Get My Score


hybrid security framework

Cybersecurity Scoring Blog Series

This is the third in five-part blog series designed to help your organization understand and leverage your own cybersecurity scoring posture--the first blog Introduced you to CyberPosture Scoring. The second one went over Cybersecurity Posture Scoring vs Risk Scoring.  Over the course of the series, we are presenting the concept of cybersecurity posture along with a security framework and an approach to calculate your overall posture score.  

Key Attributes and Elements for Building a Successful Security Framework

In our first two blogs, we presented an overview of what cybersecurity posture scoring is and how it relates to cybersecurity risk scoring. As we take you along the path to generate a CyberPosture score for your company, the first step is to establish an IT security framework from which you will guide your own scoring process leading you to a consistent scorecard that can be used throughout the organization.

When developing a security framework for measuring the CyberPosture of your IT infrastructure, it’s important that the framework adheres to five key attributes:

  • Comprehensive—incorporates all business-oriented risk signals impacting the security posture.
  • Extensible—dynamic ability to incorporate future risk signals and emerging controls that could impact the security posture over time.
  • Comprehensible—consumers of the score must be able to understand it with minimal cybersecurity knowledge.
  • Meaningful—represent your security posture adequately, accurately, and consistently to help drive prioritized action plans.
  • Defensible—based on industry-standard cybersecurity frameworks and supporting details available for those who want (or need) to dig deeper into the analysis.

Your CyberPosture will be driven by the following six elements, which serve as the scoring for your IT security framework:

  • Asset Criticality (discover and classify)
  • Threats (events perpetrated by threat actors in the context of the critical assets and vulnerabilities)
  • Vulnerabilities (weaknesses in the infrastructure)
  • Controls (mitigating controls against the vulnerabilities)
  • Likelihood of a Breach (historical projected)
  • Impact of a Breach (business assessment based on CIA triad)

When the attributes and elements of your posture scoring framework are in place, the information security team can articulate and present a clear view into how well the organization is prepared to deal with the threats and attacks it will likely face.

The rest of this blog will take you through the key factors to consider as you apply this framework to your IT environment.

Key Factors When Applying a Security Framework to Your IT Environment

Asset Criticality—the criticality of IT assets is an important contributory factor to your overall CyberPosture assessment. Assets are classified under the following categories:

  • Information—databases, data files in servers as well as desktops and laptops, system documentation, user documentation, training materials, operational/support procedures, continuity plans, and archived information.
  • Software—application software, system software, development tools, and utilities.
  • Physical Devices—computer equipment, processors, monitors, laptops, modems, printers, and other hardware.
  • Services—general utility services such as power, lighting and air conditioning that are used for IT equipment.
  • People—those who own and run the programs and perform tasks for the IT department related to these assets.

Each asset should be rated using the CIA information security triad—Confidentiality, Integrity, and Availability (CIA). It’s best to have the respective asset owners identify and classify the assets. This ensures that the individual owners’ concerns around security for each asset are taken into consideration.

The criticality of each asset will be scored according to the impact on the business if that asset were to be compromised:

Level 1 - No impact
Level 2 - Insignificant impact that will not result in a business or financial loss
Level 3 - Some impact that may result in some level of business or financial loss
Level 4 - Significant impact that will probably result in a significant business or financial loss
Level 5 - Severe impact that will likely result in a significant business or financial loss

Taking this approach will help prioritize which assets to focus on first as far as raising their posture score. Once the most critical assets are selected, they can then be grouped based on similar criticality ratings.

Of course, the assessment of criticality if only as accurate as the inventory of assets being evaluated. Therefore, the first step as part of this element is to implement a thorough discovery process that can identify the systems, containers, applications, and services in use throughout the organization, both on-premises and in the cloud.

Additionally, one must not forget to explore the environment for assets that may have been brought into the environment by employees, contractors, and partners without the knowledge of the IT department; or “Shadow IT.”

As a final point here, it is also essential to maintain a proactive view into the inventory of these assets, keeping abreast of planned and unexpected changes made to the environment, such as the modification of scope made to an existing workload and/or the launch of a new workload to address a new business requirement or process.

Threats—threat events pertain to conditions that can lead to breaches and are perpetrated by threat actors—either humans (insiders or outsiders), botnets (human-controlled networks) or nation states (government entities).

