What to Expect on a Security Assessment
One of our engineers, Dave Russell, is fond of telling folks “nobody likes to have their baby called ugly.” What this means is that security assessments can sometimes feel intimidating – you’ve spent a great deal of time building a company, its network and systems and training its people. To have someone come in and say, “you’re doing this and that wrong” can be disconcerting.
That’s not what we do.
Our goal is not to call your baby ugly, but to help keep it healthy. As such, our reports, while certainly focused on recommendations, also call out some of the positives we found. What worked out well? Which systems resisted attack? Where did investments in security pay off? We spend time making sure we answer questions like that, too. This makes it not only easier to deliver recommendations, but helps those who pay for security and manage risk to understand just what they’re getting for existing investments.
For nearly every security assessment, the process is similar, and at a high-level looks like this:
- Introductions and contact information exchange
- Understanding the business drivers for the engagement as well as any relevant history for the project
- Explaining the scope of the project and rules of engagement
- Describing what the report will look like, and getting feedback on who will be consuming it
- Logistical matters (travel, schedule, etc.)
- Question and answer period
Our goal is to give you a sense of ease at the conclusion of a project kick-off discussion such that any feelings of dread have gone away, replaced by confidence that you’re taking a valuable step toward securing your environment. If at any time concerns occur, we are committed to remaining accessible 100% of the time, and in fact we encourage our clients to reach out with questions even after the engagement is done (we sometimes get questions from engagements we performed years ago, and that’s OK!)
We want you to feel at-ease during the process. We’re not auditors. We’re there at your behest to help, and we make sure that’s the message we’re delivering to the folks we work with. A positive attitude and well-defined approach are key factors to making your project successful, and making sure we live up to that is our commitment to you.
Sidebar: Will Scanning Break Our Systems?
This is a good question! The short answer is: probably not.
“Wait, only probably?!?!” Unfortunately, yes, we can’t guarantee zero problems. That said, we have seen very, very few disruptions over the recent past and those that have occurred tended to be minor. We also take several steps to help reduce risk and handle any issues that arise, including:
- Letting you know just before scans are to begin, and letting you know when they are over
- Providing our source IP addresses so you can know it’s us and not some ACTUAL attacker
- Providing contact information that can be used immediately should a situation arise
- Watching the scans as they run – we don’t start scans then run off to dinner with no way to handle a problem
- Letting folks know to contact us if anything unusual happens, even if it’s not likely our scans. We’d rather err on the side of caution and pause a scan than have a critical system become unavailable
- Tuning scans to reduce risk – we would rather a scan take twice as long than saturate your server, WAN link, etc. We also disable useless and dangerous scans, and do not conduct denial-of-service type scans
- Contact you if we’re seeing anything unusual or unpredictable
Often, customers will request scans be done after-hours. While we can build this into a project, we find that this is rarely necessary for the following reasons:
- Your external systems are being scanned every day, like it or not. We at least are respectful while doing it!
- Modern scanners and systems are used to being scanned and typically don’t have any issues. When security scanning was still relatively new, this could be a source of problems, but nowadays this is almost always a thing of the past
- If a situation arises that requires your staff, we might be waking someone out of bed, which tends to make people…let’s just say unhappy
- Or worse, a situation arises that no one detects until the next morning when folks suddenly are complaining because a key system is down!
- For internal scans, a lot of workstations and other systems may not be powered on or connected
We strongly encourage scanning during normal hours, ideally non-peak such as morning or late afternoon. It is less expensive and produces better results. So while we cannot guarantee zero-problem scanning, we do everything we can to ensure a smooth, non-disruptive scanning process.