Cyber Risk Assessment - What is a Cybersecurity Risk Assessment

July 12, 2021

The Cyber Rants Podcast

Episode #35 - Cyber Risk Assessments: Everything You Never Thought You Wanted To Know!

What is a cybersecurity risk assessment? This week, the guys take a deep dive into the intricate world of Cyber Risk Assessments. They cover best practices from choosing an industry recognized cybersecurity framework, to scoping and preparing for your cyber risk assessment, plus how to make cybersecurity standards like NIST, CSF, and CIS Controls work for your company.

They discuss how these assessments work for different purposes and what to expect when you're planning for your first Cyber Risk Assessment.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

Cybercrime Costs Organizations Nearly $1.79 Million Per Minute
Ransomware: To Pay or Not to Pay? Legal or Illegal? These Are the Questions

REvil Ransomware Asks $70 Million to Decrypt all Kaseya Attack Victims

Kaseya Hacked via Authentication Bypass

CISA, FBI Share Guidance for MSPs and Their Customers Impacted in Kaseya Attack

Bad News: Fake Kaseya VSA Security Update Backdoors Networks with Cobalt Strike

Agent REvil Unveiled in Kaseya VSA Ransomware Attack

Good News: Researchers Uncovered the Network Infrastructure of REVil – The Notorious Ransomware Group That Hit Kaseya

QNAP Fixes Critical Bug in NAS Backup, Disaster Recovery App

Microsoft – nuff said?

Microsoft Issues New CVE for 'PrintNightmare' Flaw
Microsoft Pushes Emergency Update for Windows PrintNightmare Zero-day
Experts Bypassed Microsoft’s Emergency Patch for the PrintNightmare

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo zach fuller and

lauro chavez hello and welcome to the cyber ants podcast this is your co-host zach fuller joined by

mike rotondo and lauro chavez today we are talking about cyber risk assessments everything you

never thought you wanted to know about cyber risk assessments but uh it's important topic because

everybody needs to understand how they're exposed at the highest level across an organization

so before we do that mike you want to kick us off with the news and get some interesting headlines

for us today i'm not going to start out with microsoft i'm going to save that for the end

but anyway uh cyber crime costs organizations nearly a dollar 79 1.79 million per minute um

cyber crime costs organizations is incredible 1.79 million every minute according to risk iq

the study analyzed the volume of malicious activity on the internet exposed the scale and

damage of cyber attacks in the past year finding that 648 cyber threats occurred every minute

researchers calculated that the average cost of a breach is 7.2 dollars per minute while

the overall predicted cyber security spend is 280 000 every minute well the e-commerce industry saw

a record 861.1 billion in sales it lost 38 052 in online payment fraud every minute healthcare lost

13 dollars per minute on digital security breaches in it in the past year court also

looked at the impact of different forms of cyber crime that showed that permanent there was 3 615

loss to cryptocurrency scams and 525 000 records compromised and six organizations victimized by

ransomware and that is per minute the question continues to come out ransomware to pay or not

to pay legal or illegal these are the questions so there's no guarantee that a decrypter will be

forthcoming if you do pay the ransom that's one thing we all need to understand uh basically on

a recent cyber survey by cyber reason they found that almost half of the businesses that pay for

ransoms didn't regain access to all their critical data after receiving their encryption

why are people paying then well there's one problem a whole new industry segment of

ransomware negotiators and cyber insurance emerged on the other a new business segment has been born

companies and individuals began profiting from facilitating the payment of extortion demands

whether it's legal or not in october 2020 the united states department of treasury office of

foreign asset control or ofac declared it illegal to pay ransomware demand in some instances which

are still vague however aside from olfacts ruling in the united states there's still no clear

guidance on paying ransom demands and according to experts it may actually be taxed about deductible

so you know we got that going for us so it's it comes down to an ethical business reason

basically and there's no guarantee of getting your data back we all heard about cassaya all right so

i'm just going to run through some big headlines on cassette basically our evil ransomware asked

