Last October, the Judicial Neutral Point, a telecommunications network used to connect judicial bodies with other institutions such as the Tax Agency or the Social Security, suffered a cyber-attack that could have affected taxpayers’ data held by the AEAT. That same month, through another cyberattack, malicious actors were able to access the router configuration data of some Movistar and O2 customers. The frequency of this type of criminal action highlights the need for public and private organizations to carry out a security risk assessment to detect vulnerabilities and protect their assets from criminals.
Failure to do so will expose companies and institutions, as the National Cryptologic Center (CNN-CERT) warns, to an increase in disruptive and control operations, attacks on the supply chain, and attacks on industrial environments, which are some of the main trends predicted by this public body for the short term.
How can organizations conduct a comprehensive security risk assessment? By contracting penetration testing services.
Such services consist of offensive security tests that simulate real cyberattacks in controlled environments, allowing the professionals performing them to detect and identify vulnerabilities and attack vectors.
In this article, we will address the five keys to a security risk assessment and its relevance in a context where cyber-attacks are becoming increasingly common and sophisticated.
1. What is a security risk assessment?
First of all, we must define what a security risk assessment is. As the name suggests, it is an analysis focused on identifying the risks and vulnerabilities present in a company or institution, its systems, security policies, applications, and technological devices or networks.
Thus, the security risk assessment seeks to detect any problem in the company’s infrastructure and software, to prevent the vulnerability from being exploited by a malicious attacker.
To carry it out, cybersecurity professionals must perform advanced pentesting that allows them to simulate real attacks, detect risks and evaluate existing security measures.
As such, security risk assessment is a key element in designing and implementing a company’s security strategy, as well as in analyzing its effectiveness.
In an increasingly digitized world, in which a large part of the assets of companies is digital, security risk assessment has become a strategic issue that every organization must undertake to avoid being a victim of security incidents that jeopardize its business continuity.
2. Why is it important?
The above is a good example of the importance of security risk assessment and why companies and public administrations must hire pentesting services to carry it out.
Although the list of reasons that justify the need to carry out this study of vulnerabilities and threats is endless, we can point out two that are directly related to business viability and continuity.
2.1. Preventing security incidents and their consequences
Cyber-attacks target the assets of organizations. Sometimes they seek to steal data about customers, in the case of companies, or about citizens, in the case of administrations. In other cases, they aim to paralyze the organization’s activity. Or to commit financial fraud. We could go on and on with examples ad infinitum. The list of malicious actors’ targets is infinite.
The many cyber-attacks that occur every year around the world demonstrate the impact they have on organizations, in operational, economic, legal, and reputational terms.
It is therefore essential that cybersecurity becomes a strategic element within companies. And this involves carrying out a security risk assessment to obtain a broad and accurate overview of existing vulnerabilities, attack vectors, and the repercussions of successful attacks, both external and internal.
2.1.1. A solid foundation for building, analyzing, and updating a security strategy
The security risk assessment thus becomes a solid foundation on which to build a comprehensive security strategy that serves to strengthen the company’s systems and to prevent and mitigate security incidents and their consequences. Or, also, to analyze the strategy that has already been implemented, correct the errors and deficiencies detected, and update it in light of the new malicious campaigns that emerge every day.
Think, for example, of a company whose e-commerce platform is its main sales channel. A successful cyber-attack could paralyze its activity for a whole day. This will generate substantial economic losses, which will drag on profits.
In addition, it will mean a loss of confidence on the part of consumers who will not be able to access the online store to make their purchases.
Let’s take this hypothetical case further. The cyber-attack has not only paralyzed the operation of the e-commerce but has also succeeded in infiltrating its databases so that the attackers have had access to the personal and financial data of the online store’s customers. In this case, the economic and reputational repercussions are aggravated and possible legal consequences come into play due to the lack of protection of citizens’ data.
