Does My Business Need a Vulnerability Assessment?

IT research firm Gartner predicts that more than 30 percent of Global 2000 companies will be compromised by the year 2020. As organizations become more and more reliant on the Internet to do business, the threat of data breaches and cyber attacks grows exponentially. Is your business safe from malicious hackers? Should you have your business assessed for potential vulnerabilities?

What is a Vulnerability Analysis?

A vulnerability assessment, also known as vulnerability analysis, is a process used to locate and identify any security-level defects (vulnerabilities) in a network or infrastructure. Vulnerability assessments help businesses pinpoint any vulnerabilities (such as coding bugs, security holes, etc.) before they have the chance to be compromised.

The primary goals of a vulnerability assessment are to identify these vulnerabilities, document them, report them to the organization, and provide details on how to resolve the issues.

According to TechTarget.com, vulnerability analysis consists of several steps:

• Defining and classifying network or system resources
• Assigning relative levels of importance to the resources
• Identifying potential threats to each resource
• Developing a strategy to deal with the most serious potential problems first
• Defining and implementing ways to minimize the consequences if an attack occurs.

Today's Biggest Security Threats

While the types of security threats vary from industry to industry, there are some of which that are more significant than others. Reports say that of all compromises, 81.9% of them happen in minutes and 67.8% of exfiltration (removal of data) lasts several days. Some of the most well-known compromises involve large-scale, household names:

• Equifax - an outdated Apache Open Source code provided hackers easy access to millions of customers' records
• CCleaner - Hackers took advantage of a cyber security weakness to plant their malware into the base download of CCleaner, causing millions of computers to become infected
• Yahoo! - Not once, but twice. The first breach involved over 500 million user accounts being compromised, followed subsequently by another report that over one billion Yahoo! accounts were stolen. This primarily was due to lax security policies.

It goes to show that not even the biggest players are safe from malicious intent. Companies from all across the board are at risk for having information stolen. These are the most common to SMBs:

Ransomeware/Cryptoware

By now, most people in the IT industry are familiar with ransomware. WannaCry's attack in May 2017 targeted computers that ran Windows, encrypting as many files as possible in a short amount of time. WannaCry infected over 230,000 computers worldwide in less than a day.

But what is ransomware? It's when cryptoware gets into your computer's system and encrypts your data. Once the encryption has been completed it will then display a ransom note telling the user to pay a certain amount, usually via bitcoin to decrypt their files. Unfortunately, there are no valid reports of users regaining their data after it had been encrypted by WannaCry.

Ransomware is more about manipulating vulnerabilities in human psychology than the adversary's technological sophistication.” 

― James Scott

Scams

We don't mean the Nigerian prince looking to send you an inheritance of a million dollars, either. Scams are still alive and well, the scammers themselves becoming quite sophisticated in their methods. They are now spoofing e-mail addresses of those that you know and trust - for example, the CEO of your company or HR representative - asking for your assistance.

• Employees of companies have seen emails that appeared to have been sent from their HR departments asking for them to send their W2s to them. Those scammers then use the employee's W2 to submit fraudulent tax returns in order to obtain their refunds.
• Managers or accounting staff have reported receiving strange requests from executives asking for money to be wired to a bank account post-haste. They will transfer the money only to find out that it was someone impersonating the executive in question. Companies have lost hundreds of thousands of dollars with this scam.

How to Perform a Vulnerability Assessment

The first step in vulnerability management is to be aware of what your risks are. Do you maintain a list of bank accounts of your customers? What about social security numbers for your employees? A top secret recipe? Take some time to assess your organization, what it has for security protocols, and what you could potentially lose in the event of a malicious attack. After that, list them in an order of criticality - which ones would impact your business most if they were compromised.

Other things that you should identify:

• All programs that are being run on each and every asset your company owns -- If your company participates in BYoD, ensure that each employee's device is equally secure
• Notate all of the hardware - servers, computers, mobile devices, et cetera - that contains business information, documenting model number, serial number, and other pertinent information
• Ensure that there is a thorough documentation of your network's infrastructure and which applications/devices are connected to it at any given time
• Keep antivirus, malware, and firewalls up-to-date and perform regular scans

Of course, this is not an exhaustive list of the necessary steps to keep your business' information safe - it is simply a guide to help you get started. Are you unsure of how to perform a vulnerability assessment? V-Soft Consulting is willing to help. Reach out to our experienced cyber security experts for a no-pressure, no-risk consultation to discuss what kind of data you need to protect and what methods would be best to guard it.