Before starting any task or project you really should have a plan.
Diving in headfirst without one might feel like you're getting things done and making progress, but halfway through you'll realise you've implemented tools that already exist in your business, forgotten vital parts of your business that need securing or didn't fully realise your legal and professional cybersecurity obligations.
A security assessment is that plan.
Creating and regularly updating a security assessment helps you stay focused, ensures valuable time and resources are not wasted reinventing the wheel, and prevents you overlooking important security aspects you didn't even know existed or needed attention. A plan also makes better use of tight cybersecurity budgets by outlining the highest risk items so funds can be aimed at those tasks first.
There are standards for cybersecurity assessments such as ISO 27001 and the NIST Cybersecurity Framework, but at their core they're a big list of things that can go wrong. These assessments are designed to get you thinking about each scenario: if it happened, what would the impact be to your business, and what do you have in place to prevent, stop, or reduce the impact of that event?
The most basic part of a cybersecurity assessment is a simple questionnaire. It is the simplest and best bang for buck part of a security assessment. Depending on the business there can be dozens of questions a cybersecurity expert will ask. A small sample of the types of questions include:
- Do you have a notifiable data breach plan?
- Do you have a business continuity plan?
- Do you have an onboarding/offboarding procedure for staff?
- Do you have any known compliance obligations? (if yes, please include them)
- Is any part of your office accessible to members of the public?
- Do you have staff that work remotely?
- Is your software and hardware automatically patched/updated?
- Do staff have the ability to install software themselves?
- Do you manage your passwords using third party tools such as LastPass?
- Has your business previously been the target of a cyber-attack?
You can also complete our full cybersecurity assessment questionnaire here. There's no right or wrong answer to any of these questions, and it is important to be honest as they form a starting point for future work. Trying to hide previous cybersecurity failures will only get in the way of improving the current situation.
A huge database called Common Vulnerabilities and Exposures (CVE) catalogues the publicly disclosed flaws in software and hardware devices that hackers and researchers have found to date. It's maintained by the US government along with private enterprise and is a key method experts use to learn about the latest cybersecurity vulnerabilities.
Most of the time there's an update or mitigation strategy provided by the vendor of a product that you can apply or install to fix the flaw listed in the CVE database. These are commonly referred to as "patches", and if they're not applied it's like an open door, inviting hackers into your computer.
Automated tests go hunting through your network and all the devices on it, probing for flaws listed in the CVE database. How long the test takes depends on the size of your network, anywhere from a few hours to many weeks. They are designed not only to emulate someone trying to find a way in, but also to assess the damage someone who already has access to your network could do.
Because a vulnerability assessment is mostly automated, it is relatively affordable. That said, the test can take a decent amount of time to complete, depending on the size of your business. The more computers and devices there are, particularly when spread out over multiple regions, the longer and more expensive the task will be.
A vulnerability assessment report is generated once these tests are complete, and using that information the appropriate remedies (patches, installation of alternative software, device replacement, etc.) can be applied. Automated tests aren't perfect, but they're the low hanging fruit of the cybersecurity game. Scanning for known flaws is often the first thing a hacker does to find a way into your network, so doing it yourself before they do is vital to tie up any digital loose ends.
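The matching step at the heart of an automated vulnerability assessment, as an added illustration that is not part of the original post: a device inventory is compared against CVE records that state which version first contains the vendor's patch, and anything older is flagged and ranked by severity. The hosts, product names, versions and CVE identifiers below are all constructed placeholders, not real advisories.

```python
"""Toy vulnerability assessment: match an inventory of installed software
against CVE records and rank the unpatched findings by severity.
All identifiers below are constructed placeholders (not real CVEs)."""
import re
from dataclasses import dataclass


@dataclass
class Cve:
    cve_id: str      # placeholder id in CVE format, not a real advisory
    product: str     # product the flaw applies to
    fixed_in: str    # first version that contains the vendor's patch
    severity: float  # CVSS-style score, 0.0 (low) to 10.0 (critical)


def parse_version(version: str) -> tuple:
    """Turn '2.4.51' into (2, 4, 51) so versions compare numerically.

    Comparing the raw strings would wrongly rank '2.4.9' above '2.4.10';
    tuples of integers compare component by component instead."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A host is exposed when it runs anything older than the patched version."""
    return parse_version(installed) < parse_version(fixed_in)


def assess(inventory: list, cves: list) -> list:
    """Return one finding per (host, CVE) pair, highest severity first,
    so the remediation plan starts with the riskiest item."""
    findings = []
    for host, product, version in inventory:
        for cve in cves:
            if cve.product == product and is_vulnerable(version, cve.fixed_in):
                findings.append({"host": host, "product": product,
                                 "installed": version, "cve": cve.cve_id,
                                 "fixed_in": cve.fixed_in,
                                 "severity": cve.severity})
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


# Constructed sample data: a small inventory and three placeholder CVEs.
CVES = [
    Cve("CVE-0000-0001", "webserver", "2.4.51", 9.8),
    Cve("CVE-0000-0002", "webserver", "2.4.49", 7.5),
    Cve("CVE-0000-0003", "vpn-appliance", "9.1.0", 8.1),
]
INVENTORY = [
    ("web01", "webserver", "2.4.50"),      # patched for 0002, not 0001
    ("web02", "webserver", "2.4.51"),      # fully patched
    ("vpn01", "vpn-appliance", "8.2.3"),   # behind on 0003
    ("fs01", "fileserver", "1.0.0"),       # no known CVEs in our list
]

if __name__ == "__main__":
    for f in assess(INVENTORY, CVES):
        print(f"{f['host']}: {f['cve']} ({f['severity']}) "
              f"running {f['installed']}, patch to {f['fixed_in']}")
```

A real scanner does the same comparison against the full CVE database and a discovered (rather than hand-typed) inventory, which is why the run time grows with the number of devices.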
Also called pen testing, white hat hacking or ethical hacking, penetration testing tries to evaluate a system's security by hacking into it in a controlled manner.
A pen test can be automated like a vulnerability assessment, but typically takes a more active approach, with a person using various tools to try to get access to your systems. Think of it like a bank hiring a thief to see if they can get into a vault, or an aircraft manufacturer getting a test pilot to push their new machine to the limit before handing it over to an airline.
There are various types of penetration tests:
External - a tester will try to gain access to a system from outside the system, like a stranger who may want to attack your business. Sometimes your employees might be given a heads up about the tester's intentions, sometimes they can be taken by surprise. Both are valid methods to see how your business reacts to such an event.
Internal - an internal test is typically done once an external test has taken place. In this scenario, it's assumed a hacker already has access to the system, or an employee has gone rogue. Internal systems are put through their paces to see how they hold up in an attack.
Social Engineering - a hacker befriending an employee with high level system access, overheard conversations in public places, blackmail and other attempts to take advantage of people to gain access to computer systems fall under social engineering. Employees may or may not be given a heads up about this activity.
Physical - a physical penetration test might sound rough, but it's a method of testing whether there are any gaps in your real-world security that could lead to someone gaining access to your digital world. For example, breaking in (perhaps via a stolen or cloned access card) and creating a digital hole in your network they can exploit later from the comfort of their home.
Website - your company website is likely hosted offsite, but it is still a vector of attack for a hacker. Defacing a website, or taking it down entirely, can have major impacts on your business and its reputation.
A popular example of penetration testing is a USB drop attack. A hacker leaves a USB drive containing malware somewhere near your business where a curious employee picks it up, then plugs it into a computer at their desk to see what's on it. Little do they know they've just let the Greek soldiers into the city of Troy.
Doing this type of hacking in a controlled manner and with supervision allows you to spot which employees are susceptible, then implement training programs to educate employees on why plugging random things into computers is a bad idea.
Usually a budget and timeline, along with a risk assessment (detailed later in this blog), dictate how thoroughly a penetration test is carried out. The bigger the budget and the higher the risk, the more testing takes place. The costs of a penetration test are higher than a vulnerability assessment as it is conducted by a person, often with considerable skill.
Dark Web Scanning
You may have heard of a nefarious online hideout called the dark web. We will explore the dark web and its cybersecurity impact on your business in later chapters, but part of a cybersecurity assessment can include scouring the dark web for any information on there that potentially may have been sourced from your business.
Credit cards, drivers' licences, IP addresses of hacked computers, personally identifiable information (PII) and more are traded like commodities on the dark web, and they come from hacking activities known as data breaches. The source of those data breaches is businesses like yours.
If data on your customers, employees or business appears on the dark web, it's a sign there's a leak somewhere in your organisation that needs to be stopped. As with vulnerability assessments, not everything can be found, and due to the dark web's secretive nature not everything can be searched. However, any results can be added to a cybersecurity assessment for further investigation and remediation.
Some businesses will have security requirements forced upon them by professional bodies, other businesses, and the government. Failure to meet these compliance requirements can result in large fines or stripping your business of access to certain services. Common compliance requirements include:
PCI Data Security Standard - required of all entities that store, process or transmit cardholder data (e.g. Visa/Mastercard). Not adhering to these standards can see your business stripped of card payment facilities.
Privacy Act - Australian organisations with an annual turnover more than $3 million have responsibilities under the Privacy Act to protect personal and sensitive information of customers and employees. Not complying can result in penalties of up to $10m or 10% of annual turnover.
Notifiable Data Breach – a recent addition to the Privacy Act makes it mandatory for businesses to report any data breaches (i.e. when personal information is accessed or disclosed without authorisation, or is lost) to the government. Failure to do so is punishable under the Privacy Act.
Supplier Requirements – if your business supplies products or services to a larger organisation, it can be a requirement (often contractual and audited) that your cybersecurity affairs are in order. Failure to meet those requirements could result in your deregistration as a supplier.
If your business needs to adhere to regulations such as these, including them in a cybersecurity assessment is vital so compliance requirements are outlined as part of an overall cybersecurity posture.
Not all businesses have the same appetite for or exposure to risk. What may be a huge threat to one business may not be a realistic threat to yours. By carrying out a cybersecurity assessment, risks can be weighted, and action taken appropriately. Some examples of various cybersecurity risks:
Email phishing - you've seen all those suspicious emails in your spam folder, right? The vast majority are attempts to gain access to your computer network. Some of those emails even look legitimate! The frequent attempts combined with the increasing realism of phishing emails makes them a high risk for any business.
Disgruntled employees – as wonderful as you are as an employer, it's not unheard of for an employee to go rogue. They can take data with them on the way out and hand it over to a competitor. This happened to giant biotech company CSL, with an executive taking thousands of documents and trade secrets with him to a new job with a competitor. Depending on the industry you operate in, this is a high risk and worth taking the time and effort to mitigate.
Natural disasters - floods, fires, extreme cold, extreme heat and other effects of global climate change are real and are taking place more frequently than in the past. While they might not happen every day like phishing attempts, they do take place, and when they do the effects are severe. Planning how your business responds should a natural disaster happen is prudent for most businesses.
Corporate/state espionage - does your business trade in secrets another country might want to know? Do you have competitors willing to bend the rules and spend big to steal your secrets? The measures required to counteract the top 1% of hackers are much tighter and more expensive than those for the most common threats, so unless your business is uniquely exposed, extreme efforts can be a waste of time and money.
Civil war – this is something that can certainly happen (and has happened in some countries), but it is highly unlikely in a place like Australia. Spending money and time to prepare your business for a civil war would be much lower on the priority list than common occurrences like email phishing attempts or natural disasters that have a more realistic chance of taking place.
Your plan of attack
FortiTech are here to guide you through the maze that cybersecurity policies and procedures can be.
All the information collected through the various questionnaires, scans, tests, compliance requirements and assessments is collated and used by FortiTech to come up with a plan of attack.
A security assessment may look like an overwhelming task, but it doesn't need to be done all at once. Our job is to translate these technical tasks into business outcomes, outline the costs and timelines to tackle the highest risk items first, then work down the list as time and budget allow.
Like any plan, it's important to refer to it regularly to make sure you're on track. A cybersecurity assessment should be a living document and should be updated to include new risks as your business changes, new vulnerabilities as technology changes and different ways to tackle those problems based on real world experience in your business.