Following up on your vulnerability and penetration testing

You’ve performed your security assessment, found the flaws in your network environment, and now know where your gaps are. What’s next? Do you simply hand the report off to another team and hope that everything gets addressed? Do you share it with management? Perhaps you turn the findings into a to-do list for the coming year. The important thing is that you do something. Interestingly, this is where many organizations fall short in terms of their security testing efforts. They find and acknowledge the risks, but fail to follow up on them – no accountability. Or there’s minimal follow-up with little prioritization. Time passes, things get back to normal, and then – boom – it happens. The dreaded incident or confirmed breach rears its ugly head. It’s an old finding that was documented in a security assessment report and that someone overlooked along the way. It’s the worst possible scenario.

There’s a saying that talk is cheap. When it comes to information security oversight, it’s a story that rings all too true. You go through the motions and pay good money to find the security flaws, only to get distracted and never actually address them. It only takes one finding. It could be critical, such as a weak password on a publicly accessible server, or high-priority, such as a missing patch that can lead to a denial of service attack. Someone could even exploit medium or low-priority items such as a misconfiguration on a firewall, or internal users’ email addresses published on public web pages that can be harvested for phishing scams. Regardless of the threat, your exposure creates tangible business risks.

It’s important to dedicate the time and resources needed to follow up on each item that is uncovered in your security assessment. Address them directly where you can by tweaking configurations, adjusting password requirements, applying patches, and the like. Failing to do so creates security debt, which only accrues over time until it is eventually exploited. When the incident occurs, you’re going to be called on it. Any gaps in addressing known flaws won’t be defensible once a breach occurs. Not unlike a diagnosis of heart disease or cancer that goes ignored, the consequences will surface sooner or later. Do you address it on your own terms now, or later when you’re forced to?

Your follow-up and remediation efforts must involve management. That’s the only realistic way you’re going to have long-term success. You can get – and keep – management on board by underscoring the importance of the findings and how they impact overall business resilience. Put the results in terms that they will understand. This means correlating specific security vulnerabilities with business risks. Obtaining and maintaining buy-in is a long-term process. You may get pushback at first, as a lot of non-technical executives tend to think that these security issues are something that IT, and IT only, should be handling. That’s certainly not the case.

Instead of kicking the can down the road, you must act. The best approach is to utilize the Pareto principle and focus your efforts on the 20% of the findings that are creating 80% of the risks. In other words, the low-hanging fruit – the basics – that are both easily exploitable and have severe consequences. Start with the most urgent flaws on your most important systems and then work your way down the list. Taking this approach will ensure that you address the critical areas and helps you stay out of the kind of trouble documented year after year in annual security breach reports, such as the Verizon Data Breach Investigations Report, among others.
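The prioritization described above is easy to state and easy to lose track of once the report is filed. The following script is an added example, not code from the original post or from the author: it scores each open finding by severity and by how important the affected system is, ranks the list, identifies the smallest set of findings that accounts for 80% of the total risk, and flags items that are past their remediation due date or have no owner. The findings, hostnames, owners, dates and scoring weights are all constructed for illustration; adjust the weights to match your own asset classification.

```python
"""Findings triage helper (added example, not from the original post).

Ranks open assessment findings by severity x asset importance, reports the
subset that carries 80% of the total risk (the Pareto "20%"), and flags
overdue or unowned items so that follow-up has a named owner and a date.
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed weights: tune these to your own severity scale and asset tiers.
SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}
ASSET_WEIGHT = {"crown-jewel": 3, "important": 2, "ordinary": 1}

# Constructed "as of" date used by the overdue check.
TODAY = date(2018, 3, 15)


@dataclass
class Finding:
    fid: str
    title: str
    severity: str      # key of SEVERITY_WEIGHT
    asset: str         # hypothetical hostname
    asset_class: str   # key of ASSET_WEIGHT
    owner: str         # accountable team; empty string means unassigned
    due: date          # agreed remediation date
    fixed: bool = False

    def risk(self) -> int:
        """Simple risk score: severity weight times asset importance."""
        return SEVERITY_WEIGHT[self.severity] * ASSET_WEIGHT[self.asset_class]


# Constructed sample findings (hypothetical hosts, owners and dates).
FINDINGS = [
    Finding("F-001", "Weak administrator password", "critical",
            "www1.example", "crown-jewel", "ops", date(2018, 2, 1)),
    Finding("F-002", "Missing OS patch enabling denial of service", "high",
            "app2.example", "important", "ops", date(2018, 3, 1)),
    Finding("F-003", "Over-permissive firewall rule", "medium",
            "fw1.example", "important", "netsec", date(2018, 4, 1)),
    Finding("F-004", "Staff email addresses on public web page", "low",
            "www1.example", "crown-jewel", "", date(2018, 6, 1)),
    Finding("F-005", "Verbose service banner", "low",
            "test3.example", "ordinary", "ops", date(2018, 6, 1), fixed=True),
]


def rank(findings):
    """Open findings, highest risk first (fixed items drop out of the list)."""
    return sorted((f for f in findings if not f.fixed),
                  key=lambda f: f.risk(), reverse=True)


def pareto_subset(findings, share=0.8):
    """Smallest top-ranked prefix whose risk reaches `share` of total open risk."""
    ranked = rank(findings)
    total = sum(f.risk() for f in ranked)
    accumulated, chosen = 0, []
    for f in ranked:
        chosen.append(f)
        accumulated += f.risk()
        if accumulated >= share * total:
            break
    return chosen


def overdue(findings, today=TODAY):
    """Open findings whose agreed remediation date has already passed."""
    return [f for f in findings if not f.fixed and f.due < today]


def unowned(findings):
    """Open findings with nobody accountable for them."""
    return [f for f in findings if not f.fixed and not f.owner]


def by_owner(findings):
    """Open finding ids grouped by owner, in risk order, for the follow-up meeting."""
    groups = {}
    for f in rank(findings):
        groups.setdefault(f.owner or "UNASSIGNED", []).append(f.fid)
    return groups


if __name__ == "__main__":
    print("Findings carrying 80% of open risk:")
    for f in pareto_subset(FINDINGS):
        print(f"  {f.fid} risk={f.risk():>3} {f.title} ({f.asset})")
    print("Overdue:", [f.fid for f in overdue(FINDINGS)])
    print("Unowned:", [f.fid for f in unowned(FINDINGS)])
    print("By owner:", by_owner(FINDINGS))
```

With the constructed data, two of the four open findings (the weak administrator password on the crown-jewel web server and the unpatched application server) account for 80% of the open risk, both are already past their due date, and the low-severity finding has no owner at all. That last case is the "no accountability" failure the post warns about: a low score is a reason to schedule an item later, not a reason to leave it without a name against it.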

You’ll likely find that the majority of your critical and high-priority areas won’t require a ton of effort or expense. In fact, many such findings can be resolved by simple changes in policies and processes, or by acquiring new technologies to help facilitate and enforce what you’re trying to accomplish. The important thing is to just do something. In almost every case, doing something is better than doing nothing.

You don’t want to just “get by” when customers, business partners, and regulators are expecting businesses to go the extra security mile. The key is action and that starts with following up on every finding of consequence uncovered in your periodic security assessments.


Written by

Kevin Beaver

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over three decades of experience in the industry, Kevin performs security assessments and consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin can be reached at his website www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.


© 2018 Specops Software. All rights reserved. Privacy and Data Policy