The Arcus Journal

Cutting through the noise
Blog Image

Posted on by jgm

Vulnerability Scanning vs Penetration Testing

One of the most important security processes any organization can undertake is the discovery, assessment, and mitigation of vulnerabilities in their IT systems. While both vulnerability scans and penetration tests are used to discover vulnerabilities in systems with a good deal of overlap, they approach the process slightly different and perhaps even with different goals in mind.

First though, what are vulnerabilities and why should we care about them?

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness.”

Source: https://en.wikipedia.org/wiki/Vulnerability_(computing)

Now that you have an idea of what vulnerabilities are, what are the important differences between a vulnerability scan and a penetration test? And, why should you care?

The biggest, and most important, difference between vulnerability scanning and penetration testing is the depth in which they go. Both discover and identify potential vulnerabilities in systems and may even use similar tools such NMAP, Nessus, and open source intelligence. Where they really differ is in what they do they with the collected information and who is involved in the process.

Vulnerability Scanning

  • Discovers known vulnerabilities
  • High-level identification
  • Generates a list based on signatures and system info
  • Risk of false positives
  • Identified vulnerabilities must be confirmed or ruled out
  • Find the low-hanging fruit to help improve general security stance
  • Can be manual, on-demand, or automated
  • Shorter turn around time
  • Generally non-invasive
  • More affordable

Penetration Testing

  • Discovers known vulnerabilities
  • Takes a hacker perspective
  • Manual process – may confirm whether vulnerabilities are exploitable or not (rules out false positives)*
  • More targeted and focused
  • Can identify a greater set of risks
  • Must be scheduled due to longer engagement time, scope of testing, and rules of engagement
  • Can be disruptive
  • Higher costs

Vulnerability scanning takes the information gathered from the tools and creates a nice looking report that highlights the main issues and concerns the organization should take a look at. These issues and concerns may not be valid (false positives), could miss issues (false negatives), or they may be valid, but addressed through other security controls. A major benefit of vulnerability scans is the fact they can be automated and performed on a regular basis, allowing you to easily track changes in vulnerabilities and system baselines over time.

Penetration testing uses the same kind of information gathered from vulnerability scanning and takes it a step farther by attempting to exploit the vulnerabilities the tester discovered. The benefit of this is you should learn whether or not the vulnerabilities identified during the test are real and exploitable. The drawback is a pentest can be expensive and highly involved, and if you haven’t already gone through a series of vulnerability scans and remediation, it may not be very difficult at all for an experienced pentester to compromise your systems.

So, which option should you choose? Well, it all depends on how mature your security and patching practices are. If you’ve hardened your systems and environment by patching all of your software, disabling unneeded services, disconnected old systems you no longer use, and mitigated everything you can think of, maybe you’re ready for a pentest. If you haven’t even covered the basics, you should start with a vulnerability scan and assessment.

Starting with a vulnerability scan and assessment allows you to find the low-hanging fruit and fix issues before your organization becomes the low-hanging fruit for a malicious actor. Vulnerability scanning is the first step along the path to better organizational and system security.

If you’re interested in beginning your organization’s security journey, reach out to us today. Arcus Consulting provides a variety of products and services to support you in protecting your critical assets.

Blog Image

Posted on by jgm

3 reasons you need an infrastructure assessment

When is the last time someone in your organization inventoried and assessed all of the infrastructure you think you have?

  1. So you know what you have
  2. Identify systems for patching, upgrades, consolidation, or decommissioning
  3. Ability to better plan for the future

Reason #1 – So you know what you have

Identifying and inventorying your organization’s assets is the first step in any successful assessment. A thorough discovery process will identify the devices and services you know you have, while discovering old and forgotten ones and even ones that don’t belong at all like the random Wi-Fi router an employee brought from home and plugged in to extend the wireless network to the warehouse.

Once you’ve inventoried everything and know what you have, you can move on to actually assessing your infrastructure.

Reason #2 – Identify systems for patching, upgrades, consolidation, or decommissioning

This is the hardest and most time consuming part of an assessment. Once you have a completed inventory, you need to review the details of the systems and services you identified to begin asking questions and making decisions about them.

  • Are the systems up to date?
  • If they’re not updated, what is the reason?
    • Are automatic updates misconfigured?
    • Was it a forgotten system?
    • Support contracts expired?
  • Are the systems still supported?
  • Have they reached their end of life?

Although not a complete list by any means, you can understand the kinds of things you need to be looking at when you begin to make decisions about them. Do you really need multiple web servers when you can use virtual hosts to meet your needs? When was the last time you actually used FTP or Telnet to connect to a system? Can you disable those services? Can you use something more secure in their place like SFTP or SSH?

Now is the time to really assess what you have and what should be done about it.

Reason #3 – Ability to better plan for the future

Once you’ve completed the inventorying and system/service assessment, then you are prepared to plan for the future. Knowing what you have and where you are starting from today, allows you to plot a better course for the future.

