Organizations have no shortage of ways to test their security. Some scan for vulnerable ports on network hardware or look for misconfigurations of hardware or software that create vulnerabilities. Others scan for known vulnerabilities due to missing patches. CDW’s Comprehensive Security Assessment goes beyond the tool-based approach used by most security assessments.
The CSA incorporates industry-leading penetration tests that use human expertise, creativity and logic to discover vulnerabilities that tests often miss. It provides a realistic view of what a cybercriminal could get into if he or she intentionally targeted an organization.
For instance, CDW’s penetration testers search for passwords that meet most companies’ complexity requirements but are commonly used and exploited. A surprising number of passwords combine the season and year. So while an automated security assessment scanner will overlook passwords such as “Spring2016” or “Spring16!”, CDW’s penetration testers will manually search for them. (Season-based passwords are often popular within organizations that require users to change passwords each quarter.)
Another common vulnerability uncovered by a CSA is a weak link within a trust relationship. For instance, Windows computers have both a user password and an administrator password, the latter of which is often shared between machines on a network. If an attacker can compromise one workstation and access the passwords stored on it, he or she can use the administrator password to log in to other machines within the environment.
CDW’s security threat assessment experts use a variety of tools to aid them in their work. In fact, many of the most widely used tools in the industry were developed by CDW alumni. One such tool, called fgdump, extracts encrypted passwords from Windows systems. Another, called Medusa, is a brute-force tool that runs commonly used passwords through a list of user accounts.
What distinguishes CDW’s CSAs from other assessments is that each is unique. The team begins with a deep dive into an organization’s security posture, and it customizes the CSA around its findings.
CDW’s penetration testers know to look beyond workstations and servers when searching for weak or default passwords. In some cases, a major system, such as a data center battery backup or an IP camera system, is left with the default password.
During penetration tests, CDW’s teams are often successful in accessing mission-critical database servers and are able to find financial, intellectual property and human resources information, such as Social Security numbers. Even hospitals, which are governed by strict privacy regulations through the Health Insurance Portability and Accountability Act (HIPAA), often have databases housing sensitive diagnostic information with inadequate or missing passwords. During a security assessment at one hospital, a CDW penetration tester found a pharmacy application running on an Internet-accessible Unix server with a password that was the same as the host name — clearly not a best practice. Recent studies have found that many Internet-accessible radiology systems don’t even have passwords.
The Benefits of a CSA
If an organization is looking to check off a box on an audit list, it can opt for a simple security scan. A CSA from CDW, on the other hand, is for those who want to take meaningful steps to improve security.
Regardless of an organization’s size, resources or security budget, a CSA will uncover issues that wouldn’t otherwise show up on an automated scan, because CDW’s security threat assessment experts use their creativity and expertise to provide a complete picture of an organization’s security posture.
A CSA offers a clear view of an organization’s vulnerabilities. It also includes a thorough report that suggests remediation projects based on the degree of vulnerability, complexity, cost and other factors of importance to the organization. This helps the organization prioritize not only its security efforts but also its security budget.
CDW’s security assessment experts explain strategies to address threats uncovered during penetration testing and help organizations address compliance issues. But they also go a step further to educate organizations so they can build ongoing programs, improve their security training programs and raise their overall security awareness.
Training is essential for enterprises to realize the full benefit of a CSA. It’s far easier for attackers to exploit users rather than technology. Even if an organization patches all of its software, all it takes is one uninformed employee to compromise its information resources.
Learn more about CDW's experts and CSAs by downloading the white paper "Comprehensive Security Assessment."