Friday, February 15, 2019

A New Sheriff is In Town... Security Ratings platforms.. Vol 8 rel 2

The days of cybersecurity as a nice-to-have are over.  What was once perceived as an insurance policy on the safety of your critical cyber assets has now moved itself to the front lines as a mission-critical aspect of your business continuity landscape. 

This isn’t just a localized notion, but has become a critical global issue. Historically, there has been little transparency in the marketplace around cyber risks, incidents, and effects, making it difficult for businesses, governments, insurers, and investors to understand and value the cyber risk presented by a third-party vendor/supplier, insured, or investment.

Enter the Security Ratings platform.  A Security Ratings platform delivers the foundational data and analytics necessary for business leaders, investors, and policymakers to begin addressing the cyber risk management challenge. 

First, Let’s Understand the Vernacular 

Threat 

A threat is anything, new or newly discovered, with the potential to do harm to a system or to your organization as a whole. There are three main types of threats – natural threats (e.g., floods or a tornado), unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats. There are many examples of intentional threats, including spyware, malware, adware or the actions of a disgruntled employee. In addition, worms and viruses are also categorized as threats, because they could potentially cause harm to your organization through exposure to an automated attack, as opposed to one perpetrated by a human at the keyboard. 

Vulnerability 

A vulnerability refers to a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful. For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their names from company credit cards, this leaves your business open to both intentional and unintentional threats. However, most vulnerabilities are exploited by automated attackers and not a human typing on the other side of the network. 

Risk 

Risk refers to the potential for loss or damage when a threat exploits a vulnerability. Examples of risk include financial losses as a result of business disruption, loss of privacy, reputation damage, legal implications and can even include loss of life. 

Actual risk takes into consideration more than just known vulnerabilities; it includes any action that might result in an impact. An example of actual risk, said Bejerano, is sending an email that contains credit card information. 

Risk is also independent of vulnerability, and organizations carry risk even if there are no known vulnerabilities. Think of a phishing scam or an accidental misconfiguration.   

The federal government has implemented The Risk Management Process for Federal Facilities: An Inter-agency Security Committee Standard which states, 

"Risk is a function of the values of threat, consequence, and vulnerability. The objective of risk management is to create a level of protection that mitigates vulnerabilities to threats and the potential consequences, thereby reducing risk to an acceptable level. A variety of mathematical models are available to calculate risk and to illustrate the impact of increasing protective measures on the risk equation." 



Threat => Vulnerabilities => Risk – The Tools of the Trade 


Vulnerability assessment 

Vulnerability assessments are most often confused with penetration tests and often used interchangeably, but they are worlds apart. 

Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVAS, to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or for missing Apache web server patches and will alert if it finds a match. The software then produces a report that lists the vulnerabilities found and (depending on the software and options selected) gives an indication of the severity of each vulnerability and basic remediation steps. 

It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them. 
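To make the signature matching concrete, here is an added illustration (not code from this post, and not how any particular scanner is implemented internally) of the version-string check that such a plugin performs: it pulls a product version out of a service banner, compares it against a hard-coded "known vulnerable" range, and writes a scanner-style report entry with severity and remediation. The banners are constructed sample input, not a scan of anything. The only table entry is the bug the post names, Heartbleed (CVE-2014-0160), which affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g; the severity label and the report field names are assumptions.

```python
"""Version-signature vulnerability check of the kind a scanner plugin runs.

Added example, not part of the original post.  Only the Heartbleed entry is
factual (OpenSSL 1.0.1 to 1.0.1f inclusive, fixed in 1.0.1g); the severity
label, field names and sample banners are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    product: str
    low: tuple            # lowest vulnerable version, inclusive
    high: tuple           # highest vulnerable version, inclusive
    name: str
    cve: str
    severity: str
    remediation: str


# Real scanners ship thousands of such entries; this carries the one the post
# discusses.  Versions are (major, minor, patch, letter) so that tuple
# comparison orders 1.0.1 < 1.0.1e < 1.0.1f < 1.0.1g < 1.0.2 correctly.
SIGNATURES = [
    Signature(
        product="OpenSSL",
        low=(1, 0, 1, ""),
        high=(1, 0, 1, "f"),
        name="OpenSSL Heartbeat Information Disclosure (Heartbleed)",
        cve="CVE-2014-0160",
        severity="High",   # assumed label; vendors rate it on their own scales
        remediation="Upgrade OpenSSL to 1.0.1g or later, then reissue keys and "
                    "certificates and invalidate sessions that may have leaked.",
    ),
]

_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if absent."""
    m = _OPENSSL_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def check_banner(host, banner):
    """Emit scanner-style findings for one host banner (version match only)."""
    findings = []
    version = parse_openssl_version(banner)
    if version is None:
        return findings
    for sig in SIGNATURES:
        if sig.low <= version <= sig.high:
            findings.append({
                "host": host,
                "plugin": sig.name,
                "cve": sig.cve,
                "severity": sig.severity,
                "evidence": banner,
                "remediation": sig.remediation,
                # A version match says "probably vulnerable"; it cannot see a
                # distro that backported the fix, so a scanner reports this
                # unconfirmed and a pentester confirms it by probing the bug.
                "confirmed": False,
            })
    return findings


def scan(hosts):
    """Run every banner through the signature table, worst severity first."""
    report = []
    for host, banner in hosts.items():
        report.extend(check_banner(host, banner))
    return sorted(report, key=lambda f: (f["severity"], f["host"]))


# Constructed sample banners (not a real scan of anything).
SAMPLE_HOSTS = {
    "10.0.0.5": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
    "10.0.0.6": "nginx/1.4.7 OpenSSL/1.0.1g",
    "10.0.0.7": "Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips",
    "10.0.0.8": "OpenSSH_7.4",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HOSTS):
        print(f"[{f['severity']}] {f['host']}: {f['plugin']} ({f['cve']})")
        print(f"    evidence: {f['evidence']}")
        print(f"    fix: {f['remediation']}")
```

Note the third host: Red Hat and CentOS kept the "1.0.1e-fips" version string after backporting the Heartbleed fix, so a version-only match like this one flags a box that may already be patched. That false positive is exactly the gap between a scan report and a penetration test that confirms the bug is actually exploitable.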

Penetration test 

Many “professional penetration testers” will actually just run a vulnerability scan, package up the report with a nice, pretty bow and call it a day. Nope – this is only the first step in a penetration test. A good penetration tester takes the output of a network scan or a vulnerability assessment and takes it to 11 – they probe an open port and see what can actually be exploited. 

For example, let’s say a website is vulnerable to Heartbleed. Many websites still are. It’s one thing to run a scan and say “you are vulnerable to Heartbleed” and a completely different thing to exploit the bug and discover the depth of the problem and find out exactly what type of information could be revealed if it was exploited. This is the main difference – the website or service is actually being penetrated, just like a hacker would do. 

Similar to a vulnerability scan, the results are usually ranked by severity and exploitability with remediation steps provided. 

Penetration tests can be performed using automated tools, such as Metasploit, but veteran testers will write their own exploits from scratch. 

Risk analysis 

A risk analysis is often confused with the previous two terms, but it is also a very different animal. A risk analysis doesn't require any scanning tools or applications – it’s a discipline that analyzes a specific vulnerability (such as a line item from a penetration test) and attempts to ascertain the risk – including financial, reputational, business continuity, regulatory and others -  to the company if the vulnerability were to be exploited. 

Many factors are considered when performing a risk analysis: asset, vulnerability, threat and impact to the company. An example of this would be an analyst trying to find the risk to the company of a server that is vulnerable to Heartbleed. 

The analyst would first look at the vulnerable server, where it is on the network infrastructure and the type of data it stores. A server sitting on an internal network without outside connectivity, storing no data but vulnerable to Heartbleed has a much different risk posture than a customer-facing web server that stores credit card data and is also vulnerable to Heartbleed. 

A vulnerability scan does not make these distinctions. Next, the analyst examines threats that are likely to exploit the vulnerability, such as organized crime or insiders, and builds a profile of capabilities, motivations and objectives. Last, the impact to the company is ascertained – specifically, what bad thing would happen to the firm if an organized crime ring exploited Heartbleed and acquired cardholder data? 

A risk analysis, when completed, will have a final risk rating with mitigating controls that can further reduce the risk. Business managers can then take the risk statement and mitigating controls and decide whether or not to implement them. 
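As an added worked example (not from this post and not any rating product's method), here is the post's own scenario scored with a small contextual risk model: the same Heartbleed line item on an isolated internal server and on a customer-facing server holding cardholder data, then again with mitigating controls applied. The 1-5 scales, the likelihood times impact scoring, the data-class weights and the control reductions are assumptions chosen for illustration; the point is that the rating changes once asset, threat and impact are considered, which the scanner output alone never shows.

```python
"""Contextual risk analysis for one scanner finding.

Added example, not part of the original post.  Scales, weights and the
rating bands are illustrative assumptions, in the spirit of the ISC
statement that risk is a function of threat, vulnerability and consequence.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    data_classes: tuple        # e.g. ("cardholder",); () if it stores nothing
    revenue_critical: bool


@dataclass(frozen=True)
class Threat:
    actor: str
    capability: int            # 1-5: can this actor exploit the bug class?
    wants: tuple               # data classes this actor is after


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploitability: int        # 1-5: unauthenticated with a public exploit -> 5


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


# Assumed scales: the consequence of a memory leak scales with the most
# sensitive data the process handles.  Weights are illustrative, not a standard.
DATA_IMPACT = {"cardholder": 5, "pii": 4, "internal": 2}
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))


def clamp(x):
    return max(1, min(5, int(round(x))))


def motivation(threat, asset):
    """An actor is motivated only if the asset holds something it is after."""
    return 5 if set(threat.wants) & set(asset.data_classes) else 1


def likelihood(asset, threat, vuln):
    """Chance that this threat exploits this bug on this asset (1-5)."""
    exposure = 5 if asset.internet_facing else 2            # hit by mass scanning?
    actor = min(threat.capability, motivation(threat, asset))  # able AND willing
    return clamp((vuln.exploitability + exposure + actor) / 3)


def impact(asset):
    """What the firm loses if the process memory is exposed (1-5)."""
    data = max((DATA_IMPACT.get(d, 1) for d in asset.data_classes), default=1)
    business = 4 if asset.revenue_critical else 1
    return max(data, business)


def rating(score):
    for ceiling, label in BANDS:
        if score <= ceiling:
            return label
    return "Critical"


def analyze(asset, threats, vuln, controls=()):
    """Rate one scanner line item in its business context, before or after controls."""
    worst = max(threats, key=lambda t: likelihood(asset, t, vuln))
    like, imp = likelihood(asset, worst, vuln), impact(asset)
    for c in controls:   # patching lowers likelihood; removing data lowers impact
        like = max(1, like - c.likelihood_reduction)
        imp = max(1, imp - c.impact_reduction)
    score = like * imp
    return {"asset": asset.name, "threat": worst.actor, "likelihood": like,
            "impact": imp, "score": score, "rating": rating(score)}


# The post's scenario, as constructed sample input.
HEARTBLEED = Vulnerability("Heartbleed (CVE-2014-0160)", exploitability=5)
THREATS = (Threat("organized crime", capability=4, wants=("cardholder", "pii")),
           Threat("insider", capability=2, wants=("cardholder", "pii", "internal")))
WEB = Asset("customer-facing web server", True, ("cardholder",), True)
INTERNAL = Asset("isolated internal server", False, (), False)
PATCH = Control("Upgrade OpenSSL to 1.0.1g+, reissue keys/certs", likelihood_reduction=4)
TOKENIZE = Control("Tokenize card data upstream so the web tier never holds it",
                   impact_reduction=3)

if __name__ == "__main__":
    for asset in (WEB, INTERNAL):
        print(analyze(asset, THREATS, HEARTBLEED))
    for controls in ([PATCH], [TOKENIZE], [PATCH, TOKENIZE]):
        r = analyze(WEB, THREATS, HEARTBLEED, controls)
        print([c.name for c in controls], "->", r["score"], r["rating"])
```

With these assumptions the internal box rates Low (the bug is just as real, but nobody capable is motivated and nothing valuable is in memory) while the customer-facing server rates Critical; patching alone drops it to Medium, and patching plus keeping card data out of the web tier drops it to Low. That residual-risk arithmetic is what a business manager needs to choose between the controls, and it is exactly what a raw scan report does not carry.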

The three different concepts explained here are not exclusive of each other, but rather complement each other. In many information security programs, vulnerability assessments are the first step – they are used to perform wide sweeps of a network to find missing patches or misconfigured software. 

From there, one can either perform a penetration test to see how exploitable the vulnerability is or a risk analysis to ascertain the cost/benefit of fixing the vulnerability. Of course, you don’t need either to perform a risk analysis. 

Risk can be determined anywhere a threat and an asset are present. It can be assessed agnostically, from an outsider's perspective – in other words, determining risk doesn't require privileged access. 
  
It’s important to know the difference – each are significant in their own way and have vastly different purposes and outcomes. Make sure any product you buy, or company you hire to perform these services also knows the difference. 

A New Sheriff is In Town... 

So, now that the terms are understood: a new breed of automation has come to town, and it's not leaving – the Cybersecurity Risk Rating Solution.   

Until recently, risk analysis was a periodic exercise, run by a team of technical staff using a variety of tools to produce a metric report that summarily assessed your potential risk in your current environment. 

Today, there are automated solutions that provide up-to-the-minute risk ratings based on threat intelligence, your current vulnerability posture, and a combination of parameters that determine your overall risk in the eyes of the outside world. 

Logic 

So, let's say you have a dollar to spend on your security. You have a choice: scan internal systems and devices for vulnerabilities and call it a day, perform a penetration test to see if someone can get in, or assess what risks are seen from the outside world?

Naturally, you want all three, and eventually that may be achievable, but that's not how life, or budgets, work: you have to prioritize.  So, how does one do that? 

  • The internal scan: if history tells us anything, it wouldn't be a stretch to say that every seasoned IT executive is familiar with a vulnerability assessment report.  These are long and laborious to wade through; it can take years to review, assess, weed out the false positives and then prioritize.  Then the real labor kicks in, i.e., trying to remediate the massive number of anomalies identified, so there's that.
  • Penetration tests are finite in their findings and usually more clear and direct in their purpose.  However, once again: review, assess, weed out the false positives and then prioritize.  Remediation may involve purchasing software or changing processes in your organization, which, handed from one IT team to another, takes longer than addressing the internal scan mentioned above.  The net: it requires hiring external staff and reviewing the subsequent findings, and remediation is subject to internal staff, budgets, culture, and tolerance. 
  • A Cybersecurity Risk Rating Solution is an automated, 24/7, live assessment of risk that reviews your risk from the outside world, using outside-world access and intelligence.  In other words, it doesn't need your participation, review, access, or staff to make its determination.  It's a zero-real-estate solution.  It basically identifies holes in your defenses and walks you through the remediation. 

So what do you do with your dollar?  Any SWAT team or military expert would tell you: first, secure the perimeter.  Fortifying your internal systems, or sealing the cracks in a piggy bank left in an open field, is useless without a safe perimeter.  With an impending hurricane, do you seal your windows first, or reinforce the levee that could put you under six feet of water? 

No one is going to care about how your server is hardened if your network is down.  As they say: prioritize food, shelter, clothing.  Shelter before clothing.   

In other words, mend your fences before vaccinating the herd; no one wants to hear how healthy your cows are once they've escaped. 

Just say’n... 

So What Do I Get With a Security Risk Rating Solution?

“Once more unto the breach, dear friends, once more;”
___________________________________________



About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502
____________________________________________________________
Source(s)
    • https://www.prnewswire.com/news-releases/bitsight-recognized-as-a-leader-in-cybersecurity-rating-solutions-report-by-independent-research-firm-300749641.html
    • https://www.bmc.com/blogs/security-vulnerability-vs-threat-vs-risk-whats-difference/
    • https://www.csoonline.com/article/2921148/security/whats-the-difference-between-a-vulnerability-scan-penetration-test-and-a-risk-analysis.html
    • https://www.nist.gov/news-events/news/2012/07/software-features-and-inherent-risks-nists-guide-rating-software
____________________________________________________________