Your company’s network security rests on a myriad of firewall, device and software settings. If even one of them is misconfigured, it can expose your business to a variety of internal and external threats. That’s why you should invest in a vulnerability assessment at least once a year, to make sure you are not unwittingly leaving the doors to your network wide open.
What is a vulnerability assessment?
A vulnerability assessment uses scanning software to look for open holes in your computer network, such as firewall misconfigurations, exposed ports and the services that listen behind them, and much more. Typically, it looks for both internal and external vulnerabilities:
Internal: This part of the assessment identifies the systems and services that would be vulnerable if an attacker got inside your network, for example through a social engineering attack or another internal weakness. It shows what data they could steal and which network services they could compromise, so you can estimate the potential business impact of each.
External: This part of the assessment tests your network’s defenses from the outside in. It checks that email, web hosting, collaboration tools and other services that are reachable through the firewall are properly configured, so that only the requests and traffic you intend to allow can reach them.
The assessor then produces a report that identifies problem areas and rates each finding on a numeric scale, so that you can judge its potential business impact. This data enables you to:
- Separate findings that are expected (a firewall port you opened intentionally to support a service you need, which you document as an accepted exposure) from genuine false positives (a weakness the scanner reports that, on inspection, is not actually present), and
- Develop a prioritized remediation plan, so you know which problems must be fixed ASAP and the relative importance of the other problem areas the report identifies.
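The triage step described above, as an added worked example that is not part of the original article or any scanner's output format: a small Python script that takes a constructed list of findings, sets aside documented accepted exposures and known false positives, holds unverified findings for confirmation, and ranks the rest into ASAP, soon and scheduled tiers by severity weighted with an assumed per-host business-impact score. The hosts, field names, severity numbers and tier thresholds are all assumptions for illustration.

```python
"""Turn raw vulnerability-assessment findings into a prioritized remediation plan.

Added, constructed example. The Finding fields, the host names and the 0-10
severity numbers are assumptions for illustration, not the output format of
any particular scanner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    title: str
    severity: float   # 0.0 - 10.0 numeric rating taken from the report
    kind: str         # "exposure": a reachable service; "weakness": a flaw in it
    status: str       # "confirmed", "unverified" or "false_positive"


# Constructed sample findings (hosts and values invented for the example).
FINDINGS = [
    Finding("hr02.example.test", 3389, "rdp", "RDP reachable from the Internet", 9.8, "exposure", "confirmed"),
    Finding("fs01.example.test", 445, "smb", "SMBv1 enabled", 8.1, "weakness", "confirmed"),
    Finding("fs01.example.test", 445, "smb", "Guest-writable share", 7.5, "weakness", "unverified"),
    Finding("www.example.test", 443, "https", "HTTPS reachable from the Internet", 2.0, "exposure", "confirmed"),
    Finding("www.example.test", 443, "https", "TLS 1.0 enabled", 5.3, "weakness", "confirmed"),
    Finding("www.example.test", 443, "https", "Outdated OpenSSL reported from banner", 7.5, "weakness", "false_positive"),
    Finding("www.example.test", 80, "http", "HTTP reachable from the Internet", 2.0, "exposure", "confirmed"),
    Finding("mail.example.test", 25, "smtp", "SMTP reachable from the Internet", 2.0, "exposure", "confirmed"),
    Finding("print01.example.test", 9100, "jetdirect", "Printer port reachable from the Internet", 6.5, "exposure", "confirmed"),
]

# Services exposed on purpose, each with a written justification. These are
# expected findings, not false positives, and they only excuse the *exposure*:
# a weakness in the service behind an accepted port still has to be fixed.
ACCEPTED_EXPOSURES = {
    ("www.example.test", 443): "public website",
    ("www.example.test", 80): "redirects to HTTPS",
    ("mail.example.test", 25): "inbound mail",
}

# Relative business impact per host (assumed: 3 = critical data, 1 = low).
ASSET_IMPACT = {
    "hr02.example.test": 3,   # HR records
    "fs01.example.test": 3,   # file server
    "www.example.test": 2,
    "mail.example.test": 2,
}


def priority(f: Finding, impact: dict) -> float:
    """Rank by scanner severity weighted by what the host is worth to the business."""
    return round(f.severity * impact.get(f.host, 1), 1)


def tier(score: float) -> str:
    """Thresholds are assumptions; tune them to the organisation's risk appetite."""
    if score >= 20:
        return "ASAP"
    if score >= 10:
        return "soon"
    return "scheduled"


def triage(findings, accepted, impact):
    """Split findings into: fix (ordered by priority), accepted, verify, false_positive."""
    buckets = {"fix": [], "accepted": [], "verify": [], "false_positive": []}
    for f in findings:
        if f.status == "false_positive":
            buckets["false_positive"].append(f)
        elif f.status == "unverified":
            buckets["verify"].append(f)          # confirm before spending fix effort
        elif f.kind == "exposure" and (f.host, f.port) in accepted:
            buckets["accepted"].append(f)        # documented, intentional exposure
        else:
            buckets["fix"].append(f)
    buckets["fix"].sort(key=lambda f: priority(f, impact), reverse=True)
    return buckets


def remediation_plan(findings=FINDINGS, accepted=ACCEPTED_EXPOSURES, impact=ASSET_IMPACT):
    """Return (tier, priority, host, title) rows, most urgent first."""
    b = triage(findings, accepted, impact)
    return [(tier(priority(f, impact)), priority(f, impact), f.host, f.title) for f in b["fix"]]


if __name__ == "__main__":
    b = triage(FINDINGS, ACCEPTED_EXPOSURES, ASSET_IMPACT)
    for row in remediation_plan():
        print("%-9s %5.1f  %-22s %s" % row)
    print("accepted:", [(f.host, f.port, ACCEPTED_EXPOSURES[(f.host, f.port)]) for f in b["accepted"]])
    print("verify first:", [f.title for f in b["verify"]])
    print("false positives:", [f.title for f in b["false_positive"]])
```

The design point worth noting is that the accepted-exposure list is keyed on host and port but only suppresses findings of kind "exposure": the intentionally open port 443 on the web server is accepted, while the TLS 1.0 weakness on that same port still lands in the fix list, which is the distinction the bullets above draw between an expected finding and a false positive.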
How often should you run a vulnerability assessment?
The recommended frequency of a vulnerability assessment depends on several factors. How often does the network change? Is there a lot of high-value data stored on it? Are you subject to industry compliance requirements or a cyber-insurance policy that requires assessments on a set timetable? Does your firm have high employee turnover? Turnover leaves behind employee logins and network shares that are no longer used but could be leveraged by an attacker to get into your network, so the more of it you have, the more often those leftovers should be checked.
Should you partner with an IT services vendor?
Once you’ve decided to proceed with a vulnerability assessment, your next decision is whether to perform it yourself or hire an IT services firm to do it for you. We recommend the latter, because a vulnerability assessment only lists potential problems; it does not tell you which of them are false positives, how to correct the real ones, or which need immediate attention. Nor does it tell you how many hours the fixes will take. An IT services firm can help you work through these gray areas and turn the data in the assessment report into a practical action plan.
At River Run, we believe vulnerability assessments are so important that we recently started including a lightweight version of them in our Findings and Recommendations (F&R) onboarding reports for new clients. It gives us a high-level overview of your network and identifies any problems that need to be corrected before we begin other client work.
In addition to securing your network, vulnerability assessments can help you with a common challenge, especially in small companies: justifying the investment in new network hardware and software upgrades to your company’s senior management. Older equipment and software often reach a point where they can no longer be securely patched or upgraded, and an assessment report documents that fact in terms management can act on.