Were you able to identify virtual or physical server infrastructure resources you could reclaim, that can be re-provisioned in a more effective way? Maybe you found cloud services you no longer need and can save money on or, you discovered a critical server wasn’t being monitored and has an almost full drive which could cause a major outage if it went crashed?

These types of things exist in every environment. Knowing about them lets you prepare for the future before an unexpected surprise happens.

Arcus Consulting helps small and medium sized businesses build more secure and resilient IT systems. If you’d like to learn more about the services we offer and how we can help your organization, contact us today.

Posted on
by jgm

Arcus Consulting announces official company launch

Denver, Colorado – September 1, 2023Arcus Consulting is proud to announce our official company launch and will immediately begin offering professional services and information technology solutions focusing on core infrastructure, cyber security, unified communications, and managed services to customers.

Arcus Consulting was started to provide essential IT expertise, knowledge, and services to small and and medium sized businesses looking to benefit from professionals who know how to apply the lessons learned from working with large, global enterprises to their businesses. We want SMBs to have access to the same levels of professional support as larger organizations.

“Technology is no longer optional in day to day operations, it is a must have and as a result, organizations can no longer ignore their IT needs and strategies. That’s why Arcus is here, to provide the expert services and trusted guidance every organization deserves to have on their side.”

About Arcus Consulting

Arcus Consulting helps companies build more secure and resilient IT systems. We will collaborate with you on winning strategies to improve your processes, systems, and infrastructure so you can focus on what matters most. Arcus Consulting is a registered partner and authorized reseller of Cisco Systems.

Contact
Justin G. Mitchell
jgmitchell@arcuscg.com
+1 (316) 305-9943

Blog Image

Posted on
by jgm

6 things you can do to improve your security today

There are some basic things any computer or technology user can do to improve their security by spending a few minutes here and there. All six things should take you about 30 minutes or so depending on how long it’s been since you installed updates (hint, hint). So get to it and before the end of the day, you’ll be in a better situation than you were this morning.

Install system and software updates

Time required: 5min to several hours

Most people ignore installing updates until their computer tells they have to be installed. And when that reminder comes along, it’s never at the best time for it, like when you’re getting on a meeting or need to get real work done. So, avoid the frustration and do it right now.

Then put a reminder on your computer to download and install updates regularly.

Just understand that if it has been a while, it could take a while for the updates to download. The good thing is you should be able to continue working while they download and probably even while they are installed. Once they’re finished installing, move on to restarting your computer. You’ll be glad you did.

Restart your computer

Time required: usually less than 5min

Think about it, when was the last time you restarted your computer? Last Friday when you went logged off for the weekend? 2 months ago when you were forced to install updates? Can’t remember? Now is your chance!

Restart your computer and use that time while it’s doing its thing to stand up and stretch, grab a glass of water, and daydream about your upcoming vacation.

According to York College/CUNY restarting your has a number of benefits including security and performance. Restarting your computer releases system locks on files that may need to be patched or updated to fix problems. So if you installed updates, even if your computer tells you it’s not needed, go ahead and restart your computer.

Restarting your computer also causes applications and services that you may not even realize are running in the background to shut down. If any of these are programs you launched intentionally and they didn’t close properly, this will solve the issue for now. This process can also stop malware that may only be loaded into memory from a malicious website or other method.

Regardless, it’s always a good idea to restart your computer at least once a week, if not more often.

Delete unused apps

Time required: 5min

When was the last time you played “Subway Surfers” on your phone or used any of the dozens of apps and games you downloaded because you were looking for something or just bored and needed to pass the time? If they’re not specifically work related or used on a regular basis, you should delete them now.

It will be okay, you can always download Angry Birds again when you’re sitting in the waiting room of your doctor’s office with nothing to do.

Restart your phone

Time required: 2min

Just like restarting your computer, this is something most people only think of when they are forced to do it or something is not working right. But, just like your main computer, mobile phones are computers with all the same kinds of issues. Apps constantly running in the background. Services get stuck opening or closing, consuming valuable processing power. Malware can get loaded into memory.

Don’t waste money or give away data by using a memory manager, Google and Apple know what they are doing most of the time. Just go ahead and restart your phone. It only takes a couple of minutes to do and it’ll run better afterwords.

Install a password manager

Time required: 5min

Secure passwords are hard to create and remember. Because of this, lots of people of re-use their passwords over and over, for work and personal uses! Worse yet, they’ll use the same password everywhere. I always recommend people use a password manager. Using a password manager for the first time can seem intimidating at first. Give one a try on a few of the websites where you enter a username and password. You’ll be amazed how easy and flexible it is. In fact, it’ll save you time logging in, remembering passwords, almost everywhere.

My favorite password manager is Bitwarden. It’s open source and free, but also has paid options that get you additional features. You can install it on any device, add it as a browser extension, or use their web app if you don’t want to install anything. Before you sign up though, use their password generator, to create an easy to remember passphrase. If you don’t like what you get at first, regenerate it until you get one that makes you happy and then use it as your password/phrase for Bitwarden.