70 million to decrypt all cassette attack victims cassaya hacked by authentication

bypass it's actually a really good read cisa has come out with fbi guidance on dealing with

msps and their customers impacting the cassette attack on the bad news side fake cassette vsa

security update backdoor networks with cobalt strikes so what's basically happening is there's

a fake fix out there agent are evil unveiled and kasaya vs vsa ransomware attack so they

confirmed it's our evil and uh lastly researchers uncovered the network infrastructure of our evil

the notorious ransomware group that hit cassette that's i guess the good news they've been able to

track everything back to a cl uh a cloud provider in eastern europe so some little news qnap fixes

critical bug and nas backup disaster recovery app uh check that one out and microsoft in the news

again three fixes or actually three problems they they had a new print nightmare flaw they

released a new there's a new cda though cve that was identified they then pushed an emergency patch

and then experts were able to bypass the emergency patch so good luck with uh printing with microsoft

with that i turned to laurel and the exploits since you saved uh microsoft the offensive child

for last i'll go ahead and um just go ahead and lead with what i have today which is wordpress

again uh this week so lots of lots of wordpress plugins this month so if you're again if you're

leveraging wordpress please be careful with the plugins you're using we've got three this week

the project and document manager has a remote code execution bad bad bad news for this so if you're

running that that project and document manager plug-in make sure that you're you're updating

that beyond 4-2 the other one is plain view activity monitor if you're writing that wordpress

plug-in for monitoring activities there's a remote code execution for that as well so make

sure that you you've updated that beyond 2.0 and last but not least if you're running the wordplus

plug-in anti-malware security and brute force firewall you are subject to directory traversal

so again if you're playing with wordpress and you you know you like being in that danger zone

make sure you're updating your plugins because um that that anti-malware security reports firewall

up to 4.20 is vulnerable to that direct reversal and that is all i have this week turn back over to

use that without talking about with microsoft or wordpress they ought to be sponsoring the podcast

that's what i was thinking i wouldn't want i mean it just be like a dirty like getting sponsored by

like a dirty cesspool of stuff terrible we don't want to associate ourselves with that stuff

but uh yeah i guess everybody has problems just some have a lot more than others so if you're

on wordpress just just don't just just get off yeah it's like if you think it's just bad for

you if you think it's if you think you've got it bad just you know be glad you're not microsoft

the wordpress right now yeah exactly i've had wordpress like web developers tell me that you

know web development marketing companies tell me that oh it's the best thing ever no there's

never any problems with it it's you know it's great it's it's secure i've never heard anybody

anybody's wordpress site going down but anyway let's let's transition and we're kind of beating

a dead horse at this point right want even more cyber rants be sure to subscribe to the cyber

rants podcast get your copy of our best-selling book cyber rants on amazon today this podcast is

brought to you by silent sector a firm dedicated to building world-class cyber security programs

for mid-market and emerging companies across the us silent sector also provides industry-leading

penetration tests and cyber risk assessments visit silentsector.com and contact us today

cyber risk assessments and what you need to know about and that's what today is all about we want

to take you through a bit of a process for for all the the millions of listeners as we established uh

i think on our previous episode i want to just make sure that everybody is clear

on what a cyber risk assessment is what's involved in the process and and how to look at it cyber

risk assessment we're going to differentiate this for today's purposes we did a series on

penetration testing previously we're talking about cyber risk assessment in in the form of what we

would call a framework risk assessment following an industry recognized set of best practices and

following more of a paper analysis through reviews of documentation through interviews

that sort of thing so that's the the the lens in which we're looking through today

and i say that because it's all over the board with what the industry calls these different

these different types of assessments right so starting out and mike and lauro love to hear your

take on this but you have you really have to have to look at it in a couple different ways right the

big question is why are we doing this are we doing this because some client is telling us we have to

um are we doing it for a certain compliance requirement say nist 800 171

or cmmc for the department of defense or do we really want to know internally where our strengths

and weaknesses and across our whole cyber security cyber risk management program and so i would say

it's generally split you know we get a lot of requests for risk assessments because they're

being required by somebody by a client or prospect of one of our clients and then we

also have a lot of companies that are they truly are being proactive and they're doing it because

