Security Assessments: Minimize your vulnerabilities
Content provided by IBM-ForwardView eMagazine.
Security assessments reduce information risk in the same way that physical examinations reduce the chance that a minor health problem becomes a full-blown medical crisis. A system-wide security checkup can be as simple as a network scan or as in-depth as a simulated intrusion, and its purpose is to identify areas of potential weakness in a structured way. Typically, these assessments gauge four areas where information security is vital to business health: overall security capabilities, privacy, risk management and compliance.
Assessing security program design shortens emergency reaction time
Many SMBs have preventive security measures in place, such as firewalls, antivirus systems and network monitoring software. But while prevention goes a long way toward safeguarding information assets, having a plan in place for responding to threats when they materialize is just as critical, says David Puzas, business line manager for IBM's Internet Security Services division. "Building out a security program is not as simple as just buying one box and a couple of pieces of software and tossing them on a network—and hoping that everything is solved for you," he says.
Comprehensive security depends on the ability to assess areas of potential weakness systematically, which is where an assessment of the overall security program comes in. Often called security program design and management, these checkups review how—and how quickly—an organization can react to an information breach. For SMBs, such an examination should produce a blueprint that supports existing business processes without requiring an overhaul of existing IT investments.
These assessments, according to Eric Maiwald, Vice President, Security & Risk Management Strategies, at the Burton Group research firm, "look at the risks, then you look at the countermeasures you have already deployed, you look at the ability of the organization to implement additional controls." The intent or outcome of an assessment, he explains, "highlights areas where an enterprise can cost-effectively manage their risk."
Assessments also facilitate cost/benefit considerations, Maiwald continues: "the executive can make an informed decision as to whether it's better to place that money against risk management or whether it's better to put the money against some other type of business expansion or business risk."
“We want to look at it from an availability
standpoint—what are our availability requirements?” he asks rhetorically. “Do
we really require 24/7/365 or are there certain times when we can be down for
maintenance? How do we deal with longer outages where we might have to
implement the disaster recovery plan—or what might be our business continuity
plan to continue operating if something really bad happens?”
Once the consequences are understood, says Maiwald, SMBs can move forward with a blueprint for overall security. "If you want an architecture for security or for risk management, it really has to start with the business risk and how the business actually goes about making money," he says. "So if you understand where your business—or how your business—functions, that allows you to understand what the risks are."
Privacy assessments keep the right doors closed
Today's free flow of information can extend to people who have no business need to access a system. Even within an SMB, few people genuinely need access to all of the data the company holds. Privacy assessments typically review how policies, procedures and permissions affect overall security. Access to certain kinds of information, such as financial transactions or human resources records, is usually best reserved for specific managers. But as a company grows, the policies that govern access quickly become outdated, and the permissions actually in place drift away from what the policy intended.
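The drift described above is something a privacy assessment can measure rather than merely describe. The following is an added example, not code from the article or from IBM: a minimal entitlement review that compares a hypothetical role matrix (which roles may read financial transactions or HR records) against a constructed snapshot of the permissions actually granted, and reports grants that no current role justifies, including grants still held by an account that no longer has any role at all. All account names, roles and data classes are invented for illustration.

```python
# Added example: a minimal entitlement (access-rights) review of the kind a
# privacy assessment performs. All names, roles and data classes below are
# constructed for illustration; the role matrix is a hypothetical policy.
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str]           # (account, data class it can read)
Finding = Tuple[str, str, str]    # (account, data class, reason code)

# Hypothetical policy: which roles may reach which classes of sensitive data.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance-manager": {"financial-transactions"},
    "hr-manager": {"hr-records"},
    "engineer": set(),               # no business need for either data class
}

# Constructed directory snapshot: roles currently held by each account.
# "dave" is deliberately absent: the account belongs to someone who has left.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"finance-manager"},
    "bob": {"hr-manager"},
    "carol": {"engineer"},
}

# Constructed snapshot of what the file server / database actually grants.
ACTUAL_GRANTS: List[Grant] = [
    ("alice", "financial-transactions"),
    ("bob", "hr-records"),
    ("bob", "financial-transactions"),   # drifted: HR manager given finance access
    ("carol", "hr-records"),             # drifted: engineer reading HR records
    ("dave", "financial-transactions"),  # orphaned: account holds no role at all
]


def entitled_resources(account: str,
                       user_roles: Dict[str, Set[str]],
                       role_entitlements: Dict[str, Set[str]]) -> Set[str]:
    """Union of the data classes permitted by every role the account holds."""
    allowed: Set[str] = set()
    for role in user_roles.get(account, set()):
        allowed |= role_entitlements.get(role, set())
    return allowed


def review_grants(user_roles: Dict[str, Set[str]],
                  role_entitlements: Dict[str, Set[str]],
                  grants: List[Grant]) -> List[Finding]:
    """Flag every grant the role matrix does not justify.

    Reason codes:
      "orphaned" - the account holds no role at all (a leaver, or an unowned account)
      "excess"   - the account exists, but none of its roles permits this data class
    """
    findings: List[Finding] = []
    for account, resource in grants:
        if account not in user_roles:
            findings.append((account, resource, "orphaned"))
        elif resource not in entitled_resources(account, user_roles, role_entitlements):
            findings.append((account, resource, "excess"))
    return sorted(findings)


def missing_grants(user_roles: Dict[str, Set[str]],
                   role_entitlements: Dict[str, Set[str]],
                   grants: List[Grant]) -> List[Grant]:
    """Entitlements the policy expects but no grant provides.

    A non-empty result usually means the role matrix itself is stale, which is
    worth reporting alongside the excess grants.
    """
    held = set(grants)
    expected = {(acct, res) for acct in user_roles
                for res in entitled_resources(acct, user_roles, role_entitlements)}
    return sorted(expected - held)


if __name__ == "__main__":
    for account, resource, reason in review_grants(USER_ROLES, ROLE_ENTITLEMENTS, ACTUAL_GRANTS):
        print(f"{reason:9} {account:6} -> {resource}")
    for account, resource in missing_grants(USER_ROLES, ROLE_ENTITLEMENTS, ACTUAL_GRANTS):
        print(f"missing   {account:6} -> {resource}")
```

In practice the two snapshots would be exported from the directory and from the systems holding the data rather than typed in, and the review would be repeated on a schedule; the point of the example is that "outdated access policy" becomes a concrete, reviewable list of accounts and data classes that someone must either revoke or explicitly approve.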
Privacy assessments help create policies that ensure critical information is not damaged or stolen from the inside. Burton Group's Maiwald suggests some questions SMBs need to have answered in a privacy assessment. "Are there cases where we need to understand how that information can be used by authorized individuals?" he asks. "Do I have accountability requirements?"
How an SMB protects customer and partner information held on servers and storage devices is also examined in a privacy assessment. Retailers, for example, must protect the credit card information their systems receive; a privacy assessment examines both the electronic and the physical means by which this critical information is protected from identity thieves. This can include simulating attacks on Web-based applications, as well as using video surveillance to monitor computer rooms and server cages in data centers.
But regardless of how privacy is assessed, the conclusions must lead to action, says Maiwald. "An assessment is really worthless if all it provides to the enterprise is a list of technical vulnerabilities that are found on systems," he says. "It might be as simple as being able to reconstruct a transaction so as to be able to show a customer how something occurred or why a specific charge occurred. It may be something entirely different to be able to reconstruct a set of events because you had some type of a breach."
Intentional hacking reduces security risks
Simulated attacks are also a useful tool for examining security risk. Applications and databases can be compromised and turned against the business that runs them, transforming helpful tools such as billing systems and customer relationship management software into instruments of harm.
To discover and fix these weaknesses before an attacker does, penetration testing is frequently part of a security risk assessment. Also known as ethical hacking, these attack simulations have security experts attempt to penetrate a network by mimicking the techniques malicious attackers use. This provides a hacker's-eye view of the environment and surfaces weaknesses that need to be addressed.
Less dramatically, security experts examine every application that is exposed to the Internet for security vulnerabilities. More often than not, these software packages require tuning before they are securely configured, yet most SMBs do not examine the security of each application on a regular basis. A security risk assessment evaluates each application and produces a ranked list of the applications most vulnerable to attack.
The physical hardware housing applications, databases and operating systems can also be vulnerable to damage. By looking at things such as enclosures, power supplies and hardware placement, security risk assessments review the ways in which these assets could be accidentally damaged. The possibility of intentional damage is also appraised. As with privacy assessments, security risk assessments frequently use video surveillance to monitor who is near assets, and whether those people should continue to be granted access to those locations.
Regulatory compliance lowers the possibility of fines
Identifying IT systems at risk also means comparing the way information is used against the areas where sound security is required by law. Assessments can help ensure compliance with regulations such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standard, as well as regulations in 30 US states. Failure to act in accordance with these regulations exposes midsized businesses to unexpected financial risk, and ignorance is not an acceptable excuse.
Regular examination of the software and systems used to hold sensitive information also reveals ways in which business processes can better meet regulatory requirements. Here, regularity is critical, because regulations change almost as often as the threat landscape does. For any business that handles credit card information, these assessments are essential; the same goes for organizations in healthcare. By combining the tactics of privacy and risk assessments, a regulatory assessment produces a list of areas where an SMB is out of compliance, as well as areas where it risks falling out of compliance.
Handing off assessment chores can magnify the scope of examinations
Because of the complexity of in-depth security assessments, many SMBs are unable to perform these examinations internally. Outside vendors offer services in this area, and can often be more cost-effective than a midsized business attempting to review the minute details of its IT infrastructure on its own.
Characteristics SMBs should look for in an outsourced assessment provider include the ability to provide all four major security assessments, as well as the capability to tailor these services to particular industries. Some of these services are available on a subscription basis, while others include training for SMB IT staff.
The Burton Group's Maiwald also suggests that when selecting an outside provider, experience providing assessments for specific industries should be a key consideration. "So, the best of all possible worlds is you find an assessment team who has worked in your industry before and understands what kind of business you have and how your business functions. Having the technical chops to do some of the detailed assessment, yeah, that's important, but I look at that as secondary to the understanding of what the business environment is."
Whether performed internally or by outside vendors, these examinations do more than zero in on weak spots. With security assessments, midsized businesses are better equipped to make informed decisions about immediate and long-term security requirements that can make all the difference in long-term profitability.
Learn More
- Our Information Security Assessment identifies risks and provides a specific, actionable plan to improve overall security posture. Learn more about the features and benefits of this comprehensive evaluation.
- Validate your existing security controls and quantify real-world risks. Learn about Penetration Testing.
- Payment Card Industry (PCI) Assessment Service: We can help you achieve security best practices that meet the requirements of the payment card industry standard.
- Download your complimentary Security eKit: An electronic collection of whitepapers, analyst reports and other resources of interes
Content copyrighted by IBM Corporation.