Vulnerability Assessments and Analysis (VA)
What are Vulnerability Assessments?
VA is a process that theoretically defines, here identifies and classifies security holes within an organisations physical security measures and information and communication infrastructure. VA’s can also be used to assess the effectiveness of proposed security controls and countermeasures.
VA’s are carried out in an audit style fashion, about it with employee interviews and client site investigation.
Vulnerability assessment generally consists of these stages:
- Defining critical assets, both physical and logical. Customer Data, company servers etc.
- Prioritising assets in order of importance.
- Analysis the organisations current threat profile using threat intelligence. What attacks are most likely for each asset?
- Analysis of what the impacts could be if certain attacks are successful. Financial, reputational, legal etc.
- An analysis report encompassing all findings is then complied, along with remediation and mitigation recommendations for client consideration.
- The report is then delivered in a presentation to the board.
At BIT security, we believe that you need to address security holistically. Having the best firewalls in the world mean nothing when the server room is never locked.
We have often found disjoints between physical security and IT security that can leave large vulnerabilities. For example, unencrypted wireless CCTV cameras that are connected to the organisations network, access control systems connected to the networks.
Areas of assessment include:
- Perimeter security. Fencing/walls - CCTV coverage etc.
- Immediate area outside building - CCTV coverage, defensive obstructions etc.
- Building exits and entry point security - Doors, windows integrity etc.
- Internal doors - Access control, door integrity etc.
- Physical Security Processes - Night guard patrol routes, key signing in process etc.
- Physical security checks of IT assets, such as servers, switches etc.
- Systems and network port scanning
- Data at rest and Data in transit Encryption
- Firewall strength and patching procedure
- Systems, applications and program updates and patching.
- Wireless router protection
- Operation Technology Security - Printers, Scanners, Smart technology etc.
- Industrial Control Systems (ICS) and SCADA security - Sensors, monitoring technology etc.
- Mobile device security – Bring your own device (BYOD)
- Cyber security checks of physical security technology – CCTV, access control systems etc.
- General organisations security culture - Do staff think of security as important?
- Employee security diligence - Would employees recognise an unauthorised persons?
- Employee diligence to social engineering - Phishing, spear phishing, whaling etc.
- Employee digital footprint and data leakage - Social media etc.
Why do I need a Vulnerability Assessment?
VA’s are a way of focusing your security budget, in order to properly allocate resources where needed. VA’s not only highlighting areas that need stronger security controls, but can also save you money, by highlighting where you are spending unnecessarily.
It’s difficult for organisations to assess security gaps, as we become blinked and don’t have the needed oversight to be able to identify the sometimes obvious vulnerabilities within our own organisation.
This is where BIT security can help give that expert view on how effective your security controls really are. We look at your organisation from an attacker’s point of view and analyse impacts based on similar incidents within your industry.
How much does it cost?
There are many variables that affect the cost of a VA. Such as size of organisation, how many assets need assessing, how many attacks need analysing etc. It really comes down to what your risk appetite.
You may just want assessments done on your three top critical assets and analysis done the three most likely attacks. Or you may want a full assessments on all assets and analysis of each possible attack.
Assessments are charged on a day rate. Day rates are negotiated within the initial consultation based on estimated amount of days needed to complete the assessment.
Create a more intelligent security strategy, enquire about our Vulnerability Assessments and Analysis today!