they're getting in the best practice of doing this at least annually let's talk about picking

a framework right and and i don't know what you guys think but i i we get a lot of these companies

they'll come to us and they say hey we had this risk assessment done a cyber risk assessment and

the company that did it they know they had their own they had their own framework they had their

own way of doing it it wasn't falling it wasn't any industry standard and that that always makes

me cringe you know i think you should really be following a a nist csf or cis controls or nist 853

or some some formal standard that's recognized across the industry that's put together by

a governing body of very smart people what do you guys think yeah you shouldn't be using buy

you bojack's security framework yeah don't want to get paid framework make it up as we

go um what do you think about uh so for the companies that are they're coming to you what

you know what would be your considerations if they're saying well you know we've never done

this before what framework should we choose for our first risk assessment call it uh maybe it's

a mid-market company between let's say somewhere between a hundred and a thousand employees

well i mean my general go-to is either in this csf or cis so those are the two

that make the most sense to me because they you can you can then step them into

uh other frameworks you can go from the csf to 171 alpha to 53 853

or cis is pretty much sufficient in itself it just doesn't have the name recognition

for some reason as nist does probably because of the federal government attachment to nest

yeah yeah no great point and that's the other thing is that kind of ask them is

it what type of clients do you have what type of customers do you have do you do

business with you know the the industries that that would better recognize nist as a

as a as a governing framework or are you in you know kind of a technology b2b industry

where you know cis would you know not only be applicable but probably be more

known about than than in the government wings yeah yeah i mean i agree the thing i like also about

those is there the the way the the data rolls up between especially this csf with your five

um major control categories um i think they do a nice job of laying that out and cis does as well

cis uh the latest version um 8.1 as of right now they they really put a lot more emphasis on

your um remote workforce so you know they took all the lessons learned and things that

companies were struggling with you know when covet hit and put that into the new

the new cis framework so i think that's beneficial as well another thing to note there too is that um

you know some of the these are going to be more palatable

for mid-market and emerging type companies whereas a more sophisticated organization with say

an in-house security department or at least a fairly robust it department um something like

nist 853 would would be more achievable for them but but that's a lot to bite off for a a

smaller organization by the way nist is national institute of standards and technology and csf is

a cyber security framework so you can google that you can download the spreadsheets online and you

can see exactly what we're talking about cis is center for sorry center for internet security

and then controls uh you can download from their website as well the framework in the form

of an excel spreadsheet and what you'll see is it's really just a big list of things that you

should have in place to be considered proactive in your security program so for those people

brand new to this stuff i wanted to give a give an overview here so let's talk about scope a little

bit so once we've picked a framework to run with right and by the way we're talking about

cyber risk assessment in the term of a of a non-compliance related audit right so we're

not talking about it in for pci or a sock 2 audit that's a that's a different topic altogether um

with with different auditors and all that so we'll save that for another day we're talking about the

things that you could even do yourself or bring a third party in for a third party attestation

of alignment so let's talk about scope what what should an organization um do i mean other

than you know doing the the risk assessment across the entire company when would you

suggest they they think about focus narrowing the focus versus just doing it company-wide

well i'm always a proponent of doing it company-wide so

um i mean you can narrow the the scope if you're doing like a

business unit or a subsidiary but other than that i mean with some of the small companies you just

might as well do the whole thing it's my is my belief i agree i agree i think i think we talked

about this before too mike that you know it's okay to probably scope things out initially so that you

you're not overwhelmed with work yeah um but you you need to i mean it's just it's ridiculous as an

example i think so you know whether you go with nist or cis they're going to require you to do

continuous vulnerability scanning as an example right we'll put one of the controls out so if you

if you narrow the scope to just this one business unit and you're trying to you know implement these

control sets there and these these programmatic continuous operationalized items that you're doing

like vulnerability scanning it's ridiculous just a vulnerability to run to implement vulnerability

scanning just for one business unit right just to say that one business unit is compliant

but all of your other business units now they have no vulnerability scanning of any kind

you're not doing the same sort of threat awareness or program management for the other sites so

it overall you need like mike said you need to work towards a holistic approach with a framework