2.2. Complying with legal requirements
Precisely, the legal consequences lead us directly to another of the keys that explain why companies should hire pentesting services and carry out a security risk assessment of their systems and assets.
By now, everyone has heard of the General Data Protection Regulation (GDPR), which regulates, as its name suggests, the safeguarding of information in the European Union. The same could be said of its translation into Spanish law, the Organic Law on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDG).
Both regulations attest to the legal, social, and economic relevance of data protection in our society. But they are merely the advance guard of an increasingly rigorous regulatory system that is emphasizing guaranteeing the cybersecurity of companies, public administrations, and citizens, especially in strategic sectors, such as the financial and healthcare sectors.
Thus, the PSD2 and NIS2 directives, the DORA regulation, and the European Central Bank’s TIBER-EU framework stress the need for companies and institutions to carry out a security risk assessment to protect themselves against vulnerabilities and arm themselves to successfully combat attacks.
Therefore, conducting a security risk assessment is not only a fundamental business issue, but in many cases, it is also a legal requirement that, if not complied with, can lead to severe financial penalties.
3. What are the objectives of a security risk assessment?
Taking into account the motivations that should lead companies to implement a security risk assessment, we must now specify what the objectives of such an operation are. How can it contribute to improving the protection of a company’s systems and assets?
3.1. Identifying the organization’s critical assets
A security risk assessment seeks, first of all, to identify the company’s critical assets and, therefore, the most important ones to focus on to find security breaches and vulnerabilities.
Each organization is different and there are many differences between companies. Both in terms of their level of digitization and the economic sector in which they operate and the legal requirements to which they are subject.
A bank that has websites and online banking applications and has migrated a large part of its systems to the cloud will have very different critical assets to protect than, for example, a company that supplies food products to supermarket chains and does not have any of its assets in the cloud, but its information is stored in a data center.
The applications, the servers, the network configuration, the devices that connect to them, the software and tools that are used… These assets have neither the same configuration nor the same relevance in all companies. And, therefore, neither should they be when designing and implementing a security risk assessment.
This first objective is important because to design a security strategy following the needs and resources of a company, it is essential to know its systems in depth.
Thus, the security risk assessment must start with the elements subject to such risks and then identify the existing vulnerabilities that call into question the protection of critical assets.
3.2. Detecting security vulnerabilities that can be exploited
Once the company’s systems, processes, and infrastructure have been identified, the professionals in charge of the security risk assessment can go on to identify the vulnerabilities that exist in these assets.
In this task, pentesting services can be of great value, as they serve to find and exploit vulnerabilities by simulating the behavior of real attackers. In addition, pentesting can be as deep as needed to perform the company’s security risk assessment.
Thus, vulnerability analysis can be performed on the internal/external network, using automated tools to obtain an overview of the weaknesses with the greatest exposure and a map with the main threats.
But it is also possible to carry out in-depth pentesting to infiltrate the organization’s networks and applications and track down all the vulnerabilities and attack vectors existing in them.
3.3. Determining threats and analyzing risks
Based on the assets and vulnerabilities detected, the professionals conducting the security risk assessment can determine what threats the company faces.
To do so, they must take into account not only the weaknesses found but also the methodologies and tactics used by malicious actors to exploit asset vulnerabilities.
By analyzing vulnerabilities and threats together, an assessment can be made of the risks involved and the likelihood of them being exploited. In addition, it is possible to predict how security incidents may develop and what consequences they may have on the company’s systems and operation. The economic, reputational, and legal consequences are also taken into account.
In this way, security risk assessment not only serves to identify vulnerabilities but also makes it possible to measure and evaluate risks, analyze how they can be exploited, and study how security incidents can occur, taking into account existing controls and measures.
3.4. Prioritizing assets to be protected and vulnerabilities to be addressed
In an ideal scenario, organizations would be able to address all the vulnerabilities detected and eliminate the risks of malicious intrusion. However, not all companies assume the same level of risk, nor do they have the same financial and human resources to deal with them. Thus, each company defines its risk appetite by establishing the level it is willing to assume.
