Team Blog
Understanding Information Security Services: Security Assessment, Vulnerability Scan, and Penetration Test
This article aims to demystify three crucial security services: Security Assessment, Vulnerability Scan, and Penetration Test. These terms are often misunderstood and incorrectly used interchangeably.
By: David Gatewood – November 2024
CEO ToriiGate Security Consulting, LLC
New cyber incidents are reported almost daily across media outlets worldwide. Many more go unnoticed or unreported for various reasons.
According to research from IBM in 2022 (http://www.IBM.com/reports/Data-breach), the average cost of a data breach in healthcare is $10.1M, with the possibility of additional General Data Protection Regulation (GDPR) fines of up to 4% of the company's worldwide revenue from the previous year. GDPR is a Regulation in EU law on data protection and privacy.
According to the FBI’s Internet Crime Report 2023 covering 2022 (https://www.aha.org/cybersecurity-government-intelligence-reports/2024-03-11-federal-bureau-investigation-internet-crime-report-2023):
800,944 complaints reported to the FBI’s Internet Crime Complaint Center (IC3) with losses exceeding $10.3 billion.
Phishing schemes were the most reported crime type with 300,497 complaints.
Investment fraud resulted in the highest financial loss at $3.3 billion, a 127% increase from the previous year.
Cryptocurrency investment fraud rose from $907 million in 2021 to $2.57 billion in 2022.
For 2022, the Internet Crime Complaint Center statistics released in 2023 show (https://www.fbi.gov/contact-us/field-offices/springfield/news/internet-crime-complaint-center-releases-2022-statistics):
880,418 complaints registered with IC3, with potential losses exceeding $12.5 billion.
Investment fraud losses increased to $4.57 billion, a 38% increase from 2022.
Business email compromise (BEC) scams resulted in $2.9 billion in reported losses.
Ransomware incidents increased by 18% from 2022, with reported losses rising from $34.4 million to $59.6 million.
According to PURPLESEC (https://purplesec.us/resources/cyber-security-statistics/):
Small and medium-sized businesses (SMBs) are targeted in over 50% of all cyber attacks.
The average cost of a data breach for small businesses ranges from $120,000 to $1.24 million.
It is estimated that, worldwide, cybercrimes will cost $10.5 trillion annually by 2025.
Enterprises experienced 130 security breaches per year, per organization, on average.
Introduction
In today's digital landscape, the need for robust information and cybersecurity measures within businesses is more critical than ever. This article aims to demystify three crucial security services: Security Assessment, Vulnerability Scan, and Penetration Test. These terms are often misunderstood and incorrectly used interchangeably.
Misconceptions and Realities
Having spent over twenty-five years in the information security industry, I've noticed persistent misconceptions, especially among non-security professionals. A prevalent myth is that a penetration test involves merely pressing a button and waiting for an automated report. However, this is far from the truth. Often, what clients truly seek is a security assessment or a high-level review of system settings within a planned deployment environment.
The Triad of Security Services
Security Assessment
A Security Assessment is a high-level review of available security settings for various elements including networks, servers, cloud environments, printers, applications, and IoT devices. It is conducted by a security team or architect, comparing these settings against the company's security policies. Where company policies are lacking, the reviewer may reference, among other sources in the United States, the National Institute of Standards and Technology (NIST – nist.gov), the Open Web Application Security Project (OWASP – owasp.org), and the Cybersecurity and Infrastructure Security Agency (CISA – cisa.gov). This assessment is best performed during the design phase, prior to deployment, and should not be confused with a vulnerability assessment.
Vulnerability Scan
A Vulnerability Scan is typically conducted via automated tools to identify potential security vulnerabilities in production-ready systems and applications. These tools must be regularly updated to detect emerging threats. While useful, they can generate false positives, as they may not consider mitigating controls or layered security measures. The analogy of shining a flashlight into a dark area to check for a padlock without verifying if it is actually locked aptly describes the limitation of these scans. To enhance security posture, it is recommended to integrate automated security vulnerability scans into regular monitoring. This practice will ensure that alerts are promptly triggered if there are any changes in configurations or if new systems are introduced with missing settings or patches, thereby mitigating potential risks.
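The monitoring practice described above, the assessment's policy comparison, and the false-positive caveat can be shown together in one small drift check. The following is an added example written for this post, not a tool ToriiGate uses or describes: it compares a scan snapshot against an approved baseline and a default policy, reports changed settings, missing patches, newly exposed ports and unknown hosts, and keeps an explicit exceptions list so that a finding covered by a mitigating control (here, an assumed port that is only reachable through a WAF) is not raised again on every scan. All hosts, settings, dates and ports are constructed values.

```python
"""Baseline drift monitor (added example, not ToriiGate's tooling)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    kind: str     # new_host | setting_drift | missing_patch | new_port
    detail: str


# Default policy applied to every host, known or new (constructed values).
POLICY = {
    "required_settings": {"tls_min": "1.2", "ssh_password_auth": "no"},
    "min_patch_level": "2024-09-01",   # ISO dates compare correctly as strings
}

# Approved baseline from the last signed-off assessment (constructed).
BASELINE = {
    "web01": {"settings": {"tls_min": "1.2", "ssh_password_auth": "no"},
              "patch_level": "2024-10-01", "ports": {443}},
    "db01":  {"settings": {"tls_min": "1.2", "ssh_password_auth": "no"},
              "patch_level": "2024-10-01", "ports": {5432}},
}

# Accepted exceptions a reviewer signed off: (host, kind, detail).
# Constructed: port 8080 on web01 is assumed to sit behind a WAF.
EXCEPTIONS = {("web01", "new_port", "8080")}

# Today's automated scan output (constructed). app02 is a new, unpatched host.
SCAN = {
    "web01": {"settings": {"tls_min": "1.2", "ssh_password_auth": "yes"},
              "patch_level": "2024-10-01", "ports": {443, 8080}},
    "db01":  {"settings": {"tls_min": "1.2", "ssh_password_auth": "no"},
              "patch_level": "2024-06-01", "ports": {5432}},
    "app02": {"settings": {"tls_min": "1.0"},
              "patch_level": "2023-01-01", "ports": {80, 22}},
}


def check_host(host, observed, expected, policy):
    """Compare one host against its baseline entry (if any) plus the policy."""
    findings = []
    # Expected settings: policy defaults, overridden by the baseline where known.
    want = dict(policy["required_settings"])
    if expected:
        want.update(expected["settings"])
    for key, value in want.items():
        got = observed["settings"].get(key, "<unset>")   # absent setting is drift too
        if got != value:
            findings.append(Finding(host, "setting_drift", f"{key}={got} (expected {value})"))
    # Patch level may not regress below the baseline nor fall below the policy floor.
    floor = policy["min_patch_level"]
    if expected:
        floor = max(floor, expected["patch_level"])
    if observed["patch_level"] < floor:
        findings.append(Finding(host, "missing_patch", f"{observed['patch_level']} < {floor}"))
    # Any listening port outside the approved set is a new exposure.
    allowed = expected["ports"] if expected else set()
    for port in sorted(observed["ports"] - allowed):
        findings.append(Finding(host, "new_port", str(port)))
    return findings


def drift_report(baseline, scan, policy, exceptions):
    """Return sorted findings for the whole scan, minus accepted exceptions."""
    findings = []
    for host, observed in sorted(scan.items()):
        expected = baseline.get(host)
        if expected is None:
            findings.append(Finding(host, "new_host", "not in approved baseline"))
        findings.extend(check_host(host, observed, expected, policy))
    return sorted(f for f in findings if (f.host, f.kind, f.detail) not in exceptions)


if __name__ == "__main__":
    for f in drift_report(BASELINE, SCAN, POLICY, EXCEPTIONS):
        print(f"{f.host:6} {f.kind:14} {f.detail}")
```

Run on the constructed data, the report flags the password-auth change on web01, the patch regression on db01, and the unknown host app02 with its weak TLS floor, missing setting, stale patch level and two unapproved ports, while the WAF-fronted port stays silent because it is on the exceptions list. Keeping that list explicit and reviewed is what turns a noisy scanner into a monitoring signal: the exception, not the scanner, records the mitigating control.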
Penetration Test
A Penetration Test goes beyond identifying vulnerabilities; it involves simulating real-world attack scenarios to validate and exploit vulnerabilities. This process requires skilled security professionals who continually update their knowledge and techniques to mimic potential adversaries (criminals). Unlike automated tools, penetration testers tailor their methods to the specific environment and provide detailed recommendations to mitigate identified risks.
Challenges and Considerations
Despite the increasing awareness of cybersecurity, security services often remain an afterthought, contacted out of necessity rather than proactive planning. This reactive approach can hinder project timelines and diminish the perceived value of security. Additionally, any testing, such as vulnerability scans or penetration tests, must have explicit authorization from the entity in charge of the target to avoid legal repercussions according to the Computer Fraud and Abuse Act in the United States.
Conclusion
Understanding the distinct purposes and processes of Security Assessments, Vulnerability Scans, and Penetration Tests is crucial for effectively safeguarding your business. Each service plays a unique role in a comprehensive security strategy, contributing to layered defenses that adapt to evolving threats. Clear communication and precise scoping of these services ensure that businesses receive the most value from their security investments.
Enhancing Security in Large Enterprise Deployments: A Case Study
As the client demographic grows, so do the security concerns.
By: David Gatewood
In a recent review of our team metrics spanning the past two decades, we conservatively estimated that we have evaluated and consulted on the security of between 5,000 to 10,000 vendor applications, solution systems, and hardware devices. This extensive experience has highlighted recurring security concerns, particularly when products necessitate modifications to enterprise firewalls.
A frequent issue arises when vendors request that ports be opened in the enterprise firewall. From the vendor’s perspective, opening a few ports may seem trivial. However, for a large enterprise, each request to open up to 20 ports represents a significant security risk. This issue was recently underscored in a discussion with a vendor whose application, designed to meet a clinical need, was more suited for a small physician clinic rather than a large enterprise. The vendor was adamant about not supporting a B2B connection, which compounded the security concerns.
From the enterprise security standpoint, firewall rules must be configured across multiple firewalls, not just one. Each hole in a firewall potentially serves as an entry point for threat actors. With thousands of vendors on the network, each with unique requirements, the cumulative effect can quickly transform firewalls into Swiss cheese, leaving the company vulnerable.
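To make the "Swiss cheese" effect concrete, here is an added example (written for this post, not taken from the case study or any ToriiGate tool) that tallies the cumulative exposure created by several vendors' port-opening requests once each rule has to exist on every firewall tier, and flags rules whose source is not pinned to the vendor's own address range. The vendor names, ports, address ranges and the three-tier firewall layout are constructed, and the B2B comparison assumes a model of one tunnel rule per vendor per firewall with the application ports carried inside the tunnel.

```python
"""Cumulative firewall exposure tally (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Vendor port-opening requests: (vendor, destination port, protocol, source CIDR).
# Constructed; VendorB asked for "any" source, which is the pattern to catch.
REQUESTS = [
    ("VendorA", 443,  "tcp", "203.0.113.0/24"),
    ("VendorA", 8443, "tcp", "203.0.113.0/24"),
    ("VendorB", 22,   "tcp", "0.0.0.0/0"),
    ("VendorB", 1433, "tcp", "0.0.0.0/0"),
    ("VendorB", 3389, "tcp", "0.0.0.0/0"),
    ("VendorB", 8080, "tcp", "0.0.0.0/0"),
    ("VendorC", 443,  "tcp", "198.51.100.0/24"),
    ("VendorC", 5000, "tcp", "198.51.100.0/24"),
    ("VendorC", 5001, "tcp", "198.51.100.0/24"),
    ("VendorC", 5002, "tcp", "198.51.100.0/24"),
]

# Assumed enterprise layout: every inbound rule must be replicated on each tier.
FIREWALLS = ("perimeter", "dmz", "core")


def is_unrestricted(cidr, max_hosts=65536):
    """Treat any source range wider than max_hosts (a /16) as effectively open."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses > max_hosts


def exposure_summary(requests, firewalls):
    """Aggregate what the requests add up to once applied across all tiers."""
    ports_by_vendor = defaultdict(set)
    unrestricted = []
    for vendor, port, proto, src in requests:
        ports_by_vendor[vendor].add((proto, port))
        if is_unrestricted(src):
            unrestricted.append((vendor, proto, port, src))
    distinct = set().union(*ports_by_vendor.values())
    return {
        "vendors": len(ports_by_vendor),
        "rules_requested": len(requests),
        # Each request becomes one rule line per firewall tier to create and maintain.
        "rules_to_maintain": len(requests) * len(firewalls),
        "distinct_exposed_ports": len(distinct),
        "unrestricted_rules": unrestricted,
        "ports_by_vendor": {v: sorted(p for _, p in ports) for v, ports in ports_by_vendor.items()},
    }


def b2b_rule_count(requests, firewalls):
    """Assumed B2B model: one tunnel rule per vendor per tier, app ports inside the tunnel."""
    return len({vendor for vendor, *_ in requests}) * len(firewalls)


if __name__ == "__main__":
    summary = exposure_summary(REQUESTS, FIREWALLS)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("b2b_rule_count:", b2b_rule_count(REQUESTS, FIREWALLS))
```

With the constructed data, ten "trivial" requests become thirty rule lines exposing nine distinct ports, four of them reachable from any source; under the assumed B2B model the same three vendors need nine tunnel rules and no individually exposed application ports. The point is not the exact numbers but that the cost of a port request scales with the number of tiers and vendors, which is the arithmetic a large enterprise sees and a single clinic does not.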
After several weeks of negotiations, the division requiring the vendor’s product arranged a conference call. During this call, I was able to articulate the security concerns from both perspectives. I emphasized that by enhancing their services as requested, the vendor would not only meet our security standards but also position themselves to offer a more secure product to other clients. The vendor ultimately agreed that it was in both companies’ best interests to implement the enhancements and establish a B2B connection.
This case underscores an important lesson: as the client demographic grows, so do the security concerns. Vendors must consider the target environments and not just the system or application developed in a controlled environment. By doing so, they can ensure their products are secure and suitable for deployment in large enterprises.
Why We at ToriiGate Security Consulting Do What We Do
In the ever-evolving landscape of cybersecurity, the team at ToriiGate Security Consulting stands united by a common purpose: to serve and protect. Our journey is driven by a profound sense of duty and a commitment to leveraging our collective expertise for the greater good.
By: David Gatewood
A Call to Serve
While I cannot speak for everyone in the cybersecurity field, I can confidently share the ethos that binds our team. We are driven by a calling to serve, a mission that transcends the boundaries of a typical business. In a world where vast amounts of data (Big Data) have become fertile ground for cyber threats, our combined experience becomes a beacon of hope and security for our clients.
Diverse Backgrounds, Unified Purpose
Many of our team members have proudly served in the armed forces, bringing with them a wealth of diverse skills and training. These varied backgrounds have equipped us with a unique set of capabilities that are invaluable in the cybersecurity arena. Our military experience has instilled in us a sense of discipline, resilience, and strategic thinking that we now apply to safeguarding your business.
Beyond Business
Yes, we started a business. Survival is a fundamental need for everyone. However, our journey is not solely about commercial success. It is about fulfilling a shared need to serve and utilizing our vast combined experience to build a safer digital world. Our services are crafted around this core principle, ensuring that we are always ready to understand and address the unique challenges your business faces.
Ready to Protect
At ToriiGate Security Consulting, we stand ready to help your business navigate and survive the growing landscape of cyber threats. Our commitment to service, combined with our extensive experience, positions us as your trusted partner in cybersecurity. Together, we can build a resilient defense against the ever-present dangers in the digital world.
Business Continuity & Cybersecurity
Integrating Business Continuity into Cybersecurity Strategies
By: David Gatewood
In the wake of the global repercussions of the CrowdStrike incident, the importance of robust business continuity plans has never been more evident. As organizations worldwide navigate the complexities of cybersecurity threats, the integration of business continuity measures into security frameworks is crucial.
The Interdependence Dilemma
The recent events serve as a stark reminder of the vulnerabilities inherent in our interconnected digital ecosystem. Businesses must ask themselves a critical question: “How long can we sustain operations during a service disruption, especially when resolution depends on external parties?”
This question is not posed to cast aspersions on any specific third-party service providers. Instead, it highlights a reality in today’s business landscape—dependency on external entities for essential services or products. This dependency makes the inclusion of business continuity not just a supplementary topic but a cornerstone of contemporary security dialogues.
A Dual Focus: Security and Sustainability
As we reassess our cybersecurity postures, it is imperative to ensure that business continuity planning is not sidelined. It should be discussed with the same rigor and priority as security measures. After all, what good is a fortress if it cannot sustain itself in the absence of its support systems?
In conclusion, let us take this moment to reflect on our preparedness. Let’s fortify our strategies not just for defense but for resilience. By doing so, we can safeguard our operations against the unpredictable, ensuring that our businesses thrive, even in the face of adversity.