It is certainly no mystery that cyber attacks are on the agenda.

Cyber criminals continually seek and exploit new challenges to be more effective in their criminal actions.

In addition to this, there is the rapid evolution of computer systems now widely used, which should be updated promptly.

If our networks and systems grow rapidly, it can become complex to identify and keep under control any problems that could expose us to cyber attacks and data loss.

So, let’s see what are the three essential checks that we should periodically carry out on IT systems.


1) VULNERABILITY ASSESSMENT

The Vulnerability Assessment is the verification of the problems (vulnerabilities) affecting the company’s IT systems.

These vulnerabilities can include the absence of system or applications updates, mis-configurations, design flaws, incorrect protocols, malicious shares, users no longer in use, etc.

These issues, if exploited by a malicious attacker, could lead to systems breach resulting in malware infection or data loss.

It is important to carry out an in-depth Vulnerability Assessment of corporate systems (servers, PCs, mobile devices,) at least once a year, preferably more frequently.

The continuous and regular management of the vulnerability assessment cycle is referred to as Vulnerability Management.

This would be ideal for systems monitoring and early identification of issues.

But it also requires dedicated resources to this process and, in the absence of these resources, it is essential to rely on a good Cyber Security expert who can carry out a Vulnerability Assessment of the systems at least every 6-12 months.


2) PENETRATION TEST

The Penetration Test is the verification of the exploitability of the problems detected with the Vulnerability Assessment.

In practice, if the Vulnerability Assessment finds system vulnerabilities, the Penetration Test tests how much and how these issues could be used by cyber criminals to violate the same systems.

This is a complex test, conducted from the perspective of a potential attacker by simulating a cyber attack (while ensuring that it does not cause real damage to the systems being tested, but evaluating its potential effects).

It is carried out by Ethical Hackers with in-depth knowledge of systems and protocols.

Although the Vulnerability Assessment often seems like a sufficient verification, it is only through the Penetration Test that the degree of exposure of the company to cyber attacks can be really assessed, but also the data and systems that a criminal could reach once access is obtained.

It is essential to carry out both checks and to rely on long-time Cyber Security experts who will be able to ensure high reliability while conducting effective tests.


3) CODE REVIEW

The Code Review is the verification of the code used to write software applications and websites to search vulnerabilities and quality issues that could be exploited to violate these systems or that could in any case affect their correct functioning.

The code review is performed to find defects, incorrect or dangerous functionality, any presence of malware, but also to improve the quality, the performance of the software and verify compatibility with security standards.

It is very important that this activity is carried out by different personnel than the author or authors of the code being tested, and that the person running it has an excellent knowledge of systems and programming languages.

Often ignored among the checks of IT systems, the Code Review activity should instead be mandatory in particular in the presence of critical software, applications (including mobile ones) that process sensitive data and e-commerce portals.

It is good practice to perform code reviews before applications and sites are put into operation, in order to mitigate any problems found.

But it is also important to repeat the check periodically to ensure that there are no new defects (such as malware injected into the code).

Good job!