Try a password manager today and the next time you hear about a company being compromised and needing to change your password, you can do it in mere seconds and not have that feeling of dread about needing to change your password on all the countless places you’ve previously used it!

Update your passwords

Time required: varies

When was the last time you changed your account passwords? Any of them?

Now that you should have a password manager installed and available, start changing your passwords as you visit services. Visit Have I Been Pwned to see if there are accounts that have been leaked and go reset those. Change your Google, Microsoft, Facebook, and Twitter passwords. Change your computer password.

I honestly only remember four passwords since I started using a password manager for everything. My computer’s encryption password. My user account password to sign in to my computer (you do use a password to sign in right?). My work password. And of course, my Bitwarden password. They’re all complex, and as long as I can recall my Bitwarden passphrase, I don’t have to recall the others!

Get in touch with us!

Don’t feel like keeping up with that after you’re done? Schedule a free consultation with us to discuss your IT needs and how Arcus Consulting can help your organization be more productive and secure. We assist organizations of all sizes by developing better IT strategies, allowing them to reach their goals and use their IT budget and resources more efficiently.

Posted on
by jgm

The importance of accurate & consistent data

When was the last time you reviewed all of your systems and the data they store? Things like Active Directory, phone systems, LDAP, employee contact details, disaster recovery plans, vendor contact information… the list can go on and on. Regularly reviewing your organization’s information systems for accurate and valid data is important for a variety of reasons.

Recently while working on a project for a customer, I was asked about the validity of some spreadsheets I was generating. Fair enough question. The output was combination of five different spreadsheets pulled from two different systems, one a custom database used for billing and the other, an older version of Cisco Unified Communications Manager (CUCM). When looking at the final output and then comparing it to a third system, is when the confusion set in.

The engineer asking was confused because the third system had more in it than the final output I created, but it did have some overlap with the source data, while the CUCM should have the most up to date information since that is what end users access.

So, which system had the correct data?

The four tables from the billing database all have a different piece of the puzzle but don’t rely on a shared primary key between them. The CUCM data may be somewhat out of date because if Active Directory is not up to date, old users don’t get removed. The third system should be accurate as it is used to manage CUCM but it also had data in it that wasn’t in the CUCM database.

My recommendation to the engineer was to review all of them and decide which one they wanted to use. After reviewing all the different sources, I concluded there was just too much invalid and out of date information causing the confusion when looking at the final output.

Garbage in, garbage out.

I’m not saying the data was garbage but it definitely was not 100% reliable. If the data you rely on isn’t accurate and up to date, how do you know it isn’t garbage? Can you really trust what you’re looking at?

Do you have a single source of truth in your organization or does data get placed into different systems through cut and paste, manual entry, or importing and exporting? Every time you have to “touch” your data there’s a chance for errors to be introduced.

This is why it is so important for your organization to regularly review the data you rely on.

Start reviewing and fixing

Pick a system. Any system. Active Directory and LDAP are always good places to start. AD and LDAP should contain all of your organization’s end user and service accounts, computer and server accounts. When was the last time someone reviewed it to make sure there weren’t long gone users still in there with active and usable accounts? What about domain controllers? DNS servers?

Regular auditing and review of these systems can identify forgotten accounts that need to be disabled and removed, services that are no longer used or needed, and even server infrastructure that needs to be migrated or decommissioned.

Another great reason to review AD regularly is if you allow end users to enter or update their own information. How many different ways can a phone number be entered? Just depends on how you look at it:

  • +1 (720) 295-0552
  • +1 720-295-0552
  • 1 (720) 295-0552
  • (720) 295-0552
  • 720-295-0552
  • 7202950552
  • 720 295 0552
  • 7 – 295-0552

That’s eight right there. Replace the dashes with periods and you have at least thirteen. And, I could make even more formats if I really wanted to, just because people make typos as they type. We all do, to err is human.

These are the kinds of things you want to look for and fix. By fix, I mean normalizing. You want all your data in a standard format. As pointed out, phone numbers are a great one to start with. Do you have international users? If not, you probably don’t need a country code at the start. If you do, include it.

Same with dates:

  • Apr 5, 2023
  • April 5, 2023
  • 4/5/2023
  • 04/05/23
  • 20230405 (my preference YYYYMMDD)
  • 04052023

Six formats. Once again, depending on whether you are working with individuals outside the United States, the last four formats could be misinterpreted as May 5, 2023. Pick a format and use it consistently.

Why normalize your data as you are reviewing? Easy, once you have everything in a consistent and normalize format, you can manipulate it to more easily meet your needs. It is easier to match when searching or collating data from multiple fields, tables, or databases.

Fill out as much as possible, too. There’s nothing wrong with blank fields. Not everyone has multiple phone numbers or a second part to their street address, but in your organization, they probably have a title, work location, and department. Make sure those fields have data in them. You may not need it today, but you might tomorrow. Feel free to think of it as a test where you get credit even for trying.

Need some help and guidance on where to start? Feel overwhelmed at the thought of assessing all that data? Contact us today to discuss your organization’s needs and let us help you make the most of your data.