October is National Cybersecurity Awareness Month (NCSAM). Now in its 15th year, NCSAM is co-led by the United States Department of Homeland Security (DHS) and the National Cybersecurity Alliance (NCSA). It is a collaborative effort between government and industry to ensure that every American has the resources they need to improve online safety and security. Each week throughout October, many cybersecurity stakeholders, including DHS and NCSA, will share tips and techniques to improve our nation’s cybersecurity.
Throughout October, AHP will be releasing several blog posts that look at cybersecurity from several angles. These posts will include practical takeaways to improve cybersecurity at your business, organization, or home. Today’s post looks at one fundamental step in understanding corporate or organizational cyber risk.
One area of cybersecurity that many businesses and other organizations have questions about is the concept of assessing risks and vulnerabilities within their own organization. So often, organizations want to focus on implementing the latest security technology without truly identifying and understanding the risks they are facing. Furthermore, how do we quantify those risks so we know which risks are the most important to address?
While the process of assessing IT and security risks involves many areas of a business and may include topics as diverse as password strength or the risks of environmental catastrophes, I’d like to focus on one fundamental area – understanding the systems on your network.
Before you can secure your network and systems, you need to understand what is on your network. This may include servers, workstations, firewalls, routers, wireless controllers, mobile devices (connected wirelessly), printers and copiers, scanners, telephones, fax machines, and a multitude of controller devices (such as those that control door-lock systems or heating and cooling systems). An organization needs a reliable way to know what systems are connected, and ideally that inventory should update in real time rather than depend on a spreadsheet that is only as current as the last time someone walked the building.
Once you understand what types of systems are connected to your network, you can start to refine that understanding. This may include identifying systems that are past the manufacturer’s support period (and so no longer receive security fixes), spotting rogue or unknown systems that do not appear in your asset records, and similar questions.
Continuing to refine and “drill down” on that understanding next means learning what software applications are installed on those systems and how those systems are configured. Gaining visibility into the installed software involves checking whether each application is still supported by the vendor, whether it is still needed, and whether it is up to date.
Many security professionals discuss the importance of staying “patched,” and rightly so. Maintaining secure, up-to-date software is a critical element of a cybersecurity program. But it is important first to understand what software is installed on your systems. Each application often has its own update process, determined by that application’s vendor, and an operating-system patch cycle does not cover it. So you could have several applications installed on your systems that are never patched, simply because the IT group has no insight into what is installed.
There are many automated systems that can identify hardware devices connected to your network and provide information about the installed software. Many of these applications can report on unpatched or vulnerable software, out-of-date systems, and many other attributes. Keep in mind that a discovery tool only sees what it can reach, so its results still need to be reconciled against the list of assets you believe you own: the differences between the two lists are where rogue devices and forgotten systems show up.
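The reconciliation described above, carried through in code, as an added example that is not AHP’s or any vendor tool’s code. It assumes three constructed inputs: an authoritative asset register keyed by MAC address, a table of vendor end-of-support dates, and a list of devices as a discovery scan might report them, including the software each one has installed. All product names, dates and versions below are made up for illustration. The example flags devices that are not in the register, operating systems past their support date, and applications older than the patch policy allows, and it compares version numbers numerically because a plain string comparison gets cases like 2.10.0 versus 2.3.0 wrong.

```python
"""Reconcile a network discovery scan against an asset register.

Added example; all data below is constructed for illustration and does not
describe any real vendor, product or support date.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class Device:
    mac: str
    ip: str
    hostname: str
    os: str
    software: Dict[str, str] = field(default_factory=dict)  # app name -> installed version


# Constructed: the authoritative asset register (MAC -> owner/role). Anything
# on the wire that is not in here is unknown until someone claims it.
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:01": "fileserver01 (IT)",
    "aa:bb:cc:00:00:02": "fw-edge (IT)",
    "aa:bb:cc:00:00:03": "hvac-ctrl (Facilities)",
    "aa:bb:cc:00:00:04": "printer-2f (Office)",
}

# Constructed, illustrative end-of-support dates; real dates come from the vendor.
END_OF_SUPPORT = {
    "ExampleOS 2003": date(2015, 7, 14),
    "ExampleOS 2016": date(2027, 1, 12),
    "PrinterFW 3": date(2017, 6, 30),
    "ControllerOS 1": date(2016, 12, 31),
}

# Constructed: the oldest version of each application the patch policy accepts.
MINIMUM_VERSIONS = {
    "PDF Reader": "2.3.0",
    "Office Suite": "16.0.10",
    "Java Runtime": "8.0.181",
}

# Constructed: what a discovery scan reported. The last entry has no hostname
# and is absent from the register, which is how a rogue device typically looks.
DISCOVERED: List[Device] = [
    Device("aa:bb:cc:00:00:01", "10.0.1.10", "fileserver01", "ExampleOS 2003",
           {"PDF Reader": "2.3.1", "Java Runtime": "8.0.152"}),
    Device("aa:bb:cc:00:00:02", "10.0.1.1", "fw-edge", "ExampleOS 2016"),
    Device("aa:bb:cc:00:00:03", "10.0.2.50", "hvac-ctrl", "ControllerOS 1"),
    Device("aa:bb:cc:00:00:04", "10.0.1.77", "printer-2f", "PrinterFW 3"),
    Device("aa:bb:cc:00:00:99", "10.0.1.200", "", "ExampleOS 2016",
           {"Office Suite": "16.0.9", "PDF Reader": "2.10.0"}),
]

SCAN_DATE = date(2018, 10, 1)  # constructed: the day the scan was taken


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.0.181' into (8, 0, 181) so each component compares numerically.

    Lexical comparison of version strings is a classic inventory bug:
    '2.10.0' < '2.3.0' and '16.0.9' > '16.0.10' are both wrong conclusions.
    Non-numeric suffixes such as '1.2.3b' are tolerated by keeping the digits.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_rogue_devices(discovered: List[Device], known: Dict[str, str]) -> List[Device]:
    """Devices seen on the network that the asset register does not account for."""
    return [d for d in discovered if d.mac.lower() not in known]


def find_end_of_support(discovered: List[Device], eos: Dict[str, date], today: date) -> List[Device]:
    """Devices whose operating system or firmware is past its vendor support date."""
    return [d for d in discovered if d.os in eos and eos[d.os] <= today]


def find_stale_software(discovered: List[Device], minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """(host, app, installed, required) for every application below the policy minimum."""
    findings = []
    for d in discovered:
        label = d.hostname or d.ip  # rogue devices often have no usable hostname
        for app, installed in d.software.items():
            if app in minimums and parse_version(installed) < parse_version(minimums[app]):
                findings.append((label, app, installed, minimums[app]))
    return findings


def assess(discovered, known, eos, minimums, today) -> dict:
    """Run all three checks and return a report suitable for a ticket or dashboard."""
    return {
        "rogue": [d.mac for d in find_rogue_devices(discovered, known)],
        "end_of_support": [d.hostname for d in find_end_of_support(discovered, eos, today)],
        "stale_software": find_stale_software(discovered, minimums),
    }


if __name__ == "__main__":
    report = assess(DISCOVERED, KNOWN_ASSETS, END_OF_SUPPORT, MINIMUM_VERSIONS, SCAN_DATE)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Run as is, the report lists one rogue MAC, three end-of-support systems (the file server, the HVAC controller and the printer, which is the kind of device that rarely appears in an IT-only inventory), and two stale applications. Note that the PDF Reader at 2.10.0 is correctly reported as current and the Office Suite at 16.0.9 as stale; a tool that compared version strings alphabetically would invert both results.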
Understanding what systems are on your business’s or organization’s network, along with what software applications are installed on those systems, is a key element of assessing your cybersecurity risks and is the foundation for developing a plan to improve the security of your network.