As businesses gather and store more and more data, its security has never been more critical, especially for small businesses. Any data breach can have a significant effect, destroying confidence in the business as well as incurring the wrath of regulators. Both eBay and Spotify have recently announced significant compromises of their systems, highlighting the fact that any system is ultimately vulnerable.
In light of this, it is advisable that businesses routinely perform rigorous security checks to highlight potential security weaknesses before attackers find them, and to protect against data breaches in relation to the Data Protection Act (1998). A security audit provides a snapshot of network security, helps the business understand its vulnerabilities and recommends solutions to resolve the issues found.
Examining the technical infrastructure remotely with vulnerability scans and penetration tests is widely accepted as an essential factor in maintaining the integrity of information systems. However, management practices, controls and checks also need to be in place to review and monitor the results, and to manage the risks identified.
The following is a checklist of assessments that businesses should undertake to make sure that their data, networks and organisation are as secure as possible.
1. Network Health Check
A Network Health Check service can deliver prompt identification of significant configuration and patching issues that may compromise the security of a network. This approach is most suitable for small organisations on a budget, satellite offices, rapidly evolving networks, or as an interim check between full penetration tests.
2. External Infrastructure Penetration Test
A Penetration Test is a comprehensive examination of a company’s external security, and is a valuable exercise in evaluating system security and preparing an organisation’s defences against attack. It is suited to organisations that want real assurance about their security system. The tool kit used is much more comprehensive than that of a Network Health Check, and includes a large percentage of manual (human) interaction, broadening the scope to provide a more thorough picture of the perimeter security.
3. DMZ Testing
This test uses a very similar approach to that of the External Infrastructure Penetration Test, except that in this instance the consultant connects directly to the DMZ, bypassing the controls imposed by the router and firewalls. This allows the consultant unrestricted access to the systems on the DMZ, providing a more thorough test than would otherwise be possible from the internet.
4. Internet Application Testing
Application testing is the process of actively evaluating software to ensure that it has been developed in line with security best practices. Applications are analysed for design deficiencies and technical flaws, both in the code and at the interface itself. Application vulnerabilities can allow an attacker to gain access to confidential information or to mount a denial-of-service attack.
5. Gateway Security Review
A gateway security review is a combination of auditing, testing and general consultative practices to ensure that an organisation’s eBusiness infrastructure is suitably robust and secure. This should consist of a review of network topology and equipment in place and a combination of policy, firewall rule base configuration and security testing. This will help provide a solid platform from which to further improve the organisation’s security posture.
6. wLAN Testing
A two-phase test should identify and examine the business's own access points and evaluate any foreign wLANs for potential issues and risk to the network, including the ability to authenticate with the wLAN, to intercept or divert wLAN traffic, and to cause denial of service.
7. Gap Analysis
A gap analysis provides a review of a company’s existing procedures and controls in relation to ISO27001 (the international standard replacing BS7799-2). Not only does this highlight any potential issues within the current information management systems, it also provides an accurate measurement of the length of time and amount of effort required to achieve the ISO27001 standard.
8. Internal Audit
This is a more technical review of existing policies and procedures ensuring that they are in line with best practices. A key feature of this service should be the examination of systems and ensuring that policies are being adhered to. Critical servers should be tested for security vulnerabilities, authentication mechanisms audited and data storage systems tested for appropriate access controls. This service is appropriate for organisations that wish to understand the effectiveness of their internal security, policies and controls and those that may be preparing for or have just undergone organisational change.
9. Firewall Policy Review
This aims to provide companies with a review and a recommendation report regarding the present security policies for their firewalls. It will help any company to understand what is missing from its current policies and what changes need to be implemented to ensure a more secure network environment.
10. Policy & Build Reviews
A high level review of all security policies should be performed to ensure that they are in line with appropriate legislation and industry guidelines, and that they are appropriate for an organisation’s business procedures. As an additional option, this may include the creation or reworking of security policies. This is appropriate for companies that are undertaking the creation of security policies or who may wish to have them examined by a knowledgeable third party.