4 Kinds of Assessments

Necessary Assessments to Identify Your Liability

Since antivirus no longer works, most firewalls are almost useless, and endpoint security just doesn’t cut it anymore, we use a multi-staged approach to securing systems. We have to know where a new customer’s existing systems stand, and that requires extensive investigation and scanning.

Each stage of scans and tests is critical to understanding the level of security you currently have, determining your security needs, and giving us insight into the best way to design a comprehensive security strategy for your organization.

These are the four types of assessments that I recommend:

CYBER LIABILITY SCAN

A Cyber Liability Scan looks for unsecured data across your network, including data held in persistent storage. It provides an estimate of the financial risk and your organization’s potential liability in the event of a data breach. Once complete, you’ll be able to identify your areas of security weakness, including where your security needs work and which important security fixes must be applied.

  • Data scans: Identify at-risk data and file access vulnerabilities.
  • Financial assessment: Demonstrates the potential economic impact of a possible data breach, allowing you to prioritize fixes and get help as needed.
  • Liability prioritization: Yields a comprehensive overview of your at-risk data and identifies where remediation is needed.
  • Easy searches: Allow you to locate specific files or file types throughout your entire network, such as packages identified as a Trojan or another kind of malicious payload.
  • Better security: Identifies any at-risk data so that it can be remediated quickly, reducing potential penalties and fines and guiding your efforts to obtain data insurance.
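The core of a data scan is locating files that hold at-risk information and turning the count into a liability estimate. The following is an added example, not the scanning product described above: it runs a small set of PII detectors (SSN, Luhn-validated card numbers, e-mail addresses) over constructed sample file contents and multiplies the hits by an assumed per-record breach cost. The sample files, the `cost_per_record` figure and the `SAMPLE_FILES` name are all placeholders chosen for the example.

```python
"""Discovery scan for at-risk data: locate files that contain personally
identifiable information (PII) and produce a rough exposure estimate.

Added example, not the page's own tooling. The sample files and the
per-record cost figure are constructed placeholders."""
import re
from collections import Counter

# Patterns for common PII. The SSN pattern excludes area numbers that the
# Social Security Administration never issues (000, 666, 900-999) and
# all-zero group/serial fields, which removes many false positives.
PII_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count PII hits in one file's text, keyed by category."""
    hits = Counter()
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            if kind == "card":
                digits = re.sub(r"\D", "", m.group())
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue    # digit run that fails Luhn is not a card
            hits[kind] += 1
    return hits


def scan_files(files: dict) -> dict:
    """files maps path -> text. Returns {path: Counter} for files with hits."""
    return {path: hits for path, text in files.items() if (hits := scan_text(text))}


def exposure_estimate(results: dict, cost_per_record: float) -> float:
    """Rough liability figure: PII records found times an assumed
    per-record breach cost. cost_per_record is a placeholder input."""
    return sum(sum(h.values()) for h in results.values()) * cost_per_record


# Constructed sample "network share" contents (not real data).
SAMPLE_FILES = {
    "hr/onboarding.csv": "Jane Doe,123-45-6789,jane@example.org\n"
                         "Bob Roe,234-56-7890,bob@example.org\n",
    "finance/old_orders.txt": "card 4111 1111 1111 1111 exp 01/27\n"
                              "card 1234 5678 9012 3456 bogus\n",
    "eng/readme.txt": "Build with make; see docs.\n",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for path, hits in sorted(found.items()):
        print(path, dict(hits))
    print("estimated exposure:", exposure_estimate(found, 150.0))
```

In a real scan the dictionary of file contents would be replaced by a walk over the shares and endpoints in scope, and the hit counts would be reviewed by an analyst before the estimate is reported, since pattern matches (the e-mail detector in particular) overcount records.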

INDICATION OF COMPROMISE SCAN

Indication of Compromise Scans allow us to look for existing hacks, viruses and ransomware threats, locate any suspicious activity that may have occurred, and confirm the presence of known or unknown malware on devices attached to or off the network.

  • Event collection: This non-intrusive data collection technique transparently captures endpoint activity information from assets both on and off the network. It is a performance-based collection rather than one that depends solely on a query-based approach or log collection.
  • Actionable intelligence: By using threat identification rules, we can quickly identify indicators of compromise, verifying threat intelligence, the scale of infections, the first-infected asset (Patient Zero), and the timeline of breaches.
  • High levels of detection: We look for threats and suspicious activity using a definitive indication-of-compromise program that searches billions of active and past system events, coupled with threat intelligence data from Cisco Talos, to identify indicators of compromise as well as indicators of activity (infiltration and exfiltration of files). We capture endpoint activity on files, processes, mutant handles (mutexes), registries, and network connections.
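The three bullets above describe one pipeline: collect endpoint events, match them against indicators, then derive scale, Patient Zero and a timeline. The following is an added example of that matching step and is not the vendor's product logic. The telemetry records, the indicator values (a placeholder hash, mutex name and domain) and the names `IOCS` and `EVENTS` are all constructed for the example.

```python
"""Indicator-of-compromise matching over collected endpoint events.

Added example, not the vendor's product. The event records and the
indicator values below are constructed placeholders, not real IoCs."""
from datetime import datetime

# Indicator set keyed by the event field it applies to (file hash,
# mutex name, destination domain). Placeholder values only.
IOCS = {
    "file_sha256": {"0" * 63 + "1"},
    "mutex": {"Global\\ExampleLockerMutex"},
    "dst_domain": {"c2.example.invalid"},
}

# Constructed endpoint telemetry: (asset, ISO timestamp, field, value).
# Covers the event kinds the text names: files, processes, mutexes,
# network connections.
EVENTS = [
    ("ws-07", "2024-03-01T08:02:11", "process", "outlook.exe"),
    ("ws-07", "2024-03-01T08:05:40", "file_sha256", "0" * 63 + "1"),
    ("ws-07", "2024-03-01T08:05:42", "mutex", "Global\\ExampleLockerMutex"),
    ("ws-07", "2024-03-01T08:06:03", "dst_domain", "c2.example.invalid"),
    ("fs-01", "2024-03-01T09:17:55", "file_sha256", "0" * 63 + "1"),
    ("ws-12", "2024-03-01T11:40:09", "dst_domain", "c2.example.invalid"),
    ("ws-12", "2024-03-01T11:41:00", "dst_domain", "updates.example.org"),
]


def match_events(events, iocs):
    """Return the events whose (field, value) pair is in the indicator set,
    sorted chronologically. ISO-8601 timestamps sort correctly as strings."""
    hits = [e for e in events if e[3] in iocs.get(e[2], ())]
    return sorted(hits, key=lambda e: e[1])


def summarize(hits):
    """Derive scale of infection, first-infected asset (Patient Zero) and a
    per-asset timeline from the matched events."""
    if not hits:
        return {"assets": 0, "patient_zero": None, "first_seen": None, "timeline": {}}
    timeline = {}
    for asset, ts, field, value in hits:
        timeline.setdefault(asset, []).append((ts, field, value))
    first_asset, first_ts = hits[0][0], hits[0][1]
    return {
        "assets": len(timeline),
        "patient_zero": first_asset,
        "first_seen": datetime.fromisoformat(first_ts),
        "timeline": timeline,
    }


if __name__ == "__main__":
    summary = summarize(match_events(EVENTS, IOCS))
    print("infected assets:", summary["assets"])
    print("patient zero:", summary["patient_zero"], "at", summary["first_seen"])
    for asset, entries in summary["timeline"].items():
        for ts, field, value in entries:
            print(f"  {ts} {asset} {field}={value}")
```

Matching on exact values is the simplest form of a threat identification rule; a production engine adds rules over sequences of events (a file write followed by a mutex creation and an outbound connection) and pulls the indicator set from a feed rather than a literal.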

VULNERABILITY SCANS

Vulnerability scans and vulnerability assessments search systems for known vulnerabilities. Vulnerability scans are typically automated, and they detect issues such as missing patches and outdated protocols, certificates, and services.

Organizations should maintain baseline reports on vital equipment and should investigate changes in open ports or added services. A vulnerability scanner alerts network defenders to unauthorized changes throughout the network environment.

By reconciling any changes we find against all change-control records, we can determine if the change was authorized or if a problem exists, such as a malware infection or the violation of your change-control policies by an employee.
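The two paragraphs above describe a procedure: keep a baseline of open ports and services per host, diff each new scan against it, and reconcile every change against change-control records so that only unexplained changes need investigation. The following is an added example of that reconciliation, not the scanner's own reporting. The baseline, the current scan and the approved tickets are constructed placeholders, as are the names `BASELINE`, `CURRENT` and `CHANGE_CONTROL`.

```python
"""Reconcile a scan's port/service inventory against a saved baseline and
against change-control records, separating authorized from unexplained
changes.

Added example, not the page's scanner. All data below is constructed."""

# Baseline report: host -> set of (port, service) observed last time.
BASELINE = {
    "db-01": {(22, "ssh"), (5432, "postgresql")},
    "web-01": {(22, "ssh"), (443, "https")},
}

# Latest scan: a new listener on db-01, a new port on web-01, a new host.
CURRENT = {
    "db-01": {(22, "ssh"), (5432, "postgresql"), (4444, "unknown")},
    "web-01": {(22, "ssh"), (443, "https"), (8443, "https-alt")},
    "web-02": {(443, "https")},
}

# Approved change tickets: (host, port, action). Placeholder records.
CHANGE_CONTROL = [
    ("web-01", 8443, "open"),
    ("web-02", 443, "open"),
]


def diff_services(baseline, current):
    """Return (host, port, service, action) for every service that was
    opened or closed since the baseline. New hosts diff against an empty
    baseline, so every service on them appears as opened."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        before = baseline.get(host, set())
        after = current.get(host, set())
        for port, svc in sorted(after - before):
            changes.append((host, port, svc, "open"))
        for port, svc in sorted(before - after):
            changes.append((host, port, svc, "close"))
    return changes


def reconcile(changes, tickets):
    """Split changes into those covered by a change-control record and
    those that are not; the second list is what defenders investigate."""
    approved = {(host, port, action) for host, port, action in tickets}
    authorized, unauthorized = [], []
    for host, port, svc, action in changes:
        bucket = authorized if (host, port, action) in approved else unauthorized
        bucket.append((host, port, svc, action))
    return authorized, unauthorized


if __name__ == "__main__":
    ok, suspect = reconcile(diff_services(BASELINE, CURRENT), CHANGE_CONTROL)
    for change in ok:
        print("authorized  ", change)
    for change in suspect:
        print("INVESTIGATE ", change)
```

Run against real scanner output, the unexplained list is short enough to review by hand, which is the point of keeping a baseline: the question becomes "who opened this" rather than "is this port normal".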

PENETRATION TEST

A penetration test actively attempts to exploit weaknesses within your environment. These analyses require a specific level of security expertise.

Penetration testing is an entirely different type of analysis from the previous tests. Its purpose is to readily identify insecure business processes, improper security settings, and other weaknesses that could be exploited by a hacker or malware, such as unencrypted passwords in the data flow, reuse of passwords, and even forgotten databases that still hold valid user credentials.

Penetration tests do not need to be conducted as often as vulnerability scans, but should be performed at least annually. Most of the time they are performed by third-party specialists rather than internal staff, so that the penetration test offers an objective view of the network environment, free of conflicts of interest.

A penetration test report should be short and to the point. It can have appendices listing specific details, but the main body should focus on what data was compromised and how. It should offer a description the customer can understand, including the methods used to conduct the attack and what an exploit of that type could cost the organization in lost revenue, fines, and penalties. It should contain recommendations they can share with their information security department or managed security services provider to improve their security posture.

Penetration tests rely on various tools, but the effectiveness of this type of analysis depends on the tester.

The tester should have:

  • A full span of security knowledge along with experience and training in specific information security topics, as well as familiarity with the organization’s area of business
  • An ability to think abstractly and attempt to anticipate threat actor behaviors
  • The focus to be thorough and comprehensive
  • The willingness to explain how and why the customer’s network environment is capable of being compromised.

Comparison of scans and tests

Frequency
  • Cyber Liability Scan: I recommend that these be performed monthly to assure that personally identifiable information is not exposed.
  • Vulnerability Scan: I recommend that these be performed quarterly at the very minimum, always after an install of new equipment, and any time there is a significant change to your network.
  • Indication of Compromise: Should be done when starting with a new provider and quarterly thereafter.
  • Penetration Test: Once or twice a year, as well as any time the Internet-facing equipment undergoes significant changes.

Reports
  • Cyber Liability Scan: Identifies potential accessibility of Personally Identifiable Information (PII) and Personal Health Information (PHI) and financial violations.
  • Vulnerability Scan: Provides a comprehensive baseline of what vulnerabilities exist and what changed since the last report.
  • Indication of Compromise: Identifies vulnerabilities that have been exploited on your systems.
  • Penetration Test: Concisely identifies what data was compromised.

Focus
  • Cyber Liability Scan: Lists potential fines and penalties if this information is released in a breach.
  • Vulnerability Scan: Lists known software vulnerabilities that could be exploited.
  • Indication of Compromise: Discovers exploited weaknesses in your system.
  • Penetration Test: Discovers unknown and exploitable weaknesses in normal business processes.

Performed By
  • Cyber Liability Scan: Best performed by trained security specialists who can evaluate information and eliminate false positives.
  • Vulnerability Scan: Typically conducted by in-house staff using authenticated credentials; does not require a high skill level.
  • Indication of Compromise: Typically conducted by an outside vendor who holds specialised information security technology certifications.
  • Penetration Test: Best to use an independent third-party outside service. I recommend that you alternate these tests between two or three different firms. These are specialised tests that require a great deal of skill.

Value
  • Cyber Liability Scan: Identifies data that should be protected that is not currently protected.
  • Vulnerability Scan: Detects when equipment could be compromised.
  • Indication of Compromise: Identifies problems in the system so that they can be treated.
  • Penetration Test: Identifies and reduces weaknesses.