Pratum Blog

Best Practices for Information Security Risk Assessments

If you’re considering how to get the most value from your information security risk assessment—or whether you even need one—use these best practices shared by Pratum vCISO Ben Hall. Ben and the rest of the Pratum team conduct numerous information security risk assessments each year, giving them deep insight into how you can maximize this key part of your cybersecurity strategy.

Ben Hall
vCISO, Pratum


What’s the most common risk you see?


We always see issues with access controls, whether that be access to the network, access to applications or access to the facility. There is always some gap in control when it relates to giving an individual user access to those resources. A lot of times, we see organizations give administrator privileges to an end-user that may not be doing development activities. So not only can they make changes to their local workstation, but they can also make changes to an application or to something like customer data when it may not be necessary for their job role.


What’s another common challenge that comes up in assessments?


Change management comes up a lot as well. A lot of organizations think they have pretty robust change management controls in place, but we can typically identify that it’s not the case when we ask for selections. So if it’s firewall changes and you make changes every Wednesday, we’re going to ask if there are tickets to back that up. If you’re doing development changes where you’re going from one version to another, where’s the development process within that? How are you evaluating that the development change is actually good and will fit within the environment? Is there a quality assurance (QA) test?


Are there other policies or controls that you recommend everyone should have based on all the risk assessments you perform each year?


Incident response comes up now more than ever based on all the news we’re seeing, the ransomware events, the actions of malicious employees, etc. With all that going on, it’s crucial to be able to get your team together and properly respond to an incident.


What kinds of things tend to surprise IT leaders when they read the report from their IT risk assessment?


They almost always find something surprising in there. Most people tend to think their environment is more secure than it really is. And that’s the benefit of bringing in a third party for the risk assessment. We can provide that objective view. We’re not intimate with those controls, so we can ask the questions of why they exist in the first place. So the risk posture they expect versus the reality comes up a lot, and it can make those meetings a little interesting.


You cast a wide net during a risk assessment by talking to people in a variety of departments. Why is it important to get all those perspectives within the organization?


Something that comes up often is a lot of shadow IT controls and applications that exist. You may be aware, for example, of what your Accounts Payable department is using to make sure all the statements are paid. But there may be additional things like cloud-sharing tools that you were unaware of and that the team tells the external auditor about. We also like to meet with the finance team and CFO or others in the C-suite to get that additional insight as to what’s existing today and what their expectations are for IT. It sheds a lot of light on what the CEO expects IT to do but has never told them about and that IT has never even considered.


How do you coach people to read through a risk assessment report and start deciding on next steps?


One thing we do with every report is identify the 5-10 items that we’d start with if it were our program. So we help you set that prioritization focusing on Implementation Level 1: This is what needs to take place, all the way through. We also provide a risk register that lists any additional opportunities for improvement discovered through the risk assessment. So that way you not only have that executive overview of these 10 things to do immediately, but you have that other comprehensive list of activities that can be incorporated throughout the year.
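The two deliverables described in this answer, a short executive list and a fuller risk register that a committee can revisit through the year, are easy to sketch in code. The block below is an added example, not Pratum's own tooling: it assumes a 5x5 likelihood-by-impact scoring model and a 90-day review cadence (both common conventions, neither stated on the page), and the findings, owners and dates it loads are constructed for illustration.

```python
"""Minimal risk register with prioritization and review tracking.

Added example; assumes a 5x5 likelihood x impact score (1..25) banded into
low/medium/high and a quarterly review cadence. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Risk:
    risk_id: str
    finding: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    owner: str
    identified: date
    status: str = "open"
    last_reviewed: Optional[date] = None

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed banding of the 1..25 score into three tiers.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


class RiskRegister:
    def __init__(self, review_interval_days: int = 90) -> None:
        self.risks: List[Risk] = []
        self.review_interval = timedelta(days=review_interval_days)

    def add(self, risk: Risk) -> None:
        if any(r.risk_id == risk.risk_id for r in self.risks):
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self.risks.append(risk)

    def open_risks(self) -> List[Risk]:
        # Highest score first; ties broken by age, then id, so output is stable.
        return sorted((r for r in self.risks if r.status == "open"),
                      key=lambda r: (-r.score, r.identified, r.risk_id))

    def executive_priorities(self, n: int = 10) -> List[Risk]:
        """The short list to start with: the top-n open risks by score."""
        return self.open_risks()[:n]

    def overdue_for_review(self, today: date) -> List[Risk]:
        """Open risks not looked at since before the committee cadence."""
        overdue = []
        for r in self.open_risks():
            last = r.last_reviewed or r.identified
            if today - last > self.review_interval:
                overdue.append(r)
        return overdue


def build_sample_register() -> RiskRegister:
    """Constructed sample findings; ids, owners and dates are illustrative."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Local admin rights granted to non-developer users", 4, 4, "IT Ops", date(2021, 3, 1)))
    reg.add(Risk("R-002", "No MFA on VPN", 5, 5, "Network", date(2021, 3, 1)))
    reg.add(Risk("R-003", "Firewall changes without change tickets", 3, 3, "Network", date(2021, 3, 1),
                 last_reviewed=date(2021, 5, 20)))
    reg.add(Risk("R-004", "Incident response plan untested", 3, 4, "CISO", date(2021, 3, 1)))
    reg.add(Risk("R-005", "Unapproved cloud file-sharing tool in Accounts Payable", 3, 2, "Finance", date(2021, 3, 15)))
    reg.add(Risk("R-006", "Legacy printer on flat network", 2, 2, "IT Ops", date(2021, 3, 15), status="closed"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.executive_priorities(3):
        print(f"{r.risk_id} {r.rating:6} score={r.score:2} {r.finding}")
    for r in register.overdue_for_review(date(2021, 7, 1)):
        print("review overdue:", r.risk_id)
```

Closed items drop out of both views, and the overdue list is what a quarterly risk committee would walk through; the scoring bands are the part most organizations tune to their own appetite.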


What trends have you been seeing in risk assessments this year?


The thing that surprises me the most is the lack of multifactor authentication across the board. You would think that with 2020 and that immediate shift to remote workforce, everyone would have widely implemented some kind of MFA or 2FA by now. I’m surprised that it’s still a gap with a lot of organizations that still have pretty substantial applications open to the network. A lot of times you’ll see that maybe they have put in some kind of VPN, but even that still doesn’t have MFA or 2FA tied to it. This remote shift is going to stay a while, so if you don’t already have plans to implement MFA or 2FA, that would probably be my #1 thing to start working toward this year.


After an organization has done a risk assessment, when do they need to start thinking about another one?


Best practice is to do it at least annually. Even better practice is to have that annual risk assessment, but then have some kind of risk management committee. So not only are you evaluating those controls identified in the risk assessment and utilizing your risk register to manage a lot of that, but you’re also meeting on a quarterly or even monthly basis to look through what exists, adding new risks that have been identified throughout the year to that list and talking through a remediation plan. So you need that continuous evolution of quarterly processes reviewing that process in addition to the annual formalized risk assessment.


Can an organization realistically evaluate its own risk using its internal team?


You could, and we often encourage that. But if you look at it like going to a gym and hiring a trainer, you really benefit from getting an expert opinion on what kind of workout makes the most sense for you. That can tie into risk assessments, too. You want that external opinion from subject matter experts who do this on a daily basis and can truly assess your organization with that independent lens. As a control owner within that organization, you tend to be a little guarded as far as to what some of those activities could be. In comparison, an independent auditor or assessor can look at those processes objectively and point out potential flaws that exist in the remediation activity. Hard questions will be asked during a good risk assessment. But that said, it’s not a tough engagement. We’re there to help you get better. So it’s best to give us those open, honest answers. We’re here to help you get stronger and get better. There are no wrong answers in a risk assessment.

If you’d like to talk with a Pratum consultant about how to plan a risk assessment in your environment, contact us today.

A thorough penetration testing campaign involves social engineering, vulnerability scanning, and the manual hacking of computer systems, networks, and web applications. This overview shows how a professional team uses multiple types of penetration testing to exploit a variety of attack vectors, just as a real hacker would.

Social Engineering: Hacking Humans

  • Phishing
    Penetration testers craft emails that seem to be from a trusted source and invite recipients to either supply their login credentials or click on a malicious link or attachment.
  • Pretexting
    Penetration testers call targeted people and ask for sensitive information such as login credentials or fool the user into performing a malicious action. Callers frequently impersonate a Call Center rep or a fellow employee from another division.
  • Facility Access
    Old-fashioned physical intrusion still plays a role. Penetration testers may slide through an open door in a group of employees. Or they may look for vulnerable entrances such as loading docks, maintenance entrances or designated smoking areas. Testers sometimes pose as maintenance workers and talk their way into sensitive parts of the facility.
  • Dumpster Diving
    Just like real hackers, testers know they often can find sensitive information in the trash. This might include credit card receipts, travel information, network diagrams, device inventories with IP addresses, contact lists, and more.

Vulnerability Scanning: Discovering Weaknesses

Automated tools seek known security vulnerabilities in your systems such as unpatched software or open ports. The scans reveal risks that may directly impact your organization and point penetration testers to areas they can try to exploit.
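What the defender gets back from a scanner is a list of open ports and service versions per host; the value comes from comparing that list against what the host is supposed to expose and what the patch policy accepts. The block below is an added example, not Pratum's tooling or any scanner's real output: it parses a constructed sample in the general shape of nmap's XML (a subset of its elements only), against a constructed allowed-port baseline and minimum-version table, and reports the gaps a pen tester would otherwise be pointed at.

```python
"""Triage of vulnerability-scan output against an exposure and patch baseline.

Added example. SAMPLE_SCAN_XML, ALLOWED_PORTS and MINIMUM_VERSIONS are all
constructed for illustration; the XML only mimics the shape of nmap output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_SCAN_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.20.1"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="25"><state state="closed"/><service name="smtp"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed policy for this segment: ports a host may expose, and the oldest
# version of each product the patch policy accepts. Not values from the page.
ALLOWED_PORTS = {22, 443}
MINIMUM_VERSIONS = {"OpenSSH": "8.0", "nginx": "1.20.0"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn strings like '7.4p1' or '1.20.1' into a comparable integer tuple."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def parse_scan(xml_text: str) -> Dict[str, List[dict]]:
    """Map each host address to its open ports with service, product, version."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, List[dict]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
        hosts[addr] = open_ports
    return hosts


def triage(hosts: Dict[str, List[dict]]) -> List[Tuple[str, int, str]]:
    """Return (host, port, reason) for unexpected exposure or outdated software."""
    findings = []
    for addr, ports in hosts.items():
        for p in ports:
            if p["port"] not in ALLOWED_PORTS:
                findings.append((addr, p["port"], f"unexpected open port ({p['name'] or 'unknown'})"))
            minimum = MINIMUM_VERSIONS.get(p["product"])
            if minimum and p["version"] and parse_version(p["version"]) < parse_version(minimum):
                findings.append((addr, p["port"], f"{p['product']} {p['version']} below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for host, port, reason in triage(parse_scan(SAMPLE_SCAN_XML)):
        print(f"{host}:{port} {reason}")
```

Version banners reported by a scanner are unverified strings from the remote service, so a version-based finding is a prompt to check patch records, not proof of a vulnerability; the port baseline, by contrast, is something the asset owner can confirm directly.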

Penetration Testing: Manually Exploiting Vulnerabilities

  • Network & Infrastructure
    Infrastructure penetration testing identifies security weaknesses within your network. Testers look for flaws such as outdated software, missing patches, improper security configurations, weak communication algorithms, command injection, etc. Infrastructure penetration tests often include testing of firewalls, switches, virtual and physical servers, and workstations.
  • Wireless Penetration Testing
    Hackers can leverage wireless capabilities to infiltrate an organization’s secured environment, even if some access and physical security controls are in place. Pen testers map access points in the wireless landscape and gain access to the wireless network. Then they attempt to exploit weaknesses in the network to gain access to privileged areas and demonstrate the potential impact of a wireless network breach.
  • Web Applications
    Web applications often process and/or store sensitive information including credit card data, personally identifiable information (PII), and proprietary data. And web apps are frequently vulnerable due to their complexity and rapid development cycles. That’s why about 40% of all breaches involve web apps. And that’s why a well-rounded pen test includes any web apps the company uses.

Red Teaming: Emulating Advanced Threats

Here, penetration testers take a more adversarial approach as they go after specific targets. This type of advanced, focused test emulates Tactics, Techniques and Procedures (TTPs) of mature threat actors. The Red Team attempts to remain invisible to the systems’ defenders (known as the Blue Team).

To learn more about Pratum's penetration testing services, contact us today.


SOC 2® reports are probably coming up in a lot of conversations among your industry peers and key partners. But do you need to get a SOC 2® report? The process represents a significant investment of both money and time (about 18 months to complete a typical SOC 2® Type II reporting process). As you weigh whether the investment is worth it for your business today and in the future, consider these factors. (And if you need a summary of how SOC 2® works, jump to the bottom of this post.)

Why You May Need a SOC 2® Report

  • Retain/create opportunities with larger clients – Many big companies have strengthened their cybersecurity programs by dramatically tightening requirements for their third-party vendors. If you can’t produce proof that you have a mature security program, you may lose deals or never even get invited to bid. We’ve heard many stories about companies that caught their big break with a large client because they had a SOC 2® report ready to go while their competitors scrambled to satisfy the customer’s requests. That’s why many firms have recognized that SOC 2® gives them a competitive advantage.
  • Efficiently answer clients’ security questions – Many organizations have found themselves overwhelmed with constant security questionnaires from clients and partners doing their due diligence on the companies they rely upon. In many cases, you can avoid wading through dozens of custom client questions by giving them a copy of your SOC 2® report. After a few of those situations, the SOC 2® process pays for itself in terms of time savings for your staff.
  • Improve your overall security – Don’t overlook the core purpose of the SOC 2® process: improving how you handle data security. During the prep process, you’ll surely clean up a lot of your controls and processes—and probably find some surprises in the way your team is doing things. During the process, you may be notified of additional ways you can make improvements. All of those improvements mean you should experience fewer business interruptions and costs from data breaches. Again, the SOC 2® process will probably pay for itself by helping you avoid costly incidents.
  • Accelerate your progress on compliance requirements – SOC 2®’s requirements overlap with standards and frameworks such as HIPAA and ISO 27001. That means going through the SOC 2® process will also help you take big steps toward meeting other compliance requirements you may have.
  • Increase operational efficiency – During the process, you’ll uncover areas where you can improve things like how you share information, how you process change requests, etc. So while a SOC 2® report focuses on security, pursuing it will help tune your overall operations.
  • Secure better cybersecurity insurance rates – Insurance rates have skyrocketed in the last year as insurance companies try to get a handle on all the ransomware claims they’ve been paying out. To get the best available premiums, you’ll have to demonstrate the maturity of your program. A SOC 2® report can help make that case.

SOC 2® Defined

Companies use the widely accepted SOC 2® compliance model to confirm that their vendors/partners handle information securely. Rather than simply trusting vendors who declare themselves secure, companies can demand a SOC 2® report as third-party proof of the vendor’s security. In a SOC 2® audit, a firm recognized by the American Institute of CPAs (AICPA) reviews a company’s controls over a specific period of time and issues an opinion on its compliance with the standard.

Companies can seek either SOC 2® Type I or Type II. Type I examines the design of controls at a specific point in time. Type II evaluates the operating effectiveness of those controls over a period of time. While a Type I report can be completed fairly quickly, a Type II audit can take up to 18 months, including the readiness and audit periods. Retaining SOC 2® validation requires repeating the audit on a regular basis (usually annually).

Pratum consultants help numerous companies each year determine whether they would benefit from a SOC 2 report and then prepare for the SOC 2 process if they move forward. To learn more about how Pratum can help simplify the journey for you, contact us today.
