Not everyone likes it, but there's no getting around it: third-party assessments of your online security can affect your business.
“It already does impact business-to-business dealings,” says James Kelley, network engineer at Kelley Consulting Company. “For example, the credit-card industry requires an assessment called a PCI audit to be performed on a regular basis for businesses that process credit cards. If they can pass an audit, they get a cheaper rate for transactions.”
But if third-party evaluations can make a big difference, that still leaves the question of who’s doing all this evaluating and how effective their own grading systems tend to be.
“The way that [risk] is assessed today is generally by questionnaire,” says Sonali Shah, vice president of products at BitSight Technologies. "They’ll send a questionnaire and the questionnaire will ask about policies and procedures — do they do background checks, do they have their employees change their passwords regularly, do they have a firewall in place?"
BitSight, and similar companies, want to augment this process in significant ways. And when it comes to an external security assessment, the first step is looking for a breach.
“That could be botnets,” says Shah. “The assumption that we’re making is that somehow that IP address within that company has been compromised. The breach has already happened; the communication with the botnet is evidence of that.”
Other key problems include:
· Spam: External investigation by a third-party risk assessor may also track whether a company is sending out lots of spam. If it’s a bank, and not a marketing company, that’s a significant anomaly that suggests a spammer is taking advantage of the bank's computing resources.
· Malware: The assessment includes looking for evidence that a company’s servers are hosting malicious code or distributing it.
All of this monitoring is done with online sensors. And then BitSight, in our example, creates a score for the company: 250–900.
Think of it like a credit score. The security score gets updated on a daily basis. If the rating changes beyond an agreed-upon threshold in a certain period — say, one week — then an alert goes out and the company can begin to address the potential breach.
Next Steps: Alternatives, Challenges, and Beyond
Now that we've looked at how third-parties evaluate security risks, we're still left with an important question: is external monitoring sufficient? What kinds of attacks and compromises could be left out when it comes to looking into a company's security from the outside?
“I don't believe a sufficient security analysis of a company's infrastructure can be gained from analyzing perimeter traffic,” says Benjamin Caudill, principal consultant at Rhino Security Labs. “A company's valuable data — source code, financial information, customer databases, etc. — are all internalized, and no amount of perimeter traffic analysis will determine how secure those are. Similarly, even rigorous external analysis grading will miss attack traffic — whether it's encrypted, email-borne malware, social engineering, or just outside the scope of the external analysis.”
Fair enough, says Shah, but third-party external assessment isn’t blind to those factors.
“We certainly don’t think we’re replacing everything else you do today,” Shah says about comprehensive risk assessment. “When they have their assessors go out and look at that third-party vendor, they can take with them the BitSight report ... so that the assessors, onsite, can really focus in on areas of concern."
The future, Shah says, will also include the ability to look at configurations to understand central police frameworks, social networking, and other factors.
“We are looking at inbound as well,” says Shah. “That’s something we’re adding—and one of the challenges we face is how we keep up with all of the different threats.”
As a tool in the IT kit, a security rating score may not supplant the multiple approaches that admins need to take when drawing conclusions about risk, but in the data security field, it does give business leaders the kind of “boil down” information that allows for quicker communication of where risk lives, and what it means to a company’s profile.
The score, if it sticks, may be a starting point for next-level steps in stronger security policies.