Top 5 Security Assessment Findings

Even organizations with solid cybersecurity programs will have findings from a security assessment.  After all, cyber attacks and attackers continue to learn and evolve, always trying to be one step ahead of their prospects.  Through our years of performing security assessments, here are the Top 5 areas that we have found to need remediation work post-assessment.

1) Security Awareness Training

We do security assessments constantly and have for years.  In half the cases or more, we find that the clients do not have a cybersecurity training program in place.  While we understand that such training is a cost center and a wee time suck, this training really is an investment and goes a long way toward reducing business risk.  Even if you could, you wouldn’t drive a car without insurance, and we think that cybersecurity training falls in the same vein.  A well-trained staff is your FIRST and BEST defense against cybercriminals.  There are even some free resources for cybersecurity training – even if you are not doing DoD or related work, the DoD Cyber Awareness Challenge is superb.  Kick off your training program today and have all your employees take it.

2) Inventory

A company's IT landscape tends to be in a constant state of flux, and most companies can’t tell you what they really have at any given time.  In one assessment the client told us they had 500 endpoints, and we found about twice that.  We can’t protect the environment if we don’t know what is factually IN the environment.  Inventory everything – all hardware, all software, all accounts, and at a minimum what traffic is allowed in and out of your firewall for starters.  Keep this inventory current and accurate at all times.  There are numerous forms of automation available to do this.

3) Patch Management

The overwhelming majority of companies do a lousy job of patch management, and hackers know it.  They are looking for you.  While this may sound ominous, it is definitely true.  It’s very rare to find companies doing a good job, much less a great one, and that is because of the lack of a vulnerability scanner which is not cheap or easy to use.  In most cases it’s probably better to get an MSP (Managed Services Provider) to bring in a vulnerability scanning capability and the have them monitor for vulnerabilities, which can pop up literally at any time.  This is why “zero-day” exploits can fetch a six-figure price on the dark markets.

4) Protective Technologies

In the 90’s, we used a firewall, anti-virus, and some form of automated OS patching to keep networks reasonably secure.  Many companies are still following this very outdated model, and it’s not enough to keep out even hobby hackers, much less real ones.  You’ll need to move beyond this and bring in a UTM (Unified Threat Management) type solution.  Think of a UTM as being like an AWAC (Airborne Warning and Control) aircraft – the ones you see flying over the battlefield that have the giant rotating disc on the back.  UTM watches everything in your “battlefield” and then provides intelligence to a SOC (Security Operations Center) so they can take action BEFORE the tanks roll across your border.

5) General Lack of a Plan

Most companies have some form of policies and procedures which govern whatever thing, but it’s not uncommon to find clients which have no IT or cybersecurity plans at all.  Ad hoc should never be an option here. The good news is that you don’t have to start from scratch – there are tons of existing best practice frameworks out there which can be readily adopted.  If you are a small company, a good start is NISTIR 7621, Small Business Information Security:  The Fundamentals.  If your company is a little larger, for example 50 to 100 workstations or more, a better fit would be the NIST CSF (Cybersecurity Framework).

Rather than bury your head in the sand, it is worth taking an honest look at your organization’s security before, during, and after (continually) an assessment.  While there are free resources (listed above) to help get started, you may have some areas that could use the expertise of outside assistance.

Jason McNew  

Senior Engineer, Cybersecurity Risk and Compliance, Appalachia Technologies 

Jason McNew is a CISSP and a CMMC RP (Registered Practitioner).  Jason, a United States Air Force veteran, holds a Master’s degree from Penn State University in Information Sciences, Cyber Security and Information Assurance, in addition to a Bachelor of Science and two Associate of Science degrees. Penn State’s Cyber Security program has been reviewed and endorsed by the National Security Agency (NSA) and the Department of Homeland Security (DHS).  He also worked for the White House Communications Agency from 2003 until 2015.  In 2017 he founded Stronghold Cyber Security, which was acquired by Appalachia Technologies in 2020.