Threat actors can exploit weaknesses in systems and software to create threat events that portend breaches. The threats could be the result of malice (e.g., a cybercriminal trying to steal data) or unintentional (e.g., an admin-level user who changed access control permissions – to an S3 bucket, for example – without understanding the consequences).

Threat events can span:

  • Configuration issues: unintended data flows that expose data to the outside world.
  • Defects and other vulnerabilities in systems and applications: which can be used to bypass authentication, access rights, and other powerful system-level capabilities.
  • Limitations in compliance frameworks: far too often, the regulatory bar is set way too low, guiding the threat actor for how high they need to jump.

To gain a proper view of the threats the organization faces, the team must consider collecting and consuming one or more threat intelligence feeds. These feeds will provide real-time feedback for threat events pertinent to the organization which will, in turn, contribute crucial intelligence needed to better for a security posture score relevant to the environment within your organization (which, of course, was identified in the asset discovery and criticality element above).

Vulnerabilities and Mitigating Controls—according to, a vulnerability is a weakness in an application, operating system, or other components, that allows a threat actor to cause harm or compromise. The weakness can be a design flaw, misconfiguration, operational lapse (ineffective security practices), or other attack vectors.

A mitigating control is a configuration, process, technology, or even a person implemented as a means to safeguard or provide some other countermeasure in which to avoid, detect, counteract, or minimize the risk identified for a given asset.

As one might naturally picture, vulnerabilities and controls are very closely related to threats. The reason for this is simple: threat actors both intentionally and accidentally take advantage of vulnerabilities in the hopes that there are no effective mitigating controls in place. If the threat actor is malicious, for example, they could easily search the open web for the types of systems, applications, and services in use within your organization, do a lookup for the known vulnerabilities and common (out-of-the-box) misconfigurations they possess, and the check to see if there is a control in place to block access and/or prevent the payload from succeeding. 

If there is an adequate control in place, the threat actor can move on to seek out another system or application that is missing the control. If there is no mitigating control in place, the threat actor can choose to exploit the vulnerability and/or misconfiguration and leverage the benefits from doing so; change/increase access rights, change the system/application configuration, laterally move to another location on the network, or even sit and wait to use the machine’s location and capabilities to their advantage at a later time after they perform some additional reconnaissance.

As noted above, there are three types of vulnerability and control assessments that factor into the CyberPosture score:

  1. Configuration related issues
  2. Vulnerabilities related issues
  3. Security and Compliance framework related audit issues

The score contributions will come from any IT infrastructure resources such as OS resources, Cloud accounts, and services—both from an initial assessment contribution followed by a run-time monitoring assessment of the configuration, vulnerability, and control framework policies for which the organization has in place for the hybrid cloud infrastructure. Assessment monitoring also aligns with the CIA model in that one cloud service may require more availability or confidentiality than another.

The Likelihood and The Impact of a Breach—the likelihood of a breach is the probability of an asset being compromised due to threats exploiting the specific vulnerability and can range from <unlikely to occur> to <certain to occur>.

The impact of a breach that results in a business or financial loss should be assessed by the owner of each asset, collection of assets, and the overall business process that utilizes those assets. The value can range from <no impact at all> to <severe impact>, which may result in disastrous consequences or lead to significant financial loss.

The likelihood and impact analysis relies heavily on historical trends within the organization, trends in threat intelligence data, statistics related to the industry in question, statistics related to the geographical location of the business operations (laws and regulations can have an impact), the current patching regimen, and what types of attacks are actually possible against the identified vulnerabilities. There may be other factors as well, but these are the core areas from which the assessment would be made.

As the likelihood and impact are calculated, keep in mind that a single asset may be used to enable multiple business processes and may also be in play in support of multiple business units in many forms and in many locations.


Up Next: How CyberPosture Scoring Works 

For the security framework to be successful, you must have visibility into the hybrid world of the OS (both VM and container), of the workloads, and the key set of cloud provider services utilized as well. Remember: the faithfulness of your CyberPosture score is directly related to the rigor, consistency, and honesty that goes into each phase of the process.

In our next blogs, we will take you through the scoring methods to measure your CyberPosture score. We will then show you how to get started with obtaining your own CyberPosture score—including what you need to do before you can start scoring.

