What is Vulnerability Assessment?
The goal of conducting a vulnerability assessment
The purpose of the assessment is to understand and analyze the risk involved. It is important to understand what cyber risk is, and therefore to look at the risk indicators. When we talk about cyber risk it must be clear that technology is an obvious cyber risk, but employees may also play a key role in cyber risk, and how you manage your data is another cyber risk. There are multiple guidelines on what should be on the questionnaire used to assess cyber risk.
What are the Standards, Bodies, and Guidelines to assess the Vulnerabilities?
Some of the bodies that set guidelines are NIST (National Institute of Standards and Technology), ISO, and COCO. There are a number of regulatory bodies that provide standards for cyber risk.
The Regulatory Standards for cyber risk
Regulatory standards for cyber risk, like PCI compliance for payment card cybersecurity, give ideas about the different types of cyber risk involved. However, every organization is different, so it is not correct to apply the same standards to every org. The aim is to understand the risk indicators for each org.
What information does the MIT Clinic need from infrastructure agencies to assess vulnerabilities?
The primary thing is to know what the org. is about and how it functions, so that the Clinic can find out the risk indicators for the org.
Whom will the MIT Clinic contact for such information?
The main source for this information will be the IT team of the org. It is the best source of knowledge for a wide body of information on their digital systems, their networks, and anything they do on computers.
Culture of Security
It is not always the case that technology is the key risk indicator; employees also play a vital role in such risks. Therefore, it is important to understand the security culture in the org. It is necessary to know how security is managed in the org.: Is there a central management structure? Are the employees aware of their security responsibilities? How does the org. treat security problems? This can be done by following the questionnaire and guidelines.
Initial Questionnaire for the Client Agency
Once there is a contract between the Clinic and the client agency, the Clinic intends to gather all the information needed from the client agency for the vulnerability assessment. The questionnaire contains yes-or-no questions along with elaboration where required. Some questions will be asked online before the contract; after the contract is signed, general questions will again be asked for the vulnerability assessment.
Here are some questions asked to the client agencies: “Who's in charge of cybersecurity at the agency? Who has authority during an attack? What's the agency's budget for cybersecurity? What's been spent on what kinds of cybersecurity improvements over the past three years? What's the agency's approach to ensuring that routine security patches and software updates are installed in a timely way? Are all agency data systems securely backed up? If so, where, when, and how are they backed up? And who has access to them? And how do they have that access? Which of the agency's data are not backed up? If they can't be backed up, what is their strategy going to be for recreating that information if it's compromised by a hacker? What systems or data are most critical to the agency's operations, and what are the consequences if the agency loses control of those assets? What are the consequences immediately and in the long term? What cybersecurity awareness and best practices training are provided for new employees in the agency? Is there refresher training for all employees? What best practices are they teaching? Who teaches them? Who determines whether and how these are being followed? What is the system shutdown plan if there is an attack? Who contacts whom? Do all employees know what to do if there's an attack? What agency plan is in place for operating temporarily if data or systems are compromised? What are they going to do if they can't operate in their usual way? What is the incident review process post attack that the agency has in place? Are they able to learn from an attack once it happens? Is the agency open to negotiating with attackers? This is a very controversial question. We expect to ask it in each case. Is there a negotiation process that they've put in place? Who's supposed to do the negotiation? Has this happened yet in this particular agency? We want to know what their thinking is on this issue at the moment. Who are the partners that the agency learns from? Who do they work with to prepare for cyber-attack? What sort of relationship does the agency have with each of their partners? Does the agency have cybersecurity insurance? If so, can we see the policy? Who sold this policy to the agency? What does it cover? Does the agency have a private cybersecurity consultant? Who is that? What assistance have they provided?”
These are a few examples of the questions asked to clients in order to build a clear vulnerability assessment. The answers help the Clinic learn where the vulnerabilities in the system lie.
Difficulties
Some client agencies might not feel comfortable answering some of the questions; they might be nervous about their performance in cybersecurity, and some may not have the information. It is nevertheless important to get the answers to all these questions, as there is no other way, and these answers get double-checked.
Many times, the Clinic will be required to cross-check the information with various people in the agency or outside it, that is, any other agency working with the agency.
Draft
When all such questions are answered and double-checked, the MIT Clinic can prepare the draft of the vulnerability assessment, and this draft will be sent to the client agency. After this, the Clinic will start preparing the final vulnerability assessment.
Reviewing the Information provided by the Client Agency
When such questions are answered by the clients, the review proceeds as follows:
1. The first and foremost thing is to check the completeness of the answer. It is impossible to assess vulnerability with just a yes-or-no answer, so the client is required to elaborate.
2. The next step, after completeness, is to check whether the answer is adequate, relevant and consistent. (For example, if the client answers that they previously had a cyber attack, the Clinic will ask for evidence and documentation of that attack; the Clinic can also search the internet for reporting on the client's incident.)
3. The next step is effectiveness. (For example, if the client says that they train their employees in cybersecurity, the Clinic might ask about the effectiveness of the training, and about any protocol followed after an attack and its effectiveness.)
4. The next is the line of authority. If the client says that person XYZ is responsible in the event of an attack or mishap, the Clinic will want to know more and review whether that person actually holds the authority, and how CISO-like responsibilities have been assigned if there is no Chief Information Security Officer appointed.
5. The next is to determine the attitudes of the people in the agency. The people in the agency must be trained to negotiate with the attackers if there is an attack, which generally helps to find out who the attackers are and what their goal is, and to lessen the ransom.
6. The next is the kinds of documents. It is necessary to review the relevant documents, such as the agency's Emergency Action Plan and the agency's budget.
7. Then comes the organization chart. It is also important to know who is in the org. and their roles, what is inside the org., and to visit their sites with the agency; these and other documents will help the Clinic make notes on the questions answered by the org.
Such information is to be given to the Clinic before an on-site visit, because Clinic staff need all relevant information to prepare for the on-site visit, including knowing who to meet with, what questions to ask, what items to verify, etc. There will not be enough time during a site visit to cover all the relevant questions and topics.
Key Takeaways
- Sometimes the primary contact person at the agency does not have the authority to share certain (sensitive) information. Putting more pressure on them will not necessarily produce a better result.
- The client-agency is very likely to have confidentiality and security concerns. You must be ready to address them.
- If the agency official to whom you are speaking is unable to help, you may have to go up the chain of command in the agency to speak to the person who signed the Letter of Agreement with the clinic.