Hence, a fundamental objective of security risk assessment is to prioritize both the assets to be protected most thoroughly and the most dangerous risks to be addressed and mitigated.
The probability of a security incident occurring and its potential impact on the organization’s assets, taking into account the damage it may cause and the consequences it may trigger, are key when prioritizing mitigation measures.
3.5. Mitigating identified problems
Precisely once the risks have been assessed and prioritized, security controls and measures must be deployed to mitigate the risks and problems detected.
This implies that security risk assessment is not limited to analyzing vulnerabilities and measuring the impact of incidents, but provides the necessary knowledge to deploy a mitigation plan that addresses the most likely and/or dangerous risks to the organization.
To this end, the professionals who carry out the security risk assessment will draw up a series of recommendations that the company must implement to limit risks, remedy vulnerabilities, and optimize the measures, protocols, controls, and tools used to secure its critical assets.
3.6. Evaluate existing security protocols, controls, and measures
The security risk assessment also serves to analyze the security strategy already in place, as well as the performance of your controls and the professionals in charge of cybersecurity.
If a pentesting service is contracted, the evaluation of the performance of the security strategy will be extremely accurate, since the professionals will be able to objectively check how the existing controls and protocols respond to an attack.
When performing a security risk assessment, it is just as important to detect internal and external attack vectors as it is to test whether or not the measures implemented are sufficient to address the risks and protect the company’s critical assets.
3.7. Updating security measures to take account of new attacker techniques
Any security risk assessment must take into account the best practices in the industry, as well as the innovations implemented by malicious actors when attacking company assets.
In this sense, this profuse study plays a transcendental role when it comes to detecting new vulnerabilities, in light of the information continuously gathered by professionals about cyberattacks, as well as in terms of updating a control, mitigation and remediation measures for security breaches.
The world of cybersecurity is constantly evolving. A security risk assessment should not be viewed as a specific, one-time, one-time-only action. As well as attacks, strategies, methodologies, techniques and the applications themselves change and become more sophisticated. Assets that were fully protected in the past may not be protected now. That is why, in the context of the company’s security strategy, the execution of security tests should be considered regularly.
Thus, security risk assessment allows companies to optimize their security strategy and protect themselves against the latest malicious practices, contributing to the continuous protection of their assets.
4. What elements of an organization can be assessed?
As companies and administrations have moved down the digital path, the number of elements that make up their systems has increased, and at the same time, they have become more important for the operation of organizations.
Thus, a company’s systems are made up of multiple assets to be taken into account when carrying out a security risk assessment.
4.1. Infrastructures, systems, networks, applications, and data
- Physical infrastructures: hardware, servers, networks…
- Cloud infrastructures.
- Internal systems. From operating systems to anti-malware systems, including user authentication systems.
- Internal and external networks, including firewalls, filters, etc. Paying attention to IoT devices that connect to NFC, Bluetooth, WiFi… networks.
- Applications and software. Web applications, both internal and external, as well as mobile applications if any, should be evaluated.
- Information. In the security risk assessment, the analysis of how information is stored and managed is of great relevance. How is data stored? How is it classified? How is it encrypted? Who can access it?
4.2. Security and Supply Chain Policies
- The organization’s security policies. Business continuity plans, protocols for action in the event of an incident, risk management systems, disaster recovery plans… As we have already pointed out, the analysis of the security strategy is one of the keys to any security risk assessment.
- The supply chain. In the face of the security reinforcement being carried out by organizations, many attackers are opting to attack these companies through other companies with which they have a relationship, such as their suppliers. Thus, when carrying out a security risk assessment, it is necessary to take into account the risks linked to the supply chain. There is no point in securing systems if a supplier with access to them is not fortified against attacks.
5. How is a security risk assessment carried out?
Throughout this article, we have discussed the reasons, objectives, and assets to be taken into account when deciding to carry out a security risk assessment in a company or public administration. So how is such an assessment carried out, and what steps are involved?