alignment it's okay to start small and not boil the entire ocean at one time but you need to

have that holistic goal in mind otherwise you'll you'll find yourself in a place where you have

very few places that are that are secured and and running operationalized cybersecurity programs

that are aligned to frameworks and the rest of your business and and places will suffer

yeah no i totally agree with that and the other thing is that you know you got to focus on that

that framework you got to focus on getting it done because a 50 complete framework is just as useful

as a zero percent framework because it all works together yeah and these frameworks are going to

give you programmatic tactics in in both documents in process and in the technologies that you may

need to either modify or implement this defense and depth strategy right so everything that the

framework is going to tell you to do is a good it's a good thing to do in a mature cyber security

program it's going to help reduce that risk for the organization so that's why it's important

to do the whole thing excellent point you know another thing i'll touch on is rather than the ad

hoc approach of make up cyber security as you go if a breach occurs and you find yourself in court

and the opposing counsel is asking well what was your cyber security program based on and you say

oh well we have some you know smart techie people that are

doing some cyber security stuff for us it's like well no that's that's going to be considered

negligence right versus if you're able to say hey well we follow the csf uh framework we're

you know 80 aligned this is this is where we are on our plan of action and milestones

they're going to say okay wow these this company has their ducks in a row um they're not negligent

they're actually making a valid effort day in and day out to align to industry recognized standards

that's going to hold up a lot better than saying well we we made it up as we went so we aligned

your runner we allowed to buy you bojack security standard and down here that's just fine for us

we're gonna we're gonna we're gonna patent that we're gonna

create our trade market i should say make it our own right well what we're seeing too is that um

with the growth of the cyber security insurance piece as i kind of alluded to in that one

article was that insurance renewals are up 40 now because of all the hacks my assumption

is they're going to start asking you to prove that you have some kind of compliance in place

in order to be insured they've been moving to this for a while and i think this will finally take

take root because these companies are going to start seeing they're losing tons of money

because these people aren't doing their job i think they're going to treat it like health

insurance right with this pre-qualified conditions or you know what i mean like if you've got yeah if

you've got certain certain things wrong with your business they're going to say no thanks we're not

going to insure you too high risk right yeah and they do have the self the self attestations

right that's what we see most commonly is they send they their their questionnaires

are getting more and more robust but i think what they're going to i think it's going to be

requiring either one of their own auditors to come in um even for mid-market and emerging

companies or a third party like us basically giving a report um and an attestation letter

showing the extent of alignment so i think you're right and i also think cyber insurance is going

to get a lot more expensive 1.79 million dollars every minute from your article mike that's that's

crazy that's just crazy unbelievable it's staggering it shows where you know we are

losing as a nation as a world we are losing the fight against cyber crime and we're only making

the the criminals more powerful so anyway i i won't go down losing losing we haven't lost yet we

forgot there's still a chance we're not we're not um there needs to be a lot more done and

um yeah a lot of a good thing you know a lot of smart people are working to figure it out

but um we we gotta look at ourselves and say you know there's a lot we don't know um there's a long

way to go here but um yeah i want to go back to the self attestation piece real quick the last

thing you want to do is ever lie on a self attack station or state you've got something that you're

implementing that you truly aren't because that will blow up in your face with an insurance claim

and then court really fast fraud it's fraud yeah it's fraud if you try to use that as a method to

to receive um a policy amount right that would be due to you um through the insurance company

yeah and that's you know that's the difference i think between a civil you know fine and uh

you know to quote the movie office space federal pound me in the rear end prison

i don't know if that's a direct direct quote but for our uh under under 18 audience

hello peter yeah what's happening sometimes he's got a case of the mondays

what the hell letter we need to do an episode on office space one of these videos here right now

i would correlate reality yeah i know i don't let zach find me at friday afternoon afternoon

hello mike what's happening well hey uh after we get so organization goes in they go they choose

a framework they say okay well excellent makes sense we're going to do this enterprise or cyber

risk assessment across the entire organization let's talk about what to expect in terms of

that process what do they need for resources on there and what is their involvement versus ours

