Highlights of the May 24, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP. CISA, CSCP, Senior Director, and featuring Justin Krentz, Principal, Business Development, Vertilocity, and Chris Bowman, Director of Security Service, Vertilocity
Watch webinar on-demand.
Purposes of a cybersecurity risk assessment:
Identify threat sources.
Identify threat events.
Identify vulnerabilities: where are the blind spots?
Determine the likelihood of exploitation: low or high risk for an attack.
Determine probable impact of an attack on business or operations.
Calculate risk as a combination of likelihood and impact.
Start with a framework:
Establish a common language so everyone in the organization is using the same controls and terminology, thereby eliminating confusion.
Have a cybersecurity framework that is a system of standards, guidelines, and best practices to manage risk. Has to be updated regularly, on a recurring cadence, to stay current with changes in your organizations.
Standards should be flexible, repeatable, and cost-effective to promote protection and resilience.
Framework should support communication between technical and non-technical employees, all individuals within the organization.
Need to be able to benchmark and know where you stand relative to previous periods.
Cybersecurity risk assessment refers to the process of identifying, estimating, and prioritizing security risks. Covers technology but also includes policies, processes, and employee training used to protect users and data. Involves a deep dive into how are the organization is accessing data, who is accessing data—all the components that make up a risk posture.
Network assessment includes:
Internal systems: Critical to know what you are measuring; have to identify that first. Assess your internal systems, the machines in your networks, servers that are system-critical, the computers in your system, the mobile devices that are connecting into your system.
Backup and recovery plan: How you backup data to protect against data loss; if a server fails, have a plan around restoring services. Includes employee roles and who is in charge of various aspects of the system, who controls access, and coordination with HR on how roles define access to files and systems.
System stability: Determine the criticality of a system and if it is worth the effort to ensure higher guaranteed uptime. Some systems are mission critical and no downtime can be tolerated, so need additional functionality in place to allow those systems to continue to function in the event of a failure.
Use policies: Define what behaviors are permitted while employees are using company assets and networks. Include policies around use of personal devices, when and how they can be used.
Security assessment includes:
Attack surface: Includes anything a user can access, a way someone could get into and exploit a system. There are many in any network and it is important to identify risks associated with attack surfaces.
Points of entry: Includes attack surfaces that specifically allow remote activity from outside into the organization, like VPNs, desktop tools, web portals. Need to define the level of risk for each.
User habits: Users often share account information, which can be a huge problem because it becomes impossible to audit exactly who is doing what in the event of a cyber incident. It is particularly important with users working from home and at different times, or for groups operating outside the U.S. (geo-blocking solutions)
Security policies: Review the policies of the organization to determine if they are following industry best practices or are if there are gaps. Identify gaps and develop policies to protect the organization.
HR procedures: HR needs to be involved in defining security by job role and access, and building procedures around asset retention, such as a policy for returning equipment when an employee leaves the organization.
Legal impact: Determine if the organization is required to have documentation for security or around auditing user activity, such as with financial and medical organizations, which are required to comply with industry regulations and standards.
Vulnerability assessment includes:
Review applications for flaws. A tendency is that once they’re deployed to rarely perform updates, patches. Have to periodically review and ensure patches are employed.
Operating system flaws: Application that run computer servers have so much control over environment, so have to maintain patching.
Computer system flaw: There can be design limitations within a computer that allows exploitation where information can be extracted. Often simply have to acknowledge that risk is there and wait for a vendor to develop a solution.
Enabled ports, processes and services: Need controls over who is allowed to run what on systems and to ensure that old software is removed from systems.
Databases: They should be configured according to best practices, encrypted, and protected from external access?
Human errors: Identify ways human errors are likely to happen in order to build controls around them.
The dark web is where hackers exchange information they’ve stolen from an organization. Need to determine if information or credentials have been stolen and close those gaps.
Integration of people, processes, and technology:
Need all three in place to secure the organization, or there is no defense.
Have to make sure people are following the processes you have put in place and using the technology.
Have to get buy-in from the executive team and they need to champion the efforts.
Risk assessment outcomes:
Should have a road map: Identify the risks, the impact scores of each risk, and a plan to start closing security gaps according to priorities.
Components of a well-designed cybersecurity solution: Risk assessment is first, the key to creating a solution. Other components include security training for users, advancing detection responses, cyber insurance policies (insurers are telling companies they need to do a better job of risk assessment, identifying and quantifying their risks).
Recovery Plan:
Have to have a policy that defines recovery objectives: the impact on the business, the time it takes to get systems back online, the farthest point back in time you can tolerate a loss of data.
Define dependencies and criticality of applications, including the systems that need to be brought back on line before applications can be.
Obtain licensing information: It is critical to understand the licensing requirements around software in a disaster scenario and how to get licensing back after detecting a problem. Document the process.
Any risk assessment should include a disaster recovery plan and testing the plan to ensure you understand all the implications of a recovery if it needs to be done, including how it actually happens, what can be expected, and who is in charge of what.
Recovery testing:
Review the plan for outdated or missing items.
Conduct a recovery scenario simulation or restoration.
The standard is to have backups in three places, one on premises and two offsite.
Document issues and encounters.
Review with management.
Cybersecurity culture refers to the people in the organization and their behavior relative to cybersecurity. Make sure that individuals are taking a defensive posture and have the tools to recognize threats. It involves continuous education for every part of the organization.
Why do I need to do a risk assessment?
Ever-evolving cyber threat landscape
Changes in business objectives or business model
Changes in infrastructure
Changes in resources
Improvement and course corrections in the cyber roadmap to be able to pivot, adjust, and be nimble
Summarily, know where you stand and never become complacent. Make a point to go through this risk assessment exercise minimally on an annual basis.
