Understanding Security Assessments
By Roger Murray | October 26th, 2016
It may come as little surprise that security breaches hurt small businesses much more than larger corporations. According to the National Cybersecurity Alliance, more than 70% of attacks target small businesses, and an estimated 60% of hacked small businesses suffer devastating economic hardship, with many closing their doors within six months of a breach. While discounting the need for security may save money in the short term, the cost of a breach can range from a minor inconvenience to reputational damage, loss of private customer data, fines for failing to maintain HIPAA compliance, or, as noted, complete company closure.
Unfortunately, most security breaches can be attributed to a profound lack of awareness on the part of management; in our years of experience, even internal IT staff have overlooked or missed very real threats to their business’s network infrastructure.
“While the speed of compromising a victim’s network has drastically increased, the rate of discovery for an attack has continued to decline due to ever more sophisticated malware capable of avoiding detection for days.”
What is a Security Assessment: A proper Security Assessment will take the guesswork out of evaluating an organization’s exposure to threats. The assessment will provide a complete picture of the risks facing the network. It is an invaluable tool for any organization that depends on IT systems and processes to operate, and is a key component to any IT strategy.
“The majority of breaches involve phishing as a means to install malware. Yet, with over 8 Million Phishing Tests conducted, 30% of recipients opened the message. Even worse, 12% followed through with clicking the malicious attachment or link provided, thus enabling an attack to succeed. Finally, only 3% alerted IT or management of a possible phishing email for investigation.”
TSI has been performing Security Assessments for over a decade. Our approach has always been to ensure that an organization’s IT systems, processes, and users are aligned with the practices that best protect the network. We assess the company’s size, budget, and assets to determine the best solution.
“The results of our extensive assessments have found that the largest discrepancies and disregard for security processes involved an organization’s internal IT staff.” Gerard Louise, CEO
What a Real Security Assessment Entails: With attacks gaining ground and bypassing common fraud detection and anti-virus protection, many organizations ask what they can do to protect their network. TSI believes the first step is identifying vulnerabilities, as well as the points where it is possible to gain access.
Step 1: As with our Technology Assessments, our Security Assessment begins with interviewing the main point of contact within the organization. It is imperative that we understand the organization’s business, goals, and any existing policies. Our security risk interview includes a multitude of questions related to the organization’s products and services, including:
Access – How is user access managed, and who controls it?
Compliance & Governance – Is the company subject to compliance requirements? Is the industry private or government?
Backup & Disaster Recovery – Detailing the practices surrounding data backup and storage.
Internet & E-Mail Practices – How is highly sensitive data transferred within the organization? Is all of the information protected and encrypted?
Change Control Procedures – Discuss the steps and procedures for managing changes, as well as who is authorized to grant or revoke permissions.
Control of Services – The amount of control the organization has over the functionality of its services and products.
Data Breaches – Policies and Procedures established to protect against data breaches or other types of data compromises.
Data Privacy – Policies and Procedures implemented to maintain an appropriate level of privacy for customer data.
Data Protection – Discuss the steps that are taken to protect customer data from risks to confidentiality, integrity, and availability.
Step 2: Following the initial security interview and a review of the established policies (if any), we use a series of tools to scan the network. The intent of these scans is to determine what services or processes are running and whether all software/firmware versions are up to date, and to perform network-specific discovery scans.
The results identify the level of security and the complete list of products deployed on the network, with a corresponding effectiveness rating for anti-virus, anti-malware, application monitoring, etc.
Another component of this process is to identify and inventory all software and hardware discovered during scanning. Documenting these assets is critical to providing a complete picture of an organization’s IT infrastructure and to evaluating which assets are considered critical for protection. All data is included in the compliance reports delivered to the organization at the completion of the assessment.
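To make the scan stage concrete, here is an added example of what a service-discovery scan turns into once it is reduced to an inventory and checked for out-of-date versions. This is illustrative code written for this article, not TSI’s tooling or anything from the original page. The XML is a constructed sample in the format Nmap writes with "nmap -sV -oX out.xml", and the minimum-version table is an assumed illustration rather than real advisory data:

```python
"""Added example (not TSI's tooling): turn service-discovery scan output into
an asset inventory and flag services whose version is below a baseline.

SAMPLE_SCAN_XML is a constructed sample in the format of `nmap -sV -oX`;
MIN_VERSIONS is an assumed baseline, not a real advisory table.
"""
import xml.etree.ElementTree as ET

# Constructed sample scan output: two hosts, four probed ports.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.0/28">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Samba smbd" version="4.10.2"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.57"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed"/>
        <service name="ms-wbt-server"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed minimum acceptable versions for this assessment (hypothetical).
MIN_VERSIONS = {
    "OpenSSH": "8.0",
    "Samba smbd": "4.15.0",
    "Apache httpd": "2.4.57",
}


def version_tuple(v):
    """'7.4p1' -> (7, 4): numeric compare, non-digit suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_inventory(xml_text):
    """One record per open port: host, hostname, port, service, product, version."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # only listening services count as exposure
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            inventory.append({
                "host": addr, "hostname": hostname,
                "port": int(port.get("portid")), "proto": port.get("protocol"),
                "service": get("name"), "product": get("product"),
                "version": get("version"),
            })
    return inventory


def outdated_services(inventory, baseline=MIN_VERSIONS):
    """(host, port, product, version, minimum) for every version below baseline."""
    findings = []
    for rec in inventory:
        minimum = baseline.get(rec["product"])
        if minimum and rec["version"] and version_tuple(rec["version"]) < version_tuple(minimum):
            findings.append((rec["host"], rec["port"], rec["product"], rec["version"], minimum))
    return findings


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_SCAN_XML)
    for rec in inv:
        print(f'{rec["host"]:<12} {rec["port"]:>5}/{rec["proto"]} {rec["product"]} {rec["version"]}')
    for host, port, product, version, minimum in outdated_services(inv):
        print(f"OUTDATED {host}:{port} {product} {version} < required {minimum}")
```

Closed ports are dropped because only listening services count as exposure. The version comparison ignores non-numeric suffixes (the "p1" in OpenSSH 7.4p1, for instance), which is adequate for a triage pass but is no substitute for checking the vendor advisory against the exact build and distribution backports before reporting a finding.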
Step 3: The most important aspects of network security are reviewed during the third step of the process. The objective is to compare our findings with industry standards for protecting the organization’s network, and to provide security best-practice recommendations, such as:
Access Control Standards – Access control standards for information systems are coordinated with management; they should balance restrictions that prevent unauthorized access against the need to provide unhindered support services for daily users.
Remote User Access – Remote access control procedures should provide adequate safeguards through robust identification, authentication, and strong encryption, particularly for users who connect over open Wi-Fi networks. All activities performed by a remote user must be validated against the access control list and recorded in an audit log.
Secure Unattended Workstations – All equipment requires appropriate safeguards to prevent unauthorized access, especially when left unattended. Systems should have an automated process to logout after a set time of inactivity defined within the company policies.
Manage Network Access Control – Access to sensitive resources on a network must be strictly controlled to prevent unauthorized access. Privileged access to all computing and information systems, as well as peripherals, shall be restricted to only a few individuals and audited/reviewed often.
Control Access to Operating System Software – Access to operating system commands should always be restricted to those persons who are authorized to perform systems administration functions.
Password Management – The process of selecting passwords, their use, and management as a primary means to control access to systems should be strictly enforced through password best practice guidelines.
Secure Against Unauthorized Physical Access – Physical access to server and security-device areas must always be controlled by management. Staff authorized to enter these areas should be briefed on the security risks involved.
Restrict Access – Setting appropriate levels of access control is also paramount. This minimizes information security risk while allowing the organization’s business activities to be carried out without undue hindrance.
Monitor System Access & Use – All access/use should be logged and monitored to identify potential misuse of systems or information.
Data Protection – Proprietary data must be protected from malware attacks both while in storage and while in transit to a backup solution.
Give Access to Files & Documents – Establishing appropriate access to information and/or documents should be carefully thought out and controlled. This approach ensures that only authorized personnel may have access to sensitive information, thus limiting exposure in the event of a breach.
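The “Monitor System Access & Use” and “audited/reviewed often” recommendations above are easiest to see as a concrete review pass over a server’s authentication log. The Python below is an added example written for this article, not part of the original page or TSI’s process. The log lines are a constructed excerpt in OpenSSH’s syslog format, and the authorized-administrator list, business hours, and failed-login threshold are assumed policy values:

```python
"""Added example (not from the original article): a review pass over access
logs of the kind the "monitor system access & use" recommendation calls for.

SAMPLE_AUTH_LOG is a constructed excerpt in OpenSSH's syslog format; the
authorized administrators, business hours and threshold are assumed policy.
"""
import re
from collections import Counter

# Constructed sample log excerpt (not from a real system).
SAMPLE_AUTH_LOG = """\
Oct 26 09:12:01 fileserver sshd[2201]: Accepted publickey for alice from 10.0.5.21 port 51022 ssh2
Oct 26 09:40:17 fileserver sshd[2290]: Failed password for root from 203.0.113.9 port 40100 ssh2
Oct 26 09:40:19 fileserver sshd[2290]: Failed password for root from 203.0.113.9 port 40100 ssh2
Oct 26 09:40:21 fileserver sshd[2291]: Failed password for admin from 203.0.113.9 port 40102 ssh2
Oct 26 09:40:24 fileserver sshd[2292]: Failed password for invalid user oracle from 203.0.113.9 port 40104 ssh2
Oct 26 09:40:26 fileserver sshd[2293]: Failed password for invalid user test from 203.0.113.9 port 40106 ssh2
Oct 26 14:03:55 fileserver sshd[2410]: Accepted password for bob from 10.0.5.40 port 51800 ssh2
Oct 26 23:17:42 fileserver sshd[2502]: Accepted publickey for alice from 10.0.5.21 port 52110 ssh2
Oct 26 23:18:03 fileserver sshd[2503]: Accepted password for svc-backup from 10.0.9.3 port 33012 ssh2
"""

AUTHORIZED_ADMINS = {"alice", "svc-backup"}  # assumed: the "few individuals"
BUSINESS_HOURS = (8, 18)                     # assumed: 08:00-18:00 local
FAILED_LOGIN_THRESHOLD = 5                   # assumed policy trigger

# Matches sshd's "Accepted <method> for <user>" / "Failed <method> for <user>"
# lines; "invalid user" is skipped so the account name lands in <user>.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd login line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["hour"] = int(ev["ts"].split()[2].split(":")[0])
        events.append(ev)
    return events


def review_access(events, admins=AUTHORIZED_ADMINS,
                  hours=BUSINESS_HOURS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (kind, detail) findings a reviewer should follow up on."""
    findings = []
    # 1. Repeated failures from one source: password guessing.
    failures = Counter(ev["src"] for ev in events if ev["result"] == "Failed")
    for src, n in failures.items():
        if n >= threshold:
            findings.append(("brute_force", f"{n} failed logins from {src}"))
    for ev in events:
        if ev["result"] != "Accepted":
            continue
        # 2. Successful login by an account outside the authorized list.
        if ev["user"] not in admins:
            findings.append(("unauthorized_account", f"{ev['user']} from {ev['src']}"))
        # 3. Successful login outside business hours.
        if not (hours[0] <= ev["hour"] < hours[1]):
            findings.append(("after_hours", f"{ev['user']} at {ev['ts']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_access(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(f"{kind:<22} {detail}")
```

Against the sample the pass reports the password-guessing run from 203.0.113.9, bob’s successful login despite not being on the authorized list, and two late-night logins. The after-hours check deliberately flags the backup service account too: whether that is expected is a question for the policy owner, which is exactly the kind of discrepancy the assessment is meant to surface rather than silently accept.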
Step 4: The final report of the Security Assessment outlines the findings, while also establishing the gaps between the state of the organization’s current security/protection, and our recommendations.
The report clearly indicates whether the current approach is adequately keeping the organization safe and secure. Each recommendation for improvement includes a detailed outline explaining the discrepancy. In addition, one of our technical experts normally walks through the report in person to answer any questions or concerns.
Ultimately the report creates a roadmap to a secure business, providing evidence to support security program budget allocations and investments. Many of our clients have used the report to design or update their Internet Security policies, develop security awareness training for their staff, or implement periodic security reviews and update security software used within their organization.