By Arturo Romero, Senior Security Engineer, Secur-Serv
Here we are again. Every year, October is National Cybersecurity Awareness Month, sponsored by the Cybersecurity & Infrastructure Security Agency (CISA). This year the emphasis is “If You Connect It, Protect It.” This is a blanket statement, so what is the first step to “Protect It”? How do you start? Where do you start? Once you’ve identified where to start, when do you start? And before you start, you also need to know why to start.
The best way to decide which security measures to employ in protecting your connected assets, and when to implement those fixes, is a security audit that captures all the pertinent security information for each device. Your security audit plan should cover these major areas of concern:
- define the scope
- define the threats
- define the likelihood and severity of the vulnerabilities found
- rate each device by weighing the probability of the vulnerability occurring against the impact of it being exploited
Conducting your own security audit can be daunting, and the key to its success is having a proper scope in place before you begin. This boils down to finding the devices, systems and assets that need to be audited. It is very easy to take on more and more tasks as the audit progresses, which ultimately makes it unmanageable and likely impossible to finish, so narrow the audit scope and stick to it to avoid going off target. As you define the scope, also keep the intent of the security audit in mind: whether you are trying to secure devices in general, or to meet a specific regulatory compliance need such as FFIEC, HIPAA, FERPA or others.
Once a good scope has been identified, start the next portion of the audit by identifying the threats to the device. A common shortcoming at this point is that most, if not all, of the threats listed are physical threats. While it is pertinent that these be identified, we should not forget to take the time to identify the cybersecurity threats as well. Malware, DDoS attacks, insider attacks and rogue-device attacks are just a few of the attacks you might face. All threats, both physical and logical, need to be accounted for to provide the security the device needs.
Having identified the threats to the device, we now begin to quantify the likelihood and the severity of a cybersecurity breach. This plays an integral part in identifying the cost of losing access to or control of the device, or of having sensitive information disclosed. Moving forward, this information helps determine which security mitigations to put in place, or whether the device is even allowed in the organization.
Once you have identified the scope, the threats, and their likelihood and severity, you can quantify this information to compare how secure the device is as it stands against where its security level should be. From there you can identify the correct course of action, whether that is network segmentation, adding anti-virus software, changing policies, or simply applying patches. Now you are well on your way to securing the device and improving the overall security posture of your organization.
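As an added example that is not part of the original post, the following Python sketch turns the four audit steps into a small risk register: devices outside the scope are skipped, each threat is scored as likelihood times impact on an assumed 1 to 5 scale, a device rates by its worst threat, and devices that were assessed only for physical or only for logical threats are flagged. The scoring scale, the action bands and the sample inventory are assumptions for illustration, not the author's method.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class Threat:
    name: str
    kind: str        # "physical" or "logical"; the post asks for both
    likelihood: int  # probability of it occurring, 1 (rare) .. 5 (likely)
    impact: int      # severity if exploited, 1 (minor) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact  # probability weighed against impact

@dataclass
class Device:
    name: str
    in_scope: bool
    threats: List[Threat] = field(default_factory=list)

    def rating(self) -> int:
        # A device rates by its worst threat (assumption: max, not sum).
        return max((t.score() for t in self.threats), default=0)

# Assumed score bands mapped onto the mitigations the post names.
BANDS = [(20, "do not allow on the network until remediated"),
         (12, "segment the network and apply patches"),
         (6, "apply patches and add anti-virus")]

def recommend(rating: int) -> str:
    return next((a for floor, a in BANDS if rating >= floor), "accept for now; review policies")

def audit(devices: List[Device]) -> List[dict]:
    rows = []
    for d in devices:
        if not d.in_scope:
            continue  # stick to the scope: out-of-scope assets are skipped
        rows.append({"device": d.name, "rating": d.rating(),
                     "action": recommend(d.rating()),
                     "missing": sorted({"physical", "logical"} - {t.kind for t in d.threats})})
    return sorted(rows, key=lambda r: r["rating"], reverse=True)

# Constructed sample inventory for illustration (not real assets).
SAMPLE = [
    Device("file-server", True, [Threat("ransomware", "logical", 4, 5),
                                 Threat("insider data theft", "logical", 2, 5)]),
    Device("lobby-badge-reader", True, [Threat("tampering", "physical", 3, 3),
                                        Threat("rogue device on its port", "logical", 2, 4)]),
    Device("meeting-room-tv", True, [Threat("unplugged or stolen", "physical", 2, 1)]),
    Device("retired-printer", False, []),  # out of scope, never audited
]
```

Running `audit(SAMPLE)` lists the file server first with a rating of 20 and a note that no physical threat was considered for it, which is exactly the gap the post warns about in reverse.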
Keep in mind this is a very high-level overview of what a security audit should be and does not dive deep into the details required to complete one on your own. It is meant as a general guideline of what a security audit does and how it benefits your entire organization. If you are looking to have a security audit but are concerned about the scope, worried you might miss important aspects, or short on resources, Secur-Serv has the experience and expertise to help design and execute your audit, whatever the size of your organization.