The right way to assess infosec vulnerability

May 04, 2020

Did you know in the U.S. alone, SMBs are spending nearly 10 billion USD each year on security—yet in 2018 over half of midmarket firms experienced some form of data breach? How is this possible? Small businesses are investing more than ever in cybersecurity and yet large numbers of them have little to show for it.
So what’s the issue?
Part of the problem is that many touted cybersecurity solutions (and infosec providers) simply underperform when it comes to:
  • rudimentary blocking
  • asset inventory discovery and management
  • systems configuration
  • patch management
It’s up to infosec managed security service providers (MSSPs) to up their game and solidify their basic security practices. How can they do that? We’ve pulled together a few key areas to focus on.
Industry standards
Looking to baseline standards within the industry is a great place to start. The NIST Cybersecurity Framework (CSF) and the Center for Internet Security's 20 Critical Security Controls (CSC 20) are excellent ways for any MSSP to measure where they and their clients stand. To adhere to these standards, MSSPs have to create a thorough inventory of client environments, including every IT asset.
Start with the hardware
Detailed asset inventories of both authorized and unauthorized hardware should be performed first, according to the CSC 20. How detailed? A good inventory should at the very least have the following:
  • Device type/model
  • Serial number
  • Description
  • Location
  • Install date or lease begin and end dates
  • Owner
  • Department
  • License
  • Applications installed
  • MAC addresses
  • IP addresses/subnets
  • System DNS names
  • NetBIOS names
  • Operating system version
  • Application headers
  • Patch status
  • Risk rating
  • Disaster recovery provisions

It’s also important to include administrative details, e.g., system purpose, asset owner name and the assigned department title for every device. Traditional IT inventory management systems, network scanning and monitoring tools, host-based agents that ‘phone home’ and network access control (NAC) solutions are all great resources for anyone building a device database.
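As an added illustration (not code from Ingram Micro or the CSC 20), the sketch below reconciles an authorized hardware inventory against devices observed by a network scan, flagging unauthorized devices, inventoried devices that were not seen, incomplete records and devices that need patching. The column names, the set of required fields and all sample data are assumptions constructed for this example.

```python
import csv
import io

# Fields this example treats as mandatory (assumed subset of the article's list).
REQUIRED = ("device_type", "serial_number", "owner", "department",
            "mac_address", "os_version", "patch_status")

# Constructed sample data: the authorized inventory, exported as CSV.
INVENTORY_CSV = """device_type,serial_number,owner,department,mac_address,os_version,patch_status
laptop,SN-0001,A. Rivera,Finance,00:1A:2B:3C:4D:5E,Windows 10 1909,current
switch,SN-0002,,IT,00-1a-2b-3c-4d-5f,,behind
printer,SN-0003,J. Chen,Sales,001A.2B3C.4D60,fw 2.1,current
"""

# Constructed sample data: (MAC, IP) pairs reported by a network scan or NAC.
SCAN = [("00:1a:2b:3c:4d:5e", "10.0.0.11"),
        ("00:1A:2B:3C:4D:5F", "10.0.0.2"),
        ("de:ad:be:ef:00:01", "10.0.0.77")]

def norm_mac(mac):
    """Canonicalise a MAC so differently formatted sources compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def missing(row):
    """Return the required fields that are empty in one inventory record."""
    return [f for f in REQUIRED if not (row[f] or "").strip()]

def reconcile(inventory_csv, scan):
    """Compare the authorized inventory with what is actually on the network."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    records = {norm_mac(r["mac_address"]): r for r in rows}
    seen = {norm_mac(mac): ip for mac, ip in scan}
    return {
        # On the wire but not in the inventory: unauthorized or unrecorded.
        "unauthorized": sorted((m, seen[m]) for m in seen.keys() - records.keys()),
        # In the inventory but not observed: retired, offline or misplaced.
        "not_seen": sorted(records[m]["serial_number"] for m in records.keys() - seen.keys()),
        # Records too incomplete to assess configuration or patching.
        "incomplete": {r["serial_number"]: missing(r) for r in records.values() if missing(r)},
        # Known devices whose patch status is anything but current.
        "needs_patching": sorted(r["serial_number"] for r in records.values()
                                 if (r["patch_status"] or "").strip().lower() != "current"),
    }

if __name__ == "__main__":
    for name, value in reconcile(INVENTORY_CSV, SCAN).items():
        print(name, value)
```

Normalising MAC addresses before comparing matters because inventory systems, switches and scanners commonly emit different notations for the same address.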
Don’t forget software and services
Next up is software. Authorized and unauthorized applications need to be inventoried, according to the CSC 20. To execute this properly, a working understanding of every running service in the environment is necessary.
A good software inventory should at the very least contain the following:
  • Name
  • Owner
  • Department
  • License
  • Install date
  • Version and known vulnerabilities
  • Banner/HTTP header
  • Patch status
  • Ports in use
  • Privileges in use
  • Credentials in use
  • Encryption in use
  • Disaster recovery provisions

Configure and patch like a pro
The next step is creating better configuration and patch management protocols. This is done by using the newly inventoried hardware and software to evaluate the security status of each item in the database. Vulnerability assessments should look at the hardware and software system configurations of:

  • desktop PCs
  • laptops
  • mobile devices
  • operating systems

Patch and configuration status of network hardware should also be assessed, including:

  • routers
  • switches
  • firewalls
  • proxies, etc.

After inventory, it’s time to ensure proper configuration via the following:

  • Establishing and getting stakeholder approval for standards of configuration
  • Outlining parameters for initial builds and remediation cycles
  • Observing the configuration and patching compliance environments
  • Continually reassessing risk profiles, threat models, regulatory requirements and mitigation strategies for each client
For more information on vulnerability assessments and how they can help your customers spot and eliminate vulnerabilities, contact the security experts at Ingram Micro.