A cybersecurity credit score
Arizona did not have much visibility into its cybersecurity vulnerabilities when Mike Lettman arrived six years ago.
Since then, the state’s chief information security officer has been able to evaluate the security posture for individual assets, network and applications, across agencies and the state’s network as a whole, Lettman said.
Arizona began working with web-based RiskSense about four years ago. The service scans agency assets, applications, databases and networks for vulnerabilities and assigns a cybersecurity risk score, much like a credit score.
“If I go to an agency director and say, ‘Your cyber risk score is 750,’ he or she knows what that means from a credit perspective and knows whether they’re good or bad,” Lettman told GCN.
All agencies now have scores of 700, and Lettman is now trying to bring them all to 725. These scores help prioritize patching, but they also give the state’s security experts an easy way to communicate a system’s standing with other officials, he said.
The scoring is informed from a variety of network scans, and the state had to standardize on scanning processes and products “so we could all be judged equally on our cyber scores,” Lettman said.
The scores consider results of network, application and database scans, according to Risksense CEO Srinivas Mukkamala. They also take into consideration what is most at risk and gives more weight to systems that have external exposure.
The information from these scans is then compared against a variety of vulnerability databases including the National Institute of Standards and Technology’s National Vulnerability Database, those of the top 50 technology vendors and the Chinese national vulnerability database.
RiskSense has done work with the Department of Defense in a program called Computational Analysis of Cyber Terrorism Against the U.S., which looked at creating exploits for known vulnerabilities. This research helps inform the system’s ability to pick out vulnerabilities that are potential targets of an exploit, even if an exploit isn’t on a public database. Finally, it is able to validate whether an exploit can be executed and what risk it actually poses against a network, Mukkamala said.
Arizona is now using RiskSense to look at 100,000 assets — including desktops, laptops, servers and some applications — with the goal of extending the use to more applications, Lettman said.
RiskSense allows users to dig down to the device level to see where vulnerabilities are, which helps IT managers check to see whether patches have been applied. Users can also search for specific vulnerabilities making headlines and see if it exists within the system, which is a feature the state was able to leverage after the Equifax hack, Lettman said.
The Equifax data breach was caused by a vulnerability called Apache Struts. Arizona learned about it over the weekend, and by Monday morning had a report of every device on the network that was vulnerable.
“We went into an emergency patching process … and by Tuesday morning all those vulnerabilities were either mitigated, being patched or isolated on the network,” Lettman said.
Both Letteman and Mukkamala say security comes down the discipline in patching.
A good patch management systems means “you’re religious about it, it’s a culture you’ve built in your network — that you consistently patch your system,” Mukkamala said.
Matt Leonard is a reporter/producer at GCN.
Before joining GCN, Leonard worked as a local reporter for The Smithfield Times in southeastern Virginia. In his time there he wrote about town council meetings, local crime and what to do if a beaver dam floods your back yard. Over the last few years, he has spent time at The Commonwealth Times, The Denver Post and WTVR-CBS 6. He is a graduate of Virginia Commonwealth University, where he received the faculty award for print and online journalism.
Leonard can be contacted at firstname.lastname@example.org or follow him on Twitter @Matt_Lnrd.
Click here for previous articles by Leonard.