December 23


Security audits: Not the kind of threat you should fear

Running a security audit on your IT infrastructure means you’re one step ahead of hackers

‘Audit’ is a word laden with significance, impact, gravitas, formality and consequences. And, we freely admit, these are frequently slanted towards the negative side of the fence – audits are often seen as a threat, an intimidating challenge.

Actually, an audit will help you avoid a Judgement Day: by reviewing and understanding the state of your infrastructure, you can make sure you avoid any potential security incidents. It is a tool for collecting the information used to plan and execute changes to your infrastructure that make it more secure, to improve on it.

Let’s have a look at what that entails.

Despite its potentially negative semantics, we use the term ‘audit’ to convey that our security and vulnerability reviews follow a well-developed and structured process, to the point of being formalised. This ensures no nooks and crannies are overlooked and that all audits are performed to the same high standard. It is as simple as that.

There are many ways to carry out vulnerability and security audits, and quite a few aspects may be involved. Our approach to vulnerability scanning is solution-oriented and tailored specifically to the needs of our customers.

A secure IT workload needs to address five domains of IT security architecture:

  1. Identity and Access Management – Identify who and which services are allowed to access your system, with which privileges, and the level of authentication required for each of the identified principals.
  2. Monitoring and Detection – Having components in place that monitor, analyse and detect what is happening in your infrastructure is important for protecting that infrastructure and the data you handle and process in it. Intrusion Detection Systems, firewalls and similar systems are well-known tools.
  3. Infrastructure protection – Compartmentalise your infrastructure and IT workloads into smaller, well-defined elements with clear access and communication pathways between them, so as to avoid cross-contamination and to limit the “blast radius” of any potential security breach you may encounter.
  4. Data protection – Not only PII (personally identifiable information, in relation to GDPR) must be protected and held securely and safely; any kind of business data you are storing and processing is at stake here. Data at rest and in transit needs to be protected from prying eyes, and recovery in case of data loss or disaster must be planned, tested and automated.
  5. Incident Response – What are you going to do in case of a security breach or incident? What do you do if you detect a “smoking gun”? How do you contain the incident, or prevent any further data leakage? Which tools and processes do you have in place?

Having only scratched the surface, there is a lot which can be done in each of these five domains – and it quickly becomes confusing which set of security and vulnerability tests and analyses is necessary or desirable for your use case.

Therefore, we have packaged up well-defined sets of scanning and testing profiles based on typical use cases. Do your workload(s) fall into any of these categories?

  1. Vulnerability Scan – A surface scan of your IT estate or workload, seeking to detect any known vulnerabilities. This is a multi-purpose set of scanning and probing tests applicable to all types of IT workloads. Run as a black-box test, no internal probing or analysis of your data and applications is necessary. We then discuss the actionable report with you and monitor progress with a series of subsequent scans using the same profile.
  2. PCI Vulnerability Scan – Are you storing, processing or otherwise in contact with financial and credit card data? Then this scanning profile ensures that your system is compliant with the provisions and requirements of the PCI standards (e.g. PCI DSS, P2PE, 3DS etc.).
  3. Deep Vulnerability Scan – Executed as a white-box test, deep vulnerability scans also cover checking for misconfigured file system access rights, common web application misconfiguration scenarios, SQL injection and XSS (cross-site scripting) vulnerabilities, and other common sources of IT vulnerabilities.

We are not covering everything in our pre-packaged vulnerability scan offerings – nor should we (or anyone else for that matter) as that is rarely necessary, if at all.

However, we also conduct bespoke custom vulnerability reviews that are tailored to your specific needs. In collaboration and agreement with you, these reviews can be as succinct or comprehensive as required, and can go far beyond the level of detail and coverage pre-defined packages can provide.

Why bother, you might ask?

In 2019 the most popular passwords were “123456”, “123456789”, “qwerty” and “password” – and nothing has changed since 2018.

Yes, it’s true, and it is one of the most common threats, as a successful login by an illicit person is virtually undetectable. Whilst this is possible with pure password guessing (and there are tools available to detect that), it is far more common for attackers to break into a system only to obtain sensitive information. The easiest route is to obtain password information, then sail through open gates and remain near undetectable.

Protecting your infrastructure does not stop with enforcing strong passwords. It is an ongoing process of hardening and securing your entire infrastructure in as many ways as possible and required.

And it all starts with a security and vulnerability scan. You can sign up for a free Cloud Health and Vulnerability scan by clicking here.

Why not give the Digital Craftsmen team a call to find out more about the range of services and consultancy we offer to businesses, and start your New Year knowing your infrastructure and business are secured.

Contact us on +44 (0)20 3745 7706 or email us on [email protected]

Digital Craftsmen is certified to ISO 27001 and Cyber Essentials Plus, which means we can deliver services you can trust.
