Security Scorecard


“If you can measure it, you can manage it.”

Benchmark your organisation’s cyber security risk

 

The Security Scorecard provides continuous visibility of how your business is tracking against nationally and internationally recognised security controls proven to mitigate at least 85% of targeted cyber attacks. 

 

Security Controls

 

 The Security Scorecard delivers:

  • Continuous measurement of cyber security posture
  • Visibility of performance against key security controls, including trends over time
  • Assurance that you are improving resilience to cyber threats

 

What do the controls cover and why are they important?

Application Whitelisting
What it covers: Only authorised applications and code should be allowed to execute.
Why it’s important: By only allowing pre-approved applications and executables to run, the ability of malware to affect the system is severely curtailed.  Whitelisting also provides a greater defence against malicious code which may not yet be detected by gateway and end-point scanning technologies.  A whitelist-based approach to application/executable security also has the benefit of restricting users from running unauthorised or unlicensed software in the environment.

 

Restrict Administrative Privileges
What it covers: Ensures that access to administrative accounts is restricted to authorised personnel and that use of those accounts is limited to only those activities which are absolutely necessary.
Why it’s important: When administrators use privileged accounts to perform general duties, the risk of malware infection and dispersal is significantly higher as privileged accounts operate with a higher ambient security level than normal user accounts.  In addition, those accounts may have the ability to change the configuration of the wider infrastructure or provide an attacker with the ability to move laterally within the network.

 

Patch Operating Systems
What it covers: Ensures that operating system software has had all relevant vendor-supplied patches applied.
Why it’s important: Malicious software often gains access and propagates through the use of known software vulnerabilities.  Operating system vulnerabilities are often used to install backdoors for later use by the attacker, elevate privileges to gain access to sensitive information, or capture information from users by pretending to be legitimate software.

 

Patch Applications
What it covers: Ensures that application software has had all relevant vendor-supplied patches applied.
Why it’s important: Malicious software often gains access and propagates through the use of known software vulnerabilities.  Application vulnerabilities are often used to gain unauthorised access to all data to which the user account would legitimately have access, and also for the execution and propagation of malicious software such as ransomware which impacts data to which the user has write access.

 

Disable Untrusted Microsoft Office Macros
What it covers: Microsoft Office macros should be prevented from executing.
Why it’s important: Office documents containing macro code from external sources are an extremely high risk.  Macros run with the ambient security privilege of the user that opened the document, and are a common vector for downloading and executing additional malicious payloads from the Internet.  By disabling macros, any embedded malicious code remains dormant even if the user opens the document.

 

User Application Hardening
What it covers: User applications should be hardened against common vectors for attack such as through untrusted code executing in web browsers.
Why it’s important: Web browsers and other applications can convey malicious code in a variety of formats for execution directly on the end-point or in a virtualised machine.  Commonly exploited software such as Adobe Flash has been used as an attack vector for many years, and online advertising networks can be used to facilitate distribution of malicious code via banners.  It is recommended to disable the ability for end-points and other systems to execute Flash and other commonly compromised content delivery mechanisms.

 

Multi-Factor Authentication (MFA)
What it covers: Requiring multiple factors makes it harder for an attacker to use credentials, because additional elements are needed to complete an authentication to the system.
Why it’s important: By brute-forcing or guessing passwords, or gaining unauthorised knowledge of a password, an attacker can often gain complete control of a user’s account.  Users also often use the same password for multiple services or applications, which can result in significant damage.  By enforcing the use of multiple factors, knowledge of just a password does not give an attacker access.

 

Daily backup of important data
What it covers: Application and user data, system configurations and other critical parts of infrastructure should be regularly backed up, stored offline, and tested to ensure the backups are effective.
Why it’s important: When preventative controls have failed, often the only recourse is to restore data from a backup.  These backups should be taken regularly to ensure coverage of the latest state of the business and stored separately from the main infrastructure to guard against cyber-attack (e.g. encryption by ransomware) and physical threats (e.g. fire, flood and theft). Backups should also be tested to ensure that a recovery is achievable in the event they are needed.

 

How the Security Scorecard works

The Security Scorecard simply gathers data from ongoing security operations and through direct connections to systems and configuration interfaces to automatically establish weak points, policy failures and vulnerabilities to the most common attack types.

 

Security Scorecard Solutions

The functionality of the Security Scorecard forms the underpinnings of our ACSC Essential Eight compliance solution and the Executive Cyber Scorecard.  Additionally, it includes many of the controls recommended by members of the Five Eyes Community:

 

  • UK Government – NCSC Top 10
  • North America – NSA Mitigation Strategies
  • New Zealand – NZ Cert Critical Controls 2018
  • Canada – CSE Top 10 Security Actions
  • Centre for Internet Security (CIS) Controls

 
