It’s the 21st century – your cyber-security assessments cannot afford the “one and done” approach of yesterday.
Modern information systems, comprised in large part by computer networks, contain a myriad of intertwined technologies – databases, applications, networking devices, web services and email just to name a few. All of these technologies are provided by diverse platforms at various release levels. Throw human users with varying roles and privileges into the mix and the resulting level of complexity makes an effective information security program an imposing challenge. Businesses are feeling the pressure of meeting the needs for global connectivity, e-commerce transactions, and online business-to-business communications while maintaining security programs to protect their information assets. Privileged account control, patch management, configuration management, and data backup are some of the hurdles to be cleared.
Worse still is how the threat landscape facing information systems is constantly in flux and evolving. This persistent state of change manifests itself in many ways, such as employee turnover, the decommissioning and deployments of network hosts (such as critical servers), installations of new operating systems and applications, connectivity requirements with business partners, remote employees and clients, and the changing business requirements and services which IT systems must continuously support.
The potential threats to such environments include external attackers such as hackers, malicious software (malware), rogue insiders, natural or manmade disasters, physical intruders, untrained or poorly trained employees, and distributed denial of service (DDoS) attacks. These dangers could exploit vulnerabilities in information systems to destroy, alter, or steal its resources (including sensitive and valuable data) resulting in financial loss and embarrassment for the affected enterprise. Even organizations deeming themselves “not important enough” or “too small to be noticed” are not immune: a business’s size, threat exposure, or IT sophistication may minimally reduce risk but can never eliminate it. In fact, the perceived lack of IT competency and capabilities of smaller businesses often makes them more tempting targets for cyber-criminals.
As today’s businesses rely on critical IT infrastructure, vulnerability assessments performed by external parties can play a pivotal role in assuring data confidentiality and integrity, and in maintaining system uptime and user connectivity. Vulnerability assessments provide a means for organizations to examine in detail the security posture of their information systems and determine the real level of risk affecting their assets. These assessments are intended to identify flaws of both a technical and non-technical nature which could lead to compromise of the system.
IT security means vigilance and persistence.
Cyber-security threats – both traditional and emerging – have rendered the “set it and forget it” information assurance model obsolete. Given the historical precedents of data breaches, malware infections and user account compromises which have led to lost revenue, tarnished publicity and decreased client trust, it is now infeasible to claim ignorance about the dangers of lax information security safeguards. Too often, however, CISOs and IT security managers make vulnerability assessments infrequent events. The result is that organizations’ security postures receive an inappropriate level of attention when assessments complete or when they are scheduled many months or even years in advance.
Businesses are ultimately responsible for adopting a consistent and methodic approach to identifying, assessing, and managing cyber-security risk for their own critical assets. Sporadic activity in this regard, however, renders your organization prone to attack because IT security threats (and the cyber-criminals behind them) are constantly at work. Facing persistent adversaries like these is a losing battle unless traditional approaches to cyber-security mature and adapt to modern threats. Even sizable, well-known enterprises have fallen victim to cyber-crime:
- Home Depot – reported data theft of about 70 million credit card details via hacked point-of-sale systems in 2014.
- Target – in 2013 a data breach resulted in the loss of customer names, mailing addresses, phone numbers or email addresses for up to 70 million people.
- Code Spaces – wiped out by weak authentication methods and locked out of their own resources in 2014; company folded.
- Stratfor – victim of email and credit card data theft; internal emails published on Wikileaks in 2012.
- HB Gary Federal – massive data theft and destruction in 2011 at the hands of Anonymous hacktivists who attacked with social engineering and SQL injections.
- US CENTCOM (2008) – an infected USB drive spread a remote access Trojan across military networks, including classified systems.
- TJ Maxx – weak wireless network encryption led to the theft of millions of credit card numbers in 2007.
Other notable victims of cyber-crime include Albertson’s, Michaels, Neiman Marcus, P.F. Chang’s and SuperValu. However, small- and medium-sized businesses are also susceptible to the same threats and vulnerabilities as these larger enterprises.
- The Symantec 2014 Internet Security Threat Report details how targeted attacks against medium-sized firms (those with 251 to 2,500 employees) and small firms (those with 250 employees and fewer) rose by 61% in 2013 from 2012 levels.
- The Verizon 2014 Data Breach Investigations Report shows that small businesses (those with fewer than 1,000 employees) suffered at least 5,819 security incidents, 243 of which resulted in confirmed data loss. Additionally there were at least 49 incidents of cyber-espionage reported for small businesses.
- The House Small Business Subcommittee on Health and Technology found in 2013 that 20% of cyber-attacks targeted small firms with less than 250 employees, and that 60% of SMBs fold in the six months following successful attacks.
Help is on the way: the Enterprise Security Assessment.
Prevalent’s Enterprise Security Assessment encompasses diverse activities such as vulnerability scanning, device configuration reviews, policy evaluation, inspection of physical and environmental security measures, and network traffic analysis. It is built on globally recognized standards for cyber-security and relies on reputable control sets and validation procedures to accurately determine an organization’s levels of compliance, risk, and anticipated remediation effort. Additionally, the Enterprise Security Assessment is continually updated and refined as regulatory frameworks and industry standard ‘best practices’ evolve, and as Prevalent incorporates client feedback and lessons learned to produce a highly effective service.
As businesses vary greatly due to their industries, sizes, and IT budgets the Enterprise Security Assessment can be tailor-made to fit enterprises of all stripes. Your business has its own unique characteristics and requirements. Prevalent can assist with determining the most urgent risk areas, recommending the corresponding assessment activities, and prioritizing remediation efforts to maximize the effectiveness and resiliency of your security program.
Ongoing interaction: your relationship with Prevalent.
To help you migrate toward a security model of continuous vulnerability monitoring and assessments, Prevalent provides vital assistance to clients regarding vulnerability remediation and guidance toward merging improved, repeatable security practices with standard business activities. Prevalent can also guide you toward implementing a defense-in-depth security model which utilizes multiple tiers of safeguards and reduces the single points of failure which can leave your resources exposed or offline.
Contact Prevalent for more details about the Enterprise Security Assessment.