Internal and External cyber risk score for enterprise : A comparison | Lucideus

Background
With advances in technology such as the rapid increase in reliance on computer systems, the Internet, and wireless systems, cybersecurity is of growing importance. Cyber attacks have gradually transformed from theft-driven crimes into meticulously planned hacks of far greater magnitude that can manipulate organisational data and cause serious disruption. Many companies have recently been targets of such attacks, for example the WannaCry ransomware, which impacted businesses in about 100 countries.

For enterprises, all this poses new challenges related to collaborations, vendor risk management, continuous assessment of their IT assets, etc.

As a result, enterprises are on the lookout for third-party providers that deliver a quantitative analysis of their cybersecurity posture that is both accurate and easy to understand. A variety of products with numerous distinct features serve this domain. All of them aim to make the IT infrastructure of an enterprise cyber-resilient; however, they differ in their approach. Some apply intrusive methods, i.e. scanning the internal IT assets of an enterprise for vulnerabilities, while others rely on non-intrusive methods such as collecting data about the enterprise that is externally available. The collected data is then consolidated and analysed to produce a comprehensive cyber risk posture of the enterprise.

This analysis is then reported to the enterprise in the form of a security metric, which could be a rating, score, grade or percentile signifying the preparedness of the enterprise network against cyber attacks, or a measure of some other aspect of cybersecurity. Some vendors also use graphs or heatmaps in their reports to convey the severity of the vulnerabilities in their client’s network.

Internal Cyber Risk Scoring (Intrusive)
This process can be divided into several steps to obtain maximum efficiency. It is a cycle that should be followed continuously to stay protected from attacks.
  • First, the devices on the network are scanned. This can be done with the help of third-party systems. It gives an overview of the connections across the entire network and of the devices connected to it.
  • Next, the vulnerabilities found are prioritised according to their severity i.e. the more critical vulnerabilities are given priority over the less critical ones.
  • These vulnerabilities are assessed and assigned a security metric (rating/score/grade/percentile), and this analysis is reported to the enterprise.
  • After reporting the security flaws, some providers also suggest steps to remediate them. The list of remediations may also be prioritised.
  • Finally, tests may be carried out to verify whether the patches were applied successfully.
  • The process may repeat itself in order to provide enterprises with a continuous and real-time assessment of their cybersecurity posture.
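The cycle above (scan, prioritise by severity, assign a metric, plan remediation, verify after re-scan) modelled as an added example; this is not code from the post or from any scoring vendor. The CVSS severity bands are the standard CVSS v3 qualitative scale, while the 0-100 scoring weight, host names and vulnerability ids are constructed assumptions.

```python
from dataclasses import dataclass

# Standard CVSS v3 qualitative bands: floor score -> label.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # identifier as reported by the scanner (constructed here)
    cvss: float       # CVSS base score, 0.0 to 10.0

def severity(cvss: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "None"

def prioritise(findings):
    """Step 2: most critical first; ties broken by host and id for stable output."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.vuln_id))

def risk_score(findings) -> int:
    """Step 3: collapse findings into a 0-100 metric (100 = nothing open).
    Assumed weighting (not from the post): each finding costs cvss^2 / 10 points,
    so one Critical (10.0) costs 10 points and one Low (3.0) costs under 1."""
    penalty = sum(f.cvss ** 2 / 10 for f in findings)
    return max(0, round(100 - penalty))

def remediation_plan(findings):
    """Step 4: prioritised remediation list, one entry per finding."""
    return [f"{severity(f.cvss)}: patch {f.vuln_id} on {f.host}" for f in prioritise(findings)]

def verify(before, after):
    """Step 5: compare the pre-patch scan with the re-scan; anything still present failed."""
    fixed = set(before) - set(after)
    still_open = set(before) & set(after)
    return fixed, still_open

# Constructed sample scans (not real hosts or vulnerability ids).
SCAN_1 = [
    Finding("web-01", "VULN-A", 9.8),
    Finding("db-01", "VULN-B", 7.5),
    Finding("web-01", "VULN-C", 3.1),
]
SCAN_2 = [Finding("web-01", "VULN-C", 3.1)]   # re-scan after patching A and B

if __name__ == "__main__":
    print("score before:", risk_score(SCAN_1), "after:", risk_score(SCAN_2))
    for line in remediation_plan(SCAN_1):
        print(line)
    fixed, still_open = verify(SCAN_1, SCAN_2)
    print("fixed:", len(fixed), "still open:", len(still_open))
```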

External Cyber Risk Scoring (Non-Intrusive)

“65% of companies that reported sharing customer data with a partner also reported subsequent breach through that partner”

Security practices in large organisations are extremely difficult to assess. The challenge grows when organisations turn to third parties to provide technology and business services, which typically requires tight network integration and sharing of confidential data, thereby potentially increasing the organisation’s attack surface. Hence, there is a need for an approach to the problem of understanding and mitigating security risks in organisations.

This non-intrusive approach addresses the need by presenting a rigorous, data-driven method for assessing organisational risk vectors. The method can inform an organisation about the risks posed by its third-party vendors and can help it better understand its own risk profile, ultimately providing guidance on how to improve the security of its own internal networks.

Risk Factors 
This method uses risk vectors that can be measured externally and objectively, and shows how they correlate with actual security incidents. Most risk vectors cannot directly cause malware infections; rather, they are indicators of conditions in an organisation that may lead to malware infection or other security problems. Breach disclosures, configuration parameters, email viruses, user behaviour, underground hacker groups, etc. are some of the data sources that may indicate malicious activity in an organisation’s network. The final report may present the cyberhealth of an organisation across these risk factors.

Observations and Conclusion
Both internal and external methods of data collection and scoring aim to evaluate a company’s potential risk. Companies usually turn to providers of external evaluations to learn the cybersecurity posture of their third- or fourth-party vendors, in order to decide whether to do business with them. This is similar to a credit score. Companies that want to understand their own cyberhealth and lack the means to do it themselves turn to providers that perform internal assessments. Such providers may also suggest a prioritised list of remediations for any vulnerabilities found.

The key differentiator, however, is that the external analysis identifies statistical correlations rather than analysing direct causation, which is what an internal assessment of an organisation’s IT assets does. Providers of external scores argue that correlating security ratings with actual outcomes yields enough information to assess the security maturity of an organisation using only externally available information. However, if tools are placed inside the firewall of a network to collect more data, the score can be expected to be more accurate.

Nevertheless, it has been seen that both these methods of evaluation produce almost the same results.