5.1. Defining objectives taking into account the organization’s assets, legal requirements, and resources
Before designing and implementing a security risk assessment, it is essential to define its objectives, as well as its scope when assessing the company’s systems.
To do this, the professionals who are going to carry out the assessment should meet with those responsible for the security and the business area within the organization.
To define the objectives and scope, the legal requirements must be taken into account. In other words, what security requirements the company must meet following the regulations in force.
The economic resources that the company or institution can or wishes to allocate to carrying out the security risk assessment and mitigating the vulnerabilities detected also play a fundamental role.
5.2. Recognition of assets and security policies
Once the objectives and scope of the security risk assessment have been defined, the practitioners will initiate an initial phase of the assessment.
During this first phase, the assets and security controls and protocols will be surveyed using various techniques to obtain as much information as possible about them.
This data collection work will be of crucial importance in detecting vulnerabilities and pinpointing the threats facing the company.
5.3. Identification of vulnerabilities
This phase revolves around the analysis of the information gathered during the previous reconnaissance phase.
Based on this analysis, the professionals proceed to identify the vulnerabilities existing in each of the assets they have decided to assess.
This is crucial in stipulating the security risks and prioritizing them.
5.4. Exploitation of risks
Using pentesting services when conducting a security assessment allows highly qualified professionals to exploit the vulnerabilities identified, assess their level of risk, the likelihood that they will be used by malicious actors to attack the organization, and study how the attacks may unfold.
Exploitation can explore key issues such as persistence, the ability to move laterally within systems, or the possibility of exfiltration of information.
By implementing this phase, a realistic picture is obtained of how cyber-attacks would impact the organization’s assets, how efficient the implemented security policies are, and which threats pose the highest level of risk.
5.5. Reporting of evidence and recommendations
Security risk assessments are carried out with the central mission of correcting existing security deficiencies and minimizing the risk of successful attacks, as well as their impact and consequences.
For this reason, the professionals who carry out the assessment must put in black and white all the data collected, systematized, and analyzed.
The reports delivered to the company or institution’s managers must include all the techniques and actions implemented, the evidence gathered, the weaknesses detected, and, in particular, the recommendations for mitigating them and preventing future problems.
The results obtained can even be linked to standards and regulatory frameworks to obtain a view of their degree of compliance and identify points requiring corrective action. Depending on the nature of the assets analyzed and the objectives of the risk analysis, standards such as OWASP, NIST, CIS, etc. can serve as a roadmap to define the current status and possible future actions.
With all this information in hand, the departments in charge of remediating vulnerabilities will have to address them, taking into account their level of risk and the resources available to them.
It is also important to emphasize prevention. Security policies and measures put in place to detect vulnerabilities and threats and to respond optimally to attacks play a crucial role here.
It should also be noted that prevention requires greater awareness on the part of both security decision-makers and all professionals working in the organization. This is because users are often the weak link in the security system and open the door to attacks by acting in an incautious manner.
5.6. Reviewing the effectiveness of the security strategy
The implementation of the recommendations put forward by the evaluators is key to getting the most out of the security risk assessment. Companies must monitor their implementation and analyze their level of effectiveness.
In addition, as mentioned above, it is important to note that the security risk assessment provides a broad, clear, and accurate view of vulnerabilities and threats at the time it is performed. But these may change in the future, just as the techniques and methodologies used by attackers change. For this reason, this type of study should not be seen as a one-off exercise, but as one more element of a comprehensive security strategy.
For this to happen, companies, especially those that are more digitally advanced and/or operate in strategic sectors (banking, energy, telecommunications…) must place cybersecurity at the center of their business strategy.
In short, security risk assessment allows companies to detect their vulnerabilities, be aware of the threats they face, and take the necessary measures to reduce risks and avoid security incidents that could take their own business by storm.