Especially for smaller organizations, it can be tricky to measure the true depth and breadth of your cybersecurity defenses. How long would it take your team to detect the presence of an attacker in your midst? And how long would it take you to respond to their presence? How difficult would it be for criminals to find a way in to begin with?
A formal cybersecurity assessment can give you a general idea of where your strengths and weaknesses lie, while undergoing penetration testing – or participating in a red team exercise – will provide much more specific insights into exactly how a breach might occur.
“Not all of our customers immediately know what kind of security assessment they need,” says Matt Wilson, Chief Information Security Advisor at BTB. “Some might use the term ‘audit’ because they’re familiar with it as part of the lingo that goes along with compliance requirements. Others might talk about a ‘risk assessment’ or a ‘threat assessment.’ Our goal is always to perform the evaluation that will provide as much useful information as possible while staying within time and budget constraints.”
All types of cybersecurity assessment share a common goal: gauging the strengths and weaknesses in the comprehensive set of technologies, controls, processes, procedures and human behaviors standing between your data and the cybercriminals looking to exploit it. How in-depth and hands-on yours needs to be depends on your organization’s initial cybersecurity maturity, the industry-specific risks and compliance requirements you face, your goals, your tolerance for risk and, of course, your budget.
Let’s take a look at the most common cybersecurity assessment types.
Risk Assessment
“This is the one that gets called by the wrong name most often,” says Wilson. “To us, ‘risk assessment’ has a very specific meaning. Performing a risk assessment means following all of the guidance outlined in NIST Special Publication 800-30. More than 200 pages of guidelines are included there.”
In fact, a formal risk assessment conducted according to the National Institute of Standards and Technology (NIST) framework is a comprehensive, labor-intensive process that’s broad in scope. The guidelines, which cover how to prepare for, conduct, and share findings from a thorough evaluation of a far-reaching array of quantitative and qualitative risk factors, are intricately detailed. This type of assessment is usually carried out by major enterprises, financial institutions, military subcontractors or other organizations that face particularly severe risks or extremely stringent regulatory requirements.
Compliance Audit
Depending upon which regulatory requirements organizations in your industry must meet, you may need to undergo annual compliance audits, during which an inspector or consultant will certify that you have the required controls and policies in place in your IT environment. Compliance audits generally follow a very specific checklist format and aim to provide a comprehensive view of your security posture at a particular moment in time.
“If cybersecurity assessments were tools, an audit would be a sledgehammer,” says Wilson. “An auditor is required to assume that everything you tell them is a lie, and to ask for evidence proving that it’s not. If you say you update all your software on a monthly basis, they’ll want to see the logs.”
Even if a vendor is performing an audit simply for purposes of assessing cybersecurity maturity, the process will be thorough and is likely to be checklist-based.
Threat and Vulnerability Assessment
Threat and vulnerability assessments (TVAs) offer you the opportunity to receive professional criticism on your security posture from a team of industry experts, as well as to get meaningful, actionable suggestions for improvement.
“A threat and vulnerability assessment is like a Swiss Army knife,” says Wilson. “It’s not going to be able to find every single thing that’s wrong, but it’ll be able to identify the most relevant and important things — and the ones that you’ll best be able to fix.”
Generally speaking, a threat and vulnerability assessment includes four primary components:
- meetings and interviews with members of your team
- review of your policies and procedures
- checks of configurations and settings
- vulnerability scanning.
An audit typically includes the same components, but an organization that’s undergoing an audit must provide detailed documentation proving that its security posture is as claimed; in contrast, a threat and vulnerability assessment is less about proof and more about deepening awareness and supporting improvement.
In addition, there are two different short-term testing engagements that can tell you exactly how well your defenses would perform if you confronted the tactics, techniques and procedures (TTPs) that a real-world attacker would employ.
Penetration Testing
Also known as a “pen test,” this investigation will help you understand your practical, real-world weaknesses in detail so that you can better plan a cybersecurity budget and strategy for the future. Penetration testing involves skilled, focused efforts to find and exploit vulnerabilities in your environment, from an internal perspective (how easily could an attacker move laterally across your network?), an external perspective (are there any open ports or other vulnerabilities to exploit?) or a web application-based starting point. The goal is to gain access to your systems or data in order to demonstrate how that feat was accomplished – so that you can remediate the vulnerabilities that made it possible.
Red Team Operations
“Red team operations are like penetration tests but carried out over a longer time period and with a larger scope,” says Wilson. “They let you see what the bad guys would really exploit: are there weaknesses in your business processes? What about those of your business partners and vendors? Are there times of the year when you’re more vulnerable because staff are on vacation? Or because large funds transfers take place then?”
Taking part in a red team exercise allows you to understand how all aspects of your information security ecosystem – from physical door locks to networking appliances, and from disgruntled former employees to independent contractors you regularly engage with – might handle a sustained assault from a determined adversary.
While penetration testing engagements usually last one to two weeks, a red team operation will take at least a month, if not longer. “Think of the recently disclosed SolarWinds breach,” explains Wilson. “Something of that scale could never have been accomplished in a week. It took an enormous amount of time and planning. Red teaming allows us to simulate more complex real-world attacks.”
How to Choose
What type of cybersecurity assessment is right for your business depends upon the risks that your industry typically faces, your compliance requirements, and how much money you have to spend. Threat and vulnerability assessments are a good first step for organizations looking to deepen their cybersecurity maturity, while those facing complex regulatory requirements may need to undergo audits and penetration testing on a regular basis.
No matter your budget or your risk profile, it’s important to build an organizational culture that emphasizes risk awareness and to follow basic cybersecurity best practices. “The organizations that are paying attention are the ones that are getting it right,” says Wilson.
Interested in exploring how our team of leading industry experts can help you investigate your own risks and vulnerabilities? Discover how our threat assessments and tests provide clear, meaningful, actionable results to organizations of all sizes.