It can be a wake-up call for an organization to obtain its cyber risk score and learn it is not as prepared for a data breach as it thought it was. In the U.S. for example, the Chamber of Commerce and FICO have launched a quarterly Assessment of Business Cyber Risk that looks at whole industries, through a roll-up of the FICO® Cyber Risk Score. As companies learn their FICO Cyber Risk Score, it raises the question: What are our recommendations for cyber risk management?
Managing cyber risk is about managing behavioral risk and skills gaps, as well as technical flaws. Based on the observations of thousands of businesses scored for the ABC, FICO and the Chamber offer six recommendations for cyber risk management that can help organizations improve their security posture and better protect sensitive data.
Cyber Risk Recommendation 1: Use the NIST Cybersecurity Framework to develop an information security program.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework, or a similar risk management framework, is one way to reduce network weaknesses and deter malicious cyber actors. The CSF offers voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce risk across five core functions: Identify, Protect, Detect, Respond, and Recover. Adopting best practices in each of these areas will help an organization align and prioritize its cybersecurity activities with its business mission, risk tolerances, and resources.
Because the CSF provides voluntary guidelines, it can and should be customized by different sectors and individual organizations to best suit their risks, situations, and needs. For example, the financial services industry published a sector profile, which tailors the framework to the sector’s unique threat landscape, its vulnerabilities, its risk tolerances, and its regulatory environment.
Cyber Risk Recommendation 2: Obtain and maintain a reliable understanding of your network, and ensure that all assets are identified and under active security management.
Large or small, changes in the scope of a network can result from mergers, acquisitions, or divestitures. They might also result from geographic expansion or changes in an organization’s offerings that require modifications to internet-facing assets in the field. Risks may simply evolve over time with changes to networks outside of best practice standard procedures.
Change that is not fully managed can lead to vulnerabilities. Some organizations may have active and ongoing programs for perimeter management and active maintenance of the internet protocol (IP) footprint. But many — if not most — organizations find surprises when they perform a comprehensive review of their IP footprint. Legacy product lines, tuck-in acquisitions, and “skunk-works” projects frequently result in assets being owned by the organization, but not under the full control of the security team — or in assets that are no longer owned by the organization, but for which the registry information was not properly updated.
Understanding how an organization’s network looks from the outside and comparing it to how it is defined from the inside often results in the identification of unexpected gaps — and correctable vulnerabilities.
Cyber Risk Recommendation 3: Find the weak links in the organization with regard to adherence to process and policy.
Most technology and security teams operate as separate functions and therefore require coordination and interaction. Many companies will have a network engineering team, an IT team, and one or more software engineering teams. They also likely will have multiple security teams interfacing with the engineering groups. Team performance is often highly inconsistent, even within the same organization.
With that in mind, we believe there is value in evaluating security issues by category, and assessing effectiveness by category. By categorizing discernible technical flaws in posture or configuration, one can also draw useful conclusions about the relative effectiveness of process, procedures, and maturity by function. As FICO’s research has demonstrated consistently, the best indicators of security risk are associated with the presence of an effective cyber policy and the adherence to that policy, rather than the presence or absence of technical faults.
Persistence, rates of recurrence, duration of condition, and rapid accelerations in frequency of technical faults are more predictive of negative security outcomes than technical flaws. These can be attributed categorically by function, and this attribution aids in the understanding of performance by function within an organization. The FICO® Cyber Risk Score presents findings by category and leverages categorical information to establish risk levels.
Cyber Risk Recommendation 4: Ensure that your network team adheres strictly to the details of network management best practices.
Understanding the impacts of network configuration on specific risks can be difficult, especially when evaluating a network from the outside. Some items speak for themselves, such as easily exploitable open ports. Others are more subtle, but indicate gaps in the adoption and execution of best practices. Organizations should always avoid unnecessarily exposing network infrastructure assets and ensure correct configuration for those that must be exposed.
The FICO® Cyber Risk Score looks for both exploitable conditions as well as other indicators of process maturity and network configuration best practices in the assessment. A number of organizations fail to follow best practice principles in exposing certain services — such as NTP (Network Time Protocol) servers and DNS (Domain Name System) resolvers—to the internet.
Even if certain non-standard configurations in a network are technical dead-ends for exploitation, the presence of sub-standard practices in a network can serve as an invitation for bad actors to further probe a network for other, more serious weak links. For example, there are few legitimate scenarios for making the Network Time Protocol (NTP) service publicly available, if however it is necessary, two commands in particular should be disabled—version and monlist (i.e., is a debugging command that allows the retrieval of information from the monitoring facility about traffic associated with the NTP service).
Cyber Risk Recommendation 5: Protect and monitor network endpoints.
One way that the FICO® Cyber Risk Score assesses the health of endpoint security is by looking for evidence of endpoint (e.g., workstations, servers, laptops) compromise. While a compromised endpoint is not the same as a material data breach event, research has proven the correlation between incidents of malicious behavior due to compromise and subsequent breach events.
Organizations committed to cybersecurity takes steps to protect their endpoints with virus protection products or active monitoring with endpoint agents that look for atypical endpoint behaviors. Many organizations go further and engage the broader security community in detecting potential endpoint compromise by looking at published Real-time Blackhole Lists (RBLs), which report on confirmed or suspected malicious activities (such as spamming or malware distribution) originating from the endpoints of a network. The FICO® Cyber Risk Score consolidates these RBLs to ensure broad coverage and an ability for users to see trends in incidents over time.
Cyber Risk Recommendation 6: Ensure active certificate management programs are in place and are being implemented.
It can be easy to ignore or deprioritize basic tasks in favor of the pressing issues of the day. As a result, the routine maintenance of managing security certificates often slips.
Expired or otherwise non-standard certificates (or the use of self-signed certificates) may or may not pose a serious risk to networks all the time. That said, the failure to effectively manage certificates often is evidence of a failure to implement and maintain best practices more broadly. And research proves that organizations that are not actively and effectively managing certificates are more likely to suffer material breach events or other compromises.
From tomorrow, you can download our report and see the latest ABC metrics at www.cyber-abc.com.
You can also learn more about your security performance by registering for a free subscription at cyberscore.fico.com.