The Ultimate Cheat Sheet for Network Vulnerability Assessments
In today’s fast paced world, new threats and vulnerabilities to communication infrastructures (networks) are discovered daily. Vulnerabilities can take many forms including known viruses and attacks, complex strategies to gain information where attackers disguise themselves as legitimate employees, and worst of all, weaknesses that have yet to even be discovered. In this age of information where assets are in the form of data, do you feel confident that your organization’s controls are adequate? If the answer is no, you may want to consider completing a Network Vulnerability Assessment. However, before you invest the time and effort, here are a few things to keep in mind.
- Focus on Inside and Out: A Network Vulnerability Assessment is designed to find and assess vulnerabilities both from outside and within your organization. Many organizations just focus on security from outside of their network, but security within your network is equally important.
- Remember Manual Procedures are Important: Too often, vulnerability assessments just rely on scanning tools for vulnerabilities; however we believe that by performing manual procedures also, vulnerabilities/abnormalities that otherwise may not have been caught might be found – keeping management in a proactive instead of reactive position. Physical security is another area that is often overlooked. It is important to include procedures to ensure your employees aren’t doing things such as writing down passwords and leaving written customer information unsecured.
- Make sure you Understand the Results: After testing, it is important that management has a solid understanding of the vulnerabilities identified. This includes weeding out false positives, risk rating the vulnerabilities based on your business and existing control structure, and providing a report to management. It’s a good idea to request a report with more explanation and understandable language in addition to the technical results so that all levels of management can gain an understanding of the security posture of the organization.
- Include Social Engineering: Social Engineering is a very popular and effective way to compromise a computer system. You’ve probably heard it before, but if not, social engineering procedures are designed to gain unauthorized access to systems and information using “non-technical” hacking techniques that exploit our natural human tendency to trust. We recommend including procedures to test your users’ security awareness. This can come in different forms including simulated phishing email attacks or phone call attacks. The purpose is to ensure that your employees don’t do something they shouldn’t (click on an email link or give away sensitive information over the phone). But until you test your employees using real world scenarios, do you truly know how they’ll react?
- Track and Remediate Findings: After all is said and done, it’s important to track and remediate your findings. The number one thing to remember about a NVA is that you can’t just complete the assessment and then “set it and forget it.” Making sure to track your progress and then implement changes that stick is key!
While a Network Vulnerability Assessment can be intimidating the first time around, once you have it completed you will ultimately have solid recommendations to help improve upon your systems and steadily lessen your risk of a security breach.