The 10 Minute Security Assessment

I’m often asked to perform network security assessments.  There are many reasons why organizations want security assessments, but sadly, most have little to do with actually making their networks more secure. 

Assessments are often promoted by consulting firms who use them as a fishing expedition. The firms that perform them get to charge top dollar for a few weeks of effort, and it’s a nice way to get follow-on work to fix all those problems they found. External assessors have a built-in tendency (if not a downright conflict of interest) to inflate the severity of the problems they find.  The more “high priority” findings in the report, the more valuable the report is, and the more important it is to spend money to fix them.

Many IT departments use independent assessments as a budget justification.  They use the critical findings to bludgeon their finance people into giving them lots of money to buy lots of security toys.  The problem is no one ever follows up to see if security is improved. Money spent does not equal better security.

There are two reasons why most security assessments aren’t worth the paper they’re printed on.  First, security assessments often rate vulnerabilities on a simple severity scale (low, medium, high) that at best is somewhat arbitrary, and often is based on nothing more than the mood of the assessor that day.  Again, a lot of conscious or unconscious biases can inflate the results: “Your passwords are not fifteen characters long.  You’re all going to die.”

Second, most assessments focus on listing every technical or procedural vulnerability without regard to the real threat it creates (we call this context).  A vulnerability on a user workstation is one thing; a vulnerability on a server that controls your manufacturing process is another.   There are also a lot of vulnerabilities that are difficult to exploit.  Yes, your server may have a vulnerability, but if exploiting it requires someone to physically sneak into your data center, there aren’t that many people within travelling distance who have the skill and motivation to do so, just to get your latest annual report.

A good security assessment, however, can be helpful in determining where your organization needs to focus its resources to protect your electronic assets. Knowing where your real weak spots are is the first step to securing your network.

I’m going to let you in on a secret:  you can do a pretty good security assessment yourself.  Moreover, you don’t have to spend weeks gathering and analyzing data.   If you are readily familiar with your network and IT systems, you could probably do this assessment in ten minutes.

Of course, you’ll object:  “You can’t possibly test every vulnerability in only ten minutes!”  This is true.  But in ten minutes I can tell you if you have the ability to defend against attacks, and detect and respond to them if (when) they occur.   If you can, then you have dramatically reduced your risk of data disclosure or theft, and can demonstrate due care in protecting your data.  If you can’t, it doesn’t matter how many vulnerabilities you may or may not have; it’s only a matter of time before you become a victim of a cyber-attack.

OK, get out your number 2 pencils, and we’ll begin.

  1. Do you have systems in place to log network activity, such as logins, traffic blocked by policies, DNS requests, web requests and the general state of your network?  Give yourself 5 points if you generate forensic log data.  Ten points if you actually look at that data (be honest).
  2. Do you collect traffic flow data (NetFlow data)?  Ten points if you capture historical flow data for your users.
  3. Do you have an alerting mechanism (email, text, phone, etc.) to alert you or your staff when suspicious activity occurs?   Not to get all philosophical, but if a network gets attacked, and no one knows it, is it compromised? If you have criteria to alert someone when something bad happens, that’s five points.  If someone gets alerted 24/7 that’s 10 points.
  4. Do you have an incident response plan?  What will you do when you get that alert message?  Have you worked out what your staff will do if your web site is compromised, or if there’s a major virus outbreak? Who has authority to shut down your ecommerce site, and when?  Five points if you have a plan, 10 points if you’ve actually tested it.
  5. Does your external firewall filter outbound traffic? If you restrict outbound traffic to only known ports, that’s 5 points. If you block SMTP and DNS from workstations (so only your mail relay and your internal resolvers talk to the Internet on those ports), and block your servers from the Internet in general, give yourself 10 points.
  6. Do you filter and segregate your internal traffic?  Do you block administrative applications like remote console between your users and servers? That’s 5 points.  If you filter traffic to critical devices like process control systems or financial servers, give yourself another 5 points.
  7. Do you practice login account hygiene?  Do you restrict your local administrator accounts to interactive (console) logins only, so they can’t be used over the network?  Do you have separate local admin accounts on important servers like domain controllers? Do your system admins have separate logins for administrative work and normal office tasks? Do you track when accounts are created or deleted? Do your users use non-privileged accounts? Give yourself 2 points for each one you do.
  8. Do you filter web traffic with a product like Bluecoat, Ironport, Websense, Barracuda, or similar?  Five points if you do.  Ten points if you block “uncategorized”  or unknown domains.
  9. Do you have email (spam) filtering? That’s 5 points.  You get 10 points if it has real-time updates.
  10. Do you routinely install patches to your workstations and servers?  If you stay on top of operating system AND application patches, give yourself 10 points.
  11. Can your users install software themselves or do they need an administrator to do it?  Five points if you restrict your users from installing software.  Ten points if you block downloaded files from executing.
  12. Speaking of which, do you maintain an up-to-date inventory of workstations? That’s worth 5 points. Ten points if you get alerted when new software or hardware is installed.
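Items 2, 3 and 5 are easier to judge with data in hand. What follows is an added example, not part of the original assessment and not the author’s code: a small Python script that reads NetFlow-style records, applies the egress policy item 5 describes (only the mail relay sends SMTP to the Internet, only the internal resolvers send DNS to the Internet, servers don’t reach the Internet unless explicitly allowed) and rolls the hits up per source host so they can feed the alerting item 3 asks for. The address plan, the CSV layout and the nine sample flows are all constructed for the example; the Internet addresses come from the RFC 5737 documentation ranges.

```python
"""Egress-policy check over NetFlow-style records (added example).

Flags workstations that send SMTP or DNS straight to the Internet, bypassing
the mail relay and the internal resolvers, and servers that reach the
Internet at all.  Everything below the docstring is constructed sample
data and an assumed address plan, not a real site's configuration.
"""
import csv
import io
import ipaddress
from collections import namedtuple

# Assumed address plan (constructed for the example).
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
SERVERS = ipaddress.ip_network("10.20.0.0/16")
MAIL_RELAY = ipaddress.ip_address("10.20.0.25")          # only host allowed outbound SMTP
RESOLVERS = {ipaddress.ip_address("10.20.0.53"),         # only hosts allowed outbound DNS
             ipaddress.ip_address("10.20.0.54")}
SERVER_EGRESS_ALLOWLIST = {ipaddress.ip_address("10.20.1.80")}  # servers allowed out by exception

# RFC 1918 space counts as "inside"; anything else is treated as the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMTP_PORTS = {25, 465, 587}
DNS_PORT = 53

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

# Constructed flow export: one record per flow, destination port and byte count.
# Expected outcome per row: 1 ok (internal resolver), 2-3 violation (direct DNS),
# 4 violation (direct SMTP), 5 ok (relay), 6 ok (resolver upstream),
# 7 violation (server to Internet), 8 ok (allowlisted), 9 ok (web is item 8's job).
SAMPLE_FLOWS = """ts,src,dst,proto,dport,nbytes
2014-02-03T09:00:01,10.10.4.17,10.20.0.53,udp,53,120
2014-02-03T09:00:02,10.10.4.17,203.0.113.10,udp,53,1440
2014-02-03T09:00:03,10.10.4.17,203.0.113.10,udp,53,1440
2014-02-03T09:00:05,10.10.7.90,198.51.100.25,tcp,25,52000
2014-02-03T09:00:06,10.20.0.25,198.51.100.25,tcp,25,9000
2014-02-03T09:00:07,10.20.0.53,203.0.113.10,udp,53,300
2014-02-03T09:00:08,10.20.3.40,203.0.113.77,tcp,443,800000
2014-02-03T09:00:09,10.20.1.80,203.0.113.77,tcp,443,5000
2014-02-03T09:00:10,10.10.4.17,203.0.113.77,tcp,443,2000
"""


def is_internet(addr):
    """True when the address is outside every internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the CSV export into Flow records with real address objects."""
    return [Flow(r["ts"], ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"]),
                 r["proto"], int(r["dport"]), int(r["nbytes"]))
            for r in csv.DictReader(io.StringIO(text))]


def violations(flows):
    """Return (rule, flow) pairs for every flow that breaks the egress policy."""
    hits = []
    for f in flows:
        if not is_internet(f.dst):
            continue  # internal-to-internal traffic is item 6's problem, not this check's
        if f.src in WORKSTATIONS:
            if f.dport in SMTP_PORTS:
                hits.append(("workstation-direct-smtp", f))
            elif f.dport == DNS_PORT:
                hits.append(("workstation-direct-dns", f))
        elif f.src in SERVERS:
            if f.src == MAIL_RELAY and f.dport in SMTP_PORTS:
                continue
            if f.src in RESOLVERS and f.dport == DNS_PORT:
                continue
            if f.src in SERVER_EGRESS_ALLOWLIST:
                continue
            hits.append(("server-to-internet", f))
    return hits


def summarize(hits):
    """Aggregate to (rule, source) -> (flow count, total bytes), so a chatty host
    produces one alert rather than one per flow."""
    agg = {}
    for rule, f in hits:
        key = (rule, str(f.src))
        count, total = agg.get(key, (0, 0))
        agg[key] = (count + 1, total + f.nbytes)
    return agg


if __name__ == "__main__":
    for (rule, src), (count, total) in sorted(summarize(violations(parse_flows(SAMPLE_FLOWS))).items()):
        print(f"ALERT {rule:26s} src={src:14s} flows={count} bytes={total}")
```

Run over last month’s flow archive before you turn the firewall rule on: the same summary tells you which hosts are already sending DNS or SMTP straight out, so you can fix them (or add them to the allowlist) instead of discovering them as an outage. Once the rule is in place, any new hit is a genuine alert, which is what items 2, 3 and 5 add up to.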

How’d you do?  Here’s how you stack up:

0 – 25 points.  Not to be too blunt about it, but you’re a sitting duck.  Not only are you likely to be compromised, but you would have very little chance of ever detecting or responding if you were.  An attacker could steal all your data, and you would have no idea until you saw your company’s name in the news.  You’re deaf, dumb and blind.  You’re easy pickings.  I could go on and on with the cliches, but you get the idea.

26 – 60 points.  You have some basic protections, but you probably lack the ability to respond effectively if (I mean when) you are attacked.  You are fairly safe against the “drive-by” sort of attack, but if anyone targets you in particular for what you have or who you are, you’re likely to be working a lot of nights and weekends.

61 – 90 points.  You have some good defenses and a reasonable chance to respond and mitigate an attack when it occurs.  There are a number of things you can improve on to make your network more secure, however, so don’t get complacent just yet.

91 – 122 points.  You are the rare organization that really “gets” network security. You can successfully thwart lots of attacks, even some fairly sophisticated ones.  Unless you are in the defense or finance industry or are politically controversial, you are probably doing enough to protect your data assets.  You need to stay vigilant against new threats, but you’re doing the right thing.

Need more in-depth analysis?  Call Sami or Ron at 240-452-1337 or rtrunk@networkingdoneright.com

What you need to know about the Target attacks

Now that some of the dust has settled from the news that millions of credit card numbers were stolen from Target and Neiman Marcus, there are a few lessons that you can apply to your own organization. These lessons will help you protect your network from attack -- even if you aren’t a major retail chain.


  1. Small companies are targets too. You don’t have to be a major retailing chain to be the victim of a cyber theft. Criminals go after assets like customer credit card information, patient records and especially bank accounts. Anything you have that can be sold for cash is fair game. You may be a small business with just a few dozen employees, but on payday, your bank account is a tempting target.
  2. You won’t find intruders if you aren’t looking. Remember the goal of these criminals is to remain undetected. There are probably other victims of these attacks besides Target and Neiman Marcus; they just don’t know it yet. Most victims don’t discover thefts until someone else, usually law enforcement, tells them. Even Target didn’t find the attack themselves: the credit card processing companies and banks did.
  3. Relying on antivirus software to protect you is a fatal mistake. Cyber criminals test their malware with all the major antivirus brands. They tune their malware until it is undetectable by antivirus. So when you download their malware, your antivirus software will tell you everything is OK. It isn’t.
  4. Regulatory compliance does not equal security. Target and Neiman Marcus were both PCI compliant. It didn’t help. Compliance has its place, of course, but merely following the rules is clearly not sufficient. Someone waggishly observed, “We’re not good at defending against cyber-thieves, but we’re very good at defending against auditors.” Target and Neiman Marcus may escape some liability because they were PCI compliant, but you can be sure this incident is costing them lots of time and money.
  5. Buying security products is no substitute for monitoring your network. Many companies think if they buy enough security products, they will be protected from attack.  I’m sure Target spent lots of money on security products. The only way to reliably detect and stop intruders is to monitor your network, so you can spot unwanted activity.
  6. These attacks were preventable. Some people will throw up their hands and say, “If a big company like Target can’t stop attacks, what chance do I have?” The thieves that stole the credit card information were not evil geniuses or arch villains. They used common techniques, and the malware they used has been around for at least five years. A little common sense and a well-thought-out plan will prevent attacks like this.
  7. You can find these kinds of attacks and stop them -- if you know what to look for. This wasn’t a “smash and grab” theft. The thieves were disciplined and methodical. They knew what they wanted and planned their attack. The good news: they left lots of clues to what they were doing. You can detect and stop them in their tracks.
  8. Expect more attacks like these. The software and techniques the thieves used are being carefully studied and copied by lots of other criminals. Other thieves want to make money too, so they will try these same attacks on other companies.


Want to know more? Download my 10-minute network assessment to see how well you are protecting your company’s assets. It’s free, and it will show you if you’re prepared for future attacks.


Have more questions? Call me at 301-943-0173, and let’s make your organization more secure.


About me: Ronald Trunk, CCIE, CISSP, CPHIMS helps organizations protect their electronic assets from theft or unauthorized disclosure. Ronald Trunk designs, builds and deploys reliable, flexible, cost-effective networks.  His goal is to improve security while allowing organizations to deploy new technologies that increase profits and allow them to better serve their customers.

Using his years of experience and expert internetworking knowledge, Ronald Trunk applies his network architectural experience to a wide variety of complex large-scale networks. His expertise includes wireless, remote access, data center virtualization and converged voice and video networks.

Ronald Trunk’s nationwide clients include healthcare providers, civilian and defense government agencies and high-tech manufacturers.