Avoiding the pitfalls of an ordinary Security Assessment
October 18, 2012
How about taking a different approach to the ordinary Vulnerability Assessment or Penetration Test? It’s time to start thinking outside the compliance checkbox.
When thinking about the numerous challenges our clients face in developing a mature, effective Information Security Program for their company, a few key items always surface, among them the rationale and budget for Security Assessments.
One common theme we often encounter is how to convey to decision-makers the importance and criticality of performing in-depth vulnerability assessments and penetration tests throughout the year. What is often overlooked is the actual reason a company needs to perform these assessments – it’s all about understanding what and where your risks are, and whether the controls that are in place are effective. But it doesn’t stop there: once you’ve identified the risk, it’s imperative to execute on a remediation plan and, just as importantly, to retest so that the cycle is complete. Lastly, you need to convey that message to your organization along with tangible metrics in order to demonstrate progress.
Having a recurring line item in your budget for annual security assessments is going to be a lot less expensive than the cost of an actual breach. Think about the damage to your company’s brand or reputation, the costs associated with notifying customers and shareholders, and the overall impact on your IT department for recovery and remediation from a breach. Combined, these costs will easily exceed the expense of comprehensive, proactive testing tenfold.
It’s important to note that vulnerability and penetration testing is not a guarantee that your environment is secure; rather, it’s one component of an overall program and a prescriptive measure that helps you identify and reduce your risk.
When it comes to Vulnerability Assessments and Pen Tests, one of the biggest misconceptions is thinking that “I only need to assess my Card Holder environment”. The issue here is that malicious attackers don’t limit their bad intentions to a single range of handpicked IP addresses/systems, nor do they attack only after business hours – in their minds, everything is fair game at any time!
Please don’t limit yourself to “cherry picking” and only concerning yourself with meeting the minimum requirements of a compliance initiative. Expand your scope to include all external-facing systems, internal systems and probably most importantly, the human factor. Social Engineering is one of the most effective techniques used to gain unauthorized access to your sensitive and proprietary company data, and it’s the primary attack vector used by the most successful hackers all over the world.
According to the results from CSO Online’s 2012 Global Information Security Survey, out of 12,052 respondents, only 47 percent have Threat & Vulnerability Assessments in place in their enterprises; of that number, 28 percent outsource this effort and 18 percent have nothing in place. From the same survey, 40 percent have a pen testing program, 32 percent outsource this and 22 percent are doing nothing. What this tells us is that less than half of the respondents, which is probably a fair representation industry-wide, are actually being diligent and adequately assessing their environments on a recurring basis.
The Security Assessment process should always be treated as a lifecycle project: it doesn’t simply stop when vulnerabilities are identified, and it isn’t limited to checkbox compliance, but is followed through to completion. Keep in mind that your enterprise will inevitably change within days, weeks or months as a result of implementing new technologies, upgrades, migrations, routine maintenance, patch management and more.
The FishNet Security Assessment Team is one of the leading firms in the world, performing Security Assessments for Fortune 100-1000 clients as well as the SMB market. Please contact your local sales representative for more information on our assessment offerings and portfolio. Let us do the work for you so your IT security department can focus on other initiatives and priorities.