
A New Assessment Strategy for 2016

By: Darin Barton CISSP, CISA

Vulnerability assessment and penetration testing have long been associated with a mandated once-a-year approach. That bill of goods has long since passed its shelf life, and it is time to adopt a new assessment strategy for 2016.

The concept and practice of vulnerability assessment has been misunderstood and drastically underutilized for years. It continually surprises me when IT managers and executives under-budget assessments because they associate the practice with FUD-driven solution selling rather than with good practice and common sense. We see it all the time at technical seminars and conferences: IT executives witness firsthand how easily a hack can be executed, followed by the recognition that they have not done enough to secure their empire. Typically, it isn’t until something catastrophic goes wrong, such as a hack or data breach, that they (or their CEOs) start to question their inability to identify common threat, vulnerability and risk factors.

I understand the predicament. Executives must show a reduction of risk and value for money spent, but for years assessment programs did not tie ongoing mitigation improvements into the reporting, thereby leaving the value proposition on the floor.

What organizations really need is a consistent and continual method to understand the true nature of their threat, vulnerability and risk status, and then take steps to mitigate the gaps they identify. For vulnerabilities this is difficult if assessments are only run once a year, primarily because the vulnerability landscape is always changing. A web site could be thought secure in January and be highly vulnerable in February. Take for instance 2014’s Heartbleed and Shellshock vulnerabilities which, seemingly out of nowhere, forced organizations to take immediate and disruptive action to protect their environments.

A vulnerability assessment program should include:

  • In-depth quarterly vulnerability assessments
  • Annual penetration testing
  • Detailed customized and validated reporting
  • Assessor recommendations and remediation strategies
  • Ongoing historical assessment tracking and vulnerability management
  • Unlimited, customer-initiated scanning. (If you change your web site, web applications, architecture or security policy, or add a new server before your quarterly scan, you can double-check your standing and plan accordingly.)

When selecting a competent assessor, ensure they have proven themselves to be highly conversant with current CVE, CVSS and OWASP vulnerability and exposure ratings, with an ability to properly validate assessment findings for your unique environment. Please keep in mind that vulnerability assessment and penetration testing are very different disciplines, and the assessment provider must specialize in each type.

Don’t forget about wireless. Ensuring that the wireless architecture, security, monitoring and alerting, and authentication configurations (corporate and guest) are customized, and not out-of-box defaults, is a critical piece of securing the enterprise WLAN.

Obviously, not all organizations or environments are the same, so flexibility within the vulnerability assessment program is a must. The results and rewards should become evident over time:

  • Compliance objectives are easier to achieve and maintain.
  • By understanding your vulnerability risk you know how to best apply your IT security budget.
  • Mitigation tracking lets you see, over time, how your company’s risk objectives are performing.
  • In-depth and insightful reporting makes it easier for your executives to get involved with a vulnerability strategy.
  • Your IT team can focus on its real objectives – keeping your work force functioning and your data safe.
  • Most importantly, you are constantly reducing the risk impact against your business which means brand security and cost recognition.

Darin Barton CISSP, CISA is a senior security professional in Toronto, Canada, with 20+ years of experience in cybersecurity and investigations, currently employed with Access 2 Networks Inc. (A2N).