What Is a Cybersecurity Assessment? (Podcast)

Steve Ripper, Senior Network Engineer at PCG, sits down with John Maher to talk about cybersecurity. They discuss new cybersecurity challenges in the wake of the COVID-19 pandemic, especially in relation to remote workers. Then, they explain what businesses should expect in a cybersecurity assessment and cover the key changes most businesses make after an assessment.


John Maher: Hey I’m John Maher. I’m here today with Steve Ripper, Senior Network Engineer at PCG, a Managed Service and IT Provider with headquarters in Portsmouth, New Hampshire and locations in Dover, Manchester, and Portland, Maine. Talking about PCG’s cybersecurity assessments. Welcome, Steve.

Steve Ripper: Hi John, how are you today?

Cybersecurity Changes and Trends

John: Good, thanks. So Steve, how has cybersecurity changed in the last year? And what are some of the trends that you’re seeing?

Steve: The biggest change that’s happened is, so of course we’re all aware there was a pandemic. Right? But maybe not everybody understands how the pandemic changed IT and cybersecurity. The biggest thing that’s gone on, John, is that everybody stopped being at the company. Right?

John: Mm-hmm.

Remote Workers and Cybersecurity Challenges

Steve: They all went home, right? They’re all working from their home. So, from a security standpoint, where we were able to look at, John, like, we need to secure that one location. Right? We’re able to put, for lack of a better term, we put our thumb right on it. We can put a firewall there. We know where all the antivirus is. We know what we have to protect. Right? Suddenly, where we were looking at one network, we’re now looking at 30 networks, if a company has 30 people. Right?

So, where are they? What do they have at home? What are they doing? Are we seeing them? Are we seeing the traffic? So, that absolutely made it much more complex. As we’re discussing this today, John, I’ll call them the bad actors. Right? The bad people out there.

They are uniquely aware of that. That now they have… It’s a target-rich environment, right? They’re not trying to break into that one company’s very high end firewall. They now have users out there who are just… Who knows what they have at home. Right? Who knows what kind of a setup they’re using and what they’re doing for that traffic. So, it’s gotten far more complex because of how distributed all of these companies are.

And then you have a whole bunch of new technologies, John, Zoom, Teams, so the video. We’ve all seen stuff in the news about where meetings got interrupted or hacked. Right?

John: Right.

The Risk of Phishing Emails With Remote Teams

Steve: And all of this standard stuff that we’ve always talked about, phishing, scams, email scams, where we’re trying to trick the users. It’s actually easier to trick the users when the user is at home by themselves.

A lot of people don’t understand that or wrap their head around it, that users are actually safer when they’re in environments where they can talk to each other. Right? You can lean around the cubicle and you can go, “Hey, I got this email. Did you get that email?”

And then the other person goes, “Yeah, I got that too.” When they can compare notes, John, then the kind of… the trick is up, right? That the bad person is actually starting to run into a problem. Right? But now, you’ve got people who are working in their home office. Right? So they don’t ask if that’s real. They don’t verify.

John: Right.

Steve: So a lot of things have changed. It’s gotten far more difficult to manage the scenarios involved where, people are together, they’re not together anymore. And so that’s really gotten complex.

What Are Cybersecurity Assessments?

John: Okay. So what can a company do to respond to this new reality that we’re living in, where people are at home? And maybe they’re in an apartment and they’re on an open wifi, so that anybody can get onto their network. Or they’ve got kids using their computer and who knows, maybe putting a virus on there or something like that. What can a company do to help combat things like that?

Steve: Yeah, sure. So the biggest thing that we do and why we call this podcast The Security Assessment is, to get a security assessment. It’s very much like going to your doctor and just having checkup. So you’re not necessarily going for a specific thing, you’re going to say, “Give me the large overview of what’s going on with me.” And that’s what security assessments do for your company. You’re having us go and look at all of the things that are going on.

The National Institute of Standards and Technology (NIST) Framework

Steve: So we’re going to use what we call, NIST. NIST is the four-letter… We love four-letter designations for everything. NIST is what we think of as the framework or the playbook of what we do when we look at security. It talks about concepts like, “Okay, so what do we need to protect?” So we need to know what we’re protecting.

What are we doing to protect that? What are we putting in place? Whether it’s antivirus, whether it’s training, whether it’s a firewall, whether it’s a review of the data. What are the ways that we can prevent things from happening and we specifically talk about prevention. Again, antivirus fits into that, monitoring.

