By Richard Hicks | Senior Security Consultant at Nettitude
Cybersecurity doesn’t have a finish line. Whether you’re a small business or a large multi-national organisation, there are always steps and checks you should be completing on a regular basis, one of the most common of which is performing regular penetration testing. There are plenty of organisations out there that are willing to sell you days of effort to test a system, based on fixed scopes, etc., but there is more to security than simply asking someone to mark your homework. A proper cybersecurity framework is one that is custom built and designed for your organisation, there is no one-size fits all in cybersecurity and as such there are a multitude of paths available for you to follow.
Sounds confusing, right? Here at Nettitude, we’re big supporters of the not for profit organisation known as CREST, they are an accreditation and certification body that has helped shape and define information security within the UK and worldwide. CREST regularly publish information, tooling and guidance on cyber security, in which, one such guidance document they provide is the CREST Penetration Testing Guide. This guide provides all the information you need to know about penetration testing, covering the key points of why you would want to stand up a framework, how to size and scope it appropriately to your organisation and crucially as a final step, how to measure the performance and efficacy of your penetration testing programme.
Below We’ll give you a non-biased explanation of what a cyber maturity assessment is, and how CREST can help guide you in the right direction.
Why have a cybersecurity maturity assessment?
Why would you measure the maturity of your penetration testing programme? Well, without assessing your programme or framework on a semi-regular basis how can you determine it is actually providing value to your company?
As we suggested earlier at the very start of the blog post. “Cyber Security doesn’t have a finish line”, it is a constant process of improvement and a method of measuring how mature key parts of your testing framework are at any moment in time. This is key in identifying those areas for improvement.
Wait, what do you mean by cybersecurity maturity?
Think of it more as measuring your capabilities. Some organisations testing frameworks may be based around relatively low-level capabilities, quarterly vulnerability assessment, etc. Whilst others may employ more advanced capabilities e.g. red teaming engagements, scenario-based penetration testing.
CREST helpfully define this “capability” as levels of “maturity”, anyone familiar with the concepts of CMMI or other security maturity levels may see some interesting parallels with the suggested measurements.
The levels of maturity as described are:
And by measuring your maturity levels in particular areas of the framework, you’re better able to focus effort at improvement
CREST break down any penetration testing programme into 22 steps spread over 3 stages, but broadly they cover the following:
- Preparation – Establish which governance structure you’re going to follow, identify the testing scope, define the purpose, select the suppliers
- Testing – Identify your constraints, ensure suppliers are using a suitable testing methodology, are your suppliers effectively identifying and exploiting vulnerabilities and reporting the key findings?
- Follow up – Remediation actions, addressing root causes, lessons learned and building and creating action plans.
As part of the information published on the CREST website, they publish 3 tools to help you measure your security maturity levels. Published as a part of their wider Cybersecurity Maturity Assessment toolkit, these 3 spreadsheets are intended to be used for measuring exactly what we’ve been discussing in this blog post so far.
All 3 spreadsheets aren’t essential and as a starting point Nettitude would recommend making use of the summary spreadsheet, the least complex version of the tool. This will provide you with an overarching overview of your security maturity levels for little investment in time. It will help you determine if a more in-depth analysis would be beneficial for you.
You first start out with any of the tools defining what is important for your organisation or rather “how mature” you wish to be in each area. This can be driven from external factors, such as auditing as part of a ISO 27001 accreditation or the output from the Cyber Essentials scheme or it can be as simple as a best estimate. To this end, CREST provide 5 or 6 typical “standards” for you to select from as well as custom.
To get the most out of this tool, Nettitude would recommend you do make use of external reporting for your estimation as these are often the drivers behind implementing a penetration testing programme in the first place and create a customised goal profile, which is after all, the whole purpose of assessing your penetration testing framework.
Once you’ve assigned your program’s goals, you now work across the 3 “assess” tabs, ranking each step with a security maturity level as discussed previously, collate evidence to support each decision such that you can present the evidence to an external organisation such as Nettitude in order to justify your security maturity level should the opportunity arise.
Finally, whilst there are 3 tabs containing detailed results for the areas, the one tab that will be the most useful from a high-level perspective is that of the consolidated results tab. A relatively simple chart will be shown effectively illustrating your security capability maturity model. You should with little help now be able to see your weakest areas at a glance, allowing you to focus efforts to improve.
Brilliant, so that’s it?
Remember: Cybersecurity does not have a finish line!
Now with your capability model freshly created, you can baseline other features that form part of a wider information security maturity assessment.
Nettitude for example, on its more involved engagements such as Scenario Based Penetration Testing or Red Teaming, provide a full Detection and Response Assessment (DRA) where by the capabilities of your organisation to defend against more advanced threats is directly assessed.
This type of activity is perfect for feeding into your wider security capability maturity model, and can often further indicate areas that require more effort to rectify. Continual improvement is the name of the game when it comes to Cybersecurity and now, with an evidence backed assessment of your own capabilities, you’re in a better place to achieve that.
Ready to begin your cybersecurity maturity assessment? Contact our team to get started now!