How to Complete a Thorough Security and Systems Vulnerability Assessment and Audit
By Dan Cleworth - October 14, 2020
Organisations are under increasing pressure from regulatory updates, changes in compliance law and employee expectations to ensure that the data they process is held securely. Failure to do so can result in regulatory fines, a loss of new business and, more often than not, reputational damage. Organisations must manage and protect the data they hold efficiently and effectively, and apply the most appropriate security controls to that data.
Your organisation's data is protected by a series of operational and technical security controls. These controls come in a variety of types and mitigate a variety of information security risks. If we walk through an attack, we can see several stages at which it can be stopped, slowed or its impact minimised. Wherever possible you want to prevent an attack from happening; as that is not always possible, you then want to detect that it is happening. Once discovered, you want to correct it and recover from it. On analysis of the attack, you may determine that you need to strengthen your defences by adding deterrents and more robust preventive measures so that the same attack does not succeed again.
Security controls should be applied in layers (defence-in-depth), with the cumulative aim to either stop an event happening in the first place or, through quick detection, limit the impact of the attack. Outlined below are some of the types of security controls in more detail.
Directive controls attempt to direct, confine or control the actions through policies.
Deterrent controls try to discourage an individual from unwanted activities.
Preventive controls attempt to prevent an incident from occurring in the first place.
Detective controls attempt to discover or detect events after they have occurred.
Compensating controls are alternative controls used when a primary control is not feasible.
Corrective controls attempt to reverse the impact of an incident.
Recovery controls are an extension of corrective controls: rather than only reversing an incident's immediate impact, they restore systems and data to normal operation afterwards (backups and disaster recovery plans are typical examples).
Each of the above types of security controls can be categorised into physical, technical (logical) and administrative (operational) categories.
A single security control can belong to more than one type: CCTV, for example, is both a deterrent control and a detective control. Below are a few examples for each of the types of security controls:
Directive: security policies, codes of conduct, procedures, posted notices
To protect your data appropriately, you first need to establish where your security and privacy holes are. Identify your most vulnerable processes and assets, and the assets that would cause harm to the organisation and to individuals if compromised. These assets, systems and services should be prioritised during any assessment so that they are covered when engaging a time-bound testing service. A security control assessment (SCA) is the formal evaluation of the effectiveness of an organisation's security controls; it covers both operational and technical controls.
How to assess your organisation's vulnerability to attack?
Once you have prioritised your systems, services and servers, you need to have a series of vulnerability scans performed against your organisation. Vulnerability scanners are programs that enumerate the hosts and services on your network and compare what they find (software versions, configuration settings, exposed services) against a database of known vulnerabilities. Many of these vulnerabilities are published by the technology vendors themselves, for transparency and to highlight the need to apply their security patches or configuration changes; others are reported by independent researchers who have identified the weakness.
A vulnerability scan gives you a point-in-time analysis of your organisation's susceptibility to a cyber attack. The scan identifies and assesses the vulnerabilities that pose a threat to your environment, and most scanners grade each finding by severity (typically on a CVSS-based scale) from critical and high all the way down to items that are for information only and pose no real threat.
Most vulnerabilities can be fixed by applying the vendor's security patches or by modifying the configuration of a device that has not been touched since it was first implemented. You will generally find areas of your systems and services that have been overlooked or are no longer under vendor support. A vulnerability scan lets you tick off a few big-ticket items and, in some cases, prompts the retirement and replacement of devices or systems that have long since passed their sell-by date.
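Scanner severity alone does not tell you what to fix first: a medium-rated finding on the student database matters more than a high-rated one on an isolated lab PC. The script below is an added example (not 9ine's tooling or any scanner's output) of combining a scan export with the asset register built during prioritisation. The findings, hostnames, CVSS scores and criticality ratings are all constructed for illustration.

```python
from collections import defaultdict

# Constructed scan export (not real scanner output): one row per finding, in the
# shape most scanners can export as CSV/JSON. CVSS base scores are illustrative.
FINDINGS = [
    {"host": "sis-db01", "title": "Default admin credentials on management console", "cvss": 9.8, "fix": "Change default credentials"},
    {"host": "sis-db01", "title": "Database server version past end of life", "cvss": 7.5, "fix": "Upgrade database server"},
    {"host": "sis-db01", "title": "SSH weak MAC algorithms enabled", "cvss": 5.3, "fix": "Harden sshd_config"},
    {"host": "www01", "title": "Web server version out of date", "cvss": 7.5, "fix": "Apply web server patches"},
    {"host": "www01", "title": "TLS 1.0 enabled", "cvss": 4.3, "fix": "Disable TLS 1.0/1.1"},
    {"host": "print01", "title": "SNMP 'public' community string", "cvss": 7.5, "fix": "Change SNMP community"},
    {"host": "lab-pc07", "title": "Operating system no longer supported", "cvss": 10.0, "fix": "Retire or replace device"},
    {"host": "lab-pc07", "title": "SMBv1 enabled", "cvss": 8.1, "fix": "Disable SMBv1"},
]

# Asset register agreed before testing: business criticality from 1 (low) to 5 (critical).
# Hypothetical hostnames and ratings for this example.
ASSET_CRITICALITY = {"sis-db01": 5, "www01": 4, "print01": 2, "lab-pc07": 1}


def severity_band(cvss):
    """Map a CVSS v3 base score onto the Critical/High/Medium/Low/Info bands scanners report."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "Info"


def triage(findings, criticality, default_criticality=3):
    """Rank findings by scanner severity weighted by how much the asset matters.

    A host missing from the register gets a middling weight rather than being
    silently ignored, which is itself worth noticing: it means the inventory is incomplete.
    """
    ranked = []
    for f in findings:
        weight = criticality.get(f["host"], default_criticality)
        ranked.append({**f, "band": severity_band(f["cvss"]), "priority": round(f["cvss"] * weight, 1)})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


def remediation_plan(findings):
    """Group findings by the fix that closes them, so one patch or config change is counted once."""
    plan = defaultdict(list)
    for f in findings:
        plan[f["fix"]].append(f["host"])
    return dict(plan)


if __name__ == "__main__":
    for r in triage(FINDINGS, ASSET_CRITICALITY):
        print(f"{r['priority']:5}  {r['band']:8}  {r['host']:9}  {r['title']}")
    print(remediation_plan(FINDINGS))
```

With these inputs the medium-rated SSH finding on sis-db01 lands above the high-rated SMBv1 finding on lab-pc07, which is the point of weighting by asset rather than reading the scanner's colour-coded report top to bottom. The grouping by fix is what turns a long findings list into a short change list for the infrastructure team.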
For a more comprehensive review of your systems and services, you then need to move to a penetration test (pen test). A pen test applies human judgement and simulates a real-world attack. During a pen test, the ethical hacker/security consultant chains the vulnerabilities they identify to move through the organisation's network and escalate their privileges until they reach the agreed objective. A vulnerability scan may have reported two or three findings each rated medium; an attacker who uses them in sequence can turn them into a single, far more damaging compromise.
Penetration tests are usually broken down into three main areas:
Internal penetration tests:
These tests simulate attacks on the organisation's internal systems and services as if performed by a malicious insider, or by an external attacker who has already breached the organisation's perimeter defences. These tests are generally looking for:
Vulnerabilities that allow an attacker to take control of systems or access sensitive data
Missing patches and security updates, and other misconfigurations
Default passwords (system accounts, common passwords, default admin accounts etc.)
Outdated software that can lead to exploitation and data extraction
Unnecessary open ports and unsecured services (unauthenticated or cleartext protocols)
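Two of the items in that list, open or unsecured ports and outdated software, can be checked from an ordinary nmap service scan before a tester arrives. The following is an added example (not part of the original article or of 9ine's toolset) that parses nmap's XML output and flags services that should not be reachable from a general client segment, plus software below a minimum version. The XML, the addresses and versions in it, the list of "unsecured" services and the version baselines are all constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV XML output for two internal hosts. Addresses and versions
# are made up for the example; this is not a real scan.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.5.0/24">
  <host><status state="up"/><address addr="10.0.5.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.5.62"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.5.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="Apache httpd" version="2.4.54"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Example exposure policy (an assumption for this example, not a standard): services
# that should not be reachable from a general-purpose client network segment.
UNSECURED_SERVICES = {
    "telnet": "cleartext logins",
    "ftp": "cleartext credentials",
    "microsoft-ds": "SMB file sharing reachable from the client network",
    "mysql": "database port should only accept connections from the application tier",
    "ms-sql-s": "database port should only accept connections from the application tier",
    "ms-wbt-server": "RDP reachable from the client network",
    "vnc": "remote desktop reachable from the client network",
}

# Example minimum-version baseline for software the organisation runs (an assumption).
MIN_VERSIONS = {"OpenSSH": (8, 0), "MySQL": (8, 0)}


def version_tuple(version):
    """Turn '5.5.62' into (5, 5, 62); a suffix such as the 'p1' in '7.4p1' is ignored."""
    parts = []
    for piece in version.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        if not num:
            break
        parts.append(int(num))
    return tuple(parts)


def parse_open_ports(xml_text):
    """Extract one record per open port from nmap XML; filtered and closed ports are skipped."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return records


def audit(xml_text):
    """Flag unsecured/unnecessary services and software below the version baseline."""
    issues = []
    for r in parse_open_ports(xml_text):
        if r["service"] in UNSECURED_SERVICES:
            issues.append((r["host"], r["port"], "exposed service", UNSECURED_SERVICES[r["service"]]))
        floor = MIN_VERSIONS.get(r["product"])
        if floor and r["version"] and version_tuple(r["version"]) < floor:
            baseline = ".".join(str(n) for n in floor)
            issues.append((r["host"], r["port"], "outdated software",
                           f"{r['product']} {r['version']} is below the {baseline} baseline"))
    return issues


if __name__ == "__main__":
    for host, port, kind, detail in audit(NMAP_XML):
        print(f"{host}:{port}  {kind}: {detail}")
```

Run it against the output of `nmap -sV -oX scan.xml <range>` and it produces the kind of list a tester starts from: here every issue sits on 10.0.5.10, which is exactly the host the SIS database should not be on if it is reachable from student desktops. Version comparison is only as good as the banner nmap sees, so treat an "outdated" flag as a prompt to confirm the installed package, not as proof.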
External penetration tests:
These tests mimic the behaviour of a hacker whose aim is to identify and exploit vulnerabilities found in the organisation's external facing systems and services, such as email servers, MIS/SIS servers, remote access terminals, homegrown and third party externally accessible services and so on. These tests are generally looking for:
Forms and parameters accepting malicious commands
Vulnerabilities that allow extraction of data or unauthorised access
Out of date plugins and components
Improperly configured and unsecured services
Configurations that allow escalation of privileges
Web application penetration tests:
These tests target an individual web application and assess the security posture of the application itself rather than the underlying infrastructure. They combine manual testing with automated tooling. Some of the procedures used within the simulated attacks include:
Brute-force attacks against login and other authentication functions
Script injection (cross-site scripting) and broken access control
Session cookie exploitation (weak or predictable session tokens, missing cookie flags)
Manipulation of the user authorisation process
SQL injection and OS command injection
The vulnerability scans and penetration tests will provide your organisation with:
A list of identified vulnerabilities (point in time analysis)
The likelihood that each identified vulnerability could be exploited
The tangible and intangible risk impact of an exploitation
A series of actions or mitigating steps to resolve or reduce the vulnerability
All vulnerability scans and penetration tests are a point-in-time analysis of the organisation's security and susceptibility to attack. New vulnerabilities in systems and services, and new exploits for them, are crafted every day. Keeping on top of the latest identified weaknesses in your systems and services is crucial to maintaining the security of your users and data. Regular vulnerability scans and penetration tests should form part of your annual security and data privacy regime, and maintaining effective patch management will go a long way to minimising the likelihood of a successful attack.
These tests should form part of a more comprehensive assessment of both the technical and operational measures you have in place. Some of the other critical areas of security that will be covered on other security blogs are:
User training and awareness
Technical and Operational Readiness Review
Incident management and reporting
Business Continuity and Disaster Recovery Planning
In summary, organisations must utilise vulnerability scanning and penetration testing services to identify weaknesses that could lead to the compromise of their networks, systems and software. Too many organisations fail to prioritise security and assume cyber attacks happen to someone else. It is far easier to proactively protect and manage your security than to be on the back foot, reactively plugging holes that should not exist.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.