Last month I talked about the essential nature of third-party auditing and pen testing. It's smart security policy, good business, and, more likely than not, a regulatory requirement. The problem, though, is that it tends to be pricey, time-consuming, and invasive.
Fortunately, there's a solution that's free, non-invasive, and requires very little of your time: Let a security vendor do it. I know, I can hear the protests now. "I don't want to let some vendor bring their hardware and software on my network!" Or "How can a vendor actually do a decent security audit?" Or "Do I get a free mug? 'Cuz the last guys offered me a free mug but Bill in Accounting stole it."
I can't make any guarantees about free mugs, but I can say that there are some definite advantages to letting a vendor do a network security audit. First and foremost, they're often free. Even for larger organizations, IT budgets are rarely growing. The "do more with less" mantra is alive and well whether you're in a large enterprise or an SMB, and a free audit can provide you with a wealth of information about your network, letting you hang onto dwindling resources for the CEO's new laptop...er...I mean, for a critical technology refresh.
More importantly, no matter how savvy your IT group, no matter how much you've already invested in network security, everyone needs an extra set of eyes. It doesn't hurt if those eyes are available for free, but the real value comes from an outside engineer taking a critical look at your infrastructure, your traffic, and the applications on your network. Chances are, many of the big breaches in recent years happened at organizations that were fairly confident in their security. They certainly had dedicated security teams in place and investments in hardware and software were far from drops in the proverbial bucket. And yet they still got hacked. This is why PCI-DSS standards, among others, require regular third-party audits and security testing.
"But wait!" you exclaim. "Isn't this just a cover for a sales pitch?"
This is a completely reasonable question and we all know that there is no such thing as a free lunch (or, for that matter, a free mug). But if the audit is done well and the vendor is savvy, there are only a couple of relatively painless outcomes:
If we're talking about the Fortinet Cyber Threat Assessment Program, you get the report regardless and it's quite comprehensive. Getting the data for the report is also remarkably painless. An engineer will place a FortiGate inline on your network as shown in the diagram below and essentially let it run for a few days. They will make sure that the firewall's throughput is such that you and your users won't notice a hit to network performance.
When the assessment period is over, they will prepare a detailed report from the data the FortiGate collected including
Not only will you be able to benchmark the effectiveness of your existing network security solutions, but you'll also get a detailed picture of how your network is performing with existing policies and applications. All you'll need to do is decide what to do with the information. Update your security hardware and software? Optimize application controls? Nail Bill in Accounting for watching YouTube all day and stealing your mug? File the report under "Get out of jail free cards for upcoming compliance monitoring"? It's up to you.
And while you're at it, ask about that mug...you might get lucky. Those FortiMugs are pretty snazzy.