Security assessments can help organizations win the war against cyberattacks by identifying and remediating vulnerabilities.
“If you know your enemies and know yourself, you
can win a hundred battles without a single loss.”
–Sun Tzu, The Art of War
Sometime in the sixth century B.C., Chinese general Sun Tzu wrote one of the most successful books on military strategy. In it, he states that strong leadership and sound planning can result in victory over a superior force. Conversely, he explains that overconfidence can lead to stunning defeat.
The Art of War offers sage advice for organizations battling IT security threats. General Sun understood that assessing risks and developing a plan of attack are more important than engaging the enemy head on. He also warned that failing to identify your own weaknesses can give your opponent the opportunity to gain the upper hand.
Hackers operate by exploiting network vulnerabilities, and the number of vulnerabilities that threaten any given organization continues to grow exponentially. In this climate, organizations must start by gaining greater visibility into the type and number of threats they are facing. A comprehensive security assessment can help organizations identify vulnerabilities, prioritize actions and move more quickly to mitigate those risks.
“The art of war is of vital importance.”
General Sun recognized that war exacts a high cost, both in human and monetary terms. As a result, The Art of War emphasizes the importance of understanding how the enemy operates in order to win the war while avoiding the high cost of direct conflict insofar as possible.
The cost of a network security breach can also be substantial. According to the Ponemon Institute, the average total cost of a data breach reached $3.8 million in 2015, a 23 percent increase over 2013. Even where sensitive data is not compromised, organizations can experience costly downtime, lost reputation and reduced morale.
In the past, network security depended upon a hardened perimeter to keep intruders outside of the network boundaries. Today, networks have become more fluid, extending to growing numbers of remote and mobile users and cloud-based applications. The so-called “attack surface” has grown dramatically, with numerous points where an intruder might be able to penetrate the network.
This makes it increasingly difficult for organizations to examine every avenue for network access as a potential security gap. Vulnerability assessments, penetration tests and regulatory compliance audits are key to the development of a sound security strategy.
“If the enemy is superior in strength, evade him.”
Vulnerability assessments involve running internal and external scan on an organization’s network to find known weaknesses. Security experts recommend using multiple, professional-grade tools — a scan using off-the-shelf shareware won’t find very much and may have a 40 percent false positive rate. Using a variety of tools and techniques enables IT teams to validate the results and minimize false positives.
Depending upon the size of the network, a vulnerability assessment can take anywhere from a couple of hours to a couple of days to complete. But the real work takes place before and after the scan itself. Prior to the scan organizations should inventory the IT infrastructure and tailor the scan to target potential vulnerabilities.
When the scan is complete, a detailed report is generated that includes a definition of the found vulnerabilities, how they might be exploited, and how that might affect the organization’s security posture. Using that report, security experts can develop a plan that shows how to remediate the vulnerabilities.
“Seizing the enemy without fighting is the most skillful.”
Penetration tests utilize some of the same processes as a vulnerability assessment validation, but go much deeper. The information gathered is used to launch strategic attacks — the types of attacks hackers would launch based upon their eavesdropping over a period of time. The goal is to gain the perspective of what a hacker would see and what the hacker could do to penetrate the network.
The penetration testing report is focused on the systems that the IT team was actually able to penetrate. It is often very eye-opening. It helps organizations understand their level of exposure and what needs to be done to reduce that exposure.
Penetration testing is used to determine the effectiveness of the technical, operational and physical controls in place in the organization, as well as the organization’s vulnerability to a particular threat. As such, penetration testing is particularly important for customers facing regulatory compliance audits. The internal and external scan, coupled with a review of security policies, can help organizations improve their security posture, adopt compliance best practices and ultimately pass compliance audits.
“Security against defeat lies in our own hands.”
A security assessment is essentially a superset of these services. It generally consists of an internal and external scan as well as an audit of all of the network and security devices in the customer’s infrastructure. A primary goal is to ensure that devices and operating systems are configured such that no open, unneeded services could be exploited.
However, there remains a lot of confusion in the industry regarding security assessments, and a lot of these buzzwords are used very loosely. It is important to ensure that IT security teams have the tools and expertise to dig deeper and find the vulnerabilities that threaten the organization.
The sharing of critical applications and data with customers, suppliers, and remote and mobile workers can open up the network to malware, denial of service attacks and other malicious threats. At the same time, a growing number of federal, state and industry regulations require that organizations take measures to protect data from destruction, loss, alteration or other unauthorized use.
While every organization is at risk, there is no one-size-fits-all security solution. Because every IT environment is unique, each organization needs to understand its specific strengths and weaknesses in order to implement the right tools and policies. A thorough security assessment is an important first step in the development of a security plan.