At some point, every business has to ask the questions. How safe is my network and the data I have stored on it? How will it affect my business if there is a breach or data loss? How will I recover in either event? How well do I even understand these issues?
As a new security analyst, I spent countless hours studying all the possible ways a network could be compromised and the corresponding ways to prevent or stop it. When I started visiting businesses and assessing their environments I was curious as to how often networks were being attacked, so I started looking at firewall logs. I was shocked to see that every single log I looked at had evidence of a vulnerability analysis scan done on that network from unknown entities in the last 3 days, all performed without the business’ knowledge. That was when I realized how real the threat is.
Network security is a complex problem that requires significant time and expertise to tackle. That is why many companies look to outside sources for assistance. With so many options though, how do you choose the Managed Vulnerability Services that are right for you? Read on for a comprehensive summary of the different cybersecurity services available.
The Difference Between Vulnerability Scanning, Assessment, and Management
Often confused with Vulnerability Management, scanning is a very small part of the overall program in which a computer looks at (scans) your network and tries to identify ways to get in. It checks across multiple protocols looking for open ports, missing patches, weak settings, etc. and generates a report which lists everything it found and possible ways to remediate. There are many scanners commercially available, from freeware versions to high-end hosted scanners with a lot of power, and everything in between. Networks should regularly be scanned from both inside and outside the firewall. Inside scans are often overlooked but are an essential part of a solid security vulnerability management program.
Conducting a Vulnerability Assessment is the first step in an actual Vulnerability Management Program. During this phase, vulnerabilities are discovered and assessed. This can consist of but is not limited to:
- Observing physical security such as ease of entry to the facility, the server room, and network jacks.
- Studying network topography to ensure proper segmentation and protection of the most valuable data.
- Reviewing hardware and software settings to ensure they comply with applicable standards.
- Interviewing personnel to learn processes for proper data management and efficiency.
- Scanning the network as discussed above.
- Running tests to see if the network can be penetrated by an outside entity, known as “Pen testing.”
At this point, a detailed report is generated listing all vulnerabilities, their severity, and possible solutions. That report is delivered, and the Vulnerability Assessment is complete.
The rest is Vulnerability Management!
A Vulnerability Management Program is an ongoing process that includes scanning and assessment as well as remediation and monitoring. Too often, IT departments will find a weakness, fix it, and consider themselves secure. The ongoing cycle looks like this:
Again, it is a never-ending cycle. As the threat evolves, so must your defense! In addition, changes in the network often have unintended consequences, so reassessing the security of the network should be a required step in any major network change. Learn more in our related article about the importance of having a web application vulnerability management program.
We have discussed the “discover” and “assess” phases. During the remediation phase, vulnerabilities are addressed. This often includes patching your Operating System (OS) and other software such as anti-virus programs and card processing software, updating ACLs, changing security settings on servers and other software, writing or updating your Information Security Policy (ISP), changing processes, etc. Since most networks aren’t originally designed with security in mind, this can be a lengthy process, particularly if you are just standing an Information Security Program up.
Although the “monitor” phase is listed third in the cycle, you should always be monitoring. Monitoring does not simply consist of waiting for an alarm to go off. It means actively checking the status of the network. Are the alarms we have set being sent properly and being investigated and acted upon promptly? Is the anti-virus running the way it should? Are there anomalies in the firewall logs we should investigate? Are personnel following our guidelines and are we enforcing/refreshing those guidelines regularly? Is management kept up to date with the status? Monitoring should probably take up most of the IT security department’s day.
Which service is right for you?
Every network needs to be on a vulnerability management program. The scale of that program will vary greatly with the size and complexity of the network as well as the value of the network and the data stored or processed on it.
Another way of putting it would be that you shouldn’t spend more on network security than the network is worth. A coffee shop with a small network that exists to process credit card payments and provide guests with wi-fi does not have the same security requirements or expenses as an investment firm with billions of dollars under management that is using its network to manage customer finances, store customer data, and communicate between employees.
Assess the value of the network to the business
I am not talking about how much the network cost to purchase and install. I am talking about what it does for the business. Only personnel intimately familiar with the business and how it operates have the knowledge to accomplish this. There are so many facets to it that generally, one person needs to collect all the available information and present it to management for decisions. This may be handled by IT security professionals, either in-house or contracted.
Developing a Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP) may be required to do this. These plans determine your actions in the event of a major event affecting your network, your ability to access your network, or the data contained on it. While they are often confused, they have very different objectives.
A Disaster Recovery Plan is for the IT side. It clearly outlines the steps to returning the network to normal business operations after a disaster such as a fire in the server room, compromise of client data, a major virus infection, Denial of Service attacks, etc. It has step-by-step procedures for each scenario, points of contact for assistance, and other pre-planned items that will make fixing the problem easier and faster.
The Business Continuity Plan on the other hand is more for management. While IT is fixing the disaster, this plan outlines the parts of the business that must continue operations, and details exactly how that is going to happen under the different scenarios you have identified as disastrous to your business. Some businesses that cannot afford ANY interruptions to operations have plans that include an alternate office with continuous backups running so employees can literally jump into their car, drive to the alternate site, sit down, and pick up right where they left off. As you can imagine, this is a very expensive option. Other businesses can tolerate large amounts of time without the network and shift to paper records and employees working from home.
The bottom line is balancing the cost of business operations being halted against the expense of quickly continuing them. Writing these plans involves information from many departments. Both plans need to be exercised in order to help familiarize personnel and find/fix any flaws found.
Questions to ask might be:
- How heavily does the business depend on the network?
- If the network goes completely down, what is the cost to the business?
- If the network is down, what is our ability to continue revenue generating operations?
- How much will repair/replacement of the equipment cost?
- How long would it take to recover?
- How valuable is the data stored? Is it properly backed up?
- Are we cross trained enough that the absence of any single person won’t cripple our efforts?
Assess the depth of security required
Once you know the value of the network to you, you need to know the risk to it. This involves determining attack surfaces, attack vectors, likelihood of attack, and your ability to minimize that risk. First, bring together department leads and experienced personnel to brainstorm the risks. Then ‘rank’ them by severity and likelihood. The likelihood of an online attack is high, and the consequences of a successful attack are also high, so you would definitely want to take measures to minimize that risk. On the other hand, the consequences of an earthquake can be very high, but it may have a very low likelihood of occurring in your geographical area, so you wouldn’t be too concerned about that.
Armed with that information, you can then decide, based on your risk tolerance and other mitigating factors, such as standards compliance, how robust your security needs to be.
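One way to carry out the ranking and decision steps above, as an added example that is not part of the original article: a small Python risk register that scores each brainstormed risk by likelihood times severity, orders the list, and flags anything over a chosen risk tolerance (or anything a compliance standard mandates a control for) as requiring treatment. The 1-to-5 scales, the tolerance value and the sample risks are constructed assumptions for illustration.

```python
# Added example (not from the original article): a minimal risk register that
# ranks brainstormed risks by likelihood and severity, then applies a risk
# tolerance and compliance overrides to decide which risks must be treated.
# The 1..5 scales, the tolerance and the sample risks are constructed here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1 (rare) .. 5 (near certain)
    severity: int          # 1 (negligible) .. 5 (catastrophic)
    compliance_required: bool = False  # a standard mandates a control regardless of score

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


def rank_risks(risks):
    """Highest score first; ties broken by severity, then by name for stable output."""
    return sorted(risks, key=lambda r: (-r.score, -r.severity, r.name))


def must_treat(risk, tolerance):
    """True when the risk exceeds tolerance or a compliance obligation forces treatment."""
    return risk.compliance_required or risk.score > tolerance


def treatment_plan(risks, tolerance):
    """Return (name, score, treat?) tuples in ranked order."""
    return [(r.name, r.score, must_treat(r, tolerance)) for r in rank_risks(risks)]


# Constructed sample register mirroring the article's two cases plus two more.
SAMPLE_RISKS = [
    Risk("Online attack on internet-facing services", likelihood=5, severity=5),
    Risk("Earthquake damages server room", likelihood=1, severity=5),
    Risk("Unpatched workstation malware infection", likelihood=4, severity=3),
    Risk("Cardholder data stored without encryption", likelihood=2, severity=4,
         compliance_required=True),
]

if __name__ == "__main__":
    # With a tolerance of 9, the earthquake (score 5) is accepted while the
    # cardholder-data risk (score 8) is still treated because compliance requires it.
    for name, score, treat in treatment_plan(SAMPLE_RISKS, tolerance=9):
        print(f"{score:>2}  {'TREAT ' if treat else 'accept'}  {name}")
```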
Assess your in-house ability to run a Vulnerability Management Program
Now that you have a firm grasp of what is required, you can judge what your current staff can handle. You may need to supplement your Information Security Department with new hires or consultants.
If you have a long-term need for additional personnel, hiring new staff is a great solution. However, if you are experiencing a short-term need because you are starting a new Information Security Program up, repairing the effects of an ignored Information Security Program, preparing for a policy compliance assessment, or remediating problems found on an assessment, you may save money in the long term by hiring short-term security consultants.
The world of information security and managing your vulnerability is a specialty field inside IT. A System Administrator wouldn’t be expected to design a network, a Network Engineer wouldn’t be expected to manage the database, and a Database Manager or any other specialist wouldn’t be expected to manage the network’s security.
Larger companies have well-staffed Information Security Departments. Smaller companies have an Information Security Officer that IS the department. Some companies are just starting to consider information security as an important facet of their business.
There are massive amounts of information available on the subject, and there are people available to help you make sense of it all. My strongest advice is to act now. Don’t wait until you’ve experienced a major event like a breach, a crippling virus, or major physical damage to the network before doing something. In my military days we had a saying, “Prior planning prevents poor performance. The 5 P’s.” It was true in that world, and it’s true when it comes to the Confidentiality, Integrity, and Availability of your data.
RSI Security can help
Our security consultants do this type of work every day and can assist you in all aspects of your Vulnerability Management Program. To browse our options, visit the RSI Security Services page, or contact us today to speak with a security expert about our cybersecurity solutions. Stay Secure!