Over time, the way we view cyber security risk has evolved the penetration testing industry. What once was a static laundry list of vulnerabilities to remediate is now a risk-based vulnerability management program. Modern penetration testing should provide more than a list of vulnerabilities. To be effective, it must guide organizations to effectively prioritize the vulnerabilities, assets, networks, etc. that pose the highest risk to the business.
In this webinar, NetSPI’s product team, Jake Reynolds and Cody Chamberlain, will discuss how risk has evolved in penetration testing services, the role of risk scoring in intelligent prioritization of security activities, the factors that impact a risk score, and pragmatic steps to take after you receive a risk score
- 2:18 – What is risk?
- 8:07 – Evolution of risk assessment
- 12:34 – How risk scores are created
- 21:49 – NetSPI’s risk scoring
What is Risk?
At its most abstract form, risk is the effect of uncertainty on objectives. From an information security and cyber IT perspective, organizations have defined risk as threat times vulnerability, if there is no threat, but you’re vulnerable, there’s no risk. On the other hand, if a lot of threats and threat actors are attacking an organization, but the organization doesn’t have vulnerabilities to exploit, there’s also no risk.
The risk lifecycle includes:
- Context to identify risk tolerance, people, and processes
- Identification of vulnerabilities, threats, and assets
- Assessment using the risk equals threat times vulnerability formula to determine risk likelihood, impact, and asset value
- Treatment by mitigating, transferring, or accepting the risk
Evolution of Risk Assessment
The evolution of risk assessment refers to how an organization has dealt with a specific problem or vulnerability in the past. Originally, it may have been as simple as responding to a problem and fixing it. As IT systems became more important and integral to business processes, organizations realized the need to start proactively identifying the vulnerabilities.
Some steps in the evolution of risk assessment have included:
- Respond to it and fix it: Wait for a problem or vulnerability to happen and fix it.
- Let GRC solve it: Send the risk to an application that will correlate all vulnerabilities aligned to controls and identify the “true risks” to the company.
- Find the vulnerabilities: Proactively finding vulnerabilities and fixing them regardless of the compensating controls, threat actor analysis, or asset value – just fix it.
- Trust us, it works: This includes the use of artificial intelligence (AI) and other tools or efforts to opaquely calculate the likelihood of exploiting a vulnerability.
While risk assessment is now more effective than it was in the past, organizations still face an immense number of vulnerabilities that they have to sift through and prioritize. Risk-based vulnerability management providers are more effectively integrating threat intelligence than in the past. But there’s always an opportunity for more organizations to embrace threat intelligence.
How to Use Risk Scores
A lot of information and criteria go into calculating a risk score, along with many different equations. Once you have a risk score, the next step is figuring out how to use it. The best risk score is one that you can sort by a numeric value. For example, the top score is your worst vulnerability or your most important asset that you need to focus on and start remediating immediately.
At NetSPI, we expose the top risk score in a few different ways using our risk scoring methodology, but ultimately, you can simply sort the risk scores, select the top item, and begin remediation.
An effective methodology also splits risk scoring into two distinct categories. One is vulnerability specific risk scoring and the other is aggregate risk scoring, meaning taking a group of vulnerabilities and assigning a score to them.
Metrics to measure vulnerability risk scoring include:
- Impact takes into consideration how detrimental the impact of a vulnerability would be on an organization, including monetary, brand, and industry specific impact.
- Likelihood measures how likely a vulnerability is to be exploited.
- Environmental factors, such as whether different compensating controls exist within the environment, whether public exploit code is available, and whether the affected asset has access to PII or PHI.
Aggregate risk scoring factors include:
- Vulnerability intelligence: How does this specific combination of vulnerabilities affect your business?
- Industry comparisons: How does your risk compare to other organizations in your sector?
- Threat actors: Are threat actors actively exploiting vulnerabilities present in your environment?
- Remediation effectiveness: Are you on track to remediate your risks on time?
NetSPI’s Risk Scoring
NetSPI’s risk-based vulnerability management capabilities and risk scoring model focus on transparency and collaboration with our clients. Our risk scoring brings together the different aspects of risk into our platform to align with the penetration testing as a service (PTaaS) experience. Clients will not only understand how their risk scores are impacted, but they will also be able to track risk scores over time at the granular vulnerability level, the project level, and the greater organizational level.
Other capabilities include:
- Customization options
- Scalable risk scores
- Benchmarking against peers
- High-touch, high-tech through a combination of advanced technology and human expertise
Learn more about NetSPI’s risk score methodology and how to effectively propel your risk-based vulnerability management program forward by reading this whitepaper.