Why Run Regular Vulnerability Assessments?

Why run regular security tests?

As we probably all know, information security is a broad subject, and for many of us understanding the different layers that can help across this spectrum can at times be difficult. In this blog we look at the risk and at what you, as a business, could do about it.
Over the years, when advising various organisations on the importance of regular vulnerability scanning, the conversation would typically reveal that most had adopted some form of security measure: a yearly manual penetration test, a web application firewall (WAF), ASV PCI scanning, or a combination of the three, to highlight just a few.

What is the actual risk to your business?

The Verizon report suggests that more than 75% of attacks come from external sources rather than from your disenfranchised internal employees. “While this goes against InfoSec folklore, the story the data consistently tells is that, when it comes to data disclosure, the attacker is not coming from inside the house. And let’s face it, no matter how big your house may be there are more folks outside it than there are inside it.” – Verizon Data Breach Investigations Report
Verizon Data Breach Investigation Report: 40% of breaches from web app attacks, 5,334 total incidents through web apps, 908 with confirmed data disclosure. The statistics all point to the same fact: external attacks, and web applications specifically, are a highly likely route for a hacker to exploit.

Three common misconceptions

1) A manual penetration test is important for most organisations, although for various reasons it is not always feasible on a regular basis. An in-depth penetration test will certainly give you a thorough snapshot of your vulnerabilities at that moment in time and allow you to remediate them before a hacker can breach anything that was discovered. However, between one penetration test and the next, how can you confirm that you do not have a major vulnerability in one of your websites?

2) Many organisations feel they are protected by their firewall or other forms of external ‘wrapper-like’ defence. The fact is that no matter what defences you have in place you will not be un-hackable (the dark web specialist Darkbeam believes that more than 98% of businesses have already been hacked; they just aren’t aware of it yet). The landscape changes every day, making it impossible to stay ahead of the game, so to say that having a firewall will protect you unfortunately just isn’t the case. Blue chip companies spend millions on firewalls and still have data breaches.

3) Conducting your ASV PCI scanning is a crucial part of your compliance, but it is important to highlight the difference between PCI scanning and vulnerability scanning. If you swap your compliance hat for your security hat for just a moment, it is fair to point out that passing your ASV PCI scan may give you a false sense of security. A PCI scan limits your vulnerability discovery to the vulnerabilities covered by the PCI standard, which can leave exploitable vulnerabilities outside the PCI remit undetected.

I am sure the points above will sound familiar to many. The key question to ask yourself is whether you should incorporate regular vulnerability scanning into this equation, and whether it is worth the extra cost. The measures highlighted above each close some potential security gaps, but the simple answer is that without regular checks you do not have consistent visibility of your vulnerability landscape and are potentially one step behind a hacker. If you would like more information on how Netshield can assist you please email info@netshield.net or call 0333 200 1636.

are helping businesses across the UK run regular vulnerability assessments please get in touch with ourselves

Netshield Announce Our New Vulnerability Scanning Service, NetScan.

NetScan is a popular and capable infrastructure and web application vulnerability scanner, providing the ability to carry out regular scanning to identify vulnerabilities before they become a huge business security risk.

First Class Scanning.

Unpatched software, configuration weaknesses and software vulnerabilities also need to be managed effectively. NetScan includes a vulnerability assessment module to perform vulnerability scans across your external network infrastructure.

• Access sophisticated scanning and exploit technology designed by experienced penetration testers
• Provides a single platform to identify and manage web application and infrastructure risk
• Confirms vulnerabilities through safe exploitation to eradicate false positives and provide proof of concept
• Prioritise each vulnerability’s remediation
• Generates reports in Microsoft Word and CSV, in PCI and UK Government PSN compatible formats
• Schedule scans to run at any given date and time. Scan at regular recurring intervals with email notification.

Web Applications.

Vulnerabilities within web applications pose a significant threat to your organisation’s network security. NetScan can identify all known web application vulnerabilities and provide exploit capabilities to demonstrate their impact and eradicate false positives.

Many existing web application scanners rely on parsing web pages in order to discover application components (e.g. links and forms). This approach is no longer effective when testing modern web 2.0 based applications. Components generated at runtime using JavaScript, Flash or Silverlight components will remain invisible to traditional discovery techniques.

NetScan employs two integrated crawling technologies to overcome this challenge. Our HTTP/HTML based crawler is used to discover components quickly and to identify hidden components through forced browsing. A second integrated crawling engine then executes web pages in the same way a normal browser would, so any embedded scripts or components are able to run as intended while remaining fully visible to the discovery engine. If a modern web browser such as Google Chrome can access the application, NetScan can crawl it.
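To make the gap between the two crawling approaches concrete, here is an added Python illustration (not NetScan's code, and not from the original page). It runs a source-only link-and-form crawl plus a small forced-browsing pass over a constructed in-memory site, and shows that a form built by JavaScript at runtime is never seen by either, which is exactly the component a browser-executing crawler exists to find. The site contents, the `target.invalid` origin and the wordlist are all constructed for the example.

```python
"""Source-only crawling versus runtime-generated components (added example).

A constructed dict of path -> HTML stands in for a real web server so the
example runs offline and never touches a network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site. /dashboard is not linked from any page, and the
# password-change form on /account only exists after JavaScript has run.
SITE = {
    "/": """<html><body>
        <a href="/login">Login</a>
        <a href="/account">Account</a>
        <a href="https://example.org/external">External</a>
    </body></html>""",
    "/login": """<form action="/login" method="post">
        <input name="user"><input name="pass" type="password"></form>""",
    "/account": """<div id="app"></div>
        <script>
          // Built in the live DOM only; never present in the HTML source.
          document.getElementById('app').innerHTML =
            '<form action="/account/password" method="post">' +
            '<input name="new_password"></form>';
        </script>""",
    "/dashboard": """<a href="/export">Export</a>""",  # unlinked, "hidden"
    "/export": """<form action="/export" method="get"><input name="q"></form>""",
}
BASE = "http://target.invalid"  # placeholder origin, constructed


class LinkFormExtractor(HTMLParser):
    """Collects href targets and form actions from raw HTML without running scripts.
    HTMLParser treats <script> bodies as data, so markup inside them is not seen."""

    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.forms.append((a.get("method", "get").upper(), a["action"]))


def fetch(path):
    """Stand-in for an HTTP GET against the constructed site; None means 404."""
    return SITE.get(path)


def in_scope(url):
    """Only follow links on the same origin as BASE."""
    return urlparse(urljoin(BASE, url)).netloc == urlparse(BASE).netloc


def static_crawl(start="/"):
    """Follow same-origin links found in page source; return (paths, forms)."""
    seen, queue, forms = set(), [start], set()
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        html = fetch(path)
        if html is None:
            continue
        seen.add(path)
        parser = LinkFormExtractor()
        parser.feed(html)
        forms.update(parser.forms)
        for href in parser.links:
            if in_scope(href):
                nxt = urlparse(urljoin(BASE, href)).path
                if nxt not in seen:
                    queue.append(nxt)
    return seen, forms


def forced_browse(wordlist):
    """Request candidate paths directly; return the ones that exist."""
    return {"/" + w for w in wordlist if fetch("/" + w) is not None}


def coverage_report():
    """Compare what each discovery technique finds on the constructed site."""
    pages, forms = static_crawl()
    hidden = forced_browse(["admin", "dashboard", "backup"]) - pages
    extra_pages, extra_forms = set(), set()
    for p in hidden:  # crawl onward from each forced-browsing hit
        pg, fm = static_crawl(p)
        extra_pages |= pg
        extra_forms |= fm
    all_forms = forms | extra_forms
    return {
        "static_pages": sorted(pages),
        "static_forms": sorted(forms),
        "forced_browsing_hits": sorted(hidden),
        "pages_after_forced_browsing": sorted(pages | extra_pages),
        "forms_after_forced_browsing": sorted(all_forms),
        # Still missing: the JS-built form. Only a crawler that executes the
        # page in a browser engine would add it to the attack surface inventory.
        "js_only_form_seen": ("POST", "/account/password") in all_forms,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(coverage_report(), indent=2))
```

The report shows the source-only crawl finding three pages and one form, forced browsing adding `/dashboard` and the `/export` form it links to, and `js_only_form_seen` staying false: the password-change form on `/account` is part of the real attack surface but invisible to anything that does not execute the page's JavaScript.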

• Thorough assessment of all known web application vulnerability classes such as those defined within the OWASP top ten.
• Advanced detection of DOM based Cross Site Scripting (XSS) vulnerabilities through JavaScript taint analysis.
• Decompilation and static analysis of Adobe Flash files.
• HTML5 postMessage analysis.
• Confirmation of discovered flaws through safe vulnerability exploitation.

Identifying False Positives.

A false positive is where a vulnerability scanner indicates there is a vulnerability when in fact there isn’t one. Sorting through scanner results to determine which reported issues are real and which are false positive is a time-consuming process. To eliminate false positives, and to provide proof of concept evidence, NetScan employs safe custom exploit techniques to actively confirm discovered vulnerabilities.

Third Party Applications.

Download custom filtered results and view via HTML, Docx or CSV. NetScan includes a simple JSON data API for retrieving, aggregating, processing and reporting raw vulnerability data for use in third party applications.

Complex authentication schemes are supported when NetScan is supplied with the minimal information, such as a username and password pair. Optionally, a login URL may be provided to direct the scanner where to use the credentials and for scenarios such as single sign-on. The scanner may easily be adapted to support bespoke authentication schemes that require non-standard credentials or processes.

NetScan can provide comprehensive vulnerability assessment and analysis against remote hosts to determine if a misconfiguration exists that could allow an attack to get behind the application and into sensitive data.

Please call us to discuss any aspect of your IT Requirements on 0333 200 1636 or visit our website http://www.netshield.net to find out more about the ways that our expert support and advice will improve the health of your IT.

Netshield Lowers The Up Front Fees Of Cyber Security.

Netshield are happy to be providing Firewall as a Service. This counteracts the massive up-front cost of buying a firewall outright.

This service is a minimum 12 month agreement. The monthly cost includes a new firewall, security subscriptions, and proactive support and management by Netshield. After 12 months you have the option to continue paying the monthly fee and keep the existing firewall, or to upgrade to a new firewall; the new firewall would also be on a minimum 12 month agreement.

We have a fantastic support team who will guide you through the configuration and installation of the firewall as part of the monthly fee. So for a bargain price you receive a brand new firewall, configured and installed, expert management and support from our amazing team, no extortionate up-front costs and, of course, protection for your infrastructure.

Why not speak to us further and learn more about how this service can help your business? Call 0333 200 1636 or email info@netshield.net.

GDPR READINESS SERVICE.

The dreaded four letters: GDPR. For those who aren’t aware of the impact this could have on your business, this is the General Data Protection Regulation. The GDPR will apply in the UK from 25th May 2018. Despite originating from the EU, the UK government has confirmed that Brexit has not affected the decision to implement this new law. GDPR is designed to replace the Data Protection Act 1998. It applies to all ‘data controllers’ and ‘data processors’. So, if you process or control personal data as part of your business, you are subject to the GDPR.

The GDPR places specific legal obligations on data processors:

• You are required to maintain records of personal data and processing activities
• You have significant legal liability if you are subject to, or responsible for, a data breach; data must be processed in ways that ensure maximum security, such as protecting against loss of data and data being stolen.

Ensuring the security of the personal data you hold, whether it relates to employees, clients or the general public, is one of the provisions that is getting business owners and data processors so worried, as the Regulation does not state specifically what constitutes being secure. So how can you be sure you are a) compliant with this new law, and b) keeping all personal data secure?

Over the next month Netshield will be supplying information, offerings and technical advice on GDPR.

We understand the pressure and stress that GDPR holds and in true Netshield style we want to take it all away.

Please stick with us over the coming weeks as we announce our GDPR Readiness Service plans.

PROFESSIONAL CONSULTANCY SERVICE

Do you have any projects, in the near future, which will require Professional IT Consultancy Services?

Look no further. Here at Netshield we are now offering these IT services at a discounted rate until 22nd December 2017. These IT consultancy days are bought with a view to the future. Ask yourself: have I got any projects scheduled which will require consultancy days? Do I require on-site assistance? Would professional IT consultancy benefit my business?

Our IT consultancy days, once bought, are ‘banked’ and can be used at any point you need them. They are perfect for long and short term IT projects and can be used for any on-site assistance your business may need. The benefit of purchasing IT consultancy days in advance is that the business makes a big saving against the normal ad-hoc rates. The site visits are carried out by some of the best IT professionals in the industry; our team will ensure that your objectives are met to the highest possible standards and that you are satisfied with the service received. Netshield also has a number of IT professionals worldwide, so we can provide our IT professional services worldwide if required.

As a special offer, courtesy of our amazing consultants, if you buy a bulk load of ten or more IT consultancy days we will provide you with an extra day free of charge as a thank you.

For any more information please do not hesitate to get in contact on 0333 200 1636 or email info@netshield.net.