An Enterprise Risk Management (ERM) framework is a collection of roles, processes, and systems that manage risks that could impact business objectives. If you consider the range of technologies that underpin the business processes that deliver those objectives, it is logical to accept that these same technologies introduce risk to meeting the strategic objectives.
Enterprise Risk Management consolidates the different types of risk an organization is exposed to, for example credit risk, opportunity risk and operational risk (where IT risk typically sits). It allows us to connect the business objectives to risks and ultimately to the controls we deploy.
An important part of the framework is the risk assessment and risk treatment plan. This allows us to:
- Identify threats
- Calculate risks
- Create the risk treatment plan
- Where mandated by the plan, identify and deploy controls
Of course, there are other options, such as transferring risk (generally by using insurance) but for the sake of this article, we’ll focus on the controls.
Once controls are identified, designed, deployed and configured, they need to be validated and this comes in different flavors depending on the specific control. It could be the validation of a procedural control by manual review or it could be validating that the configuration of a technical control is in line with a particular policy such as a CIS framework. One of the key validation techniques is the penetration test, which can be carried out both prior to system deployment as well as at a specific cadence to meet compliance or policy requirements. The purpose of the penetration test is, of course, to validate whether, after all of the other checks and balances are complete, a malicious attacker can actually breach your system.
An evolution of penetration testing software automates what has historically been a manual process. PenTera by Pcysys allows an organization to set the cadence of testing to suit its operational needs. It may be that most systems only need a monthly penetration test, while a critical system needs a penetration test weekly. To date, doing this manually has been prohibitive, either because of resource or cost constraints.
Another key benefit is immediate reporting once the test has concluded. The reports range from executive summaries, used as an input back into the ERM reporting line, to detailed remediation tasks prioritized by achievable exploits and delivered to an operations team. Focusing on vulnerabilities that PenTera safely exploits, rather than returning a long list of static vulnerabilities most of which have no exploit, allows us to cut through the noise and deliver meaningful metrics, so the risk picture can be seen much, much quicker.
At this point, I want to take the opportunity to circle back to the risk assessment. Risk is, at its simplest, a calculation of threat, impact, and likelihood (and I recognize there are many, many ways of calculating risk, but let’s keep it simple for the purposes of this article). By conducting automated penetration tests, it is possible to influence each of these characteristics:
- Threat - There is a threat that a vulnerability will be exploited, either a static vulnerability like CVE-2017-0144 or a dynamic vulnerability such as a network or system misconfiguration. PenTera identifies and safely exploits the vulnerability to advance the attack; follow-up remediation activity removes the vulnerability, and the threat is reduced.
- Impact - Because PenTera tests using the same techniques and methodology a malicious attacker would use, remediating the static and dynamic vulnerabilities PenTera exploits reduces an attacker's ability to advance an attack using those vulnerabilities and consequently reduces the impact substantially.
- Likelihood - In a similar vein to impact, running PenTera, identifying the vulnerabilities that are exploitable and then remediating them substantially reduces (if not eliminates) the likelihood of those vulnerabilities being used to advance an attack.
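To make the two ideas above concrete, the risk treatment plan from the opening section and the prioritization of validated exploits over static findings, here is a small Python model. It is an added illustration for this article, not code from the original post and not PenTera's own scoring logic. The findings, hosts, weights and residual-risk factors are all constructed assumptions (the only real identifier is CVE-2017-0144, which the text already mentions); the point is how a "validated in test" flag changes the ordering of remediation work and how the aggregate risk figure moves once the treatment plan is applied.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    """One finding from a scan or an automated penetration test."""
    finding_id: str
    asset: str
    title: str
    impact: int          # 1-5: business impact if the asset is compromised
    likelihood: int      # 1-5: pre-test estimate from exposure and severity
    validated: bool      # True if the automated test actually exploited it
    treatment: str = "untreated"   # untreated | mitigate | transfer | accept


# Assumption: a finding that was actually exploited during the test is weighted
# more heavily than a static finding with no demonstrated exploit path.
THREAT_WEIGHT = {True: 3, False: 1}

# Assumption: how much of the base risk remains after each treatment option.
# Mitigation removes the vulnerability; transfer (e.g. insurance) halves the
# exposure; accepting or leaving it untreated keeps the full risk.
RESIDUAL_FACTOR = {"untreated": 1.0, "accept": 1.0, "transfer": 0.5, "mitigate": 0.0}


def base_risk(f: Finding) -> int:
    """Risk = threat x impact x likelihood, before any treatment."""
    return THREAT_WEIGHT[f.validated] * f.impact * f.likelihood


def risk_score(f: Finding) -> int:
    """Residual risk of a finding after its treatment option is applied."""
    if f.treatment not in RESIDUAL_FACTOR:
        raise ValueError(f"unknown treatment {f.treatment!r} on {f.finding_id}")
    return int(base_risk(f) * RESIDUAL_FACTOR[f.treatment])


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Validated exploits first, then by risk descending; id breaks ties."""
    return sorted(findings, key=lambda f: (not f.validated, -base_risk(f), f.finding_id))


def aggregate_risk(findings: Iterable[Finding]) -> int:
    """Sum of residual risk: the single number fed back up the ERM reporting line."""
    return sum(risk_score(f) for f in findings)


def noise_ratio(findings: List[Finding]) -> float:
    """Share of findings that were never exploited in the test (static noise)."""
    return sum(1 for f in findings if not f.validated) / len(findings)


def apply_treatments(findings: Iterable[Finding], plan: Dict[str, str]) -> List[Finding]:
    """Return new Finding objects carrying the treatment chosen in the plan."""
    return [replace(f, treatment=plan.get(f.finding_id, f.treatment)) for f in findings]


# Constructed sample findings; hostnames and scores do not describe any real environment.
SAMPLE_FINDINGS = [
    Finding("F-1", "fs01", "CVE-2017-0144 (SMBv1) on file server", 5, 4, True),
    Finding("F-2", "fs01", "Outdated OpenSSL build, no exploit path shown", 5, 2, False),
    Finding("F-3", "dc01", "SMB signing not required (misconfiguration)", 4, 3, True),
    Finding("F-4", "web01", "Missing HTTP security header", 2, 2, False),
    Finding("F-5", "prn01", "Default credentials on network printer", 3, 5, True),
]

# Treatment plan: mitigate everything the test actually exploited.
SAMPLE_PLAN = {"F-1": "mitigate", "F-3": "mitigate", "F-5": "mitigate"}


if __name__ == "__main__":
    print("Remediation order:", [f.finding_id for f in prioritise(SAMPLE_FINDINGS)])
    print("Static noise ratio:", noise_ratio(SAMPLE_FINDINGS))
    print("Aggregate risk before:", aggregate_risk(SAMPLE_FINDINGS))
    print("Aggregate risk after plan:", aggregate_risk(apply_treatments(SAMPLE_FINDINGS, SAMPLE_PLAN)))
```

With the constructed data the three validated findings sort to the top regardless of their static severity, and mitigating just those three takes the aggregate figure from 155 down to 14; the two static findings stay on the list but no longer dominate the picture the board sees.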
However you slice and dice your risk assessments, automating the penetration testing process makes it possible to validate your security controls and, in turn, reduce risk and, crucially, articulate that to the board through the ERM framework on a timescale that is simply not achievable in a resource- and cost-effective way today.
So while the technology is a major step forward in the delivery of penetration testing, the value it brings to the business by increasing efficiencies, reducing costs and reducing risk is the really important piece. This is what we feel has been recognized by the award of Enterprise Risk Management Software of the Year: the connection between automated penetration testing and how it fits into and improves an organization’s Enterprise Risk Management framework. So thank you to the Cybersecurity Breakthrough Awards!