A 6-Step Guide to Network Security Assessment
How well protected is your network against outside and inside threats? You don't know until you've conducted a network security assessment. It takes some effort, but it will uncover weaknesses that you can fix. The cost of assessing your security status is much less than the cost of a breach.
Here are six steps that a network security assessment needs to include.
Assess software vulnerabilities
Outdated and poorly written software often has serious vulnerabilities. A vulnerability scan of operating systems, applications, and services will identify known weaknesses. The report will indicate the severity of each problem, so you can prioritize them.
In most cases you can fix the vulnerabilities by installing the latest software patches. If this isn't possible, adjusting the configuration settings may make the weakness inaccessible from outside the network. If there's no way to fix the problem, you might have to pull the software out of service.
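The triage described above (rank by severity, then patch, otherwise restrict exposure, otherwise retire the software) is shown below as an added Python example; it is not code from the original article. The finding fields, the CVSS severity bands and the sample findings are constructed, and the CVE identifiers are obvious placeholders rather than real advisories.

```python
"""Prioritise vulnerability-scan findings and decide a remediation action.

Added example (not part of the original article). The report fields, the
CVSS thresholds and the sample data are assumptions; real scanners each
have their own export format, so a loader for that format would feed
Finding objects into prioritise().
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str
    software: str
    cve: str             # placeholder ids in the sample data below
    cvss: float          # 0.0 - 10.0 base score reported by the scanner
    internet_exposed: bool
    patch_available: bool
    can_restrict: bool   # can a configuration change make it unreachable from outside?


def severity_label(cvss: float) -> str:
    """Map a CVSS base score to the usual qualitative bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def remediation(f: Finding) -> str:
    """Three-tier decision: patch if possible, else restrict exposure, else retire."""
    if f.patch_available:
        return "patch"
    if f.can_restrict:
        return "restrict exposure (configuration change)"
    return "retire software"


def prioritise(findings: List[Finding]) -> List[dict]:
    """Order findings so the most urgent come first.

    Sort key: Internet-exposed findings before internal ones, then
    descending CVSS score within each group.
    """
    ordered = sorted(findings, key=lambda f: (not f.internet_exposed, -f.cvss))
    return [
        {
            "host": f.host,
            "software": f.software,
            "cve": f.cve,
            "severity": severity_label(f.cvss),
            "action": remediation(f),
        }
        for f in ordered
    ]


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    Finding("web01", "ExampleHTTPd 2.1", "CVE-0000-0001", 9.8, True, True, True),
    Finding("db01", "ExampleDB 5.4", "CVE-0000-0002", 7.5, False, False, True),
    Finding("legacy01", "OldApp 1.0", "CVE-0000-0003", 8.1, True, False, False),
    Finding("fs01", "ExampleFS 3.2", "CVE-0000-0004", 4.3, False, True, True),
]

if __name__ == "__main__":
    for item in prioritise(SAMPLE_FINDINGS):
        print(f"{item['severity']:8} {item['host']:10} {item['software']:18} -> {item['action']}")
```

With the sample data the plan lists the exposed hosts first (web01, then legacy01), recommends retiring the unpatched and unrestrictable legacy application, and leaves the internal file server's medium-severity patch for last.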
Run a port scan
The only TCP and UDP ports that should be open are the ones that need to be. The default installation of a software package may activate ports that aren't really necessary. They represent security risks, especially if you have never configured them.
This needs checking at both the firewall and system levels. The network firewall should allow only the ports that need access from outside the network. Individual systems shouldn't open ports that serve no purpose. Being safe at more than one level guards against configuration errors and backdoors.
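To show the two-level check in practice, here is an added Python example (not from the original article) that compares a host's listening sockets and the perimeter firewall's rules against a per-host allowlist. The `ss -tuln` output, the allowlists and the firewall rule list are constructed for illustration; in a real assessment they would come from the host itself and from the firewall's rule export.

```python
"""Compare listening ports against an allowlist at host and firewall level.

Added example (not from the original article). The sample `ss -tuln`
output, the allowlists and the firewall rules are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `ss -tuln` output from a web server (not a real capture).
SS_OUTPUT_WEB01 = """\
Netid  State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port
udp    UNCONN  0       0              0.0.0.0:111         0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
tcp    LISTEN  0       511            0.0.0.0:80          0.0.0.0:*
tcp    LISTEN  0       511               [::]:443            [::]:*
tcp    LISTEN  0       128          127.0.0.1:3306        0.0.0.0:*
tcp    LISTEN  0       128            0.0.0.0:5900        0.0.0.0:*
"""

# Ports each host is expected to serve at all, as (protocol, port).
HOST_ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "web01": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
}

# Ports the perimeter firewall may forward from the Internet to each host.
FIREWALL_ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "web01": {("tcp", 80), ("tcp", 443)},
}

# Constructed firewall rules: (host, protocol, port) permitted from outside.
FIREWALL_RULES = [
    ("web01", "tcp", 80),
    ("web01", "tcp", 443),
    ("web01", "tcp", 22),   # stray rule: management port reachable from the Internet
]

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+")


def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind_address, port) for every bound socket in `ss -tuln` output."""
    sockets = []
    for line in output.splitlines()[1:]:   # skip the header line
        m = LINE_RE.match(line)
        if not m or m.group(3) == "*":
            continue
        sockets.append((m.group(1), m.group(2), int(m.group(3))))
    return sockets


def host_findings(host: str, ss_output: str) -> List[str]:
    """Flag sockets the host is listening on that are not on its allowlist.

    Loopback-only sockets are still reported, but marked as such: they are
    not reachable from the network, yet they show software nobody asked for.
    """
    issues = []
    for proto, addr, port in parse_ss(ss_output):
        if (proto, port) in HOST_ALLOWLIST.get(host, set()):
            continue
        loopback = addr.startswith("127.") or addr == "[::1]"
        where = "loopback only" if loopback else "network-reachable"
        issues.append(f"{host}: unexpected {proto}/{port} bound to {addr} ({where})")
    return issues


def firewall_findings() -> List[str]:
    """Flag perimeter rules that expose ports the host should not serve externally."""
    return [
        f"firewall: {host} {proto}/{port} reachable from outside but not on the external allowlist"
        for host, proto, port in FIREWALL_RULES
        if (proto, port) not in FIREWALL_ALLOWLIST.get(host, set())
    ]


if __name__ == "__main__":
    for line in host_findings("web01", SS_OUTPUT_WEB01) + firewall_findings():
        print(line)
```

Running it reports the portmapper (udp/111) and VNC (tcp/5900) sockets as unexpected and network-reachable, the database (tcp/3306) as unexpected but loopback-only, and the firewall rule that lets SSH in from the Internet. The firewall check catches the last one even though SSH is legitimately listening on the host, which is the point of checking both levels.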
Review outside access
Who can access your systems from the Internet, and what permissions do they have? Accounts need purging when the user is no longer authorized. Inter-network connections should have secure authorization methods and grant only the necessary permissions.
As a general principle, users should have only the permissions they need to do their job. If an account is hijacked, the damage the attacker can do with it should be as limited as possible. Many applications have flexible permission schemes that allow fine-grained settings.
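The review above (who still has access, and whether each account holds more than its role needs) can be scripted as a reconciliation of the account export against an authorised roster and a per-role permission baseline. The following Python is an added example, not code from the original article; the roster, the account export, the role baselines and the 90-day idle threshold are constructed assumptions.

```python
"""Reconcile Internet-facing accounts against the authorised roster and role baselines.

Added example (not from the original article). The roster, the account
export and the role-to-permission baseline are constructed; a real review
would pull them from HR, the VPN/SSO directory and the application itself.
"""
from datetime import date
from typing import Dict, List, Set

# Least-privilege baseline: the permissions each role needs (assumed values).
ROLE_BASELINE: Dict[str, Set[str]] = {
    "support": {"tickets:read", "tickets:write"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "contractor": {"repo:read"},
}

# Constructed HR roster: who is currently authorised, and in what role.
ROSTER: Dict[str, str] = {
    "alice": "developer",
    "bob": "support",
    "carol": "contractor",
}

# Constructed export of remote-access accounts with their effective permissions.
ACCOUNTS: List[Dict] = [
    {"user": "alice", "permissions": {"repo:read", "repo:write", "ci:run"}, "last_login": date(2024, 5, 2)},
    {"user": "bob", "permissions": {"tickets:read", "tickets:write", "repo:write"}, "last_login": date(2024, 4, 30)},
    {"user": "carol", "permissions": {"repo:read"}, "last_login": date(2023, 9, 1)},
    {"user": "eve", "permissions": {"repo:read", "ci:run"}, "last_login": date(2024, 1, 15)},  # no longer on the roster
]

STALE_DAYS = 90                  # assumed policy: query accounts unused this long
REVIEW_DATE = date(2024, 5, 10)  # constructed "today" for the sample review


def review_accounts(accounts: List[Dict], roster: Dict[str, str], today: date) -> List[str]:
    """Return one finding per problem: orphaned accounts, excess permissions, idle accounts."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        role = roster.get(user)
        if role is None:
            findings.append(f"{user}: no longer authorised; disable and remove remote access")
            continue
        excess = acct["permissions"] - ROLE_BASELINE[role]
        if excess:
            findings.append(f"{user} ({role}): permissions beyond role baseline: {sorted(excess)}")
        idle = (today - acct["last_login"]).days
        if idle > STALE_DAYS:
            findings.append(f"{user} ({role}): no login for {idle} days; confirm the account is still needed")
    return findings


def run_review() -> List[str]:
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, ROSTER, REVIEW_DATE)


if __name__ == "__main__":
    for line in run_review():
        print(line)
```

On the sample data the review flags bob's repository write permission (not part of the support role), carol's contractor account that has not been used for over eight months, and eve's account, which has no roster entry at all and should be removed.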
Assess internal security
A network needs to limit the risk of both external and internal attacks. If malware takes root in a system, its ability to attack other systems on the network should be as limited as possible. The same applies if an account is hijacked. Some devices, such as point-of-sale terminals and IoT devices, are especially vulnerable and shouldn't be fully trusted.
System services such as databases should have strong passwords, even if they're only accessible from inside the network. Splitting the network into subnetworks, with the most critical information on a separate subnet, reduces the chances of serious harm.
Review wireless connections
Poorly secured wireless access points open up gaping vulnerabilities in an otherwise secure network. Employees may set up their own access points for convenience and not configure them properly. A security assessment needs to identify all access points and determine what security standards they use. An unsecured connection not only lets anyone nearby into the network, it makes eavesdropping easy. All Wi-Fi connections should use WPA2 (or WPA3 when it becomes available) and have good passwords.
If the access point has an administrator login, it most likely came with a default password. This needs to be changed; otherwise anyone can get into the account using publicly available information. Changing the administrator's username from "admin" to something else is also a good idea.
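The wireless checks from the two paragraphs above (every access point identified, its security mode, its passphrase, whether it is a sanctioned device, and the state of its administrator account) can be applied to a site-survey inventory. The Python below is an added example, not code from the original article; the inventory format, the acceptable-mode set and the 12-character passphrase minimum are constructed assumptions.

```python
"""Audit a wireless access-point inventory for weak security settings.

Added example (not from the original article). The inventory fields and the
policy values are constructed; a real audit would feed in the site survey
and the controller's configuration export.
"""
from typing import Dict, List

# Modes considered acceptable: WPA3, or WPA2 with AES/CCMP (assumed policy).
ACCEPTABLE_MODES = {"WPA3-SAE", "WPA2-AES", "WPA2/WPA3-mixed"}
MIN_PASSPHRASE_LEN = 12  # assumed policy value

# Constructed inventory from a site survey plus configuration review.
ACCESS_POINTS: List[Dict] = [
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:01", "mode": "WPA2-AES",
     "passphrase_len": 20, "managed": True, "admin_user": "netops", "admin_password_changed": True},
    {"ssid": "corp-guest", "bssid": "00:11:22:33:44:02", "mode": "OPEN",
     "passphrase_len": 0, "managed": True, "admin_user": "admin", "admin_password_changed": True},
    {"ssid": "printer-room", "bssid": "00:11:22:33:44:03", "mode": "WEP",
     "passphrase_len": 5, "managed": False, "admin_user": "admin", "admin_password_changed": False},
    {"ssid": "lab", "bssid": "00:11:22:33:44:04", "mode": "WPA2-TKIP",
     "passphrase_len": 8, "managed": True, "admin_user": "admin", "admin_password_changed": True},
]


def audit_access_points(aps: List[Dict]) -> List[Dict]:
    """Return one finding dict per weakness found across the inventory."""
    findings: List[Dict] = []

    def add(ap: Dict, severity: str, issue: str) -> None:
        findings.append({"ssid": ap["ssid"], "bssid": ap["bssid"],
                         "severity": severity, "issue": issue})

    for ap in aps:
        mode = ap["mode"]
        # Encryption mode: open and WEP networks let anyone nearby join and eavesdrop.
        if mode == "OPEN":
            add(ap, "critical", "open network: anyone nearby can join and eavesdrop")
        elif mode == "WEP":
            add(ap, "critical", "WEP is broken; migrate to WPA2-AES or WPA3")
        elif mode not in ACCEPTABLE_MODES:
            add(ap, "high", f"legacy mode {mode}; migrate to WPA2-AES or WPA3")
        # Passphrase quality only applies where there is a passphrase.
        if mode != "OPEN" and ap["passphrase_len"] < MIN_PASSPHRASE_LEN:
            add(ap, "medium", f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
        # An access point missing from the asset register is probably employee-installed.
        if not ap["managed"]:
            add(ap, "high", "not in the asset register: possible employee-installed access point")
        # Administrator account hygiene.
        if ap["admin_user"].lower() == "admin":
            add(ap, "low", "administrator account still named 'admin'")
        if not ap["admin_password_changed"]:
            add(ap, "high", "administrator password is the factory default")
    return findings


def summary(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity for the report's headline."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_access_points(ACCESS_POINTS)
    for f in results:
        print(f"{f['severity']:8} {f['ssid']:14} {f['issue']}")
    print(summary(results))
```

The properly configured corporate network produces no findings; the unregistered WEP access point in the printer room collects five, including the unchanged factory password, which is the case the second paragraph warns about.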
Assess user training
Software and hardware security aren't enough unless the users know how to avoid mistakes. A security assessment should review training procedures. Sending test phishing messages to see how many people respond will give a good indication of how alert employees are.
Users need to learn to create good passwords and safeguard them. Testing accounts against a list of the most common passwords (such as "password") will catch the weakest ones. If employees make a lot of mistakes, it's time to improve the training procedures.
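The common-password test above is usually applied after the fact; the same list is more useful when enforced at the moment a password is chosen, so weak ones never reach the directory. The Python below is an added example, not code from the original article. Its tiny blocklist stands in for a full published list of common passwords, and the 12-character minimum is an assumed policy value.

```python
"""Screen candidate passwords against a common-password list and basic rules.

Added example (not from the original article). The blocklist excerpt and
the minimum length are constructed; a real deployment would load a full
published common-password list and the organisation's own policy.
"""
import re
from typing import Dict, List

# Constructed excerpt standing in for a full common-password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "monkey", "dragon", "football", "summer",
}
MIN_LENGTH = 12  # assumed policy value

# Common letter-for-digit/symbol substitutions, undone during normalisation.
LEET_TABLE = str.maketrans("0134$@!", "oleasai")


def normalise(password: str) -> str:
    """Reduce trivial variations so 'Summer2024!' or 'P@ssw0rd' match the list.

    Lower-cases, strips a trailing run of digits or punctuation, then undoes
    common substitutions. Stripping happens first so a trailing '!' is not
    turned into a letter.
    """
    p = password.lower()
    p = re.sub(r"[\d\W_]+$", "", p)
    return p.translate(LEET_TABLE)


def check_password(password: str) -> List[str]:
    """Return the policy violations for a candidate password; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS:
        problems.append("based on a commonly used password")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


def audit_requests(requests: Dict[str, str]) -> Dict[str, List[str]]:
    """Screen {username: candidate password} pairs, returning only the rejected ones."""
    rejected = {}
    for user, pw in requests.items():
        problems = check_password(pw)
        if problems:
            rejected[user] = problems
    return rejected


# Constructed password-change requests (not real credentials).
SAMPLE_REQUESTS = {
    "alice": "Summer2024!",                 # common word with a year appended
    "bob": "P@ssw0rd",                      # substitution variant of "password"
    "carol": "aaaaaaaaaaaaa",               # long enough, but trivial
    "dave": "correct-horse-battery-staple-7",
}

if __name__ == "__main__":
    for user, problems in audit_requests(SAMPLE_REQUESTS).items():
        print(f"{user}: rejected ({'; '.join(problems)})")
```

The normalisation step is what makes the list effective: a plain set lookup would accept "Summer2024!" and "P@ssw0rd", yet both are among the first guesses in any common-password test.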
Taking all these steps to evaluate network security will take time and effort, but it's necessary. If it reveals no problems at all, that's wonderful news. Very few businesses are so fortunate. Most will find at least a few serious issues that need fixing to make the network safe. Knowing about them and being able to fix them makes the assessment worth the effort.