Detecting and fixing security holes before they're exploited yields broad savings.

It could be a link in an email, a compromised vendor account or a stolen smartphone. Even as organizations get smarter about guarding their information systems and data, attackers inevitably find new ways in.

Despite sophisticated security systems, many enterprises can still be vulnerable. The U.S. Office of Personnel Management learned that lesson when attackers got past its intrusion detection and prevention system and accessed the personal data of 21.5 million people. For each of the 169 million data records that were publicly breached in 2015, countless others have fallen victim to cybercriminals without detection.

One of the best defenses against intruders is to learn to play their game. CDW’s Comprehensive Security Assessment (CSA) uncovers vulnerabilities by using the same strategies to breach systems that cybercriminals use. Instead of causing irreparable damage, however, CDW shows organizations the gaps in their systems and helps them plug these holes. 

A CSA can help organizations avoid the debilitating costs of a breach and prioritize security spending. CDW’s security threat assessment experts are leaders in the field. This team has been conducting CSAs and helping businesses strengthen their overall security posture since 1998.
 

The importance of understanding your security landscape

Whenever a data breach makes the news, organizations learn new security lessons. For instance, when T-Mobile customer data was breached in September 2015 due to a compromised system at Experian, which runs credit checks for the cellular carrier, IT departments learned that they need to worry about not only their own systems but also those of their partners. 

The problem is that while enterprises are focused on their missions, attackers spend their days finding new ways to access valuable data. To stay safe, organizations need a deep understanding of emergent threats and their own security posture, but they rarely have the time or resources to keep up.

That job is made even more daunting by the breakneck pace of change in technology. Staying abreast of IT trends and their resulting new threats is a full-time job. 

Further complicating matters is the growth of shadow IT, where workers and departments deploy their own technology — everything from thumb drives to cloud-based services — without the involvement of the IT department. A July 2015 study found that a typical healthcare organization runs 10 times more cloud services than are authorized by its IT department. While shadow IT is a natural extension of the consumerization of technology (workers easily finding useful tools on their own), it raises serious security implications. 

As a result, IT departments struggle with a growing list of unknowns, from the stealth hardware and software running on their networks to ever-changing threat vectors. Organizations don’t achieve a truly secure state by checking off boxes from a list. Every organization has unique risks and threats that need to be understood and addressed.

These are just a few of the reasons nearly half of today’s organizations rely on threat assessments. By turning to CDW’s experienced white-hat hackers, organizations can get a third-party perspective on where their weaknesses are, how they’re changing and how to systemically address the security of their infrastructures.

They can also get help in prioritizing their risks from veteran assessment experts who offer in-depth advice customized to clients’ needs. Organizations are free to do whatever they want with this information — there’s no follow-up sales pitch. And the results are secured from attackers; even CDW employees will need permission from the client to view the results. CDW’s CSA can provide the necessary information to build a strong defense so organizations can focus on their missions.

What is a comprehensive security assessment?

Organizations have no shortage of ways to test their security. Some scan for vulnerable ports on network hardware or look for misconfigurations of hardware or software that create vulnerabilities. Others scan for known vulnerabilities due to missing patches. CDW’s CSA goes beyond the tool-based approach used by most security assessments. 

The CSA incorporates industry-leading penetration tests that use human expertise, creativity and logic to discover vulnerabilities that tests often miss. It provides a realistic view of what a cybercriminal could get into if he or she intentionally targeted an organization. 

For instance, CDW’s penetration testers search for passwords that meet most companies’ complexity requirements but are commonly used and exploited. A surprising number of passwords combine the season and year. So while an automated security assessment scanner will overlook passwords such as “Spring2016” or “Spring16!”, CDW’s penetration testers will manually search for them. (Season-based passwords are often popular within organizations that require users to change passwords each quarter.)

Another common vulnerability uncovered by a CSA is a weak link within a trust relationship. For instance, Windows computers have both a user password and an administrator password, the latter of which is often shared between machines on a network. If an attacker can compromise one workstation and access the passwords stored on it, he or she can use the administrator password to log in to other machines within the environment.

CDW’s security threat assessment experts use a variety of tools to aid them in their work. In fact, many of the most widely used tools in the industry were developed by CDW alumni. One such tool, called fgdump, extracts encrypted passwords from Windows systems. Another, called Medusa, is a brute-force tool that runs commonly used passwords through a list of user accounts. 

What distinguishes CDW’s CSAs from other assessments is that each is unique. The team begins with a deep dive into an organization’s security posture, and it customizes the CSA around its findings. 

CDW’s penetration testers know to look beyond workstations and servers when searching for weak or default passwords. In some cases, a major system, such as a data center battery backup or an IP camera system, is left with the default password.

During penetration tests, CDW’s teams are often successful in accessing mission-critical database servers and are able to find financial, intellectual property and human resources information, such as Social Security numbers. Even hospitals, which are governed by strict privacy regulations through the Health Insurance Portability and Accountability Act (HIPAA), often have databases housing sensitive diagnostic information with inadequate or missing passwords. During a security assessment at one hospital, a CDW penetration tester found a pharmacy application running on an Internet-accessible Unix server with a password that was the same as the host name — clearly not a best practice. Recent studies have found that many Internet-accessible radiology systems don’t even have passwords.

Remediation Strategies and Services

Penetration tests are just part of the CSA service. Once testing is complete, the CDW team extensively documents its findings. Some basic penetration testing services simply take the results of the tools they use and reformat them into a report. CDW, however, clearly spells out its findings and recommendations, prioritizing them based on cost, difficulty and likely impact.

Reports include subjective metrics, such as how important the tester feels it is to invest in a particular remedy. They also explain the likely effect on the organization’s security posture and highlight repairs that have low price tags and high impacts. 

What CDW security assessment experts do that few others do is have intelligent conversations with organizations about how to prioritize projects, not just in the near term, but over multiple years. They help enterprises determine which vulnerabilities to address now, which to address in the future, and which are so expensive to fix and unlikely to be exploited that they don’t merit a high priority. These recommendations can help determine how an organization will focus on security projects and plan for its overall long-term security well-being.

Which organizations can benefit from a CSA?

By uncovering vulnerabilities before they’re exploited, any organization can save money, time and its reputation, which more than makes up for the cost of a CSA. But those most likely to get them are larger organizations with established budgets and mature security programs. They rely on trusted partnerships with companies such as CDW to help them uncover difficult vulnerabilities to exploit. 

CSAs also make sense for organizations subject to regulations such as HIPAA, the Sarbanes-Oxley Act or the Payment Card Industry Data Security Standard. A comprehensive examination of their systems can help them if they are at risk for not meeting their requirements.

Beyond testing your compliance standards, the general notion of testing your overall security protocols is good practice.  The adage, “you get what you inspect, not what you expect” is especially true in the world of security.  CDW will work with you to customize your security assessments, which offer value to organizations no matter where they are on spectrum of security strategy maturity. Some organizations that have recently deployed security tools and processes may want to determine if they are working as expected. More experienced security professionals may want a third party to test for vulnerabilities they are missing. CDW can work with customers to customize a layered security strategy that works for them.

Often, organizations come to CDW for specialized assessments in response to high-profile threats, such as phishing attacks. Another rationale for a specialized assessment is to test a new application, such as a website developed in-house. Even if an organization is large enough to have its own programmers, it makes sense to have a third-party assessor conduct a penetration test.