What Makes an External Security Audit a Valuable Business Tool?
The traditional IT budget at most companies now has a line item for information security. In fact, many companies are developing an entirely separate security budget that covers both physical and data security expenses. Budgeting for security has become a priority with the growth of security threats and increased awareness of the problems at hand.
One of the most common and necessary items in today's security budget is external security auditing. With the rise in denial of service attacks, website defacement, and attacks aimed at gaining access to corporate networks, it is not hard to see why this area receives so much attention. While internal threats continue to be the leading cause of corporate data loss, external attacks are becoming more common and are having a significant negative effect on business continuity.
Because many IT departments lack the resources, and because performing security audits effectively requires substantial cost and training, many companies turn to outsourcing. Several security vendors and a multitude of non-security-specific firms have stepped up with auditing services that use a wide range of techniques to determine security risk. Unfortunately, many of these firms offer audits that focus purely on finding the highest number of vulnerabilities without determining whether those vulnerabilities actually affect the overall security posture of your organization.
Finding as many vulnerabilities as possible is an important part of a successful security audit. However, simply presenting a list of vulnerabilities can misrepresent the efforts of internal staff, drive unnecessary spending on remediation, and risk negative impact on production systems. It is critical that any vendor or internal IT department professionally evaluate the significance of each vulnerability, as well as the risk it poses when combined with others. Many vulnerabilities that appear to be low risk on their own create a significantly elevated level of overall risk when combined with particular other vulnerabilities. Without properly correlating these groups of vulnerabilities, the value of an external audit diminishes significantly.
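As an added illustration (this is not code from the original article or from any audit vendor), the following Python sketch shows the kind of correlation the paragraph calls for. Each finding is modelled with the access it requires and the access it grants, and a small search walks from an unauthenticated internet position to a sensitive target, reporting every minimal chain of findings that gets there. The findings, access labels and severity ratings below are constructed for illustration and do not describe any real system.

```python
"""Finding correlation: chain individually low-rated findings into an attack path.

All findings here are constructed sample data, not results from a real audit.
Each finding records the access an attacker must already hold ("requires")
and the access gained by exploiting it ("grants"). The search reports chains
that reach a goal position regardless of each finding's individual rating.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    fid: str
    title: str
    severity: str          # per-finding rating as a scanner would report it
    requires: frozenset    # preconditions: access the attacker already has
    grants: frozenset      # postconditions: access gained after exploitation


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    Finding("F1", "Verbose error page discloses internal hostnames", "Low",
            frozenset({"internet"}), frozenset({"internal_hostnames"})),
    Finding("F2", "Staff login accepts weak passwords, no lockout", "Low",
            frozenset({"internet"}), frozenset({"staff_web_session"})),
    Finding("F3", "Internal admin console reachable via SSRF in staff portal", "Medium",
            frozenset({"staff_web_session", "internal_hostnames"}),
            frozenset({"admin_console"})),
    Finding("F4", "Admin console runs scheduled jobs as a service account", "Low",
            frozenset({"admin_console"}), frozenset({"service_account_shell"})),
    Finding("F5", "Service account is local administrator on file servers", "Medium",
            frozenset({"service_account_shell"}), frozenset({"file_server_admin"})),
    Finding("F6", "Outdated JavaScript library on marketing site", "Low",
            frozenset({"internet"}), frozenset({"marketing_site_xss"})),
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def attack_chains(findings, start, goal):
    """Return every ordered list of findings that takes an attacker from
    the `start` access set to holding `goal`.

    Depth-first search over access states. A finding is usable once all of
    its preconditions are held; findings that grant nothing new are skipped
    so the search cannot loop, and each finding is used at most once per chain.
    """
    chains = []

    def walk(held, used, path):
        if goal in held:
            chains.append(list(path))
            return
        for f in findings:
            if f.fid in used or not f.requires <= held or f.grants <= held:
                continue
            walk(held | f.grants, used | {f.fid}, path + [f])

    walk(frozenset(start), frozenset(), [])
    return chains


def minimal_chains(findings, start, goal):
    """Keep one ordering per distinct set of findings, and drop any chain
    whose finding set strictly contains another successful chain's set
    (e.g. chains padded with an unrelated finding)."""
    by_set = {}
    for chain in attack_chains(findings, start, goal):
        key = frozenset(f.fid for f in chain)
        by_set.setdefault(key, chain)
    return [chain for key, chain in by_set.items()
            if not any(other < key for other in by_set)]


def correlate(findings, start="internet", goal="file_server_admin"):
    """Summarise each minimal chain: the finding ids involved, the highest
    individual rating among them, and the access the chain yields.

    The gap between the highest per-finding rating and the chain outcome is
    exactly the risk a raw scanner listing hides.
    """
    summary = []
    for chain in minimal_chains(findings, {start}, goal):
        worst = max((f.severity for f in chain), key=SEVERITY_RANK.get)
        summary.append({
            "findings": [f.fid for f in chain],
            "highest_individual_rating": worst,
            "chain_outcome": goal,
        })
    return summary


if __name__ == "__main__":
    for entry in correlate(SAMPLE_FINDINGS):
        print(" -> ".join(entry["findings"]),
              "| worst single rating:", entry["highest_individual_rating"],
              "| yields:", entry["chain_outcome"])
```

With the constructed data, no single finding is rated above Medium, yet F1 through F5 together give an unauthenticated internet attacker administrative access on the file servers; F6 never appears in a minimal chain because it contributes nothing toward that goal. That is the distinction the report needs to carry: the chain and its outcome, not just six scanner entries with their individual ratings.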
Most outsourced external security audits are described as either Vulnerability Testing or Penetration Testing. Traditionally, Vulnerability Testing refers to the practice of simply scanning for vulnerabilities and presenting the near-raw results. This method of auditing is far less valuable than what is commonly referred to as Penetration Testing. Penetration Testing not only includes extensive scanning for vulnerabilities, but should also include correlation of specific vulnerabilities and exploit testing to accurately identify real-world risk. It is nearly impossible to provide an accurate and valuable evaluation of a company's overall risk without these techniques.
The most valuable security
audits not only include deliverables that detail vulnerabilities, but also
include a clearly articulated executive summary. The report should highlight
the overall level of risk to the business and include executive-level action
items that are intended to improve and/or validate the consistent focus on
information security.