by Security Vitals and Merit Network
Failing to evaluate digital and personnel security defenses is a major threat to any business or nonprofit. The potential risks to an enterprise extend beyond the immediate costs of lost records to include downtime and reputation damage. A recent Cybersecurity Ventures report predicts that cybercrime will cost businesses more than $6 trillion annually by 2021. A balanced approach between hardware/software solutions and their governance, together with the elimination of organizational skills gaps, is critical to protecting corporate assets consistently.
Unravelling the testing paradigm
Effective network, application and product testing delivers direct and immediate feedback regarding an organization’s security posture. It is critical to define objectives at the beginning of the process, as the best-suited approach will vary depending upon the desired outcome. Testing options include:
Vulnerability Assessments – One of the most basic evaluations an organization can conduct is a vulnerability assessment. This can be thought of as a basic perimeter check for security. If your home’s windows are open and your doors are unlocked, there is a higher probability that someone will break in. The same is true for IT infrastructure such as servers, desktops and firewalls if your software is outdated or configured incorrectly. A well-executed vulnerability assessment will prioritize findings based on criticality and provide specific details regarding how to implement security controls, such as updating software and changing configuration settings.
Network Penetration Test – This type of review is a more in-depth evaluation of network and data security. A successful network penetration test begins with finding points of access through an identified weakness (such as a vulnerability or easily guessed password) and then continues until valuable data, like a client list or employee salary spreadsheet, can be accessed and copied. It is important to note that not all penetration tests result in a successful exploit of information.
Web Application Testing – Application testing is focused on exploiting coding weaknesses to gain unauthorized access to data. One such weakness could include logging into a web-banking application as a user and gaining access to another account holder’s data by manipulating input to the code. Web application testing works to exploit code behavior in a manner that does not match its intended design. The goal of the test is to identify and prioritize gaps in application security so that they can be addressed with new and improved code.
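The web-banking scenario above, in which a logged-in user reaches another account holder's record by manipulating input, is an authorization flaw. The following is an added example (not code from the page or from Security Vitals or Merit Network) that shows the weak handler beside the hardened form and a probe of the kind a web application assessment would report on; the account data, function names and Forbidden exception are constructed assumptions.

```python
"""Added example: a web-banking style account lookup that trusts a
client-supplied account id, next to the hardened form that enforces
ownership server-side. All data and names here are constructed."""

# Constructed sample data: account id -> owner and balance (assumed layout)
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 4200},
    1002: {"owner": "bob", "balance": 150},
}


class Forbidden(Exception):
    """Raised when the session user is not authorized for the record."""


def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """Weak version: the account id comes from the request and is never
    compared with the logged-in user, so changing the id in the request
    returns someone else's record."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user: str, account_id: int) -> dict:
    """Fixed version: the authorization decision is made from the
    server-side session identity, not from anything the client sends."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # One response for "missing" and "not yours" avoids revealing
        # which account ids exist.
        raise Forbidden("account not accessible")
    return record


def leaks_foreign_record(handler, session_user: str, account_id: int) -> bool:
    """Assessment-style probe: True means the handler returned a record
    the session user does not own (a finding to prioritize and fix)."""
    try:
        record = handler(session_user, account_id)
    except (Forbidden, KeyError):
        return False
    return record["owner"] != session_user


if __name__ == "__main__":
    # bob requests alice's account through each handler
    print("vulnerable leaks:", leaks_foreign_record(get_account_vulnerable, "bob", 1001))
    print("hardened leaks:  ", leaks_foreign_record(get_account_hardened, "bob", 1001))
```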
Often, external vendors are hired to conduct testing, evaluation and mitigation planning. While the requirements for testing frequency can vary greatly from one organization to another, key factors include the rate of change (infrastructure and applications), compliance requirements and the risk exposed during prior testing. Annual testing should be considered a minimum benchmark threshold for evaluations; however, a quarterly testing plan and monthly vulnerability scan dramatically reduce an organization's risk profile.
Preparing for the Inevitable
It is unlikely that all of an organization’s security staff will have real-world experience handling a cyberattack. Training staff inside a simulated environment can provide critical hands-on response training.
As the technology landscape continues to evolve, organizations are reliant on leveraging human capital as their first line of defense. A cyber range is an unclassified, network accessible, private training cloud that allows organizations to teach, test and train their products and employees. Exercises conducted in a cyber range allow teams to practice identifying and mitigating threats in a replicated environment using real-world tools. A cyber range can train teams of any size—from individual skill-building exercises to full scale missions involving both offensive and defensive teams. Instruction occurs on demand, without taking cyber defenders away from the front lines.
Cyber ranges also provide sandbox environments that are ideal for penetration testing. These encapsulated spaces prevent test results from being shared with the general public and can be easily reset to test new attack vectors. Devices are placed in the network-accessible secure sandbox, which allows authorized penetration testers to access the product from anywhere in the world. This combination of increased collaboration and security is ideal for product creation and threat remediation.
Collaboration at the local level is helping to improve knowledge, capabilities and risk management for organizations large and small. Security Vitals (www.securityvitals.com), located in Pontiac, Michigan, and Merit Network (www.merit.edu), located in Ann Arbor, Michigan, are working together to roll out defense strategies and increase product awareness with organizations across the region.
Security Vitals is a leading cyber security services firm that provides vulnerability scanning as well as network and application penetration testing services. Their in-depth process highlights security gaps and provides detailed feedback on how to mitigate them. Recognized for market insight and resident expertise, the Security Vitals team is also responsible for conducting monthly reviews of information security products that are published in SC Magazine.
Merit Network, the nation’s longest-running research and education network, powers the Michigan Cyber Range. The Michigan Cyber Range is the nation’s largest unclassified, network accessible cybersecurity training platform. It aims to strengthen Michigan’s cyber defenses by mitigating the growing number of cyber threats and providing a more secure environment that promotes economic development.
The Michigan Cyber Range hosts the secure sandbox for the monthly product review testing conducted by Security Vitals.
For more information about the offerings at these firms contact: