Concerns about security are escalating. Nearly every day, new malicious attacks, Phishing attempts and malware are identified. In addition, new vulnerabilities, such as the exploitable vulnerability recently identified by Microsoft, continue to be discovered. It all leads to the same challenge: How do you create a strong security posture to protect your business?
Leveraging the Center for Internet Security’s (CIS) Critical Security Controls is a solid place to start and is part of the evaluation provided with OneNeck’s vCISO service. The controls—which OneNeck leverages to complete annual security assessments and third-party audits—are a series of cybersecurity actions prioritized by their criticality in preventing cyberattacks. In particular, the first six controls (referred to as the Basic Control set) focus on cybersecurity "hygiene." Studies show that implementation of these first six CIS Controls can provide an effective defense against about 85 percent of the most common cyberattacks.
In addition to leveraging the CIS controls, using third-party penetration (pen) testers offers businesses a way to ensure the controls put in place are effective. OneNeck leverages third-party pen testers at least annually. A recent pen test revealed OneNeck has “Strong External Network Security Controls” in place and that our systems and services are well-patched and maintained.
In large part, this positive commentary is due to the fact that we scan our external facing services multiple times a month. We also perform detailed internal security scans, which provide a holistic understanding of the security of our environment. Don’t take our word for it though; contact your Account Executive to request a copy of our penetration test report.
Security Rating Services (SRS) reports are another tool many businesses rely on to evaluate the security practices put in place by potential IT partners. Generated by companies such as Bitsight and RiskRecon, the SRS reports are similar to a “credit score” in that the scores vary based on the data available. Instead of reporting on a provider’s full environment, SRS reports only include external facing data (e.g., web servers that face the internet). In fact, a provider’s internal practices are completely overlooked, primarily because the SRS aggregators don’t have access to a provider’s internal-facing data.
In addition, most SRS reports assess all IP addresses assigned to a company through ARIN. For a company like OneNeck, because we offer colocation services, we have IP addresses assigned to company-owned and controlled devices AND customer-owned and customer-managed devices. In these instances, where the customer owns and manages their devices, OneNeck does not have authority to access or make changes to devices. This scenario became very evident recently. An SRS report identified more than 2,000 IP addresses (affiliated with OneNeck) had been scanned; however, nearly two-thirds belonged to customers in which OneNeck did not have access or authority to make changes to their environment. Of the OneNeck controlled devices, all of the vulnerabilities had been previously discovered through our own internal scanning and being actively addressed or retired.
The bottom-line: Creating a strong external security posture is critical. There are many tools and steps businesses can leverage to protect their data and environments. As, always, it’s important to understand the details, verify the reports, and ensure equivalent data is being compared.
Want to learn more? Check out additional security resources here.