Understanding the 7 phases of a security risk assessment and how long they take
If you’re proactively looking for ways to increase your security posture or wanting a detailed look at your IT network after a breach, a security risk assessment provides an in-depth look into both.
At The KR Group, our security team offers a Purple Team Hive Assessment, which looks for risks and vulnerabilities in more than a dozen areas of your IT network.
One question most of our customers ask our security risk team about the assessment is what the timeline looks like for the project.
A Step-by-Step Timeline of a Security Risk Assessment
Typically, you can plan on going through seven phases for a comprehensive security assessment:
- Pre-engagement stage
- Launch day
- On-site analysis
- Remote analysis
- Clean up
- Report presentation
- Follow up
Going through these phases and completing a security assessment will give you knowledge and power to increase your network’s security.
Once you’ve committed to a security risk assessment, you’ll start the process with the pre-engagement stage.
This typically is one or two weeks before the assessment starts. The pre-engagement phase is designed to allow the IT security team to gather all the information they’ll need, including terms of the assessment, contact information, and environment-specific information.
Three important components of the pre-engagement stage are:
During the pre-engagement stage, your security adviser will ask you not to disclose to employees that there is an ongoing security assessment.
Notifying your employees could cause them to be vigilant of threats they would otherwise ignore, and thus, it would not provide an accurate depiction of your security posture.
The interview portion of the security assessment gives your security team an idea of your needs.
Your security adviser will ask you questions about regulatory compliance requirements and what security policies and procedures you have in place.
The most important question in the interview is what systems are mission-critical. Your answer to this question will determine how your security adviser prioritizes remediation efforts and determines your level of risk.
Environment information form
The final component of the pre-engagement stage is filling out the information for your environment information form (EIF).
You’ll have about a week to fill this form out, which provides the security team with admin credentials, important hostnames, IP addresses, subnet ranges, external IP addresses, wireless info, remote access information, and email aliases.
All this information is vital for your security team to move on with the other phases of the security assessment.
At this point, about one or two weeks after the pre-engagement phase, your security team will have all the information about your IT environment, and they’ll be able to begin the security assessment.
There are two parts to the launch phase:
Ensure information is correct
Your security adviser will check to see the information they retrieved during the pre-engagement phase is correct.
They’ll check if the login credentials work, and, if needed, they’ll ask clarifying questions.
For the security team, launch day is their first chance to start analyzing your security posture and looking for risks and vulnerabilities.
They’ll begin with an external vulnerability scan. This looks for holes in your network firewall(s) to identify ways outside attackers can break in.
They’ll also create a Cisco Umbrella account to monitor your network.
One feature Cisco Umbrella offers is DNS-layer security, which includes the ability to detect compromised systems and stop attacks.
It also has the ability to analyze the Internet traffic of your company’s users and determine if their usage is safe or unsafe.
When your security team begins the assessment, if it includes offensive testing, they’ll also start external penetration testing and launch the first phase of the phishing campaign.
Launch day is typically complete in one day.
While most of the security assessment can be performed remotely – hence why you needed to provide information for remote access in the EIF – a portion of the security risk assessment takes place on-site.
Depending on your business’ size and complexity, your adviser will need one or two days on-site.
This is a chance for a final cadence with you and the security team to ensure you both have the same goals for the security risk assessment.
Then, the adviser will conduct the following two tests:
The defensive team on the security assessment (The KR Group’s Blue Team) will look at how your server, routers, Active Directory, and other networking components are configured.
The offensive team (KR Group’s Red Team) will identify and exploit vulnerabilities that may exist in your environment. This complements the work your defensive team has done because typically these vulnerabilities coincide with weaknesses they discover.
In addition to a technical review, the team will review existing policy and procedure maturity for categories including disaster recovery, business continuity, incident response, and acceptable use policies.
They’ll take note of any misconfigurations, what issues they could cause, and ultimately provide a remediation effort in the final report.
While onsite, your security adviser will perform an internal vulnerability scan and threat review, looking for vulnerabilities and threat agents inside your business network. This provides a point in time snapshot of misconfigurations, missing patches, and active attacks.
Your security adviser will also look at the physical security of your IT components by checking for fire suppression measures, battery back-ups, and locks.
The offensive team of your security assessment takes this security check a step further and attempts to exploit your IT system.
They’ll check to see if your server closet doors and data center cabinets are actually locked, and they’ll see how far they can get into your office building toward a workstation before being noticed.
Following the on-site analysis, your security adviser begins to review data and continues the remote portions of the assessment.
During the remote analysis, your security adviser will review the initial phishing campaign data and Cisco Umbrella data they received during launch day and on-site analysis.
The team will also continue its manual assessment of your network, including launching the second, more complex phishing campaign.
For the next two to three weeks, your security adviser will be remotely analyzing your security posture, looking for vulnerabilities and listing remediation suggestions.
After 2 or 3 weeks of assessing your environment, your security adviser will have examined the entirety of your network and determine what risks and vulnerabilities exist.
To close out the assessment, the security team will need to clean up your environment and leave it as they found it.
Reputable security advisers won’t change any of your configurations or hijack data. However, they may leave evidence they were able to access different points in your network by leaving benign payloads on the systems they were able to breach.
During the clean-up phase, your security team will go back and delete these items.
They’ll also retrieve any on-site scanners they deployed and decommission Cisco Umbrella if it’s a trial version.
Essentially, they remove all traces of being inside your network.
The clean-up phase takes place between the end of their remote analysis and presenting their discoveries.
While clean-up itself doesn’t take much time, the time between the end of the remote assessment and the presentation can vary.
Your security team is able to meet within a few days after completing the report and cleaning up your environment. Typically, scheduling conflicts between your team and the security adviser push the next phase (the report presentation) out by at least a week.
Between 3 and 4 weeks after beginning the security assessment process, your security team will share their discoveries with you during a presentation.
You can opt for a one-day overview of your security report or you can split it up over a couple of days.
The presentation is comprehensive as it goes over everything your security adviser analyzed and found.
A few highlights of the presentation are:
- The likelihood chart provides an overview of your assets’ risk
- Risk ratings break down the vulnerabilities assessed for the likelihood chart.
- Each vulnerability is given a risk reduction recommendation.
By the end of the presentation, you’ll know what vulnerabilities exist in your environment and have ways to reduce those risks.
After the security assessment is complete, a good security adviser will continue to keep the line of communication open with you.
First, you’ll have an open invitation to reach out regarding questions about the assessment report.
If you want further assistance prioritizing remediation efforts or need clarifying information, your security adviser should be available to provide that information.
Within 4 weeks of closing the project, the security team will reach out to see how things are going. They’ll be available to answer any outstanding questions you may have related to the report.
Unless you reach out to your security adviser, you likely won’t hear from the team again for about 9 months. When they reach out to you this time, it’ll be to remind you about an annual review.
In IT, a lot can happen in a year, and it’s likely you’ll have new vulnerabilities that will need to be addressed. An annual assessment is a chance to follow-up and to continue working toward a stronger security posture.
From pre-engagement to follow-up, it only takes a couple of months to have actionable items to significantly improve your security posture.
During this time, your IT security team will receive all the information about your environment, analyze your vulnerabilities, and create a prioritized list of measures you should take to reduce risk.
For more information on what the result of the security assessment will look like, check out our “How to Read a Security Assessment Report.” And if you’re ready to learn more about what a Purple Team Hive Assessment will look like for your company, go ahead and schedule a free consultation with us.