Regular Assessments Key to Understanding Your Security Posture

The FBI has confirmed that 2020 was a record year for cybercrime in the U.S., with all-time highs in both the number of attacks reported and the resulting financial losses. For the year, the FBI’s Internet Crime Complaint Center received 791,790 cybercrime complaints (up 69 percent from 2019) with reported losses exceeding $4.1 billion.

Even more startling is how many organizations now consider such attacks to be practically inevitable. In a new IDG Research study, nearly 80 percent of IT security leaders said their organizations lack sufficient protection against cyberattacks — despite increased IT security investments made in 2020 to deal with distributed IT and work-from-home challenges.

With threats becoming more frequent, sophisticated and costly, it is important for companies to have a clear understanding of where they might be vulnerable. The best way to gain that insight is by conducting regular security assessments to evaluate the organization’s security posture from the perspective of a would-be attacker.

A truly comprehensive assessment is a multiphase process that will provide a great deal of clarity about potential risks and vulnerabilities and serve as the basis for an organization-wide incident-response plan. Here’s a closer look at four tests that should be part of your assessment process:

Posture Assessment. This is a valuable first step in the process, designed to provide a very high-level view of the security measures currently in place. In many ways, it is more of a business assessment than a technical assessment. It should help you identify your top security priorities. Typically, an auditing team will conduct interviews with C-level executives and other key stakeholders to assess the value of specific systems and data. That information can then be used to determine which data, applications and systems require the highest levels of security and which are more risk tolerant.

Vulnerability Assessment. In this phase, auditors use automated scanners to probe the network from the inside and from the outside. A scanner enumerates the hosts, open ports and services it can reach, fingerprints each service (usually from its banner or version string), and compares what it finds against a database of known vulnerabilities and misconfigurations; this is version and configuration matching, not a malware-signature check. The results are summarized in a report listing each finding, how it could be exploited, and its likely impact on the organization. This is an important step, but it has two limits worth keeping in mind. Version-based matching produces false positives: a distribution that backports a fix without changing the version string still looks vulnerable to the scanner. And it can only find what is already catalogued, so logic flaws, bugs in custom applications and weaknesses that only matter in combination will almost certainly be missed.
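The matching logic a network vulnerability scanner applies, reduced to its essentials, as an added example (not code from the original page or from any scanner vendor). Every product name, version, advisory identifier and banner below is constructed for illustration and refers to no real software or real CVE; the "actual issues" column is the ground truth a scanner never sees, included only so the false positive and the miss described above are visible in the output.

```python
"""Toy version-matching vulnerability scanner (added example, not a real tool).

A real scanner grabs a service banner, extracts product and version, and
compares the version against a table of known-vulnerable version ranges.
All products, versions, advisory ids and banners here are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]

# Constructed advisory table: product -> [(fixed_in_version, advisory_id), ...].
# A service is flagged when its reported version is older than fixed_in_version.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "exampled": [("2.4.0", "ADV-0001"), ("2.6.2", "ADV-0002")],
    "mailsrv": [("9.1.5", "ADV-0003")],
}

# Banner shape assumed here: "<product>/<dotted version> ..." (e.g. "exampled/2.3.1")
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'2.3.1' -> (2, 3, 1); tuples compare component-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def fingerprint(banner: str) -> Optional[Tuple[str, Version]]:
    """Extract (product, version) from a banner, or None if it does not match the pattern."""
    match = BANNER_RE.match(banner)
    if match is None:
        return None
    return match.group("product").lower(), parse_version(match.group("version"))


def match_advisories(banner: str) -> List[str]:
    """Advisory ids whose fix version is newer than the version the banner reports."""
    parsed = fingerprint(banner)
    if parsed is None:
        return []  # unrecognised banner: nothing to match, so nothing is reported
    product, version = parsed
    return [adv for fixed, adv in ADVISORIES.get(product, []) if version < parse_version(fixed)]


# Constructed inventory. 'actual' is ground truth a scanner never has.
SAMPLE_HOSTS = [
    # Old version, really unpatched: both advisories apply (true positives).
    {"host": "10.0.0.5:80", "banner": "exampled/2.3.1", "actual": {"ADV-0001", "ADV-0002"}},
    # Same banner, but the vendor backported the fixes without bumping the version.
    {"host": "10.0.0.6:80", "banner": "exampled/2.3.1", "actual": set()},
    # Current version: nothing to report.
    {"host": "10.0.0.7:25", "banner": "mailsrv/9.2.0", "actual": set()},
    # In-house app with a logic flaw nobody has catalogued: invisible to the scanner.
    {"host": "10.0.0.8:8080", "banner": "customapp/1.0", "actual": {"CHECKOUT-LOGIC-FLAW"}},
    # Banner that the fingerprint pattern does not understand at all.
    {"host": "10.0.0.9:21", "banner": "220 ready", "actual": set()},
]


def scan_report(hosts: List[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Per host: what the scanner flagged, which flags were wrong, and what it missed."""
    report = {}
    for entry in hosts:
        flagged = set(match_advisories(entry["banner"]))
        report[entry["host"]] = {
            "flagged": flagged,
            "false_alarms": flagged - entry["actual"],
            "missed": entry["actual"] - flagged,
        }
    return report


if __name__ == "__main__":
    for host, result in scan_report(SAMPLE_HOSTS).items():
        print(host, result)
```

Run it and the two limits stand out: 10.0.0.6 is reported with the same two advisories as 10.0.0.5 although it is patched (a human must verify backports), and 10.0.0.8 comes back clean although it has a real flaw, because nothing in the table describes it. Closing that second gap is what the penetration test is for.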

Penetration Testing. This is an ethical hacking exercise in which security professionals launch simulated attacks on your network, under a written scope and rules of engagement, in order to assess technical, operational and physical security measures. Typically, testers enumerate open ports and services to find possible attack vectors, analyze network traffic, review encryption and patching practices, and probe firewalls and other perimeter defenses, then try to exploit what they find rather than only report it. A good pen test will uncover hard-to-find vulnerabilities such as configuration flaws, protocol weaknesses, web application coding errors and unpatched applications, and it will show how far an attacker could get by chaining them together.
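The first step in that list, a TCP connect scan with a banner grab, as an added example (not the page's own tooling). To run offline it starts its own throwaway listener on the loopback interface with a constructed banner; against a real target you would point scan_ports() at a lab host you are authorised to test. The listener, the banner text and the port choices are all assumptions of this example.

```python
"""TCP connect scan with banner grab (added example, not the page's own tooling).

For each port: open a full TCP connection (so it shows up in the target's
logs, unlike a SYN scan), then read whatever the service sends first.
Three outcomes are distinguished: closed/filtered, open and chatty (banner
returned), open but silent (service waits for the client to speak first).
Only scan systems you have written permission to test.
"""
import socket
import threading
from typing import Dict, List, Optional


def start_banner_service(banner: bytes) -> socket.socket:
    """Constructed target: listen on an ephemeral loopback port and greet each client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[bytes]:
    """None if the port refuses or does not answer; otherwise the banner (b'' if the service is silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return sock.recv(256)
            except socket.timeout:
                return b""  # connection succeeded, but nothing was volunteered
    except OSError:  # ECONNREFUSED, timeout, unreachable, ...
        return None


def scan_ports(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, bytes]:
    """Map each open port to its banner; ports that are closed or filtered are omitted."""
    results: Dict[int, bytes] = {}
    for port in ports:
        banner = probe(host, port, timeout)
        if banner is not None:
            results[port] = banner
    return results


def unused_port() -> int:
    """Pick a loopback port that is currently closed, to have a known-negative case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    target = start_banner_service(b"220 mail.example.test ESMTP ready\r\n")  # constructed banner
    open_port = target.getsockname()[1]
    found = scan_ports("127.0.0.1", [unused_port(), open_port])
    for port, banner in found.items():
        print(f"127.0.0.1:{port} open, banner {banner!r}")
    target.close()
```

The banner is where the vulnerability scanner's version matching starts; the pen tester's next move is different, checking whether the service actually honours the protocol, authentication and encryption it advertises, which no version string can tell you.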

Red Teaming. Like pen testing, red team operations are authorized adversary simulations, but they have a different goal. A pen test tries to find and exploit as many vulnerabilities as possible within its scope; a red team pursues a specific objective, such as reaching a named data store or a particular account, in order to test whether your organization's detection and response capabilities notice and stop the intrusion. To make that test realistic, red teams operate covertly and use any means allowed by the rules of engagement, including social engineering, and typically only a small trusted group inside the organization knows the exercise is under way.

Few organizations have the internal resources to adequately conduct the full range of tests. Professional-grade scanning tools may be too much of an investment, and staff limitations can make it difficult to devote the manpower needed to conduct comprehensive tests, evaluate the results and write the reports.

Verteks has the manpower, expertise and tools to conduct comprehensive tests. We’d welcome the opportunity to develop a testing regimen that can provide an unbiased outsider’s view of your network security environment. Call us to learn more.