In the meantime, should you have any questions or need help generating a CyberPosture score for your organization, visit or contact Cavirin to speak with one of our CyberPosture scoring professionals. 

aws outage

The Benefits of a Hybrid Cloud

Having different workloads on both public and private clouds embraces a hybrid cloud strategy that is increasingly becoming popular with IT and CISOs. In essence, this strategy means avoiding the proverbial “putting your eggs in one basket”, which is the best way to invite risk and breaches to your data.

We got a glimpse into the vulnerability of the cloud last week when Microsoft Azure’s South-Central US data center region was down for a while after a severe lightning storm disrupted their cooling system.

According to a TechTarget article, Azure Outage Spotlights Cloud Infrastructure Choices, “the surge hit the power cooling systems, and subsequent rising temperatures triggered automatic hardware shutdowns.  Nearly three dozen cloud services, as well as the Azure status page, bore the brunt of the storm”.  The article cited that “much of the problem lies in how Microsoft has built out its public cloud architecture, where most Azure regions are comprised of a single data center”.  Additionally, there are so many risks of failures from many events, when workloads are solely stored on single data centers. To avoid this happening in the future writer James Montgomery at TechTarget said, “Microsoft must also modify its software to accommodate a multi-availability-zone architecture”.

This Microsoft incident points out, once again, that a cloud first strategy opens up an organization to service outages and downtime.  According to analytics firm Cyence, a startup that models the economic impact of cyber risk, the four-hour AWS outage in 2017 caused S&P 500 companies to lose approximately $150m.  It’s crazy to think how much could be lost if a major cloud provider is offline for days.  Lloyd’s, the specialist insurance and reinsurance market, in partnership with the risk modeler, AIR Worldwide put out a report in January that calculated an "extreme" cyber-incident -- one that takes a top cloud provider offline in the US for three to six days -- would result in industry losses of $15bn. 

Azure Outage, AWS downtime

A hybrid cloud infrastructure provides organizations more control of their critical workloads, which could mean everything if a cloud provider is unfortunate enough to be pushed offline for hours/days.  Check out our eBook, The Enterprise Journey to the Hybrid Cloud, which walks you through the steps required to building a world-class Hybrid Cloud infrastructure from setting goals and developing consensus to building and deploying secure hybrid workloads.




Actions to Take and Verifying Your Readiness

This is part 2 of a two-part series on CCPA readiness.  Read Part 1.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

What action should you take?

The GDPR and now the CCPA seem to be part of a wider trend towards greater individual data privacy and so it would be wise to prepare for further legislation and reassess your strategy with regards to personal data collection.

Begin by fully mapping all the personal data you collect and make sure that you know precisely how it is collected, how it’s used, who it’s shared with, and where it’s stored. Interrogate the reasons behind your data collection. If there’s no clear business benefit, then you may want to reconsider collecting that data in the first place.

Put processes in place so that your systems can securely handle data requests in a timely manner. Remember that you’ll need to provide access to data, delete data when required, and share specific information on the sharing or sale of any personal information. Allowing opt-outs on the sale or sharing of data may also require tweaks to your existing systems and/or end-user agreements.

The law requires that the business provides consumers with two or more designated methods for submitting requests for information.  A minimum requirement is a toll-free telephone number and if the business has an Internet Web Site, a website address.  In addition, the business must update its online privacy policy, and/or any California-specific description of consumer’s privacy rights and these updates must be done at least once every 12 months.  The Business is required to provide a clear and conspicuous link on the Business’ Internet homepage titles “Do Not Sell My Personal Information” that allows the consumer, or a person authorized by the consumer to opt out of the sale of the consumer’s personal information for 12 months (Note: Business can require the consumer to opt out after every 12 months).  The law requires that the request be submitted through a password-protected account maintained by the consumer if the consumer maintains an account with the business or that the business allow information request through the business’ authentication of the consumer’s identity.

Businesses and their data service providers will be required to implement technical safeguards and business processes that prohibit reidentification of the consumer to whom the information may pertain.  This will be a major burden to organizations that do not already have these controls in place.

Verify your readiness

Along with redesigning your data handling rules and systems you should update all policies pertaining to data and be prepared to train any employees who might be responsible for data. It’s not enough to ensure compliance internally, you also need to reach out to third parties and partners to ensure they follow suit.

Expect to update your systems and applications to implement additional data controls and/or monitoring of data access.  Implement new technical safeguards and business processes to prohibit reidentification of the consumer who has opted out.