And then, what are the responses? So what happens when something security wise breaks? If you get hacked, you get breached, what do we do to fix that? Things like backing up, right? So, recovering from backups are all a part of that. And then the last one is, review. What happened? A post-mortem right? How did that happen? Where did we fail in our security, and how do we fix it?

So, NIST is where we look at this whole holistic way of looking at things and apply it to what’s going on at the company. We’re going to talk and ask lots of questions. We’re going to do some scans and some probes, right? We’re going to try to pretend like we’re the bad actor and see if we can get in. Okay? We’re going to add lots of questions that are saying, “What data do you need to protect? Why are you doing this?” That’s a big question. “What does your company do for work? What is its focus?” Those types of things, John, are going to tell us where we should be looking.

There’s things that we need to think about, if you’re a financial services company, that may be different than if you’re a manufacturing company, or if you’re a medical company. So you have like an EMR software that has patient data. That’s different than say, what, again, that manufacturing company is. So, the security assessment is going to kind of go through all of the different questions that we have to understand what your risks are and what we can do about them.

Factors Driving a Security Assessment

John: Okay. And so what are some of the factors that would drive a security assessment?

Steve: Yeah. So, I kind of touched on it a little bit, John, but it’s interesting to me… One of the first questions I always ask when I do a security assessment for a company is kind of, “What brought you to us in the first place?”

It’s not unlike how a doctor does it. The doctor will kind of go, “Look, I know you’re here for a checkup, but tell me, is there anything I should know right away?”

John: Right.

Steve: For some companies, they’re being told they have to. They didn’t really come across it themselves. So if they do manufacturing for say like, The Department of Defense or a city or state government, or a sector of their industry, there may be a specific policy requirement that requires they go through and shore up their security. So they’re coming to us for an assessment that’s saying, “Where are we not meeting the policy?”

So when we do those, John, we actually have policy requirements that we can then look at. Maybe it’s SOX, maybe another CJIS for the law enforcement groups, where the policy is clearly defined, right? Or a DOD policy where the policy says, “You need to have this, this, this, and this done. And if you don’t do it, we cannot do business with you.” So, that gives us a framework against where we need to look at what’s happening and go, “Yes, you meet some of this and you don’t meet the others.” Okay?

Other companies, John, will just come to us and go, “We’re worried about this.” Right? “We had… Two people had their passwords hacked.” Okay. “They fell for a phishing scam.” Okay.

And so, that prompted us, as leadership, to go, “Maybe we need to start looking at this in the big picture.” And that’s why… So some companies just come to us and go, “We need this done. We need to know the answers to these questions.” Other companies are being… It’s a requirement that they have to meet.

What to Expect With a Cybersecurity Assessment

John: And so, what does this look like? What can a company expect when they’re going through an assessment?

Steve: Yeah, sure. So the assessment, it’s going to be in stages, right? It’s not just a one-time thing. It’d be nice if it was, but it’s not. So you need to go through stages. Takes about, maybe three to four weeks. Right? And it looks like… So stage one is going to be just the introduction stuff. What does your company do? Why are you coming to us? What do you think your vulnerabilities are?

1. Getting to Know the Company

Steve: If I asked you, and it doesn’t matter that you’re not IT related or cybersecurity related, but maybe as a company, president or a financial… a CFO or a security… You’re tasked with this project, what do you think your problems are? Do you know what they are? Because a lot of companies will come back, will inform our choices and where we’re going right away. They’re like, “Listen, we know our passwords are terrible. Right? We’ve never really enforced them. Everyone just has like a five letter password, and sometimes it’s their grandchildren.”

John: Right.

Steve: Right? So, they’ll come back right away and just tell us immediately where the problems are. So that first section is just getting to know them, getting to know their business. What are they doing? You’re in financial, you’re in manufacturing. Right? What are your applications? What are the programs that you use that are specific to your industry that you’re in, and then we can go look at those. Right? So that’s going to be step one.

2. Reviewing Existing Cybersecurity Tools

Steve: Step two is going to be just, where we do scans. We try to pretend like we’re the bad actors, John. We’re going to do a scan of the outside of their network. Can we get in through their equipment? What vulnerabilities do we come across? And we have tools for that. We’re going to run a scan on the inside of the network. We have tools for that as well. That’s going to tell us where datasets are, what programs are there, what patch levels are not where they’re supposed to be. All kinds of things like that. Usernames, passwords, where the vulnerabilities are.

