Following up on your vulnerability and penetration testing
(Last updated on August 2, 2018)
You’ve performed your security assessment, found the flaws in your network environment, and now know where your gaps are. What’s next? Do you simply hand the report off to another team and hope that everything gets addressed? Do you share it with management? Perhaps, you turn the findings into a to-do list for the coming year. The important thing is that you do something. Interestingly, this is where many organizations fall short in terms of their security testing efforts. They find and acknowledge the risks, but fail to follow up on them – no accountability. Or there’s minimal follow up with little prioritization. Time passes, things get back to normal, and then – boom – it happens. The dreaded incident or confirmed breach rears its ugly head. It’s something old that was documented in a security assessment report that someone overlooked along the way. It’s the worst possible scenario.
There’s the saying talk is cheap. When it comes to information security oversight, it’s a story that rings all too true. You go through the motions and pay good money to find the security flaws, only to get distracted and never actually address them. It only takes one finding. It could be critical such as a weak password on a public-accessible server, or high-priority such as a missing patch that can lead to a denial of service attack. Someone could even exploit medium or low-priority items such as a misconfiguration on a firewall, or internal user emails advertised on public web pages via phishing scams. Regardless of the threat, your exposure creates tangible business risks.
It’s important to dedicate the time and resources needed to follow up on each item that is uncovered in your security assessment. Address them directly where you can by tweaking configurations, adjusting password requirements, applying patches, and the like. Failing to do so can lead to security debt which only accrues over time until eventually exploited. When the incident occurs, you’re going to be called on it. Any gaps in addressing known flaws won’t be defensible once a breach occurs. Not unlike a heart disease or cancer diagnosis that goes ignored, the consequences will surface sooner or later. Do you address it on your own terms now, or later when you’re forced to?
Your follow-up and remediation efforts must involve management. That’s the only realistic way you’re going to have a long-term success. You can get – and keep – management on board by underscoring the importance of the findings and how they impact overall business resilience. Put the results in terms that they will understand. This means correlating specific security vulnerabilities with business risks. Obtaining and maintaining buy-in is a long-term process. You may get pushback at first as a lot of non-technical executives tend to think that these security issues are something that IT, and IT only, should be handling. That’s certainly not the case.
Instead of kicking the can down the road, you must act. The best approach is to utilize the Pareto principle and focus your efforts on the 20% of the findings that are creating 80% of the risks. In other words, the low hanging fruit – the basics – that are both easily-exploitable and have severe consequences. Start with the most urgent flaws on your most important systems and then work your way down the list. Taking this approach will ensure that you address the critical areas and can stay out of trouble as evidenced by the findings in the annual security breach reports, such as the Verizon Data Breach Investigations Report, among others.
You’ll likely find that the majority of your critical and high-priority areas won’t require a ton of effort or expense. In fact, many such findings can be resolved by simple changes in policies and processes, or by acquiring new technologies to help facilitate and enforce what you’re trying to accomplish. The important thing to just do something. In almost every case, doing something is better than doing nothing.
You don’t want to just “get by” when customers, business partners, and regulators are expecting businesses to go the extra security mile. The key is action and that starts with following up on every finding of consequence uncovered in your periodic security assessments.