Getting key information for risk management

Blog From Huntsman Security


To meet the growing demand from regulators for greater cyber security accountability by senior executives and directors, cyber security consultants and operations teams are continuing to look for better sources of cyber security information that support and inform more effective management of cyber security risks.

We are hearing both from consultants and internal security and risk teams (whether in the security department or the internal audit function) that the technical range, choice and sophistication of suitable tools is not the issue. Matching the outputs of those tools to the needs of their users is the problem. As executives look to better manage their cyber risk, they and the teams that support them are looking for tools that provide clearer visibility of their current security posture, accurate measurement of the associated risks and business-centric metrics to enable their effective management.

At a technical level there are specialist tools for everything: old favourites like Nmap and Nessus, which can take some technical skill to navigate and interpret, together with an ever-widening range of technical apps, scripts, packages, scanners and other tools. The Metasploit framework and the Kali Linux distribution were part of this evolution.

New tools are of course emerging all the time, such as the recent rise of automated penetration testing solutions, and penetration testers often write their own technical tools to automate, simplify or speed up a particular task, or to consolidate the work they currently do across their clients and from project to project.

Highly technical tools, some that operate at the command line or ones that generate a large volume of per-system, per-vulnerability results – both real and false positives – are useful, but need skilled staff to operate and interpret. Translating outputs from these tools to create a report that can go to an often less technical audience, such as the management team, risk committee or the board, can be onerous and time consuming. Much of what should bridge the gap between the technical and management views is lost in that translation.

Spreadsheets and questionnaire-based approaches often appear simpler and more accessible, providing graphics and numerical or tabular security performance information, particularly for a less technical audience. The problem is that much of their reporting and output is based on qualitative data, subjective interpretation and non-systematic processes: hardly the basis upon which to build an accurate and objective risk assessment and management platform. When it comes to translating technical data – like the configuration of systems and controls – into actionable information, there is a requirement for something in your toolkit that accurately informs evidence-based decision making for operational security management and effective executive oversight.

The ransomware threat has exacerbated these problems for both consultants and end-user organisations. There is, for example, broad agreement amongst security specialists that a simple set of well maintained security controls (patching, user awareness, application controls, backups and so on) can counter much of the ransomware challenge, and these controls span both the managerial and technical aspects of security. Measuring and reporting the effectiveness of each of these controls will therefore show where security settings need to be adjusted.

Obviously, it is possible to “check” the technical implementation or to capture assessments in a questionnaire format. That approach, however, has the disadvantage of being unable to quantify the identified risk and use that measurement as the basis of risk management decision making. The business doesn’t want a list of servers and their corresponding vulnerabilities; it wants to know the scale of the risk. Risk officers don’t want the architectural nuances of how data is protected and made available for recovery; they want to know, in the event of an attack, how quickly the systems will recover and what the implications are for business continuity.

So technical approaches and tools need to gather data and provide quantitative outputs and reporting in clear, accurate and reliable ways. While qualitative high-level approaches can appear at the outset to reduce the time and effort required in the risk assessment process, the subjective nature of the inputs can make their accuracy variable and the resulting analyses unreliable. Only objective observations and empirical risk measurement can provide a consistent basis for evidence-based risk management decision making.
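The two preceding paragraphs argue for turning per-host technical evidence (patch status, backup state, application control) into control-effectiveness and exposure figures that a risk committee can act on. The script below is an added example of that translation; it is not Huntsman Security's code or product logic. The `Host` schema, the six host records, the reporting date and the control thresholds (14-day patch SLA, 1-day backup freshness, 90-day restore-test window) are all constructed assumptions chosen to illustrate the calculation.

```python
"""Translate per-host technical findings into control-effectiveness and risk metrics.

Added example, not vendor code. The schema, host records and thresholds are
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Reporting date and control thresholds: assumed values for this example.
AS_OF = date(2024, 6, 1)
PATCH_SLA_DAYS = 14             # critical patches must be applied within this many days
BACKUP_MAX_AGE_DAYS = 1         # a backup older than this is treated as stale
RESTORE_TEST_MAX_AGE_DAYS = 90  # a restore must have been exercised within this window


@dataclass(frozen=True)
class Host:
    """One row of technical evidence about a system (constructed schema)."""
    name: str
    business_critical: bool
    oldest_missing_critical_patch_days: Optional[int]  # None: nothing outstanding
    last_backup: Optional[date]
    last_restore_test: Optional[date]
    app_control_enforced: bool


# Constructed sample inventory: what a scanner or CMDB export might yield.
HOSTS = [
    Host("web-01",  True,  3,    AS_OF - timedelta(days=1), AS_OF - timedelta(days=30),  True),
    Host("db-01",   True,  21,   AS_OF,                     AS_OF - timedelta(days=200), True),
    Host("file-02", False, None, AS_OF - timedelta(days=7), None,                        False),
    Host("hr-app",  True,  40,   None,                      None,                        False),
    Host("wiki-01", False, 15,   AS_OF - timedelta(days=1), AS_OF - timedelta(days=10),  True),
    Host("jump-01", False, 5,    AS_OF - timedelta(days=1), AS_OF - timedelta(days=5),   True),
]


def _within(d: Optional[date], max_age_days: int, as_of: date) -> bool:
    """True if the recorded date exists and is no older than max_age_days."""
    return d is not None and (as_of - d).days <= max_age_days


def patched(h: Host) -> bool:
    """Preventive control: no critical patch outstanding beyond the SLA."""
    days = h.oldest_missing_critical_patch_days
    return days is None or days <= PATCH_SLA_DAYS


def recoverable(h: Host, as_of: date = AS_OF) -> bool:
    """Recovery control: a fresh backup AND a recently tested restore.

    A backup nobody has ever restored from is not evidence of recoverability,
    so both conditions must hold.
    """
    return (_within(h.last_backup, BACKUP_MAX_AGE_DAYS, as_of)
            and _within(h.last_restore_test, RESTORE_TEST_MAX_AGE_DAYS, as_of))


# Each control maps to a pass/fail check on one host.
CONTROL_CHECKS = {
    "patching": lambda h, as_of: patched(h),
    "backup_freshness": lambda h, as_of: _within(h.last_backup, BACKUP_MAX_AGE_DAYS, as_of),
    "restore_tested": lambda h, as_of: _within(h.last_restore_test, RESTORE_TEST_MAX_AGE_DAYS, as_of),
    "application_control": lambda h, as_of: h.app_control_enforced,
}


def control_effectiveness(hosts, as_of: date = AS_OF) -> dict:
    """Fraction of hosts (0.0 to 1.0) on which each control is actually in effect."""
    return {name: sum(check(h, as_of) for h in hosts) / len(hosts)
            for name, check in CONTROL_CHECKS.items()}


def ransomware_exposed(hosts, as_of: date = AS_OF) -> list:
    """Hosts where prevention has lapsed AND recovery would not save them."""
    return [h.name for h in hosts if not patched(h) and not recoverable(h, as_of)]


def summary(hosts, as_of: date = AS_OF) -> dict:
    """Management-level view: control scores, exposed hosts, recoverability of critical systems."""
    exposed = ransomware_exposed(hosts, as_of)
    critical = [h for h in hosts if h.business_critical]
    return {
        "control_effectiveness": control_effectiveness(hosts, as_of),
        "exposed_hosts": exposed,
        "exposed_business_critical": sum(1 for h in critical if h.name in exposed),
        "critical_recoverable_fraction": sum(recoverable(h, as_of) for h in critical) / len(critical),
    }


if __name__ == "__main__":
    for key, value in summary(HOSTS).items():
        print(f"{key}: {value}")
```

The point of the structure is that the same evidence feeds two audiences: `control_effectiveness` gives the operations team a per-control score to drive remediation, while `exposed_hosts` and `critical_recoverable_fraction` give the risk committee the scale of the ransomware exposure and the business-continuity outlook, without listing every vulnerability. Changing a threshold such as `PATCH_SLA_DAYS` immediately shows how a policy decision moves the numbers.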

In a world where the management of cyber security risk is now an executive responsibility, tools that can easily measure risk and translate those measurements into key security metrics, to aid technical and business executives in their ongoing risk management efforts, are a new imperative.

Risk teams and consultants that support executive teams need access to these new tools: tools that quickly take objective measurements of technical failures, gather security configuration and organisational data, and provide clear, easily understood, visual and quantitative outputs in a form that audiences from both the risk and executive disciplines can understand.

To add to your cyber security tool box or simply get more information about our solution for ransomware risk assessment and cyber security posture scoring, find it here.