Greater transparency in how personal data is collected and used is a good thing for consumers, but it also presents security challenges, so make sure you factor that in. With new policies, systems, and training in place, it’s advisable to complete a full audit that encompasses internal and external systems. Test for different scenarios and ensure that you’re in compliance with the new rules well before they come into effect.

If the Business plans to continue maintaining consumer personal information, then it would be best to have all the data encrypted at rest with the ability to de-identity the data if requested.

Expect to move from a compliance validation framework to a continuous security monitoring approach to establish your CyberPosture that can be reported daily.



California Privacy Act

Does the CCPA Apply to You and Consumer Rights

This is part 1 of a two-part series on CCPA readiness.  Read Part 2.  Find out whether the CCPA will impact your organization, what the requirements are if it does, and what action you should take to prepare for it. 

The dust has barely settled on the GDPR and businesses have new legislation to worry about. The California Consumer Privacy Act (CCPA) stipulates that California residents should have greater access to and control over personal information held by businesses (Note: this excludes financial services, healthcare, and/or other regulated businesses).  The law seems targeted to online social media firms.

Non-compliance carries civil penalty fines of up to $7,500 for each violation for any person, business, or service provider that intentionally violates this law.  Individuals can claim up to $750 per incident in damages (minimum is $100) if the business/service provider transgressor does not rectify any issue after being given 30 days to rectify the issue (the "business" can request additional time to resolve the matter).  Note: All legal actions need to be brought by the California Attorney General and only if there is no action after six months can an "individual" bring their own legal action against the transgressor.

INTERESTING FACT: This law formally places responsibilities and liabilities on the data service processors as well.  This is a major change.  Traditionally, non-regulated data service processors were required to comply based on business contract language while this law codifies their role.  Note: Financial Services data processors do have FFIEC defined responsibilities but does not have defined consumer liabilities.

CCPA is due to come into effect on January 1, 2020, so now is the time to assess exposure and start working towards compliance.

Does the CCPA Apply to you?

The new legislation applies to you if you have a for-profit business (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) that does business in the State of California and that falls into one of these categories:

  • Annual gross revenue more than $25 million;
  • Process the personal information of 50,000 or more California residents, households, or devices every year (Note: Definition of a device is any physical object that is capable of connecting to the Internet [directly or indirectly] or another device – i.e. think of a USB stick; mobile phone; vehicle diagnosis information; etc.);
  • Derives at least 50 percent of gross revenue by selling personal information; or
  • Any entity that controls or is controlled by a business that has the power to exercise a controlling influence over the management of a company.

It doesn’t matter where your business is located, but there are some exclusions pertaining to information that’s already covered by other Federal laws such as GLBA (mainly Financial Services firms); HIPAA or CMIA for health data; and/or CA Driver Privacy laws.

The definition of personal information for the CCPA is quite broad and covers anything that “could be reasonably linked, directly or indirectly, with a particular consumer,” so it’s best to take a cautious approach and cover as much data as possible.

This law does not require the business to retain any personal information if there is only a single, one-time transaction, and the information is not sold or retained by the business.

Third parties that purchased consumer data are restricted from selling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.

If a business collects consumer data but is unaware of the consumer’s age then the business is considered to know the consumer age and be required to have the consumer to opt-in for usage of the data.

New Consumer Rights

The new law enshrines a few fundamental rights for consumers to access the information that companies hold on them and to control what is collected, stored, and shared within the previous 12-months (Note: This can be done twice in any 12-month period at no cost but after that the "company" can charge for additional requests). Consumers can find out exactly what data a business has collected, they can prevent the sale of that data, and they have the right to delete it (Note: There are defined purposes that allow the company to maintain your data even if you request that it be deleted – example: Data Breach investigation).

The law was very specific of the identifiers included: real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, e-mail address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  The other items that may be new to businesses:

  • Products and/or services purchased, obtained, or considered or other purchasing or consuming histories or tendencies;
  • Biometric information that includes an individual’s physiological, biological, or behavioral characteristics, including an individuals deoxyribonucleic acid (DNA), that can be used singly or in combination with each other or with other identifying data, to establish individual identity, In addition, Biometric information includes imagery of the iris, retina, fingerprint, face, hand, palm, vein pattern, and voice recordings from which an identifier template can be extracted; keystroke patterns or rhythms; gait patterns or rhythms; sleep, health or exercise data that contain identifying information;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information that is not publicly available personal information per the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

The law also restricts the business from storing personal information a consumer when the consumer is in California then collecting (extracting) that personal information when the consumer and the stored personal information is outside of California.  Examples: Mobile Phone, Tablet, Electronic Reader, etc.