or you know an organizat and assessors um i should say and then um what do they

need you know to think about in terms of just readiness and then and time requirements and such

yeah i'll jump in so it's it's it's a pretty seamless process right i mean i think the the

first engagement pieces are going to be interview based so you know you want to you want to have

you know keep key individuals that are going to be there to be able to answer questions about

you know infrastructure process that sort of thing that's going to happen any assessor is

going to look and i think to prepare yourself an assessor is going to look in three places to

determine or ascertain whether or not you have a control state in place so vulnerability scanning

for example right we talked about that earlier so if i'm trying to determine through the requirement

if you've got vulnerability scanning in place i'm going to interview them and i ask you right

what you're doing i'm going to talk a little bit maybe your it team about what technologies they're

using to do this how often they're doing it and then i'm also going to look at your documentation

so there's always those three places we're going to interview the human we're going to

review the technologies and then we're going to review the documentation and make sure that

all three places hold um reasonable belief right reasonable language and reasonable

process that you're you've got those control that control in place is that is that too much stack

did you forget about the new cover sheets on the tps reports exactly yeah

no that's that's a great point the the three you know it's it's the triple whammy it's it's a you

know people your your documented processes and then the technical review right uh for for the

various controls um so that's important for people to understand that they need to have those things

in place and it goes back to our previous rants about documentation and you document what you

do right and do what you do i love reading it yeah especially mike loves reading documentation

so he only probably reads about seven thousand pages a week i hear i hear that mike's gotten

really good i heard that mike you got real good at reading documentation through teary

eyes i know i have well so so you know so good point on the so basically a series of interviews

set up meetings uh at the frequency that your organization can uh allocate the appropriate

people right and so most of them will require your your technical resources heads of i.t and such for

certain scenarios they may need to get information from leadership or access to other other data or

documents or whatever but for the most part i think we can usually work with the kind of the

the lead you know technical individuals within the organization that kind of know where everything

is yeah and yeah they can answer the questions and the other thing zach just to jump in here plan for

plan for somewhere between four and four and eight hours to go through the interview process

for a framework assessment right depending on how complicated the organization is

yeah and if if you want to make it all on once or on a saturday um you know mike i know you love

that too so yeah that's my favorite thing but uh but yeah break it up break it up over a few weeks

uh you know one thing to bring back too is during these assessments i i think there's a lot of

people that bundle up a lot of fear and they're like oh my god i don't want to know how bad we

are in reality a lot of the companies we find when we go through them they're between 60 and 70

compliant just by doing what you oh yeah that's true they are they really are they've got a lot

more going from them than they think they do yeah um the biggest thing they're usually always

missing is documentation yeah would you agree i would concur yeah and the the other thing that

i see is that a lot of times you know you get six months into these projects and we tell them it's

gonna take 18 to 24 months and people were like well why aren't we got more donuts because because

you guys aren't doing the work so you have to be committed to doing the work and that's that's

there's only so much a consulting company can do because some of this internal processing has

to come from you we can't do it all they can yeah anybody that tells you they can build their your

security program in a bubble and you don't need to be involved you're not you're not getting a

secure you're not securing your organization just flat out unfortunately it doesn't oh jack security

we could a company like ours could take a lot of the heavy lifting off

provide a lot of the guidance right shorten this shorten the timeline tremendously and do it right

the first time but you have to be involved right just the fact back of the business but um well

i feel better now knowing that most companies are 60 to 70 percent aligned a little good uh warm and

fuzzy there so now when we go through the process um interviews looking at documentation technical

reviews all that stuff is done we go back and put a full very robust report together um many many

many many pages long and um so excellent reading material our reports are the best we're told um

so that actually at least the first the first uh section that most people read is uh is uh

should be captivating you should enjoy it and um you know you probably want to probably want

to share it with the the other interested parties in your organization keep it internal but once you

have that um you understand where the gaps are so let's talk about prioritizing and remedying what

do you do after you have this risk assessment that says you're 65 in alignment with miss csf

