Security assessments can help organizations win the war against cyberattacks by identifying and remediating vulnerabilities.
Sometime in the sixth century B.C., Chinese general Sun Tzu wrote one of the most successful books on military strategy. In it he states that strong leadership and sound planning can result in victory over a superior force. Conversely, he explains that overconfidence can lead to stunning defeat.
The Art of War offers sage advice for organizations battling IT security threats. General Sun understood that assessing risks and developing a plan of attack are more important than engaging the enemy head on. He also warned that failing to identify your own weaknesses can give your opponent the opportunity to gain the upper hand.
In the past, network security depended upon a hardened perimeter to keep intruders outside of the network boundaries. Today, networks have become more fluid, extending to growing numbers of remote and mobile users and cloud-based applications. The so-called “attack surface” has grown dramatically, with numerous points where an intruder might be able to penetrate the network. This makes it increasingly difficult for organizations to identify every potential security gap.
That’s why a comprehensive security assessment is key to the development of a sound security strategy. It generally consists of a vulnerability assessment, penetration test, risk assessment, and an audit of all of the hardware and software in the organization’s infrastructure. A well-conducted assessment helps organizations identify potential security gaps, prioritize actions and move more quickly to mitigate risks.
Vulnerability assessments involve running an internal and external scan on an organization’s network to find known weaknesses. Depending upon the size of the network, a vulnerability assessment can take anywhere from a couple of hours to a couple of days to complete. But the real work takes place before and after the scan itself. Prior to the scan, security experts should inventory the IT infrastructure and tailor the scan to target potential vulnerabilities.
When the scan is complete, a detailed report is generated that includes a definition of the found vulnerabilities, how they might be exploited, and how that might affect the organization’s security posture. Using that report, security experts can develop a plan for remediating the vulnerabilities.
Penetration tests use some of the same processes as a vulnerability assessment, but go much deeper. The information gathered is used to launch strategic attacks — the types of attacks hackers would launch based upon their reconnaissance of the environment over a period of time. The goal is to gain the perspective of what a hacker would see and what the hacker could do to penetrate the network.
Penetration testing is used to determine the effectiveness of the technical, operational and physical controls in place in the organization. The penetration testing report is often very eye-opening. It helps organizations understand their level of exposure and what needs to be done to reduce that exposure.
As such, penetration testing is particularly important for organizations facing regulatory compliance audits. The internal and external scan, coupled with a review of security policies, can help organizations improve their security posture, adopt compliance best practices and ultimately pass compliance audits.
Risk Assessments and Audits
Risk assessments look at all of the applications, processes and functions within an organization to identify those that are mission-critical. They then identify the threats to those systems, the likelihood of those threats and the potential impact on the business. Regular risk assessments are an essential part of any security strategy, as they help organizations focus their efforts on the most significant threats.
Security audits compare the configurations of devices, operating systems and applications to best practices and industry standards. A thorough audit will also look at security policies and procedures, data governance, and other security controls. Audits are typically used to prove compliance with government and industry regulations mandating the security and privacy of sensitive information.
Hackers operate by exploiting network vulnerabilities, and the number of vulnerabilities that threaten any given organization continues to grow exponentially. In this climate, organizations must start by gaining greater visibility into the type and number of threats they are facing.
The Art of War provides an excellent guide for the development of a cybersecurity strategy. Each organization needs to understand its specific strengths and weaknesses in order to implement the right tools and policies to combat cyber threats. Comprehensive assessments conducted by experienced experts can help organizations win the cybersecurity war.