What is a Cyber Security Risk Assessment?
A cyber security risk assessment can take many forms. In order to determine what sort of assessment is best suited, you first need to define your goals and work backwards to determine the type of assessment required. Today, we will discuss some of the different ways to assess cyber security risk.
Below are common tests that can serve as cyber security risk assessments, along with the questions that they can help answer.
1. Penetration Testing
Penetration testing can answer many questions about your network, your organization’s susceptibility to a cyber attack, and what potential risks you may be facing. Different types of penetration tests help to identify different areas of risk.
External Penetration Test: An external penetration test emulates an attacker trying to break into your network from the outside. The goal of the engineer performing this assessment is to breach the perimeter and prove that they can gain access to the internal network.
Question This Answers: Can a hacker on the Internet break into my network?
Internal Penetration Test: An internal penetration test emulates an attacker on the inside of your network. This could be either an attacker who has succeeded in breaching the perimeter through another method or a malicious insider. The goal of the engineer in this type of assessment is to gain root and/or domain administrator level access on the network, and to gain access to sensitive files.
Question This Answers: Once an attacker breaks into my network, what damage can they cause? If an internal employee goes rogue, what can they access?
Web Application Penetration Test: A web application penetration test is an in-depth vulnerability assessment and penetration test of both the unauthenticated and authenticated portions of the target web application. It tests for all of the OWASP Top 10 critical security flaws, as well as a variety of other potential vulnerabilities based on security best practice.
Question This Answers: Is my web application secure, and what could an attacker do to my organization’s website?
Wireless Penetration Test: A wireless penetration test is a comprehensive evaluation of the wireless networks in your organization using automated and manual methods.
Question This Answers: Can a hacker break into my network from the parking lot?
Physical Penetration Test: A physical penetration test is an assessment of the physical security of your premises.
Question This Answers: Can an attacker physically break into my building?
2. Best Practice Gap Analysis
A best practice gap analysis is a great way to determine your organizational risks. At Triaxiom, our best practice gap analysis is an interview-based review of your information security program. We use the Center for Internet Security (CIS) Top 20 Critical Security Controls or another relevant industry standard to comprehensively review all aspects of your information security program. Some of the areas covered include:
- Inventory and asset management
- System hardening
- Account management and principle of least privilege
- Disaster recovery and continuity of operations
- Incident response
Question This Answers: Is my security program in line with industry best practice?
3. Red Team Assessment
A Red Team Assessment is a great way to gauge your firm’s preparedness and ability to react to a cyber security event. In general, red team engagements are best for organizations that have an information security program on the higher end of the maturity scale. Maybe they have had security testing and penetration tests performed for many years, and are generally scoring pretty high across the board. Or maybe the organization wants to get a more holistic view of their risk or provide their network defenders an opportunity to practice against a realistic adversary. These are all opportunities for a red team engagement.
Question This Answers: Is my security team ready and able to react accordingly to prevent, contain, or otherwise stop an ongoing cyber incident?
As you can see, a cyber security risk assessment can take many shapes and sizes. Also, what one person considers an appropriate cyber security risk assessment can differ greatly from what another person does. Have any questions? Interested in learning more? Reach out today and we would be happy to help!