Vulnerability Assessment and Remediation: We Answer Some of Your Most Important Business Questions

By Ron Samson Jr

Why do I need a Vulnerability Assessment and Remediation Plan?

Look, we know what you’re thinking: “We have never been hacked to my knowledge, why would I need a cybersecurity assessment and remediation program, or plan?”

To keep your business safe, and in line with the ever-changing cyber security, risk and compliance landscape, a vulnerability assessment is essential. Not only will it give you the information you need to make decisions on how to keep your intellectual property (IP) and infrastructure protected, you may be able to identify inefficiencies in processes that can make your business run more efficiently. This can mean savings on your bottom line, expansion of your profit margin and increased revenue and reputation among customers and clients.

Did you know that the EU General Data Protection Regulation (GDPR) poses some very strict rules on why businesses can collect user data, how it must be treated, and rigid guidelines on how it must be stored and disposed of? A comprehensive vulnerability assessment can help you determine which regulations and guidelines you are responsible for becoming and maintaining compliance with. Depending on your industry, business processes and region or country, regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to the National Institute of Standards and Technology (NIST) Frameworks (800-53, 171 etc.), the Health Information Trust Alliance (HITRUST), and China’s recent cybersecurity law (2017).

Speaking of clients, a vulnerability assessment can help identify third party vulnerabilities from client and vendor interfaces. An assessment helps not only finding the internal vulnerabilities, but the external ones as well.We know that you most likely completed a Strengths-Weaknesses-Opportunities-Threats (SWOT) analysis for your small business. This is a bit more specific and in-depth, and can help you stay updated and safe.

“Did you know that a vulnerability may be found in any of the people, processes, and technology that make up your information systems?”

But My Company Is Already Protected.

Oddly enough, the assessment and remediation plan are often overlooked by many businesses.  Most companies feel that they are protected if they have an intrusion detection system (IDS), intrusion prevention system (IPS), and/or firewall. This is simply not enough. These systems are good to have but usually run on signature-based detection.  If the vulnerability does not have a signature there is a strong possibility it will not be detected. Receiving several false alarms may also make your IT manager less vigilant. Vulnerabilities are lurking around every corner because new weaknesses are discovered every day.  Your network infrastructure could be airtight today and 10 new vulnerabilities could be discovered tomorrow.

The Assessment

The vulnerability assessment can help find all the forgotten and out of sight vulnerabilities that could be an open door for an attacker. The way into your network may not be the head-on path you planned for. Criminals are learning how to hack wireless printers, thermostats, and other devices that transmit and receive wireless data. How often do you update the firmware on the printer? Once they gain access to this device they perform what is known as a pivot to a secondary device and continue to do so until they gain access to the part of the network they are seeking.

Remediation

That is why it is always good to have a remediation plan in place. If your system is local, it is important to know if those backs ups you’ve been making will actually work. You need to know what data will be lost if you only do backups once a day vs every hour vs every month. If your infrastructure is cloud based, how often do they test their back-ups? We assume cloud-based services are infallible, but it is still your responsibility as a customer to ask the right questions. You still need to have an idea of what your cloud-based vendor will do and how fast they will be able to do it.  These conversations should be had before an incident not after.

Vulnerability assessment and remediation should not be taken for granted or you could find yourself on the wrong side of an “incident”. With regulations like the GDPR in place, one incident could be the end of a business.  Your network is only as strong as its weakest link.

What Do I Include (Scope) and How Do I Complete an Assessment?

With the cloud and “as a Service” businesses more and more at the forefront, it is often not clear as to what people, processes and technology should be included in an assessment. After all, if your business runs from a laptop and a cell phone, what more could you be responsible for?

Let’s take a look:

People:

  1. Internal – Even if your business consists only of you, you should look at your interactions with your own technology. How you use your phone and laptop, where you use them, and what you use them for should be evaluated.
  2. External – If you have vendors and clients, take a look at how you interface with them Third Party Risk Management (TPRM) is how you determine the risks for those external interfaces. Do you use Amazon Web Services (AWS)? If so, there are things you need to know about their System and Organization Controls (SOC) certifications. If you meet your clients in person, or use a web portal, the technologies they use, and their behaviors can affect your overall security posture.

Processes:

The way your company runs is important. Do you have a formal or informal governance structure? Do you have programs, policies, and procedures in place to make sure that the way you and your employees do things is efficient, and as foolproof as possible?

Evaluate all of your information security processes, and other processes as well. Chances are there will be room for improvement, or implementation. Make sure you review these as new technologies, or people come into play in your business or gain access to your information systems.

Technology:

Do you use the aforementioned laptop, and phone? Do you have a server farm? Are you a bitcoin miner with hundreds of units? Maybe a traditional business with Point of Sale (POS), and inventory systems, equipment and hardware? Do you manufacture t-shirts, 3D models, or even labels?

These are the things you need to include in your assessment and remediation. Anything that physically, or logically connects to your information systems, or your company interacts with in any way, even if it is rarely.

The Assessment Is Done, Now What?

Now that you have taken a look at the people, processes, and technology that make up the core information systems, and figured out where to implement best practices, new technologies, and training it is time to take action!

The best way is to get your information and reports summarized, and then using the same risk modeling that you used to start and build your business, rank the vulnerabilities by which are most impactful to your businesses functionality, such as your bottom line, reputation. Then based on the assessment, determine which ones you feel are the most likely to occur, based on the same risk ranking system that you should already have in place (you DO have overall risk management tools in place right?)

If you are a small enough organization, a small scope assessment can be done internally, with free tools from organizations like NIST, or the Federal Communications Commission (FCC). For larger businesses, or more complicated infrastructure and information systems, you may choose to use a formal, external firm to conduct your assessment. Either way, the results are the first step in securing your information, infrastructure, and clients, and protecting your company, and its profitability!

Looking for help? Clearnetwork offers services that will greatly increase your security posture with little increased effort on your end

This blog post serves as the first in a series about vulnerability and risk assessments, remediation management, and information and cybersecurity.