by Anže Žitnik (XLAB), Antonio Álvarez Romero (ATOS) and Stephanie Parker (TRUST-IT)

As one of the outputs of the WISER project, CyberWISER-Light provides a quick way for SMEs to make a first assessment of their cyber risk status.

Most of us rely on information and communication technologies (ICT) in our professional lives as well as private day-to-day activities. Although this brings huge benefits in many areas, we rarely think about the threats introduced by our increasing dependence on ICT. As the number of security-related cyberspace incidents continues to increase, it is important to be aware of the potential impact that incidents such as identity misappropriation, information theft or disruption of critical services can have on individuals and businesses. SMEs, representing the highest proportion of European businesses, are the most vulnerable to cybercrime. The biggest obstacle in the process of limiting the growth of cybersecurity incidents is the lack of awareness of individuals, business decision makers and even IT professionals, which leads to insufficient risk management and inadequately resilient security information systems and networks.

WISER delivers a cyber-risk management framework to assess, monitor and suggest mitigation options for cyber risks in real time, while incorporating socio-economic impact aspects, building on current state-of-the-art methodologies and tools, and leveraging best practices from multiple industries and international initiatives. The WISER framework [L1] features cyber-risk modelling techniques [1] and monitoring tools that observe the state of ICT infrastructure and services in an organisation. These provide the information necessary to evaluate risk levels and drive decision support tools that recommend effective mitigation options based on a cost-benefit analysis of the risk impact. The aim of WISER is to increase cyber-risk awareness, make cybersecurity understandable to management personnel, and facilitate their decisions about risk management and the adoption of cybersecurity systems.

CyberWISER-Light is the first product emerging from the WISER project. It is free of charge and enables self-assessment of cyber risk exposure with minimal effort and time required by the end-user. Designed with SMEs and the general public in mind, CyberWISER-Light provides a very first approach to cybersecurity to a wide variety of companies with no experience or awareness in the field. It features a questionnaire about the business and ICT profile of the company and an automatic website vulnerability scanning tool. The vulnerabilities found are put into the context of the business based on the insights the user provides in the questionnaire. The assessment result includes a general risk assessment score and a report of vulnerabilities found and suggestions for mitigation measures. The report gives a very basic yet relevant picture of a company’s cybersecurity position as a step towards defining a corporate cyber-security strategy, regardless of the size of the company.

The questionnaire consists of 28 questions. The assessment based on it takes into account the company's business profile, its internal organisation and the risk exposure of the sector it operates in, as well as the technical aspects of its ICT profile, and identifies the basic measures that must be adopted to assure technical and organisational ICT security.

The web application vulnerability scanner automatically gathers responses from the targeted website and compares them to a database of known vulnerabilities to find which vulnerabilities might be present in the web application. A vulnerability scan can be carried out from outside the company’s infrastructure, which means that no installation or modification of hardware or software on the premises is required. Another advantage is that vulnerability scans can be scheduled to run repeatedly on a time schedule or after changes in the monitored web application.

The vulnerability scanner in CyberWISER-Light combines results from several existing vulnerability scanning tools, such as W3af [L2] and OWASP ZAP [L3]. These tools run inside a Docker [L4] container, which enables us to easily deploy several instances to cope with the increasing workload of vulnerability scan requests. The architecture of our vulnerability scanning solution is presented in Figure 1. We can set up multiple Docker containers running the vulnerability scanning tools depending on the number of vulnerability tests that need to be processed. A simple API developed in the Django framework [L5] manages task scheduling and communication with the worker programs. Our solution permits a vulnerability scan to be triggered with a single call to the API, with the option to include custom settings or use the default parameters for the vulnerability testing.
Figure 1: The vulnerability scanner solution in CyberWISER-Light.

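To make the scheduling and result-combining role of the API concrete, here is an added illustration in plain Python (it is not the CyberWISER-Light code and does not use Django or the real w3af/ZAP interfaces): a single request call that merges custom settings over defaults, a queue that hands tasks to a fixed number of worker slots (one per scanner container), and a merge step that deduplicates findings reported by several tools, keeping the highest severity. The setting names, tool names, finding fields and the sample tool output in demo() are all assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed default parameters used when the caller passes no custom settings.
DEFAULT_SETTINGS = {"tools": ("w3af", "zap"), "max_depth": 2, "timeout_s": 600}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ScanTask:
    task_id: int
    target: str
    settings: dict
    status: str = "queued"                           # queued -> running -> done
    reported_by: set = field(default_factory=set)    # tools that have delivered results
    findings: dict = field(default_factory=dict)     # merged findings keyed by (name, url, param)


class ScanScheduler:
    """Queues scan requests and hands them to a fixed pool of worker slots."""

    def __init__(self, worker_slots):
        self.worker_slots = worker_slots  # one slot per scanner container (assumption)
        self.queue = deque()
        self.running = set()
        self.tasks = {}
        self._next_id = 1

    def request_scan(self, target, custom_settings=None):
        """The single API call: custom settings override defaults; returns a task id."""
        settings = dict(DEFAULT_SETTINGS)
        for key, value in (custom_settings or {}).items():
            if key not in DEFAULT_SETTINGS:        # reject unknown keys instead of passing them on
                raise ValueError(f"unknown setting: {key}")
            settings[key] = value
        task = ScanTask(self._next_id, target, settings)
        self._next_id += 1
        self.tasks[task.task_id] = task
        self.queue.append(task.task_id)
        self._dispatch()
        return task.task_id

    def _dispatch(self):
        # Start queued tasks while a worker slot is free.
        while self.queue and len(self.running) < self.worker_slots:
            task_id = self.queue.popleft()
            self.tasks[task_id].status = "running"
            self.running.add(task_id)

    def worker_report(self, task_id, tool, raw_findings):
        """Called by a worker when one tool finishes; merges its findings into the task."""
        task = self.tasks[task_id]
        if task.status != "running" or tool not in task.settings["tools"]:
            raise ValueError(f"unexpected report from {tool} for task {task_id}")
        for f in raw_findings:
            # Normalise the name so the same issue reported by two tools collapses into one entry.
            key = (f["name"].strip().lower(), f["url"], f.get("param"))
            existing = task.findings.get(key)
            if existing is None:
                task.findings[key] = {"name": f["name"], "url": f["url"], "param": f.get("param"),
                                      "severity": f["severity"], "tools": {tool}}
            else:
                existing["tools"].add(tool)
                if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[existing["severity"]]:
                    existing["severity"] = f["severity"]
        task.reported_by.add(tool)
        if task.reported_by == set(task.settings["tools"]):   # all requested tools done
            task.status = "done"
            self.running.discard(task_id)
            self._dispatch()                                   # free slot -> next queued task

    def report(self, task_id):
        """Report for the end user: merged findings, most severe first."""
        task = self.tasks[task_id]
        findings = sorted(task.findings.values(), key=lambda x: -SEVERITY_RANK[x["severity"]])
        return {"task_id": task_id, "target": task.target, "status": task.status,
                "findings": findings}


def demo():
    """Constructed walk-through: two worker slots, three scan requests, two tool reports."""
    sched = ScanScheduler(worker_slots=2)
    a = sched.request_scan("https://shop.example")
    b = sched.request_scan("https://intranet.example", {"tools": ("zap",), "max_depth": 1})
    c = sched.request_scan("https://blog.example")
    # Only two slots, so the third request waits in the queue.
    assert [sched.tasks[t].status for t in (a, b, c)] == ["running", "running", "queued"]
    # Constructed tool output: both tools flag the same issue, one rates it higher.
    sched.worker_report(a, "w3af", [
        {"name": "Reflected XSS", "url": "/search", "param": "q", "severity": "medium"}])
    sched.worker_report(a, "zap", [
        {"name": "reflected xss", "url": "/search", "param": "q", "severity": "high"},
        {"name": "Missing X-Frame-Options", "url": "/", "param": None, "severity": "low"}])
    return sched


if __name__ == "__main__":
    print(demo().report(1))
```

A real deployment would persist the task table and queue, authenticate the API caller and the workers, and enforce the per-task timeout; the point here is that "one call triggers a scan" and "results from several tools are combined" both reduce to small, testable pieces of scheduling and merging logic.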
The WISER project is an Innovation Action funded by the European Union’s H2020 research and innovation programme under Grant Agreement no. 653321. The project started in June 2015 and brings together a multidisciplinary consortium of partners including technology providers, risk management experts, market experts and service providers for piloting. WISER partners are: Atos Spain (coordinator), Trust-IT Services Ltd (UK), Stiftelsen SINTEF (Norway), XLAB (Slovenia), AON SpA (Italy), Rexel Developpement SAS (France) and Enervalis (Belgium).

Links:
[L1] http://www.cyberwiser.eu/
[L2] http://w3af.org/
[L3] https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
[L4] http://www.docker.com/
[L5] https://www.djangoproject.com/

Reference:
[1] A. Refsdal, B. Solhaug, K. Stølen: “Cyber-Risk Management”, SpringerBriefs in Computer Science, 2015.

Please contact:
Anže Žitnik
XLAB d.o.o., Slovenia
+386 1 244 77 50
