What is the Purpose of a Network Security Assessment?
The purpose of a network security assessment is to keep your network, devices, and sensitive data secured from unauthorized access by discovering potential attack vectors from inside and outside of your internal network.
Additionally, you may have a regulatory responsibility to do them, depending on your industry. For example, credit card processors need to comply with PCI DSS and health care organizations need to comply with HIPAA.
Network security assessments can answer questions like:
- What systems are likely to be breached?
- What are the common entry points for security breaches?
- What would the impact of a cyber attack be on a specific asset?
- What sensitive data, personally identifiable information or protected health information would be exposed in a data breach or data leak?
- What can we do to mitigate this type of attack?
What are the Types of Network Security Assessments?
There are two main types of network security assessment:
- Vulnerability assessment: A vulnerability assessment identifies and ranks weaknesses in your systems (typically with automated scanners plus manual review) but does not attempt to exploit them. It shows organizations where their weaknesses are and feeds the vulnerability management process.
- Penetration test: Penetration testing goes a step further and attempts to exploit the weaknesses found, mimicking an actual cyber attack. Depending on scope it can include social engineering such as phishing, spear phishing or whaling.
Both are great methods to test the effectiveness of your network security defenses and measure the potential impact of an attack on specific assets.
How to Conduct a Network Security Assessment
A network security assessment is just another type of cybersecurity risk assessment. The process is as follows:
- Take inventory of your resources
- Determine information value
- Assess the vulnerability of your IT infrastructure
- Test your defenses
- Document results in a network security assessment report
- Implement security controls to improve cybersecurity
- Continuously monitor for issues and changes
Take Inventory of Resources
The first step is to identify the assets to evaluate and determine the scope of the assessment. This lets you prioritize which assets to assess first. You may not want or need to assess every network segment, web application, and Wi-Fi access point, and you might not have the budget even if you wanted to.
That said, it can help to take stock of all your networks, devices, data, and other assets so you can determine which assets you wish to secure. This process will provide you with an overview of your overall network and the IT security controls around it.
Determine Information Value
Most organizations don't have an unlimited budget for information security (InfoSec), so it's best to limit your scope to the most business-critical assets. Additionally, you should think about what regulatory and compliance requirements your organization may need to comply with.
To save time and money, spend time developing a data classification policy that defines a standard way to determine the value of an asset or piece of data. See our guide on data classification for more information.
Most organizations will include asset value, legal standing, and business importance. Once the policy has been formally incorporated into your information risk management program, use it to classify each asset as critical, major, or minor.
Other questions that may help you determine value include:
- Are there financial or legal penalties associated with exposing or losing this information?
- How valuable is this information to a competitor?
- Could we recreate this information from scratch? How long would it take and what would be the associated costs?
- Would losing this information have an impact on revenue or profitability?
- Would losing this data impact day-to-day business operations? Could our staff work without it?
- What would be the reputational damage of this data being leaked?
Assess the Vulnerability of Your IT Infrastructure
A vulnerability is any weakness in a system, configuration, or process that an attacker can exploit to get into an otherwise secure network.
Cybersecurity risk can come from anywhere including inside and outside your organization, internal personnel with poor security habits, or third-party vendors with inadequate information security policies who have access to your network.
Because risks can be so varied, a robust security risk assessment process should include:
- Network scanning: A comprehensive scan of your network's ports and other attack vectors. Open ports are a common starting point for attackers. The scan should cover wired, Wi-Fi, Internet of Things (IoT) and other wireless networks, and will identify accessible hosts and the network services they expose (such as HTTP, FTP, SMTP, and POP3).
- Internal weaknesses: Many organizations hire outside security consultants to test both personnel and systems the way an external attacker would, since internal staff tend to have blind spots about their own environment.
- Network enumeration: Discovering the hosts and devices on a network and fingerprinting the operating system and service versions of remote hosts. Once an attacker knows the operating system and software versions, they can look them up in the CVE list (or the NVD) for known vulnerabilities to exploit, so you should do the same lookup first.
- Third-party review: A review of all third parties and their level of access to your internal network and sensitive assets.
- Information security policy review: Review of policies around employee training, BYOD (bring your own device), and email usage.
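The scanning and enumeration steps above produce raw host/port/service data that still has to be triaged. The following is an added example (not code from the original article): it parses output in the XML format that nmap writes with `-oX`, lists the open services and fingerprinted operating system per host, flags services that carry credentials or data in cleartext, and collects the product/version strings you would look up against the CVE list. The XML is a constructed sample; the hostnames, addresses and version numbers in it are illustrative only.

```python
"""Triage a network scan: parse nmap-style XML and flag risky exposed services.

Added example for the network scanning / enumeration step. The sample XML is
constructed to match the shape of nmap's -oX output; none of the hosts,
addresses or versions are real findings.
"""
import xml.etree.ElementTree as ET

# Constructed sample (trimmed to the elements this script reads).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="legacy-files.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.57"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="94"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="9.6"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.25.3"/></port>
    </ports>
    <os><osmatch name="Linux 5.15" accuracy="97"/></os>
  </host>
</nmaprun>
"""

# Protocols that send credentials or payloads unencrypted (or are legacy
# remote-access protocols) and should not be reachable on an assessed segment.
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "smtp", "http", "rlogin", "rsh"}


def parse_nmap(xml_text):
    """Return one dict per live host: ip, hostname, OS guess and open services."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")
        services = []
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": svc.get("name", "unknown") if svc is not None else "unknown",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
        hosts.append({
            "ip": host.find("address[@addrtype='ipv4']").get("addr"),
            "hostname": hostname.get("name") if hostname is not None else "",
            "os": osmatch.get("name") if osmatch is not None else "unknown",
            "services": services,
        })
    return hosts


def cleartext_findings(hosts):
    """Flag every open service that speaks a cleartext protocol."""
    findings = []
    for h in hosts:
        for s in h["services"]:
            if s["name"] in CLEARTEXT_SERVICES:
                findings.append({
                    "ip": h["ip"], "port": s["port"], "service": s["name"],
                    "detail": f"{s['name']} on {s['proto']}/{s['port']} exposes credentials or data unencrypted",
                })
    return findings


def cve_lookup_keys(hosts):
    """Product/version strings (plus OS guesses) to check against the CVE list/NVD."""
    keys = set()
    for h in hosts:
        keys.add(h["os"])
        for s in h["services"]:
            if s["product"] and s["version"]:
                keys.add(f"{s['product']} {s['version']}")
    return sorted(keys)


if __name__ == "__main__":
    scanned = parse_nmap(SAMPLE_NMAP_XML)
    for f in cleartext_findings(scanned):
        print(f"[cleartext] {f['ip']}:{f['port']} {f['detail']}")
    print("look up against CVE/NVD:", cve_lookup_keys(scanned))
```

Run it against a real scan with `nmap -sV -O -oX scan.xml <range>` and read `scan.xml` instead of the sample string. Note that closed ports are dropped and only open services are reported; a service with no version string (the telnet entry above) still gets a cleartext finding but will not appear in the CVE lookup list, so unversioned services need manual identification.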
Other threats you should consider too:
- Natural disasters: Floods, hurricanes, earthquakes, lightning, and fire can destroy as much as any cyber attacker. You can lose not only data but servers too. When deciding between on-premises and cloud-based servers, think about the chance of natural disasters.
- System failure: Are your most critical systems running on high-quality equipment? Do they have good support?
- Human error: Are the S3 buckets that hold sensitive information properly configured? Does your organization have proper education around malware, phishing, and social engineering? Anyone can accidentally click a malware link or enter their credentials into a phishing scam. You need strong IT security controls, including regular data backups, password managers, and similar safeguards.
- Adversarial threats: insiders (including trusted and privileged insiders), third-party vendors and suppliers, established hacker collectives, ad hoc groups, corporate espionage, and nation-states.
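"Properly configured" for an S3 bucket means, at minimum, that no policy statement or ACL grant lets anonymous or any-authenticated-AWS-user principals read it. The following is an added example, not code from the original article or from AWS: it evaluates a bucket policy document and an ACL of the shape returned by `get-bucket-policy` / `get-bucket-acl` and reports statements that grant read access to everyone. Both documents are constructed samples; the bucket and role names are made up.

```python
"""Flag public-read access in an S3 bucket policy and ACL (offline check).

Added example for the "are your S3 buckets properly configured?" question.
The policy and ACL below are constructed samples in the same JSON shape the
AWS API returns; the bucket, account and role names are hypothetical.
"""
import json

# Well-known grantee URIs that mean "everyone" in S3 ACLs.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions (lower-cased) that let a principal read object contents.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-reports/*"},
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::corp-reports", "arn:aws:s3:::corp-reports/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-reports/*"}
  ]
}""")

SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (anonymous / any AWS account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy):
    """Allow statements that grant read to a public principal.

    Statements with a Condition are reported as 'review' rather than 'public':
    conditions such as aws:SourceVpce or aws:SourceIp can narrow access, but
    only a human can confirm that the condition actually does.
    """
    results = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        results.append({
            "sid": st.get("Sid"),
            "severity": "review" if st.get("Condition") else "public",
            "resources": _as_list(st.get("Resource", [])),
        })
    return results


def public_acl_grants(acl):
    """ACL grants to the AllUsers or AuthenticatedUsers groups."""
    return [g for g in acl.get("Grants", []) if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_URIS]


if __name__ == "__main__":
    for s in public_statements(SAMPLE_POLICY):
        print(f"[{s['severity']}] statement {s['sid']} -> {s['resources']}")
    for g in public_acl_grants(SAMPLE_ACL):
        print(f"[public] ACL grant {g['Permission']} to {g['Grantee']['URI']}")
```

Two caveats a reviewer should keep in mind: the account- and bucket-level Block Public Access settings override both the policy and the ACL, so a "public" result here is only exploitable if those are off; and an explicit Deny statement elsewhere in the policy would also win, which this check does not model.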
As this can be time-intensive, many organizations opt for outside assessment services or automated security solutions.
Test your Defense
Once you've assessed your organization's vulnerabilities, you want to test whether your security controls and risk mitigation techniques prevent attackers from being able to exploit them.
Document Results in a Network Security Assessment Report
Now you need to develop a report to support management's decision-making on budget, policies, and procedures. For each vulnerability, the report should describe the risk it poses, how it could be exploited, the value of the affected asset, the impact and likelihood of occurrence, and recommended controls.
As you work through this process, you'll understand what infrastructure your company operates, what your most valuable data is, and how you can better operate and secure your business.
Implement Security Controls to Improve Cybersecurity
Chances are you have found a gap or weak spot in your network. Make a list of them and develop a plan to remediate them.
Controls can be implemented through technical means, such as hardware or software, encryption, network intrusion detection mechanisms, two-factor authentication, automatic updates, continuous data leak detection, or through non-technical means like security policies, and physical mechanisms like locks or biometric access.
Additionally, classify controls into preventive and detective measures. Preventive controls are designed to stop attacks from happening, e.g. firewall rules, patching, and two-factor authentication, while detective controls try to discover when an attack has occurred or a weakness has appeared, e.g. intrusion detection, log monitoring, and continuous vendor security monitoring.
Continuously Monitor for Issues and Changes
In addition to manual network security assessments, many organizations are investing in security ratings to provide continuous monitoring of not only their network security but their overall security posture too.
Security ratings are also commonly used by third-party risk management teams to assess the quality of vendors' security practices.
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform making them valuable as an objective indicator of an organization's cybersecurity performance.
Security ratings complement traditional risk management methods by providing continuous, objective, actionable, and always up-to-date data.