Businesses will also have to inform consumers when they intend to change data collection processes, share details on which categories of third parties have access to data, and elucidate on the business or commercial reasons for collecting it in the first place.   In addition, this law limited the usage of the consumer data to the stated purposes.

The legislation also introduces a strict opt-in requirement for minors, so businesses need to obtain parental consent to sell personal information belonging to anyone aged 16 years or under. There’s also protection against businesses trying to get consumers to sign waivers or otherwise discriminating against consumers who decide to opt out of any future sale of their personal data.

Note: The Business can charge the consumer a different price or rate, or provide a different level of quality good or service if the difference is reasonably related to the value provided by using the consumer’s data.

IMPORTANT: Sales of personal information to or from a consumer reporting agency (i.e. Equifax, Trans Union, Experian, etc.) is excluded from this law.  This is cover under Federal Law (Fair Credit Reporting Act).


Black Hat 2018

Everything CISO and Cybersecurity During Black Hat 2018

Black Hat celebrated its 21st anniversary this year, bringing together over 15,000 cybersecurity professionals to learn and network in Las Vegas.  At the Cavirin booth, people flooded to get their “Got CyberPosture” t-shirt and learn how the Cavirin CyberPosture Intelligence platform provides “credit like” scoring, with actionable insights, helping enterprises align their security resources to more effectively address pressing threats of cyber attacks in their hybrid environments (multi-cloud, containers, and on-premise). 

Additionally, BrightTALK was at the heart of the action, streaming live panel sessions and engaging in conversations with some of the world's top security leaders. These panels offer a collaborative atmosphere, enhanced by speaker presentations and insights. Cavirin’s CSO, Joe Kucic participated in two of the thought-provoking panels:  Key Factors for CISO Success & Managing Your Cyber Risk!  If you were unable to join us in Vegas, we highly recommend tuning into these two panels available on the BrightTALK website. Here is a little more information about the webinars: 

The Key Factors for CISO Success was a Part 1 of 2 CISO panels during Black Hat. This panel was an in-depth focus on the ever-changing role of the CISO and the factors influencing their success. There was also a focus on why identifying your organization’s security culture matters. With the huge shift to cloud services, CISOs are needed to recruit, develop, and retain strong security talent.  Today’s cyber threats and the introduction of the hybrid cloud is forcing CISO’s to build a new arsenal of talent and tools to accommodate its present complexity. Kucic believes that CISO’s are beginning to adapt the continuous security model to address the frequency and acts of today’s threats.  CISO’s are required to know what their levels of exposures are based on different assets. Further, they must be able to prioritize the remediation actions that help improve the overall security posture of an organization.  Taking that data and being able to present it to leadership is key for a CISO’s success.   Lots more great insight from Joe and other members of the panel: Mark Weatherford (vArmour), Azi Cohen (WhiteSource) and Mark Whitehead (Trustwave).

The second panel that Cavirin’s CSO, Joe Kuicic, was featured on was Managing Your Cyber Risk lead by ITSPmagazine, based on detecting and responding to threats within your organization. This panel was a Q&A based around managing security risk. The key takeaway was that every company has it whether they want to acknowledge it or not. Kucic says that “risk management has evolved to be a business enabler, a differentiator if they do it right.  It allows companies to move quicker with technologies and go to market faster than their competitors if they look at it the right way and not just as a compliance requirement”. Continuous visibility is important because risks and breaches are ongoing and not just a single occurrence.  Finally, he adds that remediation and mitigation are things that companies continue to struggle with today.  Both webinars are available on BrightTALK for free! Tune in for the full coverage.

Overall, Cavirin’s participation at Black Hat was awesome due to the relationships built, conversations enjoyed, and insights gained this year. To continue the BH momentum, if you want to see a demo of our CyberPosture Intelligence Platform, This email address is being protected from spambots. You need JavaScript enabled to view it.!  We would love to keep the connections going! We even might be able to get you the hot “Got CyberPosture” t-shirt.  See you soon.



© 2018 Cavirin Systems, Inc. All rights reserved.