Cybersecurity risk assessments verify how the organization's security posture is designed and configured to reject attempts by different types of attacks and threats. To understand the risk to our network and our systems, it is important to conduct a thorough security assessment. These security assessments include vulnerability assessments, penetration testing, internal and external audits, self-assessments, password analysis, and many other types. Each type of assessment is going to serve a different purpose and provide a unique perspective on the security posture of the network. For example, a vulnerability management scan is a cyclical practice to look across the entire enterprise network to identify, evaluate, treat and report vulnerabilities using a fully credentialed and authorized scan from within the network. On the other hand, a penetration test is an authorized simulated cyberattack from outside the network which helps to identify weaknesses of the enterprise network and provide a viewpoint that would be similar to when a potential attacker is going to have when they attack over the Internet. These assessments may be conducted as part of your overall risk analysis or may be required due to some contractual, legal, or regulatory requirements.
Security Assessments
There are two main types of methodologies that are used with security assessments. They are active and passive. An active assessment utilizes a more intrusive technique, like scanning and hands-on testing, and probing the network to determine what vulnerabilities might exist. While, a passive assessment, on the other hand, utilizes open-source information, the passive collection and analysis of network data, and other unobtrusive methods without ever making direct contact with the targeted networked systems.
Normally a security professional may not choose to do something strictly active or strictly passive. They may start with a passive posture, and then move into a more active posture as they need more and detailed information. Passive techniques have a limit to the amount of information and the type of information that can be learned while the active techniques help surface all the details and the system weaknesses and the vulnerabilities that exist.
Types of Risks
In this section, different types of risks an organization can come across will be discussed. This includes external risk, internal risk, legacy systems, multiparty, intellectual property theft, and software compliance and licensing.
- External Risk: This is a type of risk that is produced by a non-human source and is beyond human control. Some good examples of external risks are wildfires, hurricanes, earthquakes, floods, etc. These risks are going to occur and we as humans can not stop them. But we can try to mitigate the risk by putting additional things in place like building stronger buildings, having backup power systems, etc. These are naturally occurring risks and are non-man-made risks.
We may have also man-made external risks like blackouts as it depends on man-made systems that generate power but if a fault occurs in the power generation, distribution, and transmission system then it could result in a blackout. We also have hackers which are considered as an external risk. This is considered external as it is coming from outside the organization and it is beyond human control to stop them. If a person wants to attack an organization, they can attack them, and therefore, it would be considered an external risk.
- Internal Risk: These are formed within the organization itself. They arise during normal operations and often they are forecastable and therefore the organization can plan around them. An example could be a server crash or a router failure or a switch failure. This could be something that can be foreseen as going to happen based on mean time between failures. Therefore, the organization can identify and mitigate the risk by having the means to purchase replacement equipment before they are going to fail.
- Legacy Systems: This is another area of risk that organizations overlook. A legacy system can be defined as any old method, technology, computer system, or application program which includes an outdated computer system that is still in use. For example, it is well known that Windows operating systems like XP and 7 have reached their end of life and end of service from Microsoft. Microsoft does not release security patches for these versions of the operating system but many organizations continue to use them as they have invested in the creation of applications that are expensive to transition each time the operation systems reach the end of life and service. A security professional has to identify these legacy systems within a network and put mitigations in place so the organization can keep operating them until they have monetary funds to replace them. Some ways to mitigate the risk associated with such systems would be to keep these systems disconnected from the internet and/or have additional firewalls in place.
- Intellectual Property Theft: One of the most important things that makes a business valuable today, is the ideas behind the business. Intellectual property theft involves risks associated with business assets and the property being stolen from an organization. A lot of times when hackers are breaking into networks, it is not because they want to cause harm or takedown an organization's systems necessarily, it could be because they want to steal knowledge and information an organization may possess. This will cause economic damage, the loss of competitive edge, or a slowdown in business growth. One of the most recommended ways to protect against IP theft is making sure an organization has data loss prevention (DLP) systems. DLP systems can see when people are trying to take data out of an organization, data from the shared drive, data from the database, data over email, and act as a surveillance system if people are trying to steal that data from an organization.
- Software Compliance and Licensing: There are risks associated even when software purchased with proper licenses is getting installed on an organization's network. The software installed on the network has to be controlled, monitored, and vetted as bugs in the software can bring vulnerabilities to the network. This makes software compliance a significant area of risk. On the other hand, improper software licensing methods can add additional risk where the software may be crippled and/or pirated which introduces additional risk to the organization, including the possibility of getting sued or fined for not having the right licensing in place for use of the software.
Conclusion
The right cyber risk assessment report will provide an organization with a comprehensive view of the prioritized risk within their organization and required remediation to close any glaring gaps. Every successful cybersecurity program starts with a need to assess existing systems and new security risk management processes being implemented. It is healthy to question the security posture of an organization and to review it for possible vulnerabilities. It is also a worthwhile exercise to re-assess and validate systems and assets when new compliance standards or regulatory actions surface. All are part of an effective cybersecurity risk management program.