Why do You need a Vulnerability Risk Assessment?
Written by Rebecca Mints   
Tuesday, 25 March 2008 08:27
Frequently the decision to employ new technology is made hastily in an effort to maximize profitability without giving consideration to securing the new technology. The network architects design what’s needed and the IT department builds it. New technology is constantly added as well, often to what may be an already weakly secured frame, making it weaker with every new addition. As the environment becomes more and more complex, if things are haphazardly thrown together it becomes more and more difficult to secure the environment. It’s not only much more susceptible to cyber criminals, but also to technical failure such as unpatched software with published security flaws remaining in use or any number of other security lapses.

At some point IT techs or security managers will request to have revenue allocated to securing the cyber environment, but if the practice of overlooking security has gone on for too long then the resources needed to truly secure the environment can become quite costly, and oftentimes the more attractive decision will be to spend the resources on what will be perceived to gain profit rather than provide a more secure environment.

It is important to understand the risks associated with a poorly secured cyber environment and to avoid this situation by utilizing the correct strategy from the ground up, and again any time additions to the network are made or new software is deployed. It cannot be assumed that a new application will be secure – proof is required. And a third-party verification provides the necessary proof.

Hefty fines can be incurred when certain business standards are ignored regarding the privacy of secure data, not to mention the risk of losing clients’ trust because their personal data was not held under lock and key. The world of business is headed in a direction in which, if your security is compromised or data is lost, you will be held accountable. At this point let the lawsuits begin; the lawyers will have a field day. All because your security, once thought not to be cost-effective, was never given the necessary financial resources. In hindsight it’s easy to see the error in judgment, but now of course it’s too late.

Employing highly qualified third-party auditors to make certain the security of your cyber environment is at or exceeding where it needs to be is becoming the standard throughout the industry. Seeking the advice of the best in the industry and having confirmation that your environment is truly secure goes a long way to providing peace of mind and a good night’s rest.

Oftentimes the design and implementation of security measures are viewed not only as something that can be overlooked or put off to the side, but even as an obstacle. Rather than helping in the advancement of new and exciting technology, proper security measures can be perceived as something that slows its deployment to the mainstream, and it’s also not as easy to see the benefits of securing an environment versus allocating the revenue to something that will likely increase company earnings. At least not until it is too late. While the reasons to dedicate revenue strictly for securing an environment may be hard to see at first, they become quite transparent after an attack has taken place.

Who are the top attackers? Generally attackers fall into two categories: EXTERNAL and INTERNAL. The EXTERNAL cyber criminals would include your standard hackers, organized crime, and terrorists. Their modi operandi include Point-of-Presence attacks and direct attacks on your website. INTERNAL cyber criminals can manifest as, but are not limited to, angry or unethical employees or consultants, outsourced employees, and software and hardware vendors. Their means of exploitation will typically be attacks on your internal network.

The attacks executed by these cyber criminals can lead to a myriad of Public Relations nightmares:

  *  Theft of credit card data
  *  Identity theft
  *  Extortion based on threatening to make public a person’s personal
  *  Extortion based on a threat of a Denial-of-Service
  *  Altering data on Web pages or other “trusted sources” for economic gain
  *  Exploitation of operating systems for remote control for spam, Distributed Denials-of-Service, or spyware installation
  *  Theft of information for commercial purposes (stealing insider secrets such as secret recipes or financial forecasts)
  *  Theft of defense secrets for national interests (this is where terrorists or other political activists come into play)
  *  Exploitation of computers for physical attack
  *  Production downtime (e.g., the software controlling your conveyor belt is attacked and now your creation of widgets has ceased, costing your company $500,000/hr while it is down)

While it is standard practice to implement a security standard set forth internally, in today’s world the value of a second set of eyes cannot be overstated. A third-party vendor such as Gtron Solutions, LLC is an excellent choice because security is all we do; we are the experts. Utilizing our services allows you to put more of your focus on what you do best by letting us evaluate your environment quickly and discreetly and then providing you with comprehensive knowledge of your current security baseline.
 
