S4 Applications Cyber Security Maturity Assessment Model
Security is a process, not a “thing”. An organisation can never be “secure”, but it can be “more secure” than it was. The S4 Applications Cyber Security Maturity Assessment Model helps you build an understanding of your organisation’s current maturity and how to enhance it.
A planned and pragmatic cyber-security programme constantly reviews an organisation’s current status quo, providing a roadmap for achieving the desired state of security maturity and prioritising the right initiatives and solutions.
S4 Applications wants to help your business invest wisely to reduce risk exposure and protect business value. Walk through our 6-step Maturation Model below to get to grips with your current maturity level.
Our 6-Step Maturation Assessment Model
Step 1 – Asset Inventory
Identifying all assets on your network that require a level of protection. You may be surprised to find there are more than you think: all too often, companies possess a multitude of unknown assets in their environments that could compromise their security over the long run. Similarly, depending on the type of asset, the level of protection required can vary. For example, a smart fridge or security camera requires a different level of network protection from a finance server or customer database, although, again, all too often they are housed within the same corporate network. An Asset Inventory provides clarity and an invaluable starting point for strengthening your security posture.
Product Recommendation: Tenable Nessus Pro
Step 2 – Vulnerability Assessment
A snapshot report of what is wrong and what needs to be fixed. As mentioned, it’s common for businesses to have a vast pool of unknown assets and poorly configured network devices. Undertaking a vulnerability assessment uncovers these weaknesses and provides a clear view of the baseline maturity of your current security configurations.
Taking a snapshot allows us to make immediate recommendations to strengthen your security posture and help mitigate risk.
Product Recommendation: Tenable Nessus Pro
Step 3a – Vulnerability Management
Continuous vulnerability assessment and remediation. By regularly scanning your environment, your business can continuously identify new vulnerabilities (known as CVEs) as software (such as Microsoft Windows, Apache Web Server and Adobe Acrobat Reader) and hardware (such as firewalls, routers, switches and servers) are added to your network.
Scans can be run on any number of assets to ascertain known CVEs, as well as to examine file versions and behaviours to determine whether any component is susceptible to a given CVE and what remediation action is required to close off those vulnerabilities.
Product Recommendation: Enterprise: Tenable.io or Tenable.sc; SME: Vicarius
Step 3b – Application Scanning
If your company has applications, whether built in-house or supplied by an external vendor, these can have security issues. The issues could be introduced by the writers of the application or by the inclusion of 3rd-party software that has issues. The Equifax hack and data exfiltration from 2018 was caused by the use of a vulnerable Apache Struts library.
As part of your security strategy, alongside scanning for infrastructure vulnerabilities, it is equally important to scan for application vulnerabilities.
In an ideal world, scanning for application vulnerabilities becomes an intrinsic part of the software development lifecycle, the objective being that no security vulnerabilities ever get into a software release version.
Step 4 – Risk-Based Vulnerability Management
Vulnerabilities should be prioritised on business risk, not just technical risk; this is the same for infrastructure-based issues and application-based issues. For example, if the same vulnerability is identified across multiple machines (or applications), say one on the public web site and one in engineering, a typical technical-risk-based approach would rate them as equally dangerous, whilst a business-risk approach would focus on the public web site first, as this is where the highest risk really lies.
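As an added illustration of the prioritisation argument above (example code written for this page, not part of any S4 Applications or vendor product), the small scorer below ranks the same finding on a public web site and on an engineering machine first by CVSS alone and then by a business-risk score. The asset attributes, the weighting formula and the sample findings are all constructed assumptions; the CVE identifier is a placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool      # reachable from the public Internet?
    data_sensitivity: int       # constructed scale: 1 (low) .. 3 (high)
    business_criticality: int   # constructed scale: 1 (low) .. 3 (high)


@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder identifier, not a real CVE
    asset: Asset
    cvss: float                 # technical severity only, 0.0 .. 10.0


def technical_rank(findings):
    """Pure technical ordering: CVSS descending, ties kept in input order."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def business_risk(f: Finding) -> float:
    """Assumed weighting: CVSS x exposure multiplier x business impact.

    Exposure doubles the score for Internet-facing assets; impact is the
    mean of data sensitivity and business criticality (1.0 .. 3.0).
    """
    exposure = 2.0 if f.asset.internet_exposed else 1.0
    impact = (f.asset.data_sensitivity + f.asset.business_criticality) / 2
    return round(f.cvss * exposure * impact, 1)


def business_rank(findings):
    """Business-risk ordering, highest risk first."""
    return sorted(findings, key=business_risk, reverse=True)


# Constructed sample: one placeholder CVE present on four very different assets.
WEB = Asset("public web site", True, 2, 3)
ENG = Asset("engineering workstation", False, 1, 1)
DB = Asset("customer database", False, 3, 3)
FRIDGE = Asset("smart fridge", False, 1, 1)
FINDINGS = [
    Finding("CVE-0000-00000", WEB, 7.5),
    Finding("CVE-0000-00000", ENG, 7.5),
    Finding("CVE-0000-00001", DB, 6.5),
    Finding("CVE-0000-00002", FRIDGE, 9.8),
]

if __name__ == "__main__":
    print("technical:", [f.asset.name for f in technical_rank(FINDINGS)])
    print("business: ", [(f.asset.name, business_risk(f)) for f in business_rank(FINDINGS)])
```

The technical ordering puts the smart fridge first and cannot separate the web site from the engineering machine, whereas the business ordering puts the web site first and the fridge below the internal customer database.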
Step 5 – Penetration Testing
Penetration Testing identifies issues that would not be found by automated scanning alone. It is the holistic combination of skilled human and software intervention for uncovering potential vulnerabilities within your environment. A penetration tester will employ the same techniques a potential hacker might use in an attempt to infiltrate your networks, install remote agents or exfiltrate data.
The penetration tester may start out from the public Internet, or with a targeted phishing campaign, or perhaps even sit in your company car park trying to get onto the corporate Wi-Fi, or access one of your remote offices as an external visitor would and then plug something into the network. A successful penetration test would be defined as one in which your defences prevent such nefarious access.
Product Recommendation: Core Impact
Step 6 – Active Threat Detection
Mature companies accept that nefarious individuals and groups will attempt to compromise their defences. Ransomware, Denial of Service and even state-sponsored hacking are just some of the serious breaches businesses face today, and of course it’s not just websites they can attack, but Internet-connected servers, the critical infrastructure for all sorts of applications, databases and business uses.
Whilst prevention is key, so too is developing your ability to quickly detect threats and respond. Active Threat Detection is the continuous monitoring of your networks and devices for potential security threats.
Network Insight is agent-less and device-agnostic, assessing all of the information transiting from inside your network to the Internet, catching traffic and instructions from “bad software” and building a case file for your IT team to take remediation action upon.