Databases, servers, workstations, tablets, phones, scanners, warehousing technology, shipping systems, power, and site security are just some examples where vulnerabilities exist. Add in natural disasters such as fires, floods, and earthquakes, and it sometimes seems like a miracle that you can make it to the end of a working day without any catastrophe hitting.
The right vulnerability testing, security assessment, and ongoing management of your IT resources can help bring your stress level down and ensure your company will have many more working days ahead.
Vulnerability Compared to Risk
A vulnerability is a weakness or openness to attack or damage. Vulnerability testing is usually paired with a vulnerability assessment, which measures the potential damage by putting a business value on each resource (hardware and software assets, systems, data, information, and intellectual property, to name a few) and estimating the likelihood of that resource being damaged or compromised.
This may sound similar to a risk assessment, but there are differences:
- Risk combines the likelihood of an event with its impact (i.e. cost) on an item or resource. In formal risk management, risk can be positive or negative.
- Vulnerability is the specific exposure point: the way a resource can be attacked, and what the compromise of that resource implies for the other resources connected to it. A vulnerability is only ever negative.
Following up on possible chains of events is therefore an important part of vulnerability testing.
What Should Be Tested for Vulnerability?
Although every major resource needed to keep a manufacturer, distributor, or wholesaler operational should be checked, IT resources get the lion’s share of the testing. One reason for this is that technology now cuts across almost every other activity in the organization.
Within IT, it’s important to understand which vulnerabilities should be tested as a priority. As an example, which would more dramatically affect your company: your IT server crashing or the confidential customer data it holds being stolen?
Companies sometimes fall short by thinking only of the vulnerability of the IT equipment itself and its immediate impact on operations, rather than the value of the information it holds and the wider business impact if that information is lost or exposed.
How Should the Testing Be Done?
Automated vulnerability scanners test at a technical level for known weaknesses: missing patches, default or weak configurations, and services that should not be exposed. They are cost-efficient but basic: they only find what their checks already know about, and finding is not fixing, so their output needs a process behind it to patch or mitigate what they report. Done in-house or as part of an outsourced IT service, this kind of testing may be sufficient for secondary or non-strategic systems, applications and data.
Scanning should, however, be supplemented with checks on IT staff and employee security procedures: for example, confirming that nobody shares logins or keeps passwords where others can read them. Strategically important systems and data may warrant penetration testing, in which a tester behaves like a skilled attacker deliberately targeting that system, chaining weaknesses together rather than simply listing them.
Chains and Fuzzing
The following two aspects of vulnerability testing of IT resources are of particular interest:
- Identifying chains of effects. Attackers are adept at leveraging a small initial foothold to build up knowledge of and control over a victim's network. A user login for a print server might not seem like a big deal. But if that print server sits on a network segment that can also reach a database application with a SQL injection vulnerability, the foothold becomes a path to the administrator credentials stored there. A scanner reports each weakness on its own; the damage comes from the chain.
- Fuzzing. Typically, it's impossible to run every possible test – there just isn't time. Fuzzing is a different approach. The idea is to stumble upon unknown vulnerabilities by feeding the system large volumes of malformed or randomly mutated input and watching for crashes and unexpected errors, rather than continually retesting the standard paths through a system that have already been shown to be well-protected. Any crash found this way is a bug worth fixing, and often an exploitable one.
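Both points above in one worked example, added here and not taken from the original article: a constructed inventory lookup with a SQL injection flaw (the weak link in the chain), a parameterized version beside it, and a small mutation fuzzer that feeds mutated product names to each. A SQL syntax error thrown by the vulnerable lookup is the fuzzer's signal that input has reached the query parser; the hardened lookup produces none. `demo_chain` then shows the step from that flaw to the administrator credentials in the neighbouring table. Everything here (table names, sample rows, function names, the mutation dictionary) is an assumption made for illustration; the code uses only the Python standard library.

```python
"""Added example (not from the original article): a mutation fuzzer aimed at a
constructed product lookup with a SQL injection flaw, and the chain from that
flaw to admin credentials stored beside the product data."""
import random
import sqlite3
import string


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: products, plus an admin table that should
    never be reachable through the product search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, qty INTEGER);
        INSERT INTO products VALUES ('widget', 120), ('gasket', 40);
        CREATE TABLE admin_users (username TEXT, password_hash TEXT);
        INSERT INTO admin_users VALUES ('admin', '$2b$12$constructed-hash');
    """)
    return conn


def find_product_unsafe(conn, name: str):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = f"SELECT name, qty FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_product_safe(conn, name: str):
    """Hardened: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name, qty FROM products WHERE name = ?", (name,)
    ).fetchall()


# Dictionary of tokens a fuzzer would try against anything that builds queries
# (assumed list, chosen for illustration).
TOKENS = ["'", '"', ";", "--", " OR 1=1", "\\", "%"]


def mutate(s: str, rng: random.Random) -> str:
    """Apply one random mutation: replace, insert, insert a token, delete, truncate."""
    choice = rng.randrange(5)
    if choice == 0 and s:
        i = rng.randrange(len(s))
        s = s[:i] + rng.choice(string.printable) + s[i + 1:]
    elif choice == 1:
        i = rng.randrange(len(s) + 1)
        s = s[:i] + rng.choice(string.printable) + s[i:]
    elif choice == 2:
        i = rng.randrange(len(s) + 1)
        s = s[:i] + rng.choice(TOKENS) + s[i:]
    elif choice == 3 and s:
        i = rng.randrange(len(s))
        s = s[:i] + s[i + 1:]
    elif s:
        s = s[:rng.randrange(len(s))]
    return s


def fuzz(target, seeds, iterations=2000, seed=1):
    """Feed mutated seeds to target; any exception is a finding.
    Returns {exception type name: first input that triggered it}."""
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except Exception as exc:
            findings.setdefault(type(exc).__name__, data)
    return findings


def demo_chain(conn):
    """The chain from the text: the product search is the foothold, the admin
    table is what the attacker actually wants. The UNION payload is constructed."""
    payload = "x' UNION SELECT username, password_hash FROM admin_users --"
    return {
        "unsafe": find_product_unsafe(conn, payload),
        "safe": find_product_safe(conn, payload),
    }


if __name__ == "__main__":
    db = setup_db()
    print("unsafe findings:", fuzz(lambda s: find_product_unsafe(db, s), ["widget"]))
    print("safe findings:  ", fuzz(lambda s: find_product_safe(db, s), ["widget"]))
    print("chain:", demo_chain(db))
```

The fuzzer only sees exceptions, so it catches the injection through the database's own syntax errors; a payload that keeps the query syntactically valid (the `demo_chain` one does) is invisible to it, which is exactly why a found crash should be followed up by hand the way a penetration tester would.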
Is your LA manufacturing or distribution company using vulnerability testing? Give us your point of view in the Comments box below.
And to follow-through on the tips introduced in this short article, be sure to download your free guide, How COOs at Los Angeles Distributors and Manufacturers Get More Done: A Guide to Productivity, Data, Staffing, Delegation, and Making It Home for Dinner Most Nights.