Have you ever had that sick feeling in your stomach because you weren’t sure if you locked the front door before you went on vacation? Or maybe you weren’t sure if you left the stove on?
I bet you never got sick to your stomach wondering if there were open ports on your firewall though, right? (It would be pretty weird if you did.) But isn’t that as important, or more important, than your locked door at home?
A problem with the security of your network can invite fraud, theft, malice, ransomware and fines (I’m talking to you, HIPAA and PCI regulated companies). Yet, how many of us actually check to see if we left the front door of our network unlocked?
It turns out that proving your network is secure is not difficult to do.
You’re a typical business. You have a small in-house IT staff or perhaps you outsource to a local MSP (Managed Services Provider). Your IT support maintains firewalls, updates your antivirus, patches your PCs, trains your users and performs countless other tasks to keep your company secure. In a perfect world, that’s all you’d need.
However, if that were the norm, we wouldn’t read about ransomware in the news.
It’s not the norm. Sometimes the measures you thought were protecting your network aren’t impenetrable. How do you know? Get a security audit.
A security audit is a somewhat loose term for checking the security of your network. Or maybe, checking to see that the people who promised to protect your network are living up to their end of the bargain.
Internal and external security audits vary in scale and effectiveness. A good audit should detect (but not exploit) holes in your security and should always include a well-written report outlining areas in which you are vulnerable.
External Security Audit
The external audit looks at your IT from the internet: akin to looking in your house through a window. If the curtains are drawn, no one can see in. But what if those curtains are open just a bit? Can we see in?
One component of an external audit is a penetration test (commonly called a pen test). A pen test is an attempt to penetrate, but not exploit, security holes in your firewall.
Some firewall holes are necessary to receive email and browse the internet. Proper security, however, requires that you eliminate any vulnerabilities. In this type of audit, if a vulnerability is found that would allow access to your files, that vulnerability is reported, but the files themselves are not accessed.
Other components look for outdated software running on your firewall (this software is called firmware) and report the vulnerabilities associated with that specific outdated firmware.
A newer type of external security audit is often classified as security awareness. A security awareness audit tests the ability of your users to distinguish good email from bad email that contains malware or fraudulent instructions to wire money. In this type of audit, a purposely deceptive email (using the same methods as hackers) is sent to your users, attempting to trick them into clicking something they shouldn’t. In this case, however, no harm comes to the user who took the bait, but that attempt is reported, giving you the chance to better educate that user.
Internal Security Audit
Internal security audits focus on the equipment sitting next to you in your office.
For example, your IT department tells you that all PCs are patched with the latest software patches. But aside from their word, how do you know? How can you tell that 200 PCs are patched? An audit will tell you that. Trust but verify.
An audit will tell you if your wireless network is set up incorrectly or your guest Wi-Fi is not properly separated from the company Wi-Fi. It may find that your wireless encryption adheres to year 2008 standards and is easily penetrated with current technology.
Here are a few other questions an internal security audit can answer:
• Is antivirus running on every PC on your network, and is it updated?
• Did one of your employees plug in a wireless hotspot under their desk to make their own wireless network called Ed’s Cafe?
• Is one of your users using three times the internet bandwidth of all your others? (And for what reason?)
• How many users on your network have administrative rights?
• How complex are your users’ passwords?
• Who has access to the accounting folder?
The Good News
The results of a security audit, whether internal or external, will likely be eye-opening. There aren’t many, if any, perfect networks out there. But the good news is the fixes are generally easy to implement.
Fixing password policy, closing firewall holes, updating firmware and most other remediation measures are painless. And many audit companies will rerun portions of the audit for free to verify that the fixes in place truly solved the problem.
You should consider some type of audit of your IT systems at least annually. The days of being able to say, “I didn’t know” are over. It’s not enough to hire the right people. It’s imperative to verify, test, remediate and maintain.
Kurt Simione is owner of Technology Seed, an IT support firm in Salem. He can be reached at 603-458-7190, email@example.com or TSeed.com.