Explained: Firewalls, Vulnerability Scans and Penetration Tests
Many organizations choose to implement just three fundamental safeguards to protect themselves from unexpected cybersecurity threats. Implementing a secured perimeter and internal firewall network architecture and conducting Vulnerability Assessments and Penetration Tests (VAPT) are often seen as enough to protect critical business information. However, as we will discover, and despite this approach being a good start, there is substantially more to information security than firewalls and VAPT.
Firewall and VAPT
The firewall is the first line of defense of a computer network; its purpose is to restrict unauthorized traffic between the different layers of the network. A perimeter firewall is the entry point for incoming (ingress) and outgoing (egress) network traffic. An internal firewall protects the internal network layers by allowing or denying traffic between them. Securing the network architecture creates segregation that only permits approved traffic across the network; all other traffic is blocked by default, which prevents unexpected data from traversing the wrong network segments.
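The default-deny segmentation described above, as an added illustration that is not part of the original article: segment names, address ranges, ports and the allow list are all constructed assumptions. Any flow not explicitly listed is denied, and the audit helper shows which segments the Internet can reach directly.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample segments (assumed addressing, not from the article).
SEGMENTS = {
    "internet": ip_network("0.0.0.0/0"),   # catch-all for anything not internal
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.10.0.0/16"),
    "mgmt": ip_network("10.99.0.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str
    dport: int

# Explicit allow list: everything not listed here is denied by default.
ALLOW = [
    Rule("internet", "dmz", "tcp", 443),   # public web tier only
    Rule("dmz", "internal", "tcp", 5432),  # web tier to database tier
    Rule("mgmt", "internal", "tcp", 22),   # admins to servers
    Rule("mgmt", "dmz", "tcp", 22),
]

def segment_of(addr: str) -> str:
    """Map an address to the most specific segment containing it."""
    ip = ip_address(addr)
    best = None
    for name, net in SEGMENTS.items():
        if ip in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best

def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return ALLOW only for an explicitly approved segment-to-segment flow."""
    flow = Rule(segment_of(src_ip), segment_of(dst_ip), proto, dport)
    return "ALLOW" if flow in ALLOW else "DENY"

def exposed_to_internet() -> set:
    """Audit helper: which (segment, port) pairs does the Internet reach directly?"""
    return {(r.dst, r.dport) for r in ALLOW if r.src == "internet"}
```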
A Vulnerability Assessment is a technical safeguard that aims to discover weaknesses within an organization’s IT infrastructure. The scan targets the entire network, identifying all devices, servers and endpoints by IP address. The scan will identify the applications and operating systems that are in use. Gathered data is cross-referenced against a security database of known exploits and vulnerabilities. This helps to identify whether a device is vulnerable or not.
Any non-compliant device is flagged and added to a vulnerability report. The report is used as a baseline for post-assessment activities. Identified weaknesses in the organization's environment need to be resolved. Remediation, for example scheduled patching, software updates, firmware updates or blocking network ports, should follow the vulnerability scan.
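The cross-referencing step described above, as an added example that is not part of the original article: a discovered inventory (host, OS, software versions) is matched against an advisory database and the hits are ordered by severity for the report. The inventory, advisory entries and the ADV-000x reference ids are constructed placeholders, not real advisories or CVEs.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Asset:
    ip: str
    hostname: str
    os: str
    software: dict   # product name -> installed version

@dataclass
class Advisory:
    ref: str         # placeholder id (constructed, not a real CVE)
    product: str
    fixed_in: str    # first version that is no longer affected
    severity: str

# Constructed inventory, shaped like the output of a discovery scan.
INVENTORY = [
    Asset("10.10.1.5", "db01", "Linux", {"postgresql": "12.3", "openssh": "8.2"}),
    Asset("192.0.2.10", "web01", "Linux", {"nginx": "1.18.0", "openssh": "7.4"}),
    Asset("10.99.0.7", "jump01", "Linux", {"openssh": "9.3"}),
]

# Constructed advisory database.
ADVISORIES = [
    Advisory("ADV-0001", "openssh", "8.0", "high"),
    Advisory("ADV-0002", "postgresql", "12.4", "medium"),
    Advisory("ADV-0003", "nginx", "1.20.0", "low"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def find_vulnerable(inventory, advisories) -> list:
    """Flag every asset running a product older than the advisory's fixed version."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            installed = asset.software.get(adv.product)
            if installed is None:
                continue
            if parse_version(installed) < parse_version(adv.fixed_in):
                findings.append({"ip": asset.ip, "host": asset.hostname,
                                 "product": adv.product, "installed": installed,
                                 "fixed_in": adv.fixed_in, "ref": adv.ref,
                                 "severity": adv.severity})
    # Highest severity first, then by address, so remediation can be sequenced.
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["ip"]))
    return findings
```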
Organizations also undertake penetration testing; this is a real-world scenario in which a specialist security engineer (often external) attempts to breach your organization's computer network. This may be a physical ‘attack’ on the organization's premises, but it is more often an ethical hacker attempting to compromise the internal computer systems. Penetration tests target known vulnerabilities and exploits in operating systems, software applications, misconfigured systems or weak end-user protection – such as passwords or AV.
The penetration test is a vital tool that helps intelligently manage IT vulnerabilities. It may help to achieve regulatory compliance, preserve customer loyalty and protect the value of your brand. Both vulnerability assessments and penetration tests should form part of a continuously evolving cybersecurity strategy.
Ensuring your network security and performing VAPT assessments is only a small part of what is required to create a progressive and robustly secure InfoSec strategy. There are many other facets needed to introduce substantive protective measures. A cybersecurity framework is required that is able to Identify, Protect against, Detect, Respond to and Recover from security threats.
Identify Security Risks
The first task to complete is a thorough Risk Assessment; the aim here is to identify all company assets, such as data, devices, and hardware and software platforms. It will also identify business processes (governance), such as organizational communication flows, business resources and existing cybersecurity roles and responsibilities.
The data from the risk assessment is used to identify asset vulnerabilities and threats, both internal and external. An assessment of the potential business impacts will identify the organization's priorities, constraints and risk tolerances.
The next step is to create a remediation roadmap, a major step towards incorporating tighter security controls. The roadmap dictates how to protect the organization's infrastructure, highlights the priorities and recommends the sequence in which to complete the tasks. Much of the protection will initially relate to identity and authentication, ensuring that the identities and credentials of all users are valid and verified in order to protect physical and remote access to sensitive data.
The roadmap will also identify data security weaknesses and make recommendations about how data should be protected at rest and in transit. Security policies will be created to advise how to harden the organization's internal processes and procedures, including change management process, backup and restore procedures and the data destruction policy. Key recommendations are made within a Threat Advisory Bulletin, as well as advice on improving business continuity and disaster recovery procedures. It is here where the Information Security Awareness training requirements will be drafted for each department within the company.
The detection stage is conducted using vulnerability scans and penetration tests; this helps to pinpoint weaknesses in the computing and network infrastructure. These steps include identifying any additional technical and physical cybersecurity risks; they may also include the assessment of external third-party providers such as managed service providers or security services.
Respond and Recover
Response planning and recovery processes are created to formulate an action plan to be followed in the event of an emergency or serious cybersecurity attack. It works similarly to a disaster recovery or business continuity strategy, where a pre-defined response is followed and each team member knows his or her roles and responsibilities.
A plan is drawn up that covers how to handle communications during a major incident, including who manages public relations and who manages internal communications. The technical processes that the engineers need to follow are also drafted at this stage.
The processes must be tested regularly and the results reviewed, analyzed and revised if necessary. Any mitigation activities must be drawn up for failures discovered during the tests, and the response plan and roadmap are updated accordingly.
There is much evidence to suggest that a firewall implementation and scheduled testing should be part of a much wider, all-encompassing cybersecurity strategy. The network security and penetration testing elements serve a key purpose overall, but they make up only a small part of a much larger security framework.
We have only scratched the surface on what information security is, but an ever-present theme is that InfoSec is part of a continuous improvement initiative, constantly tested and improved upon. Many organizations choose to outsource this responsibility to a security vendor who manages InfoSec for a large customer base.
The services you receive vary but often come with additional benefits such as Trusted Advisor check-ins to ensure your business is on track with its cybersecurity progress. Other key benefits include annual internal audit and roadmap check-up, disaster recovery testing, incident response testing, Phishing and social engineering tests, training and unbiased external penetration testing.