There are a few general truths in cybersecurity. The first is that it is not a matter of if you will face a threat to your information systems, but when. A second truth is that no information system is completely secure. Vulnerabilities will always exist because technologies change, flaws emerge, people make mistakes, equipment breaks, and environmental factors always have a say in our business operations. For most businesses, information technology such as email, databases, cloud storage, and the internet, is first and foremost, a means to an end. But with nearly every aspect of modern business operations conducted or supported by computer and networking, a loss to this technology can range from a minor perturbance to complete devastation to a business.
Cybersecurity is concerned with ensuring information remains unaltered (Integrity) and is accessed only by authorized personnel (Confidentiality), when they need it (Availability). How we protect our information systems is a business decision that balances the cost of protecting these tools with the cost that would result from an event that would impact our ability to use them. In this blog, we will discuss the various assessments that will help your organization know how to best allocate resources to protect your information systems, to include a risk assessment, security control assessment, vulnerability assessment, and penetration test.
As already mentioned, information systems always have weaknesses. Before you invest in cybersecurity, you should try to assess the impact to your business if a system weakness is exploited.
Anything that can negatively impact the Confidentiality, Integrity, or Availability of your information systems because of a system vulnerability is considered a threat event. Threat events may be adversarial (e.g. organized crime, disgruntled employees, competitors), accidental (e.g. a system administrator accidently deletes critical data), structural (e.g. a hard drive breaks and data is lost) or environmental (fire, power outage). You can let your imagination run wild come up with any number of threat events but the National Institute of Standards and Technology (NIST) already provides an extensive list of threat sources and events.
At the end of the day, risk is based on the financial impact. Even the less tangible loss of reputation ultimately leads to lost revenue A common formula for describing risk is –
RISK = PROBABILITY x IMPACT
Probability is the likelihood (often qualitatively defined as low, medium, high, and very high) a vulnerability will be exploited and impact is the harm to business operations, assets, people, and external organizations should the vulnerability be exploited. The highest risks are the things that will have the largest financial impact on your business.
The results of the risk assessment support decisions on what security measures to employ in order to reduce risk to your business. If you are in an industry that has prescribed cybersecurity standards, the risk assessment is not a critical first step because security controls are dictated to you.
Security Controls Assessment
Now that you have an idea of the risks your organization faces, you need to assess its current cybersecurity posture against a security “framework”. A security framework consists of individual security controls that, when implemented, can reduce vulnerabilities. You can use the results of the risk assessment to develop your own security framework or you can use one such as the NIST Cybersecurity Framework. Some cybersecurity frameworks have several hundred specific requirements, so the security control assessment is not a trivial matter. The security control assessment will identify which controls you are compliant, non-compliant, or that do not apply to your business. Put together the results of the risk assessment and the security control assessment and you will have a good idea of where to focus your efforts.
The vulnerability assessment verifies that your selected security controls are not only implemented but that they are maintained and updated correctly. The vulnerability assessment is often performed by software that scans your system against specific standards. For example, if you have anti-virus software on your system to protect against malware but it has not been updated to the latest version, the vulnerability scans can notify you that the anti-virus software needs to be updated.
Not all cybersecurity controls can be checked by vulnerability scanners. Some controls must be visually inspected. For example, a common security practice is to limit access to a network server by placing it behind a lock and limiting who has access keys. A vulnerability assessment should check if the server rack is locked and that only authorized personnel have them. It is a good practice to perform periodic vulnerability assessments to verify that your security controls are in place and functioning.
A penetration test (“pentest”) is an effort by a security assessor to compromise your information system in order to test the effectiveness of the security controls, confirm the exploitability of discovered vulnerabilities, and to test the ability of the organization to detect attack. A pentest is not cheap and should only be done after you have implemented all necessary cybersecurity controls. If the system already has unremediated vulnerabilities, a pentest won’t tell you anything you didn’t already know.
Cybersecurity is Ongoing
An effective cybersecurity program is never complete. Changes to your information systems, emerging technologies, and evolving threats mean you will need to periodically assess your risk and the security controls. Vulnerability assessments will give you confidence that your security controls are properly implemented and maintained. As your cybersecurity program matures, a pentest can help you know how well your security controls protect you against realistic threats.
If you are just starting your cybersecurity journey and aren’t ready to do a deep dive into it, you can get your feet wet by focusing on the basics. Please don’t hesitate to reach out to the Totem Technologies team if you have questions about your cybersecurity program. Good luck!