[Webinar Recap] Finding Cybersecurity Gaps and Vulnerabilities in Your Organization
Companies creating strong cybersecurity policies should focus less on generalities and more on specifics. What exactly can we do to block intrusion and monitor our systems to keep our data and our customers’ data safe?
Adopting a proactive approach will help companies keep pace with the changing nature of attackers. They have evolved from individuals out to cause mischief into members of larger, better-funded criminal enterprises.
Not Just an Issue for Big Business
Large companies remain targets, but small and medium-sized companies are now being attacked as well, even though many considered themselves too small to attract attention. These companies may even be easier targets because attackers assume they take fewer security precautions, and that assumption is often correct.
Another thing changing about cybersecurity is the amount of damage that can be done in a short amount of time. Hackers of the past may have taken a few documents or messed with files, but now everything in your system is up for grabs, including customer financial information or credentials to access vendor networks.
A breach can do catastrophic damage to a company’s reputation, which could take years to rebuild. Cybercrime is now a $100 billion industry, and criminals are equipped with the latest technology along with the tools of the traditional con artist.
Finding Cybersecurity Gaps and Vulnerabilities
It’s easy to become concerned about all of these statistics, but a smarter, more proactive approach is to do something about it. This begins with learning more about what makes you and your organization vulnerable and what steps you can take to change it. Checking for vulnerabilities can include thorough scans of your networks, testing how your systems respond to simulated breaches, and looking for weak entry points. A deeper system sweep can also let you know if an attack has already occurred that may not have been detected.
Matt Kozloski, Vice President of Professional Services for Kelser, is eager to educate businesses about the need for better vigilance and consistent reviews of their defenses. In a recent webinar, he defined what constitutes a valid risk and what specific steps companies can take to improve their cybersecurity and related defenses.
Assessing your company’s cybersecurity gaps and vulnerabilities starts with knowing your terms.
A vulnerability is a weak point that someone can exploit. Think of a physical office, where the door is the main access point. Unwanted people can try to break through this door or pick the lock, but you can make it difficult to enter. However, many owners don’t take the correct precautions, so there are plenty of holes.
Vulnerabilities can come from technical flaws, such as bugs in hardware and software; human factors, like phishing attacks that prey upon our tendency to trust people; information disclosure, which is based on what outsiders can learn about your organization and your systems; and natural disasters, which can cause physical damage.
What’s especially concerning is that, by the webinar’s estimate, 99% of computers out there are running software with exploitable vulnerabilities that may go unnoticed, especially in browser plug-ins like Flash or Java.
One security study this spring found more than 3.2 million machines running out-of-date, unpatched versions of JBoss that attackers were exploiting to install ransomware. The owners may not know they were compromised until their computer or network is locked and a demand for money is made. Often no one did anything obviously wrong; the software simply was never updated, something that happens far too frequently with these programs.
Some companies invest only a small amount of time and resources into addressing their cybersecurity gaps and vulnerabilities. But someone wanting to be proactive can request a full vulnerability assessment, which scans your network and reports potential security flaws.
This “absolutely critical” internal audit goes in depth by scanning all of your network access points, including desktops, network equipment, servers, printers and other hardware. It’s an automated general sweep that offers a broad evaluation. Once this is complete, a security analyst gathers all of the data and creates an easy-to-understand report of good points and weaker points.
Clients can request these vulnerability assessments anytime or schedule them regularly to learn how their defenses have improved over time or find areas where more work still needs to be done. Some companies plan these every quarter, every six months, or annually. The exact time isn’t as critical as having them performed routinely.
Companies are encouraged not to cherry-pick the results by saying that they’re already aware of some of the larger flaws, or saying “don’t worry” about other findings or underestimating the risks.
Instead, the best advice is to do something to remediate any detected weak points – solutions don’t have to be complex or expensive and can be simple patches, running some assessments or evaluating your risk management.
The second phase of analyzing vulnerabilities is to figure out ways your system could be entered through a penetration test, or pen-test for short. You can call in a white-hat hacker, or you can have your own staff attempt to access your data or compromise your system.
A pen test differs from a vulnerability assessment, which is more of a global sweep of your system. Instead, a pen test is a “deeper dive” that tests your system’s integrity by actually attempting to exploit the weak points it identifies, but under controlled, non-emergency conditions. This gives you a better chance to adjust your defenses as needed, without having to worry about eliminating an active threat at the same time.
Part of the final analysis is an assessment that calculates the degree of risk involved in different vulnerabilities, by defining risk as the likelihood of an attack happening multiplied by the possible impact. This produces a more objective conclusion of what areas to focus on.
Likelihood of Attack x Possible Impact = Risk
Simply spotting an area that potentially can be breached with either the pen test or the vulnerability assessment doesn’t necessarily mean that every hacker has the knowledge, ability or interest to exploit it, especially if there are easier methods to get in.
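As an added illustration (not code from the webinar or from Kelser), the following Python turns the Likelihood x Impact formula into a simple prioritization step over a handful of constructed findings. The 1-to-5 integer scales, the finding names and the tie-breaking rule are assumptions made for this example; the point it demonstrates is the one above: a severe but hard-to-exploit flaw can rank below an easier, moderate one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int  # assumed scale: 1 (unlikely) .. 5 (expected)
    impact: int      # assumed scale: 1 (negligible) .. 5 (catastrophic)


SCALE = range(1, 6)


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood of Attack x Possible Impact, giving 1..25 on the assumed scales."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def prioritize(findings):
    """Order findings highest risk first; ties broken by impact, then by name."""
    return sorted(
        findings,
        key=lambda f: (-risk_score(f.likelihood, f.impact), -f.impact, f.name),
    )


# Constructed sample findings for this example; not results from any real assessment.
SAMPLE = [
    Finding("Unpatched JBoss on internet-facing server", 5, 5),
    Finding("Flash plug-in enabled in default browser", 4, 3),
    Finding("Printer admin page with default password", 3, 2),
    Finding("Obscure kernel race condition, local access only", 1, 4),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f.likelihood, f.impact):>3}  {f.name}")
```

Run as a script it prints the findings in the order they should be worked, with the high-impact but low-likelihood kernel issue last. In practice, replace the constructed list with the findings from your own assessment and pen test, and resist re-scoring a finding downward just because you already knew about it.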
One of the best defensive strategies is to keep things simple but still effective, which is the purpose of Defend Forward, Kelser’s cybersecurity-as-a-service offering.
This transformative service was created to help small and medium-sized businesses, many which lack the resources to develop, research and implement their own security plans, which is becoming critical as the amount of cyber attacks and cost of breaches continue to rise.
So a solution that offers customized support with minimal up-front costs can be a winner.
For companies curious about how Defend Forward can help their organization, Kelser is offering a no-obligation security study of your structure and vulnerabilities. At no charge to you, you’ll receive a detailed report of your company’s weak points which will give you an idea of what areas to focus on.
The process involves a consultative session with a security engineer, answering a series of questions and accessing a few ports on your server. Then you’ll receive recommendations for actionable steps to take to fix any cybersecurity gaps and vulnerabilities, and a proposal for how a tailored Defend Forward plan can assist your organization to be secure for the future.
Overall, people are becoming aware of some aspects of cybersecurity, such as not opening strange emails or attachments. But vulnerabilities still abound, especially when the “human element” is involved. Well-crafted phishing emails, or even malware-laden thumb drives deliberately left in parking lots, can infect computers quickly and often without anyone realizing it.
What questions do you have about finding gaps and vulnerabilities in your organization's cybersecurity? Let us know in the comments below, and don't forget to watch our on-demand webinar to learn more!