after you drink a bottle of scotch and cry yourself to death

yeah then you gain some composure and you you either you either ask us for

the road map right for a roadmap for prioritization or you try to prioritize

what you've done on your own and what i like to tell organizations is that

like mike was was stating earlier a lot of organizations have things that are really close

so take care of the short the short ones first right things that like you've got you know maybe

you've got a company handbook and you need to add some language to empower the acceptable

use policy within it right or maybe you just need to create a separate accessible use policy

just get it done and knock it out it doesn't need to be fancy there's no right or wrong way to write

documentation okay what's important is it comes on company letterhead it's approved language for

the organization okay that's the simplest way that i can put it as long as your leadership approves

a language legal is a proven language and you can send it out to your humans to read it that's

good that's all we care about right that's all any assessors should care about they shouldn't

nitpick your language it needs to be impactful and enforceable um but take care of those quick wins

first and then there's going to be some items that come out of this that may require you to

make major configuration changes or even purchase technologies and implement those technology yeah

you know the the best thing about having a road map right whether you get professionals to come

in and build that plan out for you or you do it yourself having that road map and that clear

plan of action and milestones forward that's going to make a tremendous amount of difference because

now the whole organization leadership everybody sees on paper where they're headed usually over

the next next 12 to 24 months what needs to be done what needs to be in place so

it becomes a very measurable process right so it's not it's no longer kind of a fly

by night approach make it up as you go now you have the plan everybody's everybody's

signed off on it and then you understand from there also what type of resources you need to

allocate in order to get an alignment and really really move forward now i will say

that it's rare that any company is going to have a hundred percent of the controls in place ever

right they're going to be justifications around them reasons why compensating controls whatever

wherever it might be but the important thing is that you are you are striving to attain uh

alignment with a recognized framework and and uh that roadmap will help get you there yeah well

um and i think that you can also you have those accountabilities too because there's going to be

line items in that roadmap that you know you as the leader may not be accomplishing right

it may be you know individuals in your it teams and you'll want to have those but but being able

to look at that plan and say you know these are the 15 or 20 things i need to check off in order

to get compliant will help you know not only drive that process but but also give you that

you know that 30 000 foot view of clarity and say you know we're almost done here

right and but you know of course i think that's the other point to make zack is that once once you

once we go down this road right and we've done the interviews and you've gotten the

road map and you're working towards implementing these things you know you have to realize that

i've been telling clients this that these are forever machines right you don't you don't go

down a a cis 8.1 control framework one time when you when you become compliant you're putting

these programs and processes in place they are forever machines they're going to last and become

a inaugural part of the business from from you know the point until the business is no more yeah

yeah that's excellent point i mean that is your that is your ongoing your foundation of

the security program so uh and then once you have that also it becomes like we've said in previous

previous podcasts it becomes much easier to cover down on other requirements that might come up

i know you mentioned this earlier mike but you know any any other compliance requirements or

if you need to switch over and map to another framework you know again they're they're saying

95 percent of the exact same thing just laid out in different ways um so it's just a matter of

mapping between them so don't get caught up too early on on picking the exact perfect framework

right there are some excellent ones to start with and you need to start somewhere so it's better to

do something a little more palatable and then grow rather than trying to bite off too much but well i

hope this helped everybody i hope people that are diving into the cyber risk assessment world for

the first time um gain some gain some insight here and reach out if you have any questions

anything like that but before we go mike lauro any final comments thoughts rants office space quotes

anything nothing well thank you everybody for joining us uh subscribe to the podcast if you

haven't already check out the book on amazon we talk a lot about risk assessments we dive into

pen tests and we dive into all the foundational requirements for a cyber security program all that

good stuff and reach out uh cyberrantspodcast.com there's a little web form there let us know what

you want us to talk about on future episodes or reach out on linkedin and uh let us know there

so thanks everyone and fill out and fill out your tps reports yes with the right cover sheet

please with the right cover sheet hawaiian shirt day on friday yes yes so yeah i'm gonna please

please well thanks everyone on fridays don't take my stapler and we'll see you next week

Episode #35 - Cyber Risk Assessments: Everything You Never Thought You Wanted To Know!

Send Us Your Questions & Rants!

Categories

Archives

Transcript