How to Conduct a Cybersecurity Assessment for Your Agency

Cybersecurity risk assessments can aid agencies as they search for IT security vulnerabilities in a world of rapidly evolving threats.

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said in March he thought it would take the U.S. government a year to 18 months to fully recover from the suspected Russian attack that targeted SolarWinds’ Orion software and impacted nine government agencies.

As part of those efforts, the Department of Homeland Security is preparing a series of cybersecurity “sprints” to address the country’s major IT security issues, reports The Washington Post.

“Our government got hacked last year and we didn’t know about it for months,” Department of Homeland Security Secretary Alejandro Mayorkas said last week at the 2021 RSA Conference, the Post notes. “This incident is one of many that underscores a need for the federal government to modernize cybersecurity defenses and deepen our partnerships.”

A clear place for cybersecurity teams to start their recovery efforts, which are already underway, is conducting cybersecurity risk assessments. Such cybersecurity assessments explore an agency’s IT security protections and their ability to remediate vulnerabilities, as SecurityScorecard notes.

A cybersecurity assessment is closely aligned with the first core function of the National Institute of Standards and Technology’s Cybersecurity Framework: identify. The main goal of any cybersecurity assessment is to identify vulnerabilities and gaps in security and then move to plug those gaps and protect against the vulnerabilities that are discovered.

What Is a Cybersecurity Risk Assessment?

The Russian attack and other recent high-profile cyberattacks have underscored how critical cybersecurity is to the government, and there may be an urge on the part of some agencies and lawmakers to simply spend money on IT security solutions to shore up defenses. While that will surely be needed, agencies first need to assess their vulnerabilities to determine the best solutions to acquire and implement.

Cybersecurity threat assessments are critical to those efforts, and they often start with a comprehensive gap assessment: a broad overview of an agency’s security posture that can be conducted internally or with a trusted third party.

As Waris Hussain, a senior security solution architect with CDW, notes in a CDW blog post, analysts will conduct vulnerability scans, review architectures, conduct penetration tests and incorporate threat intelligence information into their work during these gap assessments. “The result is a set of recommendations for improving an organization’s technical controls and business processes for cybersecurity,” he writes.

As NIST notes in its Risk Management Framework for Information Systems and Organizations, “Risk assessment at the organizational level leverages aggregated information from system-level risk assessment results, continuous monitoring, and any strategic risk considerations relevant to the organization.”

Agencies should assess the totality of risk from their operations and use of their information systems, as well as connections with other internally and externally owned systems and risks from vendors.

“For example, the organization may review the risk related to its enterprise architecture and information systems of varying impact levels residing on the same network and whether higher impact systems are segregated from lower impact systems or systems operated and maintained by external providers,” the NIST document states.


What Are the Benefits of a Security Risk Assessment?

There are numerous benefits to conducting a cybersecurity risk assessment. One is that such assessments can identify organizational vulnerabilities that need to be remediated. These are sometimes the “low-hanging fruit” of IT security issues.

As Mikela Lea, a principal field solution architect with CDW, notes in a blog post, some of these common vulnerabilities or patterns of behavior include continued reuse of weak passwords, a lack of incident response capabilities and misconfigured multifactor authentication deployments.

Another issue that often comes up in IT security assessments, she writes, is a failure to meaningfully implement a separation of privileges. “Our penetration tests also demonstrate that once we gain access to any user account, we are almost always able to use that account to gain administrative privilege,” she notes. “Tricking a receptionist into falling for a phishing attack almost always allows us to gain full access to back-end systems. Organizations must implement extremely strict access control policies that implement a need-to-know requirement and lock down access tightly.”

Conducting a risk assessment for cybersecurity can also help an agency know whether a new investment in cybersecurity tools is justified, and if so, help provide a justification for that. “Added security usually involves additional expense,” an ISACA blog post notes. “Since this does not generate easily identifiable income, justifying the expense is often difficult. An effective IT security risk assessment process should educate key business managers on the most critical risks associated with the use of technology, and automatically and directly provide justification for security investments.”


Relatedly, assessments can show that new investments are not required. For example, Hussain notes, after performing an inventory of an organization’s existing security controls, the assessors “realized that the firewall it already had in place was perfectly capable of addressing the threat, and a new purchase wasn’t necessary. We then reconfigured the existing firewall to address the gap identified during our analysis.”

Such assessments aid agencies in determining how trustworthy and secure their IT security vendor partners are. “Do you know all the third parties you are dealing with? Because not all of them should be treated equally. You have to be more stringent with certain companies to ensure they are meeting your standards,” Kelvin Coleman, executive director of the National Cyber Security Alliance, tells FedTech.


How to Conduct a Cybersecurity Assessment

NIST offers a comprehensive guide on conducting risk assessments, and the process starts with identifying potential threat sources and threat events.

From there, organizations are tasked with identifying “vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts.” In layman’s terms, agencies need to determine the vulnerabilities that could lead to attacks or events that harm the agency, its operations, IT environment, data or reputation.

“There is potentially a many-to-many relationship between threat events and vulnerabilities,” NIST notes. “Multiple threat events can exploit a single vulnerability, and conversely, multiple vulnerabilities can be exploited by a single threat event. The severity of a vulnerability is an assessment of the relative importance of mitigating such a vulnerability.”

Organizations are then supposed to determine the likelihood of a threat event and the impact of such an event. That then helps determine the risk.

“The level of risk associated with identified threat events represents a determination of the degree to which organizations are threatened by such events,” NIST says. “Organizations make explicit the uncertainty in the risk determinations, including, for example, organizational assumptions and subjective judgments/decisions. Organizations can order the list of threat events of concern by the level of risk determined during the risk assessment — with the greatest attention going to high-risk events.”
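A minimal risk register that walks the NIST steps just described (threat sources and events, the many-to-many mapping to vulnerabilities, likelihood and impact, explicit assumptions, and ordering by risk level), added here as an illustration and not code from FedTech, CDW or NIST; the sample vulnerabilities and threat events are constructed, and the 0-10 scale values and risk bands are assumptions in the style of SP 800-30:

```python
from dataclasses import dataclass, field
from typing import Dict, List
# Semi-quantitative scale in the style of NIST SP 800-30 (0-10 per factor); assumed values.
LEVELS = {"very low": 0, "low": 2, "moderate": 5, "high": 8, "very high": 10}

@dataclass
class ThreatEvent:
    name: str
    source: str                    # threat source (adversarial, accidental, ...)
    exploits: List[str]            # vulnerability ids; many-to-many with events
    likelihood: str
    impact: str
    assumptions: List[str] = field(default_factory=list)  # uncertainty made explicit

def risk_score(event: ThreatEvent) -> int:
    """Likelihood x impact on the 0-100 product scale."""
    return LEVELS[event.likelihood] * LEVELS[event.impact]

def risk_level(score: int) -> str:
    """Band the score; the bands follow an SP 800-30 style table (assumed here)."""
    for bound, label in ((96, "very high"), (80, "high"), (21, "moderate"), (5, "low")):
        if score >= bound:
            return label
    return "very low"

def rank_threat_events(events: List[ThreatEvent]) -> List[ThreatEvent]:
    """Order threat events so the highest-risk ones get attention first."""
    return sorted(events, key=risk_score, reverse=True)

def exposure_per_vulnerability(events: List[ThreatEvent]) -> Dict[str, int]:
    """How many threat events each vulnerability enables (the many-to-many view)."""
    counts: Dict[str, int] = {}
    for e in events:
        for vid in e.exploits:
            counts[vid] = counts.get(vid, 0) + 1
    return counts

# Constructed sample register (not from the article); severity = importance of mitigating.
VULNS = {"V1": ("reuse of weak passwords", "high"),
         "V2": ("misconfigured MFA on VPN", "moderate"),
         "V3": ("no segregation of high- and low-impact systems", "high")}
EVENTS = [
    ThreatEvent("phishing of front-desk staff", "adversarial", ["V1", "V3"], "high", "very high",
                ["assumes lateral movement to back-end systems is unhindered"]),
    ThreatEvent("credential stuffing against VPN", "adversarial", ["V1", "V2"], "high", "high"),
    ThreatEvent("malicious vendor software update", "adversarial", ["V3"], "low", "very high"),
]
if __name__ == "__main__":
    for e in rank_threat_events(EVENTS):
        print(f"{risk_level(risk_score(e)):>9} {risk_score(e):3}  {e.name}  via {e.exploits}")
```

Running it lists the phishing event first (score 80, high), then credential stuffing (64, moderate), then the vendor update (20, low), while the exposure counts show V1 and V3 each underpin two of the three events.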

In practice, there are several ways that agencies can conduct cybersecurity assessments, especially if they are working with third parties such as CDW. Paul Shelton, lead practice architect for CDW’s security solutions practice, notes in a blog post that a Rapid Security Assessment typically includes the following:

  • A scan of internet-visible hosts and a test of vulnerabilities
  • Internal network vulnerability scans and penetration tests of key IT assets
  • An audit of passwords and password-related policies
  • Testing of wireless security at one site
  • A social engineering exercise to assess vulnerability to phishing

Meanwhile, a more extensive Comprehensive Security Assessment often includes discovery of known and unknown IT assets and networks, in-depth penetration testing, an audit and review of multiple Active Directory domains, and a complete vulnerability scan of internal and external systems, websites and applications.

“Too often, organizations wait until after they’re successfully attacked to take a serious look at cybersecurity,” Shelton notes. “But this period of great change should motivate organizations to be proactive and take steps to stop potential problems before they start.”