Every network and device on the Internet is a target. Criminal organizations and rogue individuals constantly probe every system they can find. If they discover a weakness, they can steal information, wipe out files with ransomware, and take control of computers to gain more attacking power.
To keep your systems safe, you need to discover their weaknesses before someone else does. Doing this systematically is called a vulnerability assessment. If you haven’t done one, you can be sure there are weaknesses to discover. Even the most secure networks have some flaws.
An assessment prioritizes risks as well as identifying them. It takes both importance of information and degree of vulnerability into account. Valuable databases obviously are a serious concern, but so is any device with weaknesses that could give an attacker an easy foothold in the network.
The first step in assessing vulnerabilities is to identify your valuable digital assets. Where is critical information stored? How well-protected is it? Are there secondary locations which also hold the information?
Business databases require serious protection. Someone who gets access to one can obtain customer data and business records. They’re the most obvious assets to protect, but other files may contain critical information as well. Mailing lists may be plain text files. Desktop machines can hold confidential memos about upcoming deals. Outdated information sets may have been abandoned but not purged. The assessment needs to locate all points that have a significant need for protection.
Any device which is reachable from the Internet is a target. The assessment needs to include an inventory of them, with information about their operating systems and Net-accessible software.
The network architecture needs a careful examination. The firewall should keep out any access which doesn’t have a business purpose. Attackers can exploit bugs in protocols and services which no one else is paying attention to. The most critical parts of the infrastructure shouldn’t be directly accessible from outside the local network.
If employees can use their home computers and smartphones to access the network, they need to be counted. There are clear benefits from telecommuting and a BYOD policy, but they’re also a source of risk.
Any device with software that isn’t maintained is vulnerable. If patches have been issued but not installed, it has publicly known weaknesses. The operative word is “devices,” not just computers. Printers, Wi-Fi access points, and fax machines are all computing devices which can have dangerous bugs if they aren’t patched. Old devices are an especially serious problem if they can’t be updated anymore.
Configuring software properly is an essential part of protecting it. Risky features should be disabled if they aren’t needed. Passwords need to be strong. Access controls should be set up correctly.
Software should store critical data, such as passwords and financial information, in encrypted form. Unencrypted information is a significant risk.
Most breaches can be traced to human error. Hardware and software protections aren’t very effective if employees don’t understand good security practices. They need to learn to use good passwords, to treat email with caution, and to be careful about the information they put on their personal devices.
Access from outside the company is another source of human risk. Business partners and contractors have their own security issues, and a compromise of their networks could give an attacker a way into your network. Outside organizations should have the access they need, but no more.
Once the assessment is complete, the company is in an informed position to improve its security. Not all vulnerabilities are exploitable; for instance, an open port with no software responding to it can’t be exploited — currently. The next step is to prioritize vulnerabilities and address them starting with the greatest risks. Penetration testing can be a valuable tool for this. Knowledge is power, and knowing where the vulnerabilities are is the best basis for a security strategy.
Otava lets you keep your backups secure and off-site for maximum safety. Contact us to learn more.