When most people think of cybersecurity, they think of anti-virus and firewalls. Those are part of cybersecurity, but thinking of them as the whole is like thinking of a tire or a windshield as the automobile. Cybersecurity is the comprehensive ability of an organization to identify, protect against, detect, respond to and recover from cyber incidents. These incidents have the potential to damage brand integrity through data loss or leakage. Cybersecurity assessments are an important component of any broader cybersecurity strategy. This article discusses what happens in a cybersecurity assessment.
A Cybersecurity Posture Assessment is a standardized process used to define, evaluate, assess and document the cybersecurity readiness, proficiency and awareness of a given organization. A posture assessment is a "static" evaluation: a point-in-time review that creates a baseline for the organization. It aligns with the Priority 1 tasks in NIST SP 800-53. It is a passive process that does not include active penetration testing. The assessment is done by observation, and no changes are made to any configuration or system. There is no attempt to affect operations, nor to obtain a tangible demonstration of flaws beyond what passive observation reveals.
The process always begins with a pre-engagement meeting. A Master Services Agreement, a Non-Disclosure Agreement and a Scope of Work are put in place, and the Scope of Work defines the schedule. Deliverables are discussed and executed on a timeline that legal and management review on both sides permits.
A kick-off meeting starts the project. The assessor is onsite and interviews various personnel to determine engagement, training, awareness and proficiency. Passive inspections are made of the various control systems; functions and configurations are reviewed. It is preferred that the assessor be escorted by a subject matter expert. The assessor should NOT access systems directly or be given any admin credentials. Instead, the assessor asks questions and is shown the status of configurations and settings. Depending on the scope of the assessment, the assessor may review the maturity and effectiveness of some or all of these areas:
- Governance – Confirm that management understands the risks to the organization and how to manage them.
- Cybersecurity Policy – Review or determine the existence of policy documents such as:
  - Acceptable Use Policy
  - Data Retention Policy
  - Data Classification Policy
- Staff Review – Determine staff proficiency with respect to:
  - Understanding of their job roles
  - Written job descriptions that include cybersecurity responsibilities
- Identity Management – Review the identity lifecycle: creation, access control, suspension and termination of user IDs
- Asset Management – Determine whether data, personnel, devices, systems, software and facilities are identified, inventoried and managed
- Risk Assessment – Determine whether the company understands the cybersecurity risks to individuals, mission, assets and reputation
- Risk Management – Determine whether the company has identified natural, unintentional and intentional risks and has rated each as Risk = Probability x Harm
- Data Retention and PII, PHI and PCI assessment – Evaluate how sensitive data is stored, secured, accessed and transmitted, how long it is retained and how it is disposed of
- Training and Awareness – Determine to what extent cybersecurity training and communication of current threats is provided to the rank and file
- Access Control – Evaluate the controls designed to ensure confidentiality and integrity (e.g. review file server share permissions, encryption, AV, or tools that detect ransomware by recognizing bursts of large write requests)
- Data Leakage Protection – Evaluate the controls designed to prevent data leakage via transmission or exposure to an unauthorized or unintended recipient (e.g. review O365 DLP policies, PIN-to-print, encrypted transmission of HIPAA data, limited or controlled use of USB ports)
- Intrusion Detection and Prevention – Determine whether tools or processes exist to identify and block unauthorized access to the network (e.g. review FireEye, Darktrace or Meraki monitoring tools)
- Network Infrastructure Security – Evaluate the tools and controls in place to prevent unauthorized intrusion from the outside (review firewalls), from the LAN (IDS/IPS, MAC address filtering, noting that MAC filtering is easily spoofed and should not be relied on alone) or via the wireless network (confirm WPA2 Enterprise, or strong passwords with limited guest access)
- Configuration Control and Patch Management – Confirm that configuration standards exist for network devices, servers, end-user computers and mobile devices. Determine whether change management is used to test patches for critical infrastructure in a test environment before deployment and to communicate and log changes. Ensure that High and Critical patches are deployed to end-user devices on a timely, regular and automated basis
- Business Continuity – Review the plans and the personnel tasked with continuity of operations. Confirm that mock DR drills take place at least annually. Ensure that staff members understand their roles and that there is 80/20 cross coverage
- Backup and Restore – Review the backup routines and architecture. Confirm that mock recoveries take place at least annually. Ensure that confidentiality is maintained during backup and restore (e.g. backup media is encrypted and access to it is restricted)
- Data Security – Review how data is stored, handled, labeled, transferred and disposed of
- Physical Security – Review the electronic and physical security of the building, sensitive areas, data storage areas and network closets. Confirm that these areas are appropriately secured and can still be accessed during emergencies
- Auditing and Vulnerability Scanning – Determine whether there is internal vulnerability scanning or auditing to ensure compliance with policies or best practices, management review of access control lists, and HR oversight of the identity lifecycle
- Security Information and Event Monitoring – Ensure that events detected by the intrusion detection or prevention tools are aggregated, and that a system (automated or via manual review) alerts responders to an incident
- Incident Logging, Response and Communication – Confirm that:
  - business-day and after-hours incident response protocols exist, with designated first responders and backup responders
  - responders have the tools and skills to log incidents and to identify and mitigate threats, incidents and breaches
  - there is an escalation plan with formats for communicating both internally and externally
  - individuals are trained and designated to speak externally
- Post-Mortem Root Cause Analysis and Continuous Improvement – Confirm that an after-action root cause analysis is performed and feeds a continuous improvement process
- Risk Mitigation – Ensure that, as part of recovery, continuous improvement includes updates to risk planning and training
- Risk Conveyance – Determine whether the organization carries Business Continuity or Cybersecurity Insurance
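The file server share review under Access Control and the management review of access control lists under Auditing are usually handled by having the customer's subject matter expert run a query while the assessor watches, which keeps the assessor off the systems. The following PowerShell is an added example and is not part of the original article or any vendor's toolkit. It assumes a Windows file server with the SmbShare module (Windows Server 2012 or later) and an SME session with rights to read both the share ACLs and the NTFS ACLs; the list of "broad" principals and the output file name `share-acl-findings.csv` are choices made for this example.

```powershell
# Added example, not from the original article. Run by the customer's SME on a
# Windows file server; the assessor only reads the resulting report, consistent
# with the rule that the assessor never accesses systems directly.

# Principals that should normally never hold write rights on a file share.
# This list is an assumption for the example; extend it to match the environment.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

# Share-level ACL: Full or Change granted to a broad principal.
function Get-BroadShareGrant {
    param([Parameter(Mandatory)][string]$ShareName)
    Get-SmbShareAccess -Name $ShareName |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $BroadPrincipals -contains $_.AccountName
        }
}

# NTFS ACL on the share root: any write-capable right granted to a broad principal.
function Get-BroadNtfsGrant {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -match 'Write|Modify|FullControl')
        }
}

# Skip the administrative shares (C$, ADMIN$, IPC$), which are flagged Special.
$Findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    $shareGrants = @(Get-BroadShareGrant -ShareName $share.Name)
    $ntfsGrants  = @(Get-BroadNtfsGrant -Path $share.Path)

    # Effective access over SMB is the more restrictive of the two layers, so a
    # share is only broadly writable when BOTH layers grant it. Both layers are
    # reported so the SME can show which one is actually enforcing the restriction.
    foreach ($g in $shareGrants) {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Layer     = 'Share'
            Principal = $g.AccountName
            Right     = $g.AccessRight
            Effective = ($ntfsGrants.Count -gt 0)
        }
    }
    foreach ($g in $ntfsGrants) {
        [pscustomobject]@{
            Share     = $share.Name
            Path      = $share.Path
            Layer     = 'NTFS'
            Principal = $g.IdentityReference.Value
            Right     = $g.FileSystemRights.ToString()
            Effective = ($shareGrants.Count -gt 0)
        }
    }
}

$Findings | Sort-Object Share, Layer | Format-Table -AutoSize
# Output file name is an arbitrary choice for this example.
$Findings | Export-Csv -Path .\share-acl-findings.csv -NoTypeInformation
```

Rows with `Effective` set to True are the real findings: a broad principal can write to that share over the network. Rows where only one layer is broad are still worth recording, because a share that relies on a single layer for its restriction has no defense in depth, and a later change to that one ACL silently opens the data. The script only inspects the share root; subfolders with their own inherited or explicit ACLs need a separate walk.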
Upon completion of the assessment a “Findings and Recommendations” report will be generated and a final meeting to discuss the report will be held.
The report can be used as the basis to create an Implementation Plan. A project manager is normally assigned to generate the Implementation Plan and then manage its successful delivery into the production environment.
The assessment itself is not an unpleasant experience because it is not a traditional “audit”. It is rather a healthy form of introspection in which both the personnel and the organization come out on the other side more professional, knowledgeable and secure.
It is important to note that the assessment, even if it includes assistance with implementation, should not be thought of as the final step. This process is intended to be followed by a more rigorous assessment, which examines the robustness and effectiveness of the corrections made in response to the original inspection. It is recommended to do this in parallel with actual penetration testing. Just as with Business Continuity Plans, the organization should review its posture annually. Static defenses are static targets, and we need to be highly cognizant of the fact that we face a determined and evolving adversary. Within a year, attackers will have refined their techniques and added new ones.