When doing a security risk assessment it is helpful to know what will hurt your risk score. This way you can prepare before you get a high risk score and you suddenly feel that your network is a disaster. You don’t need to panic. Most practices have a high risk score. Just use it as a starting point to put the policies and procedures in place to secure your network.
The Risk Report
The risk report will be comprised of various detection, like domain controllers, local mail servers, time servers, network shares, major applications, missing security updates, password strength, external vulnerability scans, internet access, event logs and more. A scan of your systems will look for all of these things. Each discovery will assess a risk score with it. Some of the things that will increase your risk score are:
- Passwords set to never expire – User accounts with passwords ste to never expire present a risk of use by unauthorized users. They are more easily compromised than passwords that are routinely changed.
- Users have not logged in in 30 days – Users that have not logged in in 30 days could be from a former employee or vendor and should be disabled or removed.
- Inactive computers – Although this is not a high risk, they could be from a former employee or vendor and should be removed.
- Operating System out of compliance – This could be a huge risk, as operating systems like Windows Server 2003 and Windows XP are no longer supported by Microsoft, therefore they do not have any current updates, patches or critical security updates that are regularly performed. They are a very easy target for hackers.
- Antivirus not turned on, or out of date – Each day, as new attacks are identified, it is crucial that your antivirus is licensed, current, and able to receive the latest definitions to fight the most current attacks.
- Insecure listening ports – Sometimes there is a legitimate reason for insecure ports to be open, i.e. printers. It is always good to verify if the ports should, or should not be open.
These are just a few things you can do to be proactive. Make sure all of these things are in order so that your risk score will become lower. Simple maintenance and policies will go a long way in keeping your medical practice secure.
Sheryl Cherico is the CEO of Tier3MD, a medical IT support company.
What will hurt your risk score?