3. Assessing Cybersecurity Processes

Steve: Once we have those two pieces, step one is getting to know you, step two is running scans and trying to figure out where the vulnerabilities are, we’re going to do us a third session with you again, where we’re going to ask all of, as I described, the NIST framework questions. There are specific questions that are going to ask, what is… Do you have a password policy? Do you have software on your PCs that protects you, such as antivirus? Right? Do you have a security system in your building? Do you escort visitors? Okay?

We’re going to go through all of the questions. There’s about a hundred, maybe more. We’re always adding and changing because the security requirements change. Right? And we’re going to go through all of those questions and get your honest answers about them. And then, once that’s done, John, we’re going to do… we’re going to take those three phases and put them together into phase four, which is, create the report and submit the report.

4. Creating the Cybersecurity Assessment Report

Steve: So that report back to you is going to have what we found out when we first met you. It’s going to be what we found out when we tried to do penetration testing and scanning of your network. It’s going to be what we found out from you when we just asked you the serious questions. We’re going to put that into a report that reports back what we found.

5. Reviewing the Cybersecurity Report

Steve: And then, you’re going to review that report, and we’re going to go to stage five, which is just… The review of the report is very much just a, did we get it right? Does that make sense? Does that reflect reality for your company? And just come back and say-

John: Right. Is there anything that I disagree with, or something like that.

Steve: Exactly. It’s a fact checking. It’s like, you’re going to go through it, John, if I’m doing one for you and you’re going to go, “Yeah. That part isn’t true. I know that you asked that question, but that’s actually not real.” Once that happens, we go to last five, which is, we’ll submit the report again, John, but also our recommendations, because, just saying that you don’t… that your password policy is bad, isn’t necessarily useful. So a lot of times, you need our expertise to go, “This is what we suggest you do to remediate this.” Okay? “This is how you’re going to meet that policy. This is how you’re going to get secure.” Okay? “We think you should do this, this, this, this, and this.” And then, that’ll be done. So, that’s basically the five steps through, and that’s what it’ll look like.

Typical Recommendations From a Cybersecurity Report

John: What are some of the typical recommendations that you see that come out of a security assessment or some of the most common ones?

Antivirus Software and Firewalls

Steve: A lot of companies will have some of this stuff nailed down pretty good, John. It’s rare that I come across a company that doesn’t have any antivirus across the board.

That’s an obvious recommendation right away. You should. You should have security type software. Most companies have some kind of a firewall. Right? So, those are things that most companies… They’re locking their front door. So those are standard recommendations, and most companies meet those.

Training Users

Steve: But there’s quite a few that are common in the recommendations where they don’t do things like, are you doing training for your users? Are you doing regular training sessions to teach them what to do and what not to do? Most companies are just, “No, we’re not really.” Most companies don’t think about interrupting the productivity of their users-

John: Sure.

Steve: To do training is a common recommendation that comes back.

Surveying Remote Workers About Cybersecurity at Home

Steve: Other common ones are, are you doing surveys to your users to find out what they’re using at home? To go back to where I led with this, John, you know what you have at the company, but do you know what your accounting person has at his or her house? You probably need to find that out.

So maybe surveys. Survey everyone with a list of questions that they can answer with what equipment they’re using at home, is a standard recommendation that comes back. Backups aren’t being done regularly, get better scheduled backups.

Improving Backup Protocols

Steve: Or more common with backups is, it’s not necessarily, are you backing things up, but are you testing your backups? Do you know that your backups work? As I mentioned earlier, when you get to that NIST part of it, if you have to do a recovery, do you know you can do a recovery?

So, those are common recommendations. Maybe stronger antivirus software, better intrusion prevention, maybe some of the tests that we ran, John, will uncover things like, this port is open. Why is it open? You don’t know why. It’s been open for years. We should close it. Things like that. So, recommendations that really shine a light on some sections that the company never really looked at. Okay?

Schedule a Cybersecurity Assessment Today

John: Yeah. That’s great information, Steve. Yeah, thanks, again, for speaking with me today.

Steve: Yeah. No, it was great. Security is the idea that you’re shining a light, so anytime somebody comes and asks, “Well, what should we be doing?” That’s our chance, right? To try and get out there and talk about it, because if you don’t, then, John, we get the call when you’ve already been breached, and that’s a terrible call, right?

John: Absolutely. All right. Well, that’s great, Steve. And thanks again. And for more information, visit the PCG website at, or call 603-431-4121.