Annual Security Assessments? Well, It’s a Start

Sean D. Goodwin


It’s time to change how we as an industry view security assessments. Many organizations rely on regulatory requirements to drive their testing frequency, which usually leads to performing testing once per year. Some organizations have a semi-annual test for their payment card industry (PCI) environment, but this testing is typically scoped to a subset of their overall environment and is focused on confirming their network segmentation controls.

While performing a test annually will satisfy most regulatory or contractual requirements, it should be seen as the low-water mark when working to secure the environment against modern attackers.

Before I get into the improvements I think we can and should be making, I must admit the idea of an annual test is not all bad. One of the major benefits of a longer testing window is that a longer time between tests allows smaller teams to make meaningful progress on remediation before a whole new list of issues to fix is dropped on their plate. Security assessments differ from audits in that the yardstick you are measured against changes constantly, whereas an audit standard is usually set with years of lead time.

Now on to how I think we can take a different approach, one that will lead to greater security for the organization.

Picture it: instead of a single large annual test, you’ve broken it down into several more manageable security assessments. You no longer have the pesky low-hanging fruit present (LLMNR, NBNS, weak SMB signing, etc.), and you’re probably wondering what you could be working on next. The unfortunate answer for many is that you’ll be waiting 10-12 months to learn what the latest attack techniques are and how they may play out in your environment. Some folks have both the skills and the bandwidth to try to keep up with the firehose of information, but chances are there are 10 other plates you must keep spinning before you also learn how to hack your own network.

This approach also helps to level out the remediation effort. If testing is performed once per year, it is likely to have a larger scope, and with a larger scope typically comes a laundry list of things to fix. By breaking one large test into several smaller tests, you avoid a huge spike in issues and instead have a more manageable remediation workload spread throughout the year.

We’ve started to see organizations split their annual test into more frequent, smaller-scoped tests. These tests are being designed with a few things in mind:

  • Reduce the dwell time between attack techniques being announced and tested in their environment
  • Reduce the time between remediation efforts and validation testing
  • Shift the view of testing to be a proactive security exercise instead of a compliance project

These goals fit well into a cyclical testing process:

[Figure: cyclical testing process. Courtesy of WJN]

Some of the questions to consider when looking at your testing frequency include:

  • How long has it been since your last test?
  • How many findings are still open from that test?
  • How many significant changes have been implemented in your environment since the last test?
  • How many new attacks have made headlines since your last test?

Be sure to adjust your testing frequency appropriately so that you allow adequate time for remediation while keeping yourself agile enough to proactively test new tactics, techniques, and procedures. If you’re looking for someone to assist with your testing and validate your current methodology, reach out to our experts at DenSecure today.

Sean is a Principal in Wolf’s DenSecure group, where he leads engagements across both offensive and defensive security. On the…
