC 2 Preparation Checklist

I’ve been hearing from various people in the marketplace that they were interested in learning about some steps, at a high level, that they need to take to get off

Best Practice Strategies for SOC 2 User Access Reviews

User access reviews are a critical control in almost any IT control framework because they help ensure that users have the appropriate level of access to sensitive data and systems.

SSAE 18 / SOC 1 Type 1 Report – Background Information

A SSAE 18 / SOC 1 Type I Report shows Company’s that your Organization has appropriate controls designed and in place as of the date the report is issued. It

SSAE 16 Terminology – Carve-out Method

When performing a SSAE 16 Review, you will be inundated with various terms that you may have never heard of before. We plan on continuing with a serious of posts