A GUIDE TO

12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at your organization; actual security is much harder to know, because it requires verification rather than belief. So how can you better understand your actual cybersecurity standing and health? The first step is to understand the three primary ways your organization can experience a cybersecurity incident:

1. Someone on the outside.

As an example, an attacker sends you an email carrying a malicious attachment or link. If you open it, malware is installed on your machine; if that malware then spreads across the corporate network, the attacker can do what they want inside the organization. We'll refer to this below as an external threat.

2. A trusted insider.

This is someone with extensive access inside your organization who can steal data, intellectual property, trade secrets, and more without the knowledge of colleagues. This person has been given a certain level of trust and abuses it, either deliberately or unwittingly, as when their credentials are stolen and used by someone else. We'll refer to this below as an internal threat.

3. An attack through the supply chain.

A company can experience a cybersecurity incident because someone has manipulated hardware or software the company uses in order to gain access to its network or infrastructure, or because an attacker has compromised a third-party service provider and stolen the company's data through that vendor. We'll refer to this below as a supply chain threat.

Of course, you will want to build a security program that thoroughly addresses all three of these so-called “threat vectors.” But how do you go about doing this? Through specific, quantifiable cybersecurity metrics. Below, we have detailed 12 actionable metrics, in no particular order, that help you assess how an organization is doing with cybersecurity. They take you beyond simple “yes” and “no” answers and into your vendor's (and your own) security posture. Keep in mind that these are only some of the key metrics you should be watching, not all of them. This is not a be-all, end-all list, but it is a good place to start.

External Threats

1. Number of botnet infections per device over a period of time.

Knowing that your company has had a few botnet infections in the past is one thing; this metric makes you examine how many infections, on how many devices, and of which kinds, over a defined window. Normalizing per device and per period is what makes the number comparable between a vendor with 50 machines and one with 50,000. There are several reasons an organization should monitor this. One is data exfiltration: many bots communicate with a command and control server and are written to collect user data or gather specific information. Others are used to install additional malware. So if you have 10 affected devices, whoever controls the botnet can push more malware to them, and that additional malware can then cascade across your corporate network. Alongside the count, consider the type of infections. If a company's infections were all Conficker, that says something different (an old worm surviving on unpatched or unmanaged hosts) than a variety of families. This is particularly important for a financial organization, since families like Zeus were built specifically to seek out banking credentials and financial information.
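The following is an added example, not code from the guide or from BitSight: it computes the per-device infection count for a reporting window from an outbound-connection export, counting a hit against a known command and control indicator on sight and flagging unknown destinations only when a device contacts them at a machine-regular interval. The log lines, the indicator list, the device names and the jitter threshold are all constructed for illustration.

```python
"""Botnet infections per device over a period, from outbound-connection logs.

Added example, not BitSight's code. The log lines, the C2 indicator list and
the beaconing threshold are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy/firewall export: "<ISO timestamp> <device> <dst_ip>:<port>"
LOG_LINES = """\
2024-03-01T09:00:00 ws-017 203.0.113.10:443
2024-03-01T09:05:00 ws-017 203.0.113.10:443
2024-03-01T09:10:00 ws-017 203.0.113.10:443
2024-03-01T09:15:00 ws-017 203.0.113.10:443
2024-03-01T09:03:00 ws-017 198.51.100.7:80
2024-03-01T11:00:00 ws-042 203.0.113.10:443
2024-03-02T08:00:00 ws-042 198.51.100.9:8080
2024-03-02T08:30:00 ws-042 198.51.100.9:8080
2024-03-02T09:00:00 ws-042 198.51.100.9:8080
2024-03-02T09:30:00 ws-042 198.51.100.9:8080
2024-03-03T12:00:00 srv-db1 192.0.2.55:443
2024-03-20T12:00:00 ws-017 192.0.2.77:443
""".splitlines()

# Constructed threat-intel feed: known C2 endpoint -> malware family.
C2_INDICATORS = {
    "203.0.113.10:443": "Zeus",
    "192.0.2.77:443": "Conficker",
}


def parse(lines):
    """Yield (timestamp, device, destination) tuples from the export."""
    for line in lines:
        ts, device, dst = line.split()
        yield datetime.fromisoformat(ts), device, dst


def regular_interval(gaps_seconds, max_jitter=0.1):
    """True when the gaps between contacts are near-constant.

    Regularity is the coefficient of variation (stdev / mean) of the gaps;
    real implants add jitter, so the threshold is deliberately loose.
    """
    if len(gaps_seconds) < 3 or mean(gaps_seconds) == 0:
        return False
    return pstdev(gaps_seconds) / mean(gaps_seconds) <= max_jitter


def is_beaconing(timestamps, min_hits=4):
    ts = sorted(timestamps)
    if len(ts) < min_hits:
        return False
    return regular_interval([(b - a).total_seconds() for a, b in zip(ts, ts[1:])])


def infections_per_device(lines, start_iso, end_iso):
    """{device: {(destination, family)}} for contacts in [start, end).

    A match against the indicator list counts on a single hit; an unknown
    destination counts only if the device contacts it like clockwork.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    contacts = defaultdict(list)
    for ts, device, dst in parse(lines):
        if start <= ts < end:
            contacts[(device, dst)].append(ts)

    found = defaultdict(set)
    for (device, dst), stamps in contacts.items():
        if dst in C2_INDICATORS:
            found[device].add((dst, C2_INDICATORS[dst]))
        elif is_beaconing(stamps):
            found[device].add((dst, "suspected-beacon"))
    return dict(found)


def summarize(lines, start_iso, end_iso):
    """The metric as it would appear in a report: per-device counts plus family mix."""
    found = infections_per_device(lines, start_iso, end_iso)
    return {
        "period": (start_iso, end_iso),
        "devices_affected": len(found),
        "infections_per_device": {d: len(v) for d, v in found.items()},
        "families": sorted({fam for v in found.values() for _, fam in v}),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(LOG_LINES, "2024-03-01T00:00:00", "2024-04-01T00:00:00"))
```

Over the March window the report shows two affected devices with two infections each and a family mix of Conficker, Zeus and one suspected beacon; narrowing the window to the first half of March drops the Conficker sighting, which is the point of reporting the count per period rather than cumulatively.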

2. Number of unpatched known vulnerabilities.

By measuring this metric and understanding what it implies, you can prevent an attacker from using vulnerabilities that have already been published on the internet to reach computers on your network. Vulnerabilities such as Heartbleed, POODLE, Logjam, or FREAK have public write-ups and tooling, so exploiting them requires no novel research and can do significant damage to an organization. Thus you want to be sure you are patching your own network as known vulnerabilities are announced, so you are not exposed to these unsophisticated attacks. A raw count is only the starting point; what makes it actionable is how long each item has been open since disclosure, whether a public exploit exists, and whether the affected host is reachable from the internet.
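The following is an added example, not code from the guide or from BitSight: it joins an asset inventory to a vulnerability feed to produce the count, and qualifies it with age since disclosure, public-exploit availability and a patch SLA. The inventory, the feed entries (with hypothetical VULN-* identifiers), the 30-day SLA and the dotted-version comparison are all constructed assumptions; a real pipeline would pull from NVD or vendor advisories and apply each ecosystem's own version-ordering rules.

```python
"""Unpatched known vulnerabilities: join an asset inventory to a vulnerability feed.

Added example, not BitSight's code. The inventory, the feed entries (with
hypothetical VULN-* identifiers), the patch SLA and the dotted-version
comparison are all constructed assumptions; a real pipeline would pull from
NVD or vendor advisories and use each ecosystem's own version rules.
"""
import re
from datetime import date

# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web-01": {"openssl": "1.0.1f", "bash": "4.3"},
    "web-02": {"openssl": "1.0.1g", "bash": "4.3.30"},
    "vpn-01": {"openssl": "1.0.2k"},
}

# Constructed feed: the affected range is [affected_from, fixed_in).
FEED = [
    {"id": "VULN-A", "product": "openssl", "affected_from": "1.0.1", "fixed_in": "1.0.1g",
     "published": "2014-04-07", "exploit_public": True},
    {"id": "VULN-B", "product": "bash", "affected_from": "1.14", "fixed_in": "4.3.30",
     "published": "2014-09-24", "exploit_public": True},
    {"id": "VULN-C", "product": "openssl", "affected_from": "1.0.2", "fixed_in": "1.0.2l",
     "published": "2017-05-25", "exploit_public": False},
]


def version_key(version):
    """Sortable key: '1.0.1f' -> ((0,1),(0,0),(0,1),(1,'f')).

    Numeric parts compare as integers; a trailing letter ranks above the bare
    number (OpenSSL style), and '4.3' sorts before '4.3.30'.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed, vuln):
    key = version_key(installed)
    return version_key(vuln["affected_from"]) <= key < version_key(vuln["fixed_in"])


def unpatched(inventory, feed, today, sla_days):
    """One finding per (host, vulnerability) still present on the host."""
    findings = []
    for host, products in inventory.items():
        for product, version in products.items():
            for vuln in feed:
                if vuln["product"] == product and is_affected(version, vuln):
                    age = (today - date.fromisoformat(vuln["published"])).days
                    findings.append({
                        "host": host, "product": product, "version": version,
                        "id": vuln["id"], "age_days": age,
                        "exploit_public": vuln["exploit_public"],
                        "sla_breached": age > sla_days,
                    })
    return findings


def metric(inventory, feed, today_iso, sla_days=30):
    """The raw count plus the qualifiers that make it actionable."""
    findings = unpatched(inventory, feed, date.fromisoformat(today_iso), sla_days)
    return {
        "unpatched_known": len(findings),
        "with_public_exploit": sum(1 for f in findings if f["exploit_public"]),
        "sla_breached": sum(1 for f in findings if f["sla_breached"]),
        "oldest_days": max((f["age_days"] for f in findings), default=0),
        "by_host": {h: sum(1 for f in findings if f["host"] == h) for h in inventory},
    }


if __name__ == "__main__":
    print(metric(INVENTORY, FEED, "2017-06-30"))
```

Run against the constructed data as of 2017-06-30, web-02 is clean while web-01 carries two items that have been public for roughly three years, which is the difference between "three unpatched vulnerabilities" and "three SLA breaches, two with public exploits" that a vendor review should surface.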

3. Number of properly configured SSL certificates.

Monitoring this metric may help you answer two important questions:

• Does the SSL certificate meet the accepted level of security (trusted issuer, not expired, matching hostname, adequate key size, no deprecated signature algorithm)?

• Is the server configured properly to use that certificate (current protocol versions, no weak ciphers, complete chain served)?

If the answer to either is no, an outsider may be able to read or impersonate the traffic the certificate is supposed to protect: a server that still accepts SSLv3 or export-grade ciphers can be downgraded (POODLE, FREAK and Logjam are exactly this), an expired or untrusted certificate teaches users to click through warnings, and a Heartbleed-class bug can leak the private key itself. That private key is what lets clients trust communications to and from the server and databases; whoever holds it can decrypt or forge that traffic and potentially reach very sensitive data. Thus you want to be certain that all of your critical third parties (and you) have properly configured SSL certificates. Note also that the useful form of this metric is a percentage of all certificate-bearing endpoints, since a count of correct certificates says nothing without the count of incorrect ones.
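The following is an added example, not code from the guide or from BitSight: it grades each endpoint against the two questions above and reports the share that passes. The endpoint records are constructed as a scanner might export them, the hostnames are illustrative, and the policy thresholds (2048-bit RSA, no SHA-1 signatures, TLS 1.2 minimum, 30-day expiry warning) are assumptions; the hostname check implements the one-label wildcard rule, which is the edge case scanners most often get wrong.

```python
"""Properly configured SSL/TLS certificates: grade each endpoint and compute the share that passes.

Added example, not BitSight's code. The endpoint records are constructed as a
scanner might export them, and the policy thresholds (2048-bit RSA, no SHA-1,
TLS 1.2 minimum, 30-day expiry warning) are illustrative assumptions.
"""
from datetime import date

POLICY = {
    "min_rsa_bits": 2048,
    "weak_sig_algs": {"md5WithRSAEncryption", "sha1WithRSAEncryption"},
    "min_protocol": "TLSv1.2",
    "weak_ciphers": ("RC4", "DES", "NULL", "EXPORT", "MD5"),
    "expiry_warning_days": 30,
}
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed scanner export: one record per endpoint.
ENDPOINTS = [
    {"hostname": "www.example.com",
     "cert": {"names": ["www.example.com", "example.com"], "chain_trusted": True,
              "not_after": "2025-01-15", "key_type": "RSA", "key_bits": 2048,
              "sig_alg": "sha256WithRSAEncryption"},
     "server": {"min_protocol": "TLSv1.2",
                "ciphers": ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]}},
    {"hostname": "api.partner.example",
     "cert": {"names": ["*.partner.example"], "chain_trusted": True,
              "not_after": "2024-08-20", "key_type": "RSA", "key_bits": 1024,
              "sig_alg": "sha1WithRSAEncryption"},
     "server": {"min_protocol": "TLSv1.0",
                "ciphers": ["ECDHE-RSA-AES128-SHA", "RC4-SHA"]}},
    {"hostname": "vpn.corp.example",
     "cert": {"names": ["vpn.corp.example"], "chain_trusted": False,
              "not_after": "2024-03-01", "key_type": "EC", "key_bits": 256,
              "sig_alg": "ecdsa-with-SHA256"},
     "server": {"min_protocol": "TLSv1.2", "ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"]}},
    {"hostname": "deep.sub.partner.example",
     "cert": {"names": ["*.partner.example"], "chain_trusted": True,
              "not_after": "2025-06-01", "key_type": "RSA", "key_bits": 2048,
              "sig_alg": "sha256WithRSAEncryption"},
     "server": {"min_protocol": "TLSv1.2", "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256"]}},
]


def hostname_matches(hostname, names):
    """RFC 6125-style name check: a leading '*' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*.") and host.count(".") == n.count("."):
            if host.split(".", 1)[1] == n[2:]:
                return True
    return False


def assess(record, today):
    """Policy failures for one endpoint; an empty list means properly configured."""
    cert, server, reasons = record["cert"], record["server"], []
    if not hostname_matches(record["hostname"], cert["names"]):
        reasons.append("hostname not covered by certificate")
    if not cert["chain_trusted"]:
        reasons.append("chain not trusted (self-signed or unknown CA)")
    days_left = (date.fromisoformat(cert["not_after"]) - today).days
    if days_left < 0:
        reasons.append("certificate expired")
    elif days_left < POLICY["expiry_warning_days"]:
        reasons.append(f"certificate expires in {days_left} days")
    if cert["key_type"] == "RSA" and cert["key_bits"] < POLICY["min_rsa_bits"]:
        reasons.append(f"RSA key too small ({cert['key_bits']} bits)")
    if cert["sig_alg"] in POLICY["weak_sig_algs"]:
        reasons.append(f"weak signature algorithm {cert['sig_alg']}")
    if PROTOCOLS.index(server["min_protocol"]) < PROTOCOLS.index(POLICY["min_protocol"]):
        reasons.append(f"server still accepts {server['min_protocol']}")
    weak = [c for c in server["ciphers"] if any(w in c for w in POLICY["weak_ciphers"])]
    if weak:
        reasons.append("weak ciphers enabled: " + ", ".join(weak))
    return reasons


def metric(records, today_iso):
    today = date.fromisoformat(today_iso)
    findings = {r["hostname"]: assess(r, today) for r in records}
    ok = sum(1 for v in findings.values() if not v)
    return {"properly_configured": ok, "total": len(records),
            "percent": round(100 * ok / len(records), 1), "findings": findings}


if __name__ == "__main__":
    for host, reasons in metric(ENDPOINTS, "2024-08-01")["findings"].items():
        print(host, "OK" if not reasons else "; ".join(reasons))
```

As of 2024-08-01 only one of the four constructed endpoints passes (25%). The last record is the instructive one: its certificate is otherwise sound, but a wildcard for *.partner.example does not cover deep.sub.partner.example, so clients will reject it even though every other check is green.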

Insider Threats

4. Amount of peer-to-peer file-sharing activity on a company's corporate network.

If employees have unrestricted freedom to download software, applications, movies, or music on the corporate network, that is a problem. A metric that measures the number of files shared or downloaded through peer-to-peer activity helps company leadership get to the bigger issue of why personal downloads are happening at all. Not only does this activity expose the corporate network to botnets and malware (pirated installers are a common carrier), but we have also found that companies with a lax policy on this issue typically have poor cybersecurity postures in general.

5. Percentage of employees with “super user” access.

The goal for every organization should be to give employees only the level of access they need to do their job. Most employees do not need access to every piece of data in an organization, which is why this metric is vital. If you give everyone unlimited access, you drastically increase both the chance of an insider-based attack and the damage any single compromised account can do. “Super user” should be defined concretely for the count (for example, domain or enterprise administrators, root on servers, and global administrators in cloud and SaaS consoles) so that the figure is measured the same way each time. Once you have reduced privileges against this metric, you can focus your monitoring on the employees you have trusted with the most access.

6. Average number of days between notification of job departure and elimination of corporate access.

Employees who are leaving a company may walk out the door with some sensitive data. Once you have established this metric, you will get a better idea of how quickly your company acts to reduce the likelihood that a disgruntled former employee can still reach the network and wreak havoc. Report the worst case alongside the average, and count every system (VPN, email, SaaS applications, shared drives), since one forgotten account is enough. Additionally, you will want a baseline of behavior for each employee, so you can tell whether someone who has given notice is doing anything different with their access. For example, if someone typically downloads three documents a day and is now downloading 30 per day, you want to know. Without a baseline, that number is meaningless. From there, you can put a policy in place to monitor employee behavior against the baseline as soon as notice is given.
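The following is an added example, not code from the guide or from BitSight: it computes the notice-to-deprovisioning lag (average, worst case and still-open accounts) and then applies the baseline idea above, flagging post-notice days whose download count exceeds the user's own history. The HR events, the user names and the daily download counts are constructed; the anomaly rule (median plus three median absolute deviations, with a floor of ten extra files) is an illustrative choice, not the guide's.

```python
"""Two insider measurements: days from departure notice to access removal, and
download activity after notice compared with the user's own baseline.

Added example, not BitSight's code. The HR events and daily download counts
are constructed; the anomaly rule (median plus three median absolute
deviations, with a floor of ten extra files) is an illustrative choice.
"""
from datetime import date, timedelta
from statistics import median

# Constructed HR/IAM records: user -> (notice given, last access removed or None if still open)
HR_EVENTS = {
    "alice": ("2024-05-01", "2024-05-16"),
    "bob": ("2024-05-03", "2024-05-03"),
    "carol": ("2024-05-10", None),
}


def _constructed_history(start_iso, pattern, days):
    """Constructed daily download counts that cycle through `pattern`."""
    start = date.fromisoformat(start_iso)
    return {(start + timedelta(days=i)).isoformat(): pattern[i % len(pattern)]
            for i in range(days)}


# Alice averages about three files a day, then spikes after giving notice on 1 May.
ALICE_DOWNLOADS = _constructed_history("2024-04-03", [2, 3, 4, 3], 28)
ALICE_DOWNLOADS.update({"2024-05-01": 3, "2024-05-02": 30, "2024-05-03": 4,
                        "2024-05-04": 12, "2024-05-05": 45})


def days_to_deprovision(events, report_date_iso):
    """Lag per user; an account not yet removed is measured up to the report date."""
    report = date.fromisoformat(report_date_iso)
    lags = {}
    for user, (notice, removed) in events.items():
        end = date.fromisoformat(removed) if removed else report
        lags[user] = (end - date.fromisoformat(notice)).days
    return lags


def deprovision_metric(events, report_date_iso):
    """Report the average, but also the worst case and the still-open accounts."""
    lags = days_to_deprovision(events, report_date_iso)
    return {
        "average_days": round(sum(lags.values()) / len(lags), 1),
        "max_days": max(lags.values()),
        "still_open": sorted(u for u, (_, removed) in events.items() if removed is None),
    }


def baseline(counts):
    """Robust baseline for one user: median and median absolute deviation."""
    values = list(counts)
    med = median(values)
    return med, median(abs(v - med) for v in values)


def anomalous_days(daily, notice_iso, baseline_days=28, k=3.0, floor=10):
    """Days on or after notice where downloads exceed the user's own baseline.

    Threshold = max(median + k*MAD, median + floor): the floor stops a very
    quiet user's one extra file from alerting, while 3-a-day to 30-a-day fires.
    """
    notice = date.fromisoformat(notice_iso)
    start = notice - timedelta(days=baseline_days)
    history = [n for d, n in daily.items() if start <= date.fromisoformat(d) < notice]
    med, mad = baseline(history)
    threshold = max(med + k * mad, med + floor)
    return sorted((d, n) for d, n in daily.items()
                  if date.fromisoformat(d) >= notice and n > threshold)


if __name__ == "__main__":
    print(deprovision_metric(HR_EVENTS, "2024-05-20"))
    print(anomalous_days(ALICE_DOWNLOADS, "2024-05-01"))
```

The median and MAD are used instead of mean and standard deviation because a single earlier spike in the history would otherwise inflate the threshold and hide the post-notice behavior the metric exists to catch; the 12-file day in the sample stays below the floor and is not reported, while the 30- and 45-file days are.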

7. Frequency by which employee access is reassessed.

This metric is about timeliness. Frequency is measured in weeks, months, or years and depends entirely on the organization. If your organization is constantly in flux but waits three years to reassess employee access and controls, there is cause for concern: people change roles, and access that was appropriate for the old role accumulates unless someone reviews it.

Supply Chain Threats

8. Number of open ports during a period of time.

Monitoring the number of open ports is vital because it helps you see whether third parties are communicating with the outside over unencrypted channels. For instance, if an HVAC service provider connects to your vendor's network through telnet, typically port 23, that is a risk to your organization. Telnet carries the whole session, including the login credentials, in cleartext, so anyone positioned on the path or holding a capture of it can read them, and a hacker who obtains those credentials can use the same telnet access to breach the network. If a third party holds your company's confidential or personally identifiable customer information (PII), you should ensure that the port is closed. If it is open, you should certainly know why. There may be a legitimate reason (for example, a network device that supports nothing else), but it may also mean your vendor needs a more modern network infrastructure that uses SSH. The count on its own is crude: what matters is which services are exposed and whether they are meant to be reachable, so track the list of services behind the number and watch how it changes between scans. Telnet is the classic case, but FTP, SNMP v1/v2c and HTTP administration interfaces carry credentials in the clear just as readily.
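The following is an added example, not code from the guide or from BitSight: it parses a scan in nmap's grepable (-oG) output format, counts open ports per host, flags services that carry credentials in the clear, and diffs against an earlier scan so the number can be tracked over a period. The scan text, the vendor hostnames and addresses are constructed (a real run would be something like `nmap -sV -oG scan.gnmap <targets>`), and the set of protocols treated as cleartext is an assumption to adjust per environment.

```python
"""Open ports per host from a scan, with cleartext services flagged.

Added example, not BitSight's code. The scan output is constructed in nmap's
grepable (-oG) format, as `nmap -sV -oG scan.gnmap <targets>` would produce;
the set of protocols treated as cleartext is an assumption about which services
carry credentials unencrypted.
"""
import re

SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Mar  4 09:00:00 2024 as: nmap -sV -oG - 203.0.113.0/29
Host: 203.0.113.5 (hvac-gw.vendor.example)\tStatus: Up
Host: 203.0.113.5 (hvac-gw.vendor.example)\tPorts: 23/open/tcp//telnet//BusyBox telnetd/, 80/open/tcp//http//lighttpd 1.4/, 443/open/tcp//ssl|https//lighttpd/\tIgnored State: closed (997)
Host: 203.0.113.6 (files.vendor.example)\tPorts: 21/open/tcp//ftp//vsftpd 3.0/, 22/open/tcp//ssh//OpenSSH 8.9/, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
Host: 203.0.113.7 (app.vendor.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//ssl|https//nginx/, 8080/closed/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done at Mon Mar  4 09:02:11 2024 -- 8 IP addresses (3 hosts up) scanned
"""

# Services that send logins in the clear (assumption; extend per environment).
CLEARTEXT_SERVICES = {"telnet", "ftp", "http", "pop3", "imap", "smtp", "snmp"}
# One -oG port entry: port/state/proto/owner/service/rpc-info/version/
PORT_FIELD = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """{host: [(port, proto, service, version), ...]} keeping open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        m = re.match(r"Host: (\S+) \(([^)]*)\)", line)
        ip, name = m.group(1), m.group(2)
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        open_ports = []
        for entry in ports_field.split(", "):
            port, state, proto, service, version = PORT_FIELD.match(entry).groups()
            if state == "open":
                open_ports.append((int(port), proto, service, version))
        hosts[name or ip] = open_ports
    return hosts


def cleartext_exposures(hosts):
    """Open ports whose detected service is a cleartext protocol.

    nmap reports TLS-wrapped services as 'ssl|https', so those are skipped.
    """
    findings = []
    for host, ports in hosts.items():
        for port, _proto, service, _version in ports:
            if "ssl" in service:
                continue
            if service.split("|")[-1] in CLEARTEXT_SERVICES:
                findings.append((host, port, service))
    return findings


def newly_opened(previous, current):
    """(host, port) pairs open now that were not open in the earlier scan."""
    before = {(h, p[0]) for h, ports in previous.items() for p in ports}
    now = {(h, p[0]) for h, ports in current.items() for p in ports}
    return sorted(now - before)


def open_port_metrics(text, previous_scan=None):
    hosts = parse_gnmap(text)
    return {
        "hosts": len(hosts),
        "open_ports_total": sum(len(p) for p in hosts.values()),
        "open_ports_per_host": {h: len(p) for h, p in hosts.items()},
        "cleartext_exposures": cleartext_exposures(hosts),
        "newly_opened": newly_opened(previous_scan or {}, hosts),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(open_port_metrics(SCAN_OUTPUT))
```

The constructed scan yields eight open ports across three hosts, but the finding that matters is the three cleartext services: telnet and an HTTP administration page on the HVAC gateway and FTP on the file server. Feeding the previous scan into `newly_opened` turns the raw count into a change list, which is what "over a period of time" should mean in a vendor report.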

9. Percentage of third-party software that has been scanned for vulnerabilities prior to deployment.

Ideally, this metric reads 100% at all times. It is important because it lets you assess the security of software before your entire organization begins using it. If you skip this step even once and miss a critical vulnerability, your corporate network could be at risk. Define the denominator carefully: it should include updates and plugins as well as first-time installs, since a new version is just as capable of introducing a flaw.

10. Frequency by which a company reviews its entire list of suppliers and vendors and designates those that are critical.

The process for identifying supply chain threats begins with two designations: who your third parties are, and which of them are critical. If this review is performed frequently, your organization is more likely to find third parties that have a surprising amount of access to your data or network and should therefore be deemed “critical.”

11. Frequency by which a company verifies its vendor's controls.

Vendor assessments come in many formats, but they are all designed to do one thing: evaluate whether the proper controls are in place to assure security. The frequency with which vendor controls are verified matters because your organization needs to be certain that the controls reported to be in place are actually operating, and that they stay in place. This goes back to the age-old adage “trust, but verify.” Some companies do this annually, while others opt for more or less frequent evaluations. Regardless of the timing, make sure you and your vendors have agreed on when these verifications will occur.

12. Percentage of critical vendors whose cybersecurity effectiveness is continuously monitored.

Questionnaires, audits, penetration tests, and vulnerability scans are all important pieces of vendor risk management. But these four practices only give you a snapshot in time. You still will not know what is going on with these critical third parties day to day, which is vital in today's security landscape. Continuous monitoring software helps you keep an eye on all your vendors and can help you make better, data-driven choices.

In Conclusion

Years ago, you could simply ask whether your organization (or your vendor) had a cybersecurity program in place, but today that is not enough. Senior executives, CEOs, general counsels, and board members are taking cybersecurity more seriously than ever, and by monitoring the 12 metrics above you will be taking steps to protect your customers, your vendors, and yourself.

Monitoring these 12 metrics is crucial, but it should not stop there. You cannot assess whether your vendor's security is in order from a point-in-time questionnaire alone; you need continuously refreshed evidence of their posture, and that is where a continuous monitoring solution like BitSight comes in. It allows you to act on real threats as they appear.
