Have you ever had that sick feeling in your stomach because you weren’t sure if you locked the front door before you went on vacation? Or maybe you weren’t sure if you left the stove on?
I bet you never got sick to your stomach wondering if there were open ports on your firewall though, right? Yeah, it’d be pretty weird if you did! But isn’t that as important as, or more important than, your locked door at home?
A problem with the security of your network can invite fraud, theft, malice, ransomware and fines (I’m talking to you, HIPAA and PCI regulated companies). Yet, how many of us actually check to see if we left the front door of our network unlocked?
It turns out that proving your network is secure is not difficult to do.
You’re a typical business. You have a small in-house I.T. staff or perhaps you outsource to a local MSP (Managed Services Provider). Your I.T. staff maintain firewalls, update your antivirus, patch your PCs, train your users and perform countless other tasks to keep your company secure. In a perfect world, that’s all you’d need. However, if that were the norm, we wouldn’t read about ransomware in the news.
But that’s not the norm. Sometimes the measures you thought were protecting your network aren’t as impenetrable as you were led to believe. How do you tell?
With a security audit.
A security audit is a somewhat loose term for checking the security of your network. Or, put another way, checking to see that the people who promised to protect your network are living up to their end of the bargain.
Internal and External Security Audits vary in scale and effectiveness. A good audit should detect (but not exploit) holes in your security and should always include a well-written report outlining areas in which you are vulnerable.
External Security Audit
The External audit looks at your IT from the internet – akin to looking in your house through a window. If the curtains are drawn, no one can see in. But what if those curtains are open just a bit? Can we see in?
One component of an External Audit is a Penetration Test (commonly called a Pen Test). A Pen Test is an attempt to penetrate, but not exploit, security “holes” in your firewall. Some firewall openings are necessary to receive email and browse the internet. Proper security, however, requires that you eliminate any vulnerabilities beyond those. In this type of audit, if a vulnerability is found that would allow access to your files, that vulnerability is reported, but the files themselves are not accessed.
Other components look for outdated firmware (the software running on the firewall itself) and report the vulnerabilities associated with that specific outdated version.
A newer type of external security audit is often classified as “security awareness.” A security awareness audit tests the ability of your users to distinguish good email from bad email that contains malware or fraudulent instructions to wire money. In this type of audit, a purposely deceptive email (using the same methods as hackers) is sent to your users, attempting to trick them into clicking something they shouldn’t. In this case, however, no harm comes to the user who took the bait, but the attempt is reported, giving you the chance to better educate that user.
Internal Security Audit
Internal Security Audits focus on the equipment sitting next to you in your office.
For example, your IT department tells you that all PCs are patched with the latest software patches. But aside from their word, how do you know? How can you tell that all 200 PCs are patched? An audit will tell you that. Trust but verify, right Ronald?
An audit will tell you whether your wireless network is set up incorrectly and whether your guest WiFi is properly separated from the company WiFi. It may find that your wireless encryption adheres to year 2008 standards and is easily penetrated with current technology.
- Is antivirus running on every PC on your network and is it updated?
- Did one of your employees plug in a wireless hotspot under their desk to make their own wireless network called “Ed’s Café”?
- Is one of your users using 3x the internet bandwidth of all your others? For what reason?
- How many users on your network have administrative rights?
- How complex are your users’ passwords?
- Who has access to the “Accounting” folder?
An Internal Security Audit can answer these questions and many more.
The Good News
Is there any good news?
The results of a Security Audit (Internal and/or External) on your network are likely going to be eye-opening. There aren’t many (any?) perfect networks out there. But the good news is that the fixes are generally easy to implement. Fixing password policy, closing firewall holes, updating firmware and most other remediation measures are painless. And many audit companies will rerun portions of the audit for free to verify that the fixes put in place truly fixed the problem.
You should consider some type of audit of your I.T. systems at least yearly. The days of being able to say, “I didn’t know!” are over. As businesspeople, it’s not enough to hire the right people. It’s imperative that we verify, test, remediate and maintain.