Network audits can save businesses a lot of headache. Imagine for a moment that you own or manage a small business that accepts credit cards, storing card numbers and payment history in a database. Or you run a dental office that takes x-rays of patients, which are filed in a folder alongside their personal information. Or imagine you make a product built on a special recipe or blend of ingredients that needs to be kept secure and confidential (I’m looking at you, Colonel Sanders, with your secret ingredients).
Do you know whether that credit card information is stored in a secure location? Do you know whether those x-rays are accessible only to the people who absolutely need to see them? Are you confident that correspondence sent outside your network (or within it, for that matter) is secure and cannot be leaked or exposed?
Business exposure: not the good kind
Every day, businesses are at risk of having their data compromised. Target Stores, Home Depot, Equifax, JP Morgan Chase, Adult Friend Finder, Ashley Madison and several other big businesses have been compromised in recent years. Aside from having to pay huge fines, several of these companies lost business from both clients and affiliates. People were forced to resign or were summarily dismissed, their reputations tarnished along with that of the business. In the case of Ashley Madison, after the company was hacked, people’s names and account information were publicly disclosed. Sadly, some people took their own lives because of this event. Morals and judgement aside for a moment, life is precious, regardless of the flaws we may have.
It is not just large businesses that are at risk
Cyber criminals are also finding value in attacking smaller businesses. After all, small businesses do not have the financial means to invest in security the way larger organizations can. Not to mention, most small businesses tend to think they are safe or off the radar. Sorry to be the bearer of bad news. A report by Small Business Trends posits that cyber attacks on small businesses increased from 18% in 2011 to 43% in 2015. That number is only expected to grow. Statistics released by Barkly reflect as much: from 2016 to 2017 that percentage jumped from fifty-five percent to sixty-one.
I am not promising that a network audit would have resolved all of the threats these companies faced. Nor am I presuming that none of these companies used network audits adequately. But I will presume that they either did not know of the vulnerabilities they faced, or were aware and did not care or think through the ramifications. Irresponsible behavior and questionable ethics aside, audits help a business be better equipped to address issues by knowing what is exploitable, how it can be resolved, or how it can be mitigated to a level deemed acceptable.
Using Network Audits for Compliance
If your business deals with medical records, financial or credit card information, you are likely familiar with the acronyms HIPAA or GLBA. Certain standards set by a governing authority need to be met to ensure the company is abiding by acceptable practices.
In order to be HIPAA, PCI-DSS, SOX, or GLBA compliant, you can’t just decide to start a business, connect a bunch of computers together, and think that everything will be hunky dory. People’s privacy and information are at stake, as are the integrity and functionality of your business. Network audits are a great way to determine the current and potential security posture of a business.
What is a network audit? How does it work?
Techopedia.com describes network audits succinctly as “collective measures done to analyze, study, and gather data about a network with the purpose of ascertaining its health in accordance with the organization’s requirements.”
A network audit is meant to help an organization respond adequately to potential vulnerabilities, threats, or flaws before an attacker exploits them. By using audits, businesses can align their infrastructure and/or security to address any concerns appropriately. For you business folk, a network audit is often used in conjunction with a business impact analysis (BIA). Once a network audit is conducted, the organization can decide on an acceptable level of risk as well as the potential impact each node (device) on the network represents.
Network audits generally consist of automated scans that run in the background, so that they do not slow network traffic and can run unnoticed by users. However, site surveys are not uncommon and are also a good practice to incorporate. Site surveys help the auditor/analyst understand the layout of your network and determine how physical security can be strengthened or improved upon to preserve the data on each device.
Needless to say, it is wise to have vulnerabilities and flaws pointed out to you by someone ethical so they can be addressed.
Who performs network audits?
If a company is large enough, the duty falls upon an in-house technician to perform the audits. Generally, it is conducted by a security analyst or administrator who has more privileged access to the network than a general IT employee. For smaller businesses, a managed IT service provider (MSP) can assist by providing proactive security mechanisms, or a third party can be contracted to come in and perform an audit. You may know these people as penetration testers or as certified ethical hackers.
How valuable is your data?
This may seem like a silly question, because all businesses depend on the reliability of their data to thrive. Payment information, customer information, secret recipes or proprietary blends, payment or medical history (you get the idea) are integral to every business. They should be considered priceless. But if forced to attach a dollar value, where would you begin? Unfortunately, the value of your data will differ based on a few factors. However, some business guru found a pretty good way to determine the general value of assets and/or devices along with the potential impact on those assets.
You may have seen this formula before: ALE = ARO × SLE
But what does it mean? ALE stands for Annual (or Annualized) Loss Expectancy and refers to the loss or impact on productivity accumulated over a year. ALE is the product of the annual rate of occurrence (ARO) and the single loss expectancy (SLE). Annual rate of occurrence refers to the number of times an issue is expected to occur per year, and SLE is the expected loss from a single occurrence of the risk.
Since you can look this information up, I won’t bore you with any more of it. But needless to say, this is good information to have.
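To show how the ALE = ARO × SLE formula is actually used once an audit has produced a list of nodes, here is a small added example (not from the original post). It applies the formula to a handful of constructed nodes, ranks them by ALE, flags the ones that exceed an acceptable level of risk (the decision the audit section above says the organization has to make), and estimates whether a proposed safeguard pays for itself. The node names, dollar figures, ARO estimates and the acceptable-risk threshold are all assumed sample values.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """One device or asset from the audit, with its risk estimates."""
    name: str
    sle: float  # single loss expectancy: dollars lost per incident (assumed estimate)
    aro: float  # annual rate of occurrence: incidents per year (assumed estimate)

    @property
    def ale(self) -> float:
        # ALE = ARO x SLE, rounded to cents
        return round(self.aro * self.sle, 2)


# Constructed sample nodes; every figure here is an assumption for illustration.
SAMPLE_NODES = [
    Node("payment-db", sle=250_000.0, aro=0.2),   # card numbers and payment history
    Node("xray-share", sle=80_000.0, aro=0.5),    # patient x-rays plus personal details
    Node("front-desk-pc", sle=5_000.0, aro=2.0),  # publicly accessible workstation
]


def rank_by_ale(nodes):
    """Return nodes ordered from highest to lowest annualized loss expectancy."""
    return sorted(nodes, key=lambda n: n.ale, reverse=True)


def exceeds_tolerance(nodes, acceptable_ale):
    """Names of nodes whose ALE is above the organization's acceptable level of risk."""
    return [n.name for n in nodes if n.ale > acceptable_ale]


def safeguard_value(node, residual_aro, annual_cost):
    """Net yearly benefit of a control that lowers the node's ARO to residual_aro.

    Positive means the control saves more in expected loss than it costs per year.
    """
    residual_ale = Node(node.name, node.sle, residual_aro).ale
    return round(node.ale - residual_ale - annual_cost, 2)


if __name__ == "__main__":
    acceptable = 25_000.0  # assumed acceptable ALE per node
    for n in rank_by_ale(SAMPLE_NODES):
        print(f"{n.name:14s} SLE={n.sle:>10,.2f} ARO={n.aro:<5} ALE={n.ale:>10,.2f}")
    print("over tolerance:", exceeds_tolerance(SAMPLE_NODES, acceptable))
    # Assumed control: encrypting the payment database cuts ARO to 0.05 at $8,000/year.
    print("payment-db safeguard value:", safeguard_value(SAMPLE_NODES[0], 0.05, 8_000.0))
```

Ranking by ALE rather than by SLE alone is the point: the front-desk PC is hit most often, but its small per-incident loss keeps it under the threshold, while the rarely hit payment database still dominates the expected annual loss and is the first place a safeguard budget should go.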
How secure is your network and its contents?
Once you have determined value, you are forced to face the question: how secure are the network and the devices connected to it? Do all nodes (devices) have antivirus installed? Are all employee accounts configured with only the access they need? Are all ports that are not in use closed? Is sensitive information stored onsite or offsite, and is it encrypted? There is a myriad of questions that may seem intimidating, but working with a professional removes the burden of not knowing what to do or how to respond.
How secure is your third-party vendor?
Even if you have the latest and greatest security, does your business partner? Maybe you are sending data securely, but are your affiliates responding with the proper security? Are they storing your data as securely as you would hope they are?
Not all breaches are aimed directly at large corporations. In recent years attackers have gone after third-party vendors or affiliates who were exploitable, and escalated their attacks to a bigger company. Target Stores, for instance, one of the largest companies in the US, had its customers’ credit card information compromised. But Target was not attacked directly. The attack was conducted on an HVAC company that provided services to Target and had external access to Target’s network.
Although Target Stores actually had pretty robust security in place, it was still compromised through a company it does business with. So it is imperative to know who you are in business with, and what security or assurance they can provide.
How often should a network audit be conducted?
Every business is different, so there is no cookie-cutter response. However, it is generally good practice to have audits performed at least quarterly or bi-annually. The main reason for this is that new exploits are found on a daily basis. New threats are constantly emerging, and attackers are constantly coming up with new ways to infiltrate networks and wreak havoc. The longer you procrastinate in conducting a network audit, the longer you remain in the dark about how an attacker could get into your infrastructure. On the other hand, if you have this information, you know what avenues attackers will try to take and are in a position to deter or prevent these attacks before they become an issue.
Things to remember
When it comes to network audits, a physical site inspection or site survey will likely need to be conducted, for a few reasons. The auditor needs to perform a walkthrough to map out all the devices on the network. A physical inspection also helps the assessor gather information about which devices might be particularly valuable (servers) or vulnerable (devices accessible to the public), and make recommendations based on the physical layout of the network.
Remember, managed service providers (MSPs) are an affordable and effective way to provide proactive security measures to your small business. Unlike in-house technicians who must react and respond once an issue has occurred, MSPs are able to actively monitor and contain vulnerabilities before they become an issue.
Finally, network audits are not meant to degrade or mock the posture of a company. Rather, they are designed to boost the posture of a business’s infrastructure through security and awareness. Getting a report full of vulnerabilities is a great way to determine how to better secure a
Network audits should be done consistently. New employees come and go, file permissions change, user access/permissions can be altered or set incorrectly. Network audits are designed to catch these kinds of issues so that they can be addressed accordingly.
If you are in need of assistance or have any questions, don't hesitate to contact us.