At Rapid7, we believe that cybersecurity within a company is not just a function with many stakeholders, but rather a shared responsibility among all employees, regardless of role. We have performed hundreds of cybersecurity maturity assessments (CSMAs) for our customers over the years, and one of the main things we continuously find is that the security team is often tasked with things that would be better assigned to IT and business leadership. Those responsibilities include everything from accepting risk on behalf of the business to technical tasks such as implementing patches on production systems. These functions are often assigned to the cybersecurity team because risk is something that many businesses still do not fully understand and IT staff are often overwhelmed with administrative responsibilities.
While we routinely see these practices in place due to their perceived necessity, we aim to help our customers look past how they are performing cybersecurity tasks today, and instead define a future where the responsibilities are distributed so that cyber-risk becomes a board-level discussion. This need for evolution in cybersecurity practices is best illustrated by our 2018 "Under the Hoodie" report. This report analyzes 268 penetration testing service engagements we performed from early September of 2017 through mid-June of 2018, and identifies the common ways our professional hackers were able to breach a network. In short, attackers are constantly changing or recycling their tactics, but the motivations largely stay the same. This requires a cyber-program to constantly assess and manage the cyber-risk to their business and identify approaches that minimize exposure and potential impact.
To determine the future-state strategy and roadmap with our customers, we offer a comprehensive maturity assessment that aligns to the cybersecurity framework best suited for their industry and market vertical. The assessment is divided into phases that consist of a pre-engagement questionnaire, onsite interviews, offline documentation reviews, collaborative report writing, preliminary finding discussions, final reporting, and in many cases, executive/board briefings.
When complete, our customers receive a comprehensive product that includes a consumable component for an executive audience, a deep-dive review of the controls in place and their demonstrated effectiveness, along with a strategic roadmap that prioritizes the strategy based on a risk-to-cost-driven methodology.
Putting it to the test: The technical side of the Cybersecurity Maturity Assessment
Vulnerability scanning and phishing to identify technical opportunities
Fact: This year’s "Under the Hoodie" report saw a significant increase in the rate that software vulnerabilities are exploited in order to gain control over a critical networked resource.
In order to understand the successes and shortcomings of an existing, or in some cases nonexistent, vulnerability management program, a fresh set of eyes and fresh scan data is the first step. Fresh data shows whether the program is truly effective rather than what the last report said it was. If a program is already in place, comparing the new results against previously identified vulnerabilities shows how well those findings have actually been mitigated, and whether the mitigation happened within your organization's defined remediation SLA.
Given that the responsibilities for remediation vary and that stakeholders are often geographically dispersed, it's paramount to ensure proper prioritization and remediation workflows—as well as long-term plans—are created and followed.
As part of our comprehensive Cybersecurity Maturity Assessment, Rapid7 will perform an external vulnerability scan of perimeter assets (up to a /24) instead of starting with old scan data. The output from this scanning helps our consultants determine whether your current vulnerability management program is truly effective at assessing your perimeter devices. Additionally, the vulnerability assessment helps determine the attack surface and threat landscape of the external perimeter hosts. From scanning your external hosts to determining whether the highest-ranked vulnerabilities are true risks relative to your environment, our consultants provide actionable information that helps you bolster your security posture and enhance the future state of your security program.
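The SLA check described above can be done mechanically once you have two scan exports. The following Python is an added example, not Rapid7 code or part of the assessment methodology: it reconciles a prior scan against a fresh one, keeps the original first-seen date for findings that are still present (so the fresh scan does not reset their age), and flags those older than an assumed per-severity SLA. The SLA values, host names, check names and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA per severity, in calendar days. These values are
# illustrative placeholders, not Rapid7's or any customer's policy.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str        # scanner's check/plugin name (constructed names below)
    severity: str     # one of the SLA_DAYS keys
    first_seen: date  # date the scanner first reported it on this host


def key(f):
    """Two records describe the same finding when host and check match."""
    return (f.host, f.check)


def reconcile(previous, current, scan_date):
    """Compare the prior scan export with a fresh one taken on scan_date.

    'still_open' keeps the *previous* record so first_seen is not reset to the
    fresh scan date; ageing against the SLA depends on that.
    A finding absent from the fresh scan is treated as closed no later than
    scan_date, so 'remediated_late' is a lower bound: with a scan cadence
    longer than the SLA you cannot prove on-time remediation from scans alone.
    """
    prev = {key(f): f for f in previous}
    cur = {key(f): f for f in current}

    still_open = [f for k, f in prev.items() if k in cur]
    remediated = [f for k, f in prev.items() if k not in cur]
    new = [f for k, f in cur.items() if k not in prev]

    def age(f):
        return (scan_date - f.first_seen).days

    return {
        "still_open": still_open,
        "sla_breached": [f for f in still_open if age(f) > SLA_DAYS[f.severity]],
        "remediated": remediated,
        "remediated_late": [f for f in remediated if age(f) > SLA_DAYS[f.severity]],
        "new": new,
    }


def sla_compliance_rate(report):
    """Share of previously known findings that were closed or are still within SLA."""
    known = len(report["still_open"]) + len(report["remediated"])
    if known == 0:
        return 1.0
    missed = len(report["sla_breached"]) + len(report["remediated_late"])
    return (known - missed) / known


# Constructed sample data: a prior export and a fresh external scan.
PREVIOUS_SCAN = [
    Finding("web1.example.com", "outdated-web-server", "critical", date(2018, 4, 1)),
    Finding("web1.example.com", "weak-tls-config", "medium", date(2018, 4, 1)),
    Finding("mail1.example.com", "open-relay", "high", date(2018, 5, 1)),
    Finding("vpn1.example.com", "default-credentials", "critical", date(2018, 6, 1)),
]
SCAN_DATE = date(2018, 6, 15)
CURRENT_SCAN = [  # the fresh scanner stamps first_seen with its own run date
    Finding("web1.example.com", "outdated-web-server", "critical", SCAN_DATE),
    Finding("web1.example.com", "weak-tls-config", "medium", SCAN_DATE),
    Finding("web2.example.com", "directory-listing", "low", SCAN_DATE),
]


if __name__ == "__main__":
    report = reconcile(PREVIOUS_SCAN, CURRENT_SCAN, SCAN_DATE)
    for bucket, findings in report.items():
        print(f"{bucket}: {[key(f) for f in findings]}")
    print(f"SLA compliance: {sla_compliance_rate(report):.0%}")
```

On the sample data the critical finding on web1 has been open 75 days against a 15-day SLA and is flagged as breached; the medium finding on the same host is 75 days old but within its 90-day window; the open relay on mail1 was closed, but 45 days after first sight, so it cannot be counted as remediated on time. The conservative treatment of closure dates is deliberate: a program that scans monthly can never demonstrate compliance with a 15-day SLA from scan data alone, which is itself a finding worth raising.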
An assessment of your organization's security posture would not be complete without inspecting the human element. It's no secret that adversaries are often more successful at breaching perimeter defenses through social engineering than through traditional service or application exploitation. With this in mind, companies need to be vigilant in their security training and awareness programs. (Recommended reading: "Socializing Security" in the "Under the Hoodie" report.) Because security has many stakeholders, it is often hard to gauge how well these training programs are working, and the commitment to awareness needs to come from the top down; otherwise it will falter at some point.
Rapid7's Cybersecurity Maturity Assessment offering keeps this in mind by performing a light phishing exercise to help you visualize how susceptible a subset of your employees is to phishing attacks. While the exercise is not a targeted, sophisticated spear-phishing campaign, it still gives an inside look into how likely users are to click enticing links and subsequently supply their credentials. Any interaction with a potentially malicious site should be treated with the utmost care, and no information, not even fake information, should ever be submitted. Why? Other nefarious actions may be set to transpire after data is submitted, or even after a link is clicked.
Proper vulnerability management and user awareness training are critical to an organization's defense strategy. Rapid7’s consultants help to bridge the gap between security and business stakeholders, ensuring that security is an organization-wide concern, and not just an IT one.