How to get the best from a web security analysis
With homeworking continuing for the first few months of 2021, web security has become a top-of-mind consideration for many business owners. Denis Koloshko, CTO at IDS Group, guides us through what to expect from a web security analysis and how to get the best out of the process.
Just as you would plan to protect your home or car from malicious intent, the same principles of protecting your company’s assets should be applied to your IT processes and strategies. If you're a small or medium-sized business without the backup of an internal IT department, what practical steps can you put into place to protect your digital data from potential breaches or cyberattacks?
The most efficient and cost-effective way of managing your IT security is to engage with a firm of independently certified security experts to complete a thorough examination of your systems. They will test and identify the key areas that present a potential risk to your business.
Business benefits and legal requirements
The most obvious benefit of carrying out a web security analysis is to minimise the risk to your business. By identifying potential vulnerabilities, the necessary shields and procedures can be put in place to protect sensitive data.
With cyberattacks and data breaches continuing to rise, many businesses are now looking to only work with partners and suppliers that can demonstrate they have robust security solutions in place.
Web security now falls under many regulations such as SOC2, ISO 27001 (27002), HIPAA, PCI DSS and GDPR, so in many cases, this falls under legal compliance.
Although each firm’s requirements will be specific to their business needs, typically, a web security analysis should cover the following steps:
- Manual penetration testing
- Manual code review
- Architecture security analysis
- Infrastructure security analysis
- Automatic scanning for vulnerabilities
- Risk assessment
- Development of recommendations
- Recheck of fixed vulnerabilities
Practical internal steps that SMEs can take
Most businesses will be able to carry out the technical and organisational measures required to comply with the EU GDPR regulations without involving third-party consultants. Reading up on compliance checklists, self-assessment tools and GDPR toolkits is a good place to start.
Risk management is another area you can carry out your own internal assessment.
Key questions that need to be considered are:
- What is the impact on the business if a particular web system is down?
- What is the risk if the data in the web system is corrupted?
- What happens if backups are corrupted – how can you restore data?
- What threat does a sensitive data leak pose to the business?
Once the risks are known and understood in terms of likely disruption and cost to the business, if they were to arise, they need to be defined on a risk register. You can then implement a mitigation plan to protect your business' prioritised assets.
There are many risk management tools available on the market, or you can even use a simple spreadsheet listing out defined risks – something similar to these samples will work well.
What to look for when selecting a third-party web security analysis provider
A good place to start would be a check on their credentials. Look for international certifications such as the Government-backed Cyber Essentials, Microsoft-certified professionals, Microsoft-certified technology specialists, certified information systems security professionals (CISSP), certified ethical hackers (CEH), offensive security web experts (OSWE), ISO27001-certified ISMS lead auditors (CIS LA).
Once you’re happy with the initial background results, ask for examples of their experience and test their knowledge on the Open Web Application Security Project (OWASP) top ten cyber threats.
Penetration testing should form a major part of any planned analysis. Ensure that any proposed work covers the following areas: information gathering, identity management, authentication and authorisation, session management and input validation, data access, error handling, weak cryptography, business logic, and client-side vulnerabilities.
By identifying the key factors and creating a ‘risk register’, a final report should be presented that advises on all the necessary processes required to protect your prioritised assets, including an agreed scale of work with clearly defined actions and deadlines.