Every year you take your car to the garage for an inspection. Every year, you have your accountant audit your books. Every year, you renew your maintenance contracts and insurance. You do this because it’s good business, and it makes good sense. You do these things to stay safe and to protect your business. So why don’t you have a vulnerability assessment done annually?
According to Wikipedia, a vulnerability assessment “is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.”[i] If you have computer systems on your network that are exposed to the Internet, then you are at risk. How much risk? According to the Verizon 2015 Data Breach Investigations Report, the largest threat to an organization comes from the outside. The report, based on an analysis of over 79,000 security incidents, states that “in 60% of cases, attackers were able to compromise an organization within minutes.”[ii]
The question you should be asking yourself right now is “What can I do to minimize my risk?”
Fortunately, there are some good, proven best practices you can implement that will significantly reduce your risk. While no organization is completely safe, there are things you can do to make you less appealing to the criminals out there. Think in terms of locking your car doors, or having an alarm system in your house. Someone who is committed to getting in will still get in, but in most cases, the criminals will move on to something less secure.
The best place to start is with the Council on Cyber Security and their Critical Security Controls framework.[iii] This document lists 20 controls your organization should implement, or have in place, to minimize the risk of being compromised. For each control, it lists concrete steps you can take; some are marked “quick win”, meaning they can be implemented easily and at minimal cost.
For example, control number 4, CSC 4: Continuous Vulnerability Assessment and Remediation, states “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.” The section then lists ten sub-controls that make up this control, and provides guidance on the procedures, tools and metrics that can be used to implement and sustain it.
One of those items is a regular assessment of your network’s vulnerabilities. This includes a scan of your devices and computers that looks at open ports (the services through which computers talk to each other); the versions of the software and operating systems behind them; the security settings (or lack of them) in place; and any additional information an attacker could gather and use to compromise your systems.
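To make the mechanics of that scan concrete, here is a small added example (written for this page, not taken from the Critical Security Controls document or from any scanning product). It starts a few constructed local listeners that announce made-up version banners, connects to each port to see whether it is open, grabs the banner, and ranks the results against a constructed table of versions treated as out of date. The hostnames, banners, version strings and priority numbers are all assumptions for illustration; a real scanner does far more (service fingerprinting, authenticated checks, lookups against a vulnerability database), but the three steps shown, find open ports, identify versions, prioritize what to fix first, are the core of CSC 4.

```python
import socket
import threading
from dataclasses import dataclass

# Constructed table: version strings this example treats as needing remediation,
# with a made-up priority (1 = fix first). A real assessment would draw this
# from a vulnerability feed, not a hand-written dict.
KNOWN_BAD_VERSIONS = {
    "OpenSSH_5.3": ("SSH server several major releases behind", 1),
    "Apache/2.2.15": ("unsupported HTTP server branch", 2),
}


@dataclass
class Finding:
    host: str
    port: int
    banner: str
    note: str
    priority: int


def grab_banner(host, port, timeout=1.0):
    """Return the service banner for host:port, or None if the port is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open port that says nothing first
            return data.decode("ascii", "replace").strip()
    except OSError:
        return None  # refused / unreachable: treat as closed


def assess(host, ports):
    """Scan the given ports, match banners against the table, rank by priority."""
    findings = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        note, priority = "open port, version not flagged", 9
        for bad, (desc, prio) in KNOWN_BAD_VERSIONS.items():
            if bad in banner:
                note, priority = desc, prio
                break
        findings.append(Finding(host, port, banner, note, priority))
    return sorted(findings, key=lambda f: f.priority)


# --- constructed local services so the example runs offline ---------------
def _serve(banner):
    """Listen on an ephemeral 127.0.0.1 port and send `banner` to each client."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Run the assessment against three constructed listeners and one closed port."""
    p_old_ssh = _serve(b"SSH-2.0-OpenSSH_5.3\r\n")
    p_old_http = _serve(b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.15\r\n\r\n")
    p_new_ssh = _serve(b"SSH-2.0-OpenSSH_7.4\r\n")
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    p_closed = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more
    return assess("127.0.0.1", [p_old_ssh, p_old_http, p_new_ssh, p_closed])


if __name__ == "__main__":
    for f in demo():
        print(f"P{f.priority} {f.host}:{f.port} {f.banner!r}: {f.note}")
```

The closed port produces no finding at all, the current-looking SSH banner is reported but ranked last, and the two outdated banners come out on top, which is the ordering a remediation list needs.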
While you can do these assessments yourself, it is usually a good idea to periodically have someone from the outside take a look. If you think this makes sense for your organization, or if you would like to learn more, please contact us at your earliest convenience.
[i] Wikipedia, “Vulnerability assessment”, accessed July 30, 2015. https://en.wikipedia.org/wiki/Vulnerability_assessment
[ii] Verizon, 2015 Data Breach Investigations Report, accessed July 30, 2015. http://www.verizonenterprise.com/DBIR/2015/
[iii] Council on Cyber Security, Critical Security Controls, Version 5.1, accessed July 30, 2015. http://www.counciloncybersecurity.org/critical-controls/