As a Service Provider that specializes in Information Security, we get asked this question a lot… and rightfully so, because it has become critical to every business in our modern society. Let’s start by taking a close look at the “why” portion of this question before getting into what a Vulnerability Assessment is and what it will do for your business when performed on a regular basis.
It’s important to first understand that every business, regardless of size, collects, manages, manipulates, and stores Personally Identifiable Information (PII) from its customers, partners, and vendors. That means that every business, regardless of size, has the inherent responsibility (including under the law) to guard and protect not only its own proprietary data, but also the data that it collects, manages, and stores on behalf of others.
The second important point to understand is that in the event of a Data Breach, your organization will be required to prove its “Due Diligence” and “Due Care” in protecting the data in question, not only to your customers and your insurance company, but also likely in a court of law. This is true in both civil and criminal cases, where it is used to determine the business’s level of negligence. In addition, businesses are required to notify affected parties of a Data Breach within a very short period of time. In Wisconsin, that period is 45 days according to the “Wisconsin Data Breach Notification Law” [1] found in Section 134.98 of the Wisconsin State Statutes [2].
Therefore, the short answer for “WHY” your business needs to perform Vulnerability Assessments is that:
“Without independent auditing and testing, it’s impossible to know where your vulnerabilities are.”
Let’s look into that profound statement a little deeper, as surely many of you reading this either have your own internal IT Staff or are working with another IT Service Provider. That fact alone may prompt you to assume that your business and its data are being properly and securely protected. Maybe they are… maybe they’re not. More importantly, let’s not assume.
So, without an audit that is unswayed by self-interest or self-preservation, one that identifies your business’s vulnerabilities and presents the raw facts, how would you actually know for sure?
Truth is, you probably wouldn’t… because everyone involved with your technology and its maintenance potentially has something to lose. Keep in mind that getting someone “fired” is not the goal, nor is it ideal, at least not unless there is strong evidence of outright negligence. The goal is to identify security vulnerabilities and work as a team to get them corrected in order to provide better protection for your business.
Unless your business has a dedicated IT Security team that is completely separate from any other IT related duties, your business is far more at risk than you may think. As bold a statement as that is, it’s reasonably true. More importantly, it’s probably not your IT Staff or Service Provider’s fault… at least not directly.
In most cases the primary focus of IT, as well as the business’s expectation, is directed toward maintaining high availability and maximum uptime of the systems they support, along with performing various Help Desk duties and assisting your business’s network Users. In short, they already have their hands full, and likely don’t know what they don’t know. This means that Information Security is either not in their wheelhouse, or it’s a secondary concern to keeping the systems and the users operational. Either is a recipe for imminent disaster… one that could be avoided by performing frequent third-party Vulnerability Assessments.
Vulnerability Assessments are designed to identify and assess security threats, assign an appropriate risk level to each threat to establish the order of importance for correction, and provide guidance on how to securely harden the systems, processes, and procedures in a manner that effectively neutralizes the identified threats. It’s extremely important to stress that Vulnerability Assessments should never be performed by those who manage and maintain the system, as it is far too easy to become biased or blinded by one’s own work. The old adage, “You can’t see the forest for the trees,” comes into play here. Therefore, a qualified independent third party is required for an accurate, unbiased result.
There are several types of Vulnerability Assessments, the most common of which are generally referred to as Internal and External Vulnerability Assessments. As their names suggest, Internal Vulnerability Assessments focus on internal systems, processes, and procedures, whereas External Vulnerability Assessments focus on business systems and resources that are accessible from the Internet. Let’s take a closer look at each.
External Vulnerability Assessments
- Identify external assets via Domain Name System (DNS) lookups based on the primary Domain name.
- Perform an SSL/TLS Certificate audit to ensure properly encrypted communications to Internet-facing resources. This also identifies weak cipher suites and encryption misconfigurations.
- Perform Internet Facing Server Hardening analysis to ensure proper Security, Privacy, GDPR, PCI-DSS, and HIPAA Compliance.
- Domain Security test to identify Typosquatted, Cybersquatted, and Phishing websites abusing your brand.
- Identify unnecessary open ports and other security vulnerabilities of Internet facing assets and resources.
Internal Vulnerability Assessments
- Administrative review of security policies, processes, and procedures.
- Administrative review of physical and logical network diagrams.
- Administrative review of Incident Management Policies and Breach Notification Plans.
- Identify, inventory, and scan all assets on the network for vulnerabilities including missing software updates and patches, firewalls turned off, unauthorized software installations, etc.
- Gather Router, Switch and Wireless configurations and identify weaknesses and misconfigurations.
- Ensure Guest Access to the Internet, Phone Systems, Internet of Things (IoT) Devices, etc., is properly segregated from the Main network and that these segments cannot communicate with one another (Network Isolation).
- Check Firmware on Routers, Switches, and Wireless Access Points to ensure they are up to date.
- Gather internal Dynamic Host Configuration Protocol (DHCP) and DNS information and identify old/stale records and other misconfigurations.
- Gather Domain Information from the Domain Controller to identify old/unused Computer and User accounts that need to be removed from the system.
- Review User Accounts for Excessive User Rights Assignments.
- Gather Group Policy Object (GPO) information and look for GPO processing conflicts and Excessive User Rights Assignments.
- Review Server Shares and Access Control Lists to identify proper data management and Excessive User Rights Assignments that contradict security best practices of least privilege.
- And much more.
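For the stale-account and Excessive User Rights items in the list above, here is an added PowerShell example (not ITNS Consulting’s own script or tooling) that gathers the same evidence read-only from a Domain Controller; the 90-day inactivity threshold, the list of privileged groups and the output path are assumptions.

```powershell
# Added example, not the consultancy's tooling: a read-only Active Directory
# review for stale accounts, non-expiring passwords and privileged-group members.
# Assumes the RSAT ActiveDirectory module and a domain account with read access.
param(
    [int]$InactiveDays = 90,                 # assumed inactivity threshold
    [string]$ReportPath = ".\ad-review.csv"  # assumed output path for the findings
)
Import-Module ActiveDirectory -ErrorAction Stop

$inactive = New-TimeSpan -Days $InactiveDays
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Category, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Name = $Name; Detail = $Detail })
}

# 1. Enabled user and computer accounts with no logon inside the window.
#    Accounts that never logged on at all are reported too (LastLogonDate is empty).
Search-ADAccount -AccountInactive -TimeSpan $inactive -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'StaleUser' $_.SamAccountName "LastLogonDate=$($_.LastLogonDate)" }
Search-ADAccount -AccountInactive -TimeSpan $inactive -ComputersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'StaleComputer' $_.Name "LastLogonDate=$($_.LastLogonDate)" }

# 2. Enabled accounts whose password never expires, a common hardening gap.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Add-Finding 'PasswordNeverExpires' $_.SamAccountName '' }

# 3. Membership of the highest-privilege groups, expanded through nested groups.
#    Enterprise/Schema Admins only exist in the forest root; errors are suppressed.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'  # assumed list
foreach ($group in $privileged) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'PrivilegedMember' $_.SamAccountName "Group=$group" }
}

# Write the evidence for the findings meeting and print a per-category summary.
$findings | Sort-Object Category, Name | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Group-Object Category | Select-Object Name, Count | Format-Table -AutoSize
```

Running the same script again at the 30-45 day reassessment and diffing the two CSV files shows which findings were actually closed and which are new.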
Proper Information Security Controls should be applied to each of the seven layers of the network stack as illustrated by the OSI 7-Layer Model [9], and at every logical layer of the organization as well. With this in mind, the tools and methodologies used are critical to the effectiveness and accuracy of the Security and Vulnerability Assessments being performed.
Many Managed Service Providers (MSPs) use a product called “Network Detective” by Rapid Fire Tools [6] to perform various “Security and Technology Assessments”. In addition to Network Detective, our Security Professionals at ITNS Consulting use additional security-specific auditing and reporting tools that are recognized standards in the Information Security Industry such as:
- Kali Linux Advanced Penetration Testing and Security Auditing Suite [7],
- Nessus Professional [3],
- OpenVAS Network Vulnerability Scanner [4],
- and Rapid 7 Nexpose Vulnerability Scanner [5], to name just a few.
Our methods include utilizing our own custom scripting for network discovery in addition to leveraging several free tools that are openly available on the Internet for various types of network reconnaissance. The point of this methodology is to collect information about your business’s resources in very much the same way an attacker would before launching an attack on your systems.
Many attackers will leverage various methods of credential manipulation in order to gain higher levels of network or system access. Therefore, both authenticated and unauthenticated vulnerability assessments are required in order to provide in-depth detail about what an attacker can see, as well as what they could compromise with various credentials. By performing these extensive tests, we are able to provide the appropriate consulting necessary for identifying and managing real-world internal and external threats to your organization.
Once the Vulnerability Assessment has been successfully completed, a meeting is arranged with the business’s designated representative and the Internal IT staff and/or Managed Services Provider to discuss the findings and create an action plan to resolve the identified issues. In addition, a scheduled reassessment within 30-45 days should be performed in order to verify the issues were properly resolved. This is also a good time to make sure new vulnerabilities have not been introduced.
It is highly recommended to perform scheduled periodic assessments at least quarterly to ensure that Windows Updates and other factors do not introduce new threats into the network environment. Windows Updates have been known to periodically revert securely hardened computers and servers back to non-secure “factory” defaults, and therefore should be continually monitored very closely. In addition, hardware and software “adds, moves, and changes” can introduce vulnerabilities into the network as well.
Business level security goes far beyond just having a network firewall and anti-virus on the computers and keeping them updated. Even businesses that go as far as Email and Web filtering along with basic security training for their users are just scratching the surface of what it really takes to keep their businesses truly secure. Yet, it seems to be the norm with far too many businesses we’ve talked with… and unfortunately for them, it’s simply not enough. Routine Vulnerability Assessments need to be incorporated into your multi-layered approach to security rather than being viewed as “optional”. Otherwise, how will you know what’s working… and what isn’t?
Your organization, like every other business, is under constant attack from cyber criminals. Without proper data security and business continuity controls in place, it’s only a matter of time before these criminals get lucky and breach your defenses, take over your systems, and steal or destroy your data. Any type of security breach can have a devastating financial impact on your business and its reputation. In fact, many statistics have shown that 3 out of 5 small to medium sized businesses never fully recover from a serious data breach and are forced to close their business permanently.
As a business owner, the peace of mind of knowing that our business is safe and secure is immeasurable. Our ultimate goal at ITNS Consulting is to make sure your business has the protection you deserve! Schedule your free no-obligation consultation today to identify critical areas in your business that need immediate improvement… before it’s too late!!!
Sources:
1. Wisconsin Data Breach Notification Law
2. Wisconsin State Legislature – Section 134.98
3. Nessus Professional – #1 in Vulnerability Assessment Tools
4. OpenVAS – Network Vulnerability Scanner – Open Source Version of Nessus/Greenbone Security
5. Rapid 7 Nexpose Vulnerability Scanner
6. Network Detective by Rapid Fire Tools
7. Kali Linux – Vulnerability Assessment and Penetration Testing Tools
8. Offensive Security – Training for Security Professionals
9. OSI 7-Layer Model (links: Wikipedia, Medium)