Deceptions Everywhere ®

Insights on threat and cyber risk trends, use cases for deception technology
and strategies for combatting targeted attacks

Cybersecurity Risk Assessment & Testing: How to Guide

Posted by the Illusive Networks team on Nov 12, 2015 2:31:00 AM

Cybercrime is now big business and, needless to say, everyone wants in. In 2014, over 317 million new pieces of malware were created, which works out to about 1 million new threats to prepare for, every single day.

But that’s just the start. Numerous companies are facing advanced persistent threats on a daily basis. With such a complex and evolving threat matrix, it’s no surprise that leading organizations feel vulnerable and need to take steps towards cyber security risk assessment.

It’s no longer enough to blindly implement a cyber security strategy and simply hope that you’re safe. These solutions must be tested to examine how they hold up against a dedicated attack.

Do you know the 5 steps to cyber security risk assessment? Find out below...


Constructing a Security Risk Assessment Test

A true test of a company’s vulnerabilities starts with a Red Team. This group can either be staffed internally or hired as a third-party contractor, and is formally tasked to try and break through corporate defenses to access sensitive files.

By using multiple techniques and testing different paths to access the network, this group can provide a detailed report on all system vulnerabilities found in the process.

Before you hire or staff a Red Team, here are a few tips to create a solid assessment plan:

1. Know Your Adversary

Every organization faces a different threat matrix: some are more vulnerable to nation-state and hacktivist attacks, whereas others are targeted for their customer data and intellectual property.


Many organizations consistently face attacks from known adversaries with specific strategies and toolsets (common malware, botnets, sophisticated zero-day attacks, etc.). Understanding what you’re up against is the first step in preparing for an attack.

2. Assemble the Team

Only the most experienced cyber experts, with expertise in breaking codes and hacking sophisticated environments and data sources, should be used in a Red Team exercise. The better your Red Team, the better your vulnerability test.

As you continue running security risk assessment tests, be sure to vary the team (even if you have an internal group), since each uses different tactics to try and breach defenses.

3. Define Goals 

When you know who your adversary is, construct your test accordingly. For instance, if reputation loss is the biggest concern for your company, you may want a Red Team to focus on hacktivist threats that may lead to PR blunders.

4. Outfit the Test Environment

Lab simulations are great, but they can’t always reflect what will happen in the real world. Therefore, make your testing environment as close to the production environment as possible so the results are accurate.

This is not the time to try to cut costs. With the average data breach costing $150 to $363 per compromised record, companies should pay what’s necessary to make the simulation extremely accurate.

5. Allocate Sufficient Resources to Fix the Problem   

This may seem obvious, but there are plenty of companies out there who hire or staff a Red Team, read the report, and then ignore the results. Make sure to plan for system upgrades and fixes in your budget before sending the Red Team to work.

Learning to Outsmart Cyber Attackers

The cyber security market is expected to be worth about $170 billion by 2020, so it’s clear that companies aren’t afraid to invest in a cyber security strategy.

The key is to ensure the budget is being spent wisely. Cyber defense is not a problem that businesses can simply throw money at in the hope that it will go away. Leveraging a Red Team and understanding your security goals are essential steps in security risk assessment.

It’s time for companies to start being more proactive about their cybersecurity strategy, rather than sitting back and reacting to data breaches after the fact.

