Risk Assessments

Fast and decision-enabling cybersecurity information

Assessment Services

Vendor Controls Assessments, Data Driven Vendor Assessments, Data Driven Product Assessments, and File Integrity and Authenticity Assurance
Standardized and Customizable.

REQUEST A SAMPLE

Supply Chain Risk Management is about Vendors and Products

Utilizing best practices for security and NERC CIP compliance.

Vendor Controls Assessments

Standardized A2V Vendor Questionnaire

  • Quantifying cybersecurity risk
  • Findings are resolved by avoiding, mitigating/remediating, accepting or transferring the risk
  • Out-of-the-box workflows enable industry best practices while allowing for configuration
  • Non-responsive vendors flagged to be revisited during contract renewal
  • A2V provides collective bargaining power

Data Driven Vendor Assessments

Summarized & scored with full transparency into…

  • Risk management personnel
  • Public cybersecurity posture
  • Web scanner results
  • Negative news, regulatory & compliance
  • Financial, merger & acquisition
  • Fourth-party incidents
  • Privacy policies

Product Assessments

Cybersecurity information for products addressing risk across…

  • Inherent product risk
  • Vulnerability and patch remediation risk
  • Product security risk (controls-based)

File Integrity Assurance

  • Software source authenticity verification
  • Patch integrity validation

Achieve your security and compliance goals faster!

CIP-013-1 R1.2 Security Requirements

  • Notification by Vendor
  • Coordination of Response
  • Disclosure by Vendor
  • Verification of Software
  • Identity Verification
  • Integrity Verification

Asset to Vendor Network

We can help you reach your CIP requirements on time

Continuous Monitoring


Data-Driven Risk Ranking

The analytics-based approach to ranking vendor risk.

Data Driven Risk Ranking uses web scraping, APIs, cyber geolocation and machine learning to classify vendors by industry and inherent risk.


Data-driven risk ranking/tiering uses machine learning, web scraping, cyber scans and human analysis to determine inherent risk across (1) system access [application and/or hardware], (2) data access, (3) physical access, (4) offshore, (5) cloud, (6) financial, (7) strategic, and (8) fourth-party.

Validation

  • Company’s primary business
  • Revenue
  • Employees
  • Domain names

Information Gathering

  • Keyword scan vendor website
  • Identify cyber global footprint
  • Match against public and private databases

Enrichment

  • Learning for classification
  • Review validation and conclusions

Business Rule

(Configurable)

  • Mimics the risk rank scoring methodology

Insights

  • Cyber risk
  • Breach data
  • Compliance data
  • Custom data sources

Data-driven risk ranking can rank up to tens of thousands of vendors in days.

File Integrity Assurance

Software source authenticity and file integrity

In Compliance with NERC CIP-010-3

Software Source Authenticity

Is the IDENTITY suspect?

Best Practices: Monitor…

  1. DNS IP changes
  2. BGP route hijacking
  3. Prefix, path, data plane, policy
  4. SSL/TLS certificates
  5. Threat intelligence

Software File Integrity

You can’t trust the vendor hash

What if the attacker who replaced the file with an infected one also replaced the published hash?

You can’t trust MD5 hashes

MD5 is cryptographically broken: collisions can be generated, so a matching MD5 does not prove a file is unmodified

You can’t trust third-party sites

How do you know they have not been compromised?

File Integrity Assurance Meets These Requirements

Chain of custody

Immutability

End-to-end encryption with Perfect Forward Secrecy, so that traffic captured in transit cannot be decrypted later

Malicious Code Detection

Continuous Monitoring

A2V continuously monitors

  • Hash lookups in malicious file databases
  • Antivirus scanning
  • YARA rule detection
  • Malicious JavaScripts loaded on compromised download pages
    (It’s not just the software, but the source too!)

Firmware Analysis and Source Composition Analysis

  • Hard-coded Secrets
  • Weak Passwords
  • Vulnerabilities
  • Outdated/Third-party Components
  • Insecure Coding Practices
  • Insecure Functions
  • Lack of Exploit Mitigation
  • Manual Suspicious File Investigation
  • Custom Security Analysis (YARA Rules)

File Integrity Assurance

Verifying the source of the file and the integrity of the software


File Integrity Assurance (FIA) Process

Fortress downloads target file

  • Optional on-premise file repository
  • Optional integration/configuration with ticketing and patch deployment systems
  • E.g., ServiceNow, Remedy, LANDesk, RH Satellite, Ivanti

Authenticity & integrity checks

  • Authenticity – breaches, encryption, certificates, DNS
  • Integrity – code signing, malware, sandbox (when other checks fail), firmware 3rd party analysis, custom rules (e.g., YARA rules)
  • SHA-256 hash stored in private blockchain

Utility checks file hash

  • Via command-line interface or
  • Via upload file to online repository or
  • Via integrated secure file storage
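The check described in the three FIA steps above, as an added illustration that is not Fortress or A2V code: a SHA-256 record is committed to an append-only, hash-chained ledger (a stand-in for the page’s private blockchain), and the utility-side check recomputes the digest and compares it, also refusing files that were never assessed or whose ledger has been altered. The file names and contents are constructed samples.

```python
import hashlib
import json

# Constructed sample "vendor patch" contents (not real files).
TRUSTED_PATCH = b"relay-firmware-v2.1.bin :: constructed sample bytes"
TAMPERED_PATCH = b"relay-firmware-v2.1.bin :: constructed sample bytes + implant"

def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string (a real utility would stream the file in chunks)."""
    return hashlib.sha256(data).hexdigest()

class HashLedger:
    """Append-only, hash-chained record store standing in for the 'private blockchain'.
    Each record commits to the previous record's digest, so editing or dropping an
    earlier record invalidates every digest after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def digest(entry: dict) -> str:
        body = json.dumps({k: entry[k] for k in ("file", "sha256", "prev")}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def record(self, filename: str, file_sha256: str) -> str:
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        entry = {"file": filename, "sha256": file_sha256, "prev": prev}
        entry["digest"] = self.digest(entry)
        self.entries.append(entry)
        return entry["digest"]

    def chain_intact(self) -> bool:
        expected_prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != expected_prev or self.digest(e) != e["digest"]:
                return False
            expected_prev = e["digest"]
        return True

    def lookup(self, filename: str):
        # Most recent assessment of this file name wins.
        return next((e for e in reversed(self.entries) if e["file"] == filename), None)

def check_file(ledger: HashLedger, filename: str, data: bytes) -> str:
    """Utility-side check: recompute SHA-256 and compare it with the ledger record."""
    if not ledger.chain_intact():
        return "LEDGER_TAMPERED"     # the reference itself cannot be trusted
    entry = ledger.lookup(filename)
    if entry is None:
        return "UNKNOWN"             # never assessed: do not deploy
    return "OK" if entry["sha256"] == sha256_hex(data) else "MISMATCH"
```

A MISMATCH or UNKNOWN result is the signal to hold the patch and open a ticket rather than deploy, which is where the ticketing integrations listed above come in.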

ADOPT THE CONSERVATIVE APPROACH TO CIP-013-1

The largest utilities (including those set to be audited in late 2020 and early 2021) and industry advocates are embracing the secure spirit of CIP-013 by adopting these best practices:

  1. Broadly defining a BES asset

     By including any vendor with physical, not just remote or logical, access to BES assets

  2. Retroactively applying the standards

     The letter of CIP-013 requires a security risk management plan, but these organizations are planning retroactive implementation

  3. Ultimately including all vendors

     Processes are being completely overhauled from supply chain to procurement/sourcing to IT, and analytics are being used to quickly classify legacy vendors with a high likelihood for CIP-013 applicability

  4. Performing comprehensive assessments

     The CIP-013 standard vaguely requires an assessment, and these organizations are choosing to use assessments with up to several hundred questions