Vulnerability Assessment – Know Your Weaknesses

Relax, we won’t be talking about personal or psychological weaknesses here. Instead, let’s talk about IT, its inherent vulnerabilities, and how to assess them.

IT vulnerability assessment, also known as vulnerability analysis, is a deliberate process to define, identify, and classify the security vulnerabilities in a computer, a network, or an entire communications infrastructure. It can also be used to forecast the effectiveness of proposed countermeasures and to evaluate their actual effectiveness once they are in place.


Vulnerability assessment is usually the first step taken towards strengthening an organization’s information security. Because it provides a picture of the open doors and holes in the security landscape, it is a natural starting point for rationalizing the security strategy, policies, and so on. Ultimately, the data collected and rationalized feeds the entire Risk Management process.


Methodology, scope, and timing vary, but a vulnerability assessment always follows the same basic steps:

  • Determine the scope of the assessment;
  • Scan the in-scope networks and every device on them;
  • Identify and confirm the vulnerabilities found (weed out false positives and duplicates);
  • Classify the confirmed vulnerabilities and determine their severity levels;
  • Prepare the vulnerability report.


Penetration testing, an important part of or extension to vulnerability assessment (depending on the underlying philosophy), is usually performed by a white-hat tester using ethical hacking techniques. Using this method, security experts deliberately probe a network or system to discover its weaknesses. The results can guide the development of countermeasures before a genuine attack occurs.

Imagine you’re in a room with many doors and you want to know which of them are locked and which are not. Vulnerability assessment does just that: it provides a “list” of unlocked doors. These doors could be used to break into an organization’s communication systems, inflicting damage and disrupting operations.

The scope of a vulnerability assessment is usually all-encompassing, covering an entire organization or, at the least, an entire critical system the organization relies on.

Penetration testing, on the other hand, may follow a narrower scope. Instead of just listing doors, it goes through each unlocked door to see how far one can reach into the system and what impact such an entry could have, thereby exposing vulnerabilities that were not visible in the vulnerability assessment’s first “batch” of doors.


Lack of Vision: Creating a plan for a vulnerability assessment is not an easy task. You need to look at it from as many sides as possible and explore every aspect of the vulnerabilities found. Being narrow-minded about such an assessment is one of the biggest mistakes you can make. To adequately examine the weaknesses in your infrastructure, you need to put yourself in the attacker’s shoes, and there is no better way to do that than to try even the most outrageous testing ideas and to simulate even the rarest situations. Don’t exclude any idea before seriously considering it. Bear in mind, too, that having a member of senior management in the room while brainstorming ways to assess vulnerabilities is a bad idea: ideas suddenly stop flowing and people become afraid to explore different possibilities.

Inadequate Compliance: Complying with laws and regulations is not always enough to secure your business’s information infrastructure. In every country there are examples of legislation enacted to raise business security that nevertheless covers the real environment only partially. The wise, and entirely legal, approach is to treat regulatory requirements as a floor and to address their gaps with additional, legally permitted measures.

Bad Reporting: A frequent problem is the lack of a proper reporting method. It is nothing new for an external consulting company to simply drop off a report full of vulnerabilities and problems and leave the rest to the client. On other occasions, the report dwells on the problems themselves without offering any answers for the weak points in the infrastructure, or concentrates only on categorizing and enumerating what was found, again with no view towards a solution. A report with a detailed categorization of all problems is vital, but it is only half of the work. The other half is a detailed analysis of the report and the effort to fix the problems it lists.

Knowledge Gained Does Not Enter Corporate Culture: A vulnerability assessment report contains security-sensitive information that cannot be shared lightly with employees, but that is no reason to keep staff in the dark. Security is part of the corporate culture and must be embraced by everyone in the company, not as a mandatory requirement but as something they are involved in. Security staff meetings and discussion of security incidents, both in your own company and in others, will greatly improve the understanding of security as a group effort.


Determining the information security risks in a company is a complex and involved task. In a dynamic, integrated environment, locating and assessing threats and vulnerabilities once is simply not enough. What you need is not a one-off vulnerability assessment but an integrated process of vulnerability management.

What is vulnerability management and how is it different from vulnerability assessment?

Vulnerability assessment tells you where the vulnerabilities are and what they are, while vulnerability management makes sure they are addressed by actionable measures, such as installing a patch, changing a network security policy, reconfiguring software (a firewall, for instance), or educating users about social engineering.


Vulnerability management is the ongoing, cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. The process is especially important for issues in software and firmware. Vulnerability management is integral to computer and network security and is fed by vulnerability assessment, which provides the initial “food for thought”.

Although vulnerabilities are classified by severity, severity does not translate directly into organizational risk. A high-severity vulnerability may or may not represent a critical risk; that depends on the value and exposure of the affected asset and on the controls already around it. Risk ratings are determined in the risk assessment process, part of the Risk Management activities.
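As an added example (not part of the original article), the following Python script walks the assessment steps listed earlier over constructed scan output: it confirms findings by dropping duplicates and unverified results, classifies them using the CVSS v3.x qualitative rating scale, and prints a report sorted by risk rather than by raw severity. The hosts, finding titles, asset inventory, and the risk formula are constructed for illustration and are not a standard; the point they show is that a critical finding on a low-value internal box can rank below a medium finding on an internet-facing crown jewel.

```python
"""Added example, not from the original article: a minimal vulnerability
assessment pipeline over constructed scan output, ending with a risk rating
that combines severity with asset criticality and exposure."""

# Constructed scanner output (step 2, "scan"). "confirmed" models the
# analyst's manual verification in step 3.
RAW_FINDINGS = [
    {"host": "10.0.1.10", "title": "Default credentials on admin interface", "cvss": 9.8, "confirmed": True},
    {"host": "10.0.1.10", "title": "Default credentials on admin interface", "cvss": 9.8, "confirmed": True},  # duplicate
    {"host": "10.0.1.25", "title": "Unsupported OS version", "cvss": 8.1, "confirmed": True},
    {"host": "10.0.2.5",  "title": "Directory listing enabled", "cvss": 5.3, "confirmed": True},
    {"host": "10.0.2.5",  "title": "Scanner-flagged injection (unverified)", "cvss": 9.1, "confirmed": False},  # false positive
]

# Constructed asset inventory: criticality 1 (low) to 3 (high) and exposure.
ASSETS = {
    "10.0.1.10": {"criticality": 1, "exposure": "internal"},   # lab appliance
    "10.0.1.25": {"criticality": 2, "exposure": "internal"},   # file server
    "10.0.2.5":  {"criticality": 3, "exposure": "internet"},   # customer portal
}

SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale (step 4, classify)."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def confirm(findings):
    """Step 3: keep only analyst-confirmed findings and drop exact duplicates."""
    seen, out = set(), []
    for f in findings:
        key = (f["host"], f["title"])
        if f["confirmed"] and key not in seen:
            seen.add(key)
            out.append(f)
    return out


def risk(sev: str, asset: dict) -> str:
    """Illustrative risk rating (an assumption, not a standard): severity rank
    weighted by asset criticality, with a bump for internet exposure."""
    score = SEVERITY_RANK[sev] * asset["criticality"]
    if asset["exposure"] == "internet":
        score += 2
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(findings, assets):
    """Steps 3-5: confirm, classify, rate, and order for the report."""
    rows = []
    for f in confirm(findings):
        sev = severity(f["cvss"])
        rows.append({**f, "severity": sev, "risk": risk(sev, assets[f["host"]])})
    return sorted(rows, key=lambda r: (RISK_ORDER[r["risk"]], -r["cvss"]))


def report(rows) -> str:
    """Step 5: a plain-text report, highest risk first."""
    lines = [f"{'risk':8} {'severity':9} {'cvss':5} {'host':11} title"]
    for r in rows:
        lines.append(f"{r['risk']:8} {r['severity']:9} {r['cvss']:<5} {r['host']:11} {r['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(RAW_FINDINGS, ASSETS)))
```

Run it and the duplicate and the unverified finding disappear, the 9.8 on the lab appliance lands at Medium risk, and the 5.3 on the internet-facing portal lands at High. Swap in your own inventory and a risk formula agreed with the risk owners; the structure (confirm, classify, rate against assets, report) is what carries over.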

Outsourcing Your Internal Audit Function May Be a Viable Proposition

According to The Institute of Internal Auditors,

internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Today, you can outsource almost everything, including your internal audit function. There are two scenarios to consider here: outsourcing and co-sourcing. With pure outsourcing, the entire function is performed by the service provider as a comprehensive, risk-focused service. With co-sourcing, the work is shared; you would typically use it when you need assistance with, say, non-routine engagements that call for deeper experience and expertise.

Outsourcing your internal audit function brings a number of otherwise hard-to-get benefits. Your organization is evaluated in a more independent and unrestricted manner, so management receives more objective and unbiased assistance and advice. You gain a new level of assurance and risk coverage, and you will probably be able to reduce costs in both the short and the long run. If you want to align organizational governance with risk and compliance and to proactively identify and manage emerging risks, outsourcing is worth considering. Last but not least, you may be able to free up some of your own people for other, more important tasks.


Outsourcing is well suited to situations where a broader skill set and deeper industry specialization are needed. You receive additional intellectual capital, in the form of insights and recommendations on leading practices and access to leading-edge tools and methodologies, all of which transfers new knowledge and builds new capabilities inside your company.


There’s quite a debate over the pros and cons of outsourcing the internal audit function. The concerns mainly stem from the risk, responsibility, and reliability issues that come with relying on external consultants, and that is exactly how it should be. A good provider addresses these concerns by agreeing to, and meeting, a checklist of requirements for the arrangement:

  • All objectives are clearly defined;
  • The scope of the service is transparent;
  • The level of expertise needed is properly identified;
  • You review and agree on the performance metrics;
  • Together you plan for, and establish who does what in, remediation and follow-up;
  • You get assistance in creating your own quality assurance and improvement programs;
  • Clear rules are defined for deliverables, i.e. ownership of the work papers when the service terminates;
  • You remain in control to limit, where applicable, the work your vendor may do for your competitors.

With the right people, methodologies, and technologies, the outsourced process and the professionals involved should be a true and objective alternative to an in-house function. Through a business-minded, cost-efficient approach, the service company you hire should become your partner in managing risk for your business.


A typical outsourced internal audit project will have five phases:


  • Selection: an organization-wide or pre-selected area/project risk assessment to define the audit surface and objectives;
  • Planning: gather relevant information, stipulate the chain of command and reporting lines, and draft a plan with scope and timing;
  • Execution: fieldwork commences, with regular status meetings to discuss observations, potential findings, and recommendations;
  • Reporting: communicate draft and final reports of findings, conclusions, and recommendations;
  • Follow-up: track findings and approved remediation action plans, and re-audit where applicable.


The cost of an outsourced internal audit service depends on the size, project complexity, and industry sector of your company. Based on an initial and ongoing assessment, the vendor should offer flexible, tailored pricing that achieves and maintains internal audit standards.

The service philosophy should be affordability with maximum value for money. Depending on your company’s need for internal audit involvement, and on the complexity of one-time or ongoing projects, look for a vendor that will devise the most cost-effective plan to make sure your business model is adequately protected.