Page 65 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
So, What’s the Problem?
Table 1 and Table 2 show an example of a common yet specific terminology problem. A company wants
to assess a vendor to ensure that the vendor’s email servers cannot be used for phishing attacks targeting
the outsourcing company. Specifically, the outsourcer wants to know if the vendor has enabled the
Sender Policy Framework (SPF) on their network. SPF is a Domain Name Service (DNS) configuration
that organizations can enable to help stop attackers from impersonating an organization’s email
addresses.
When reviewing Security Rating Service A’s alert category, it is easy to spot the reference to SPF
because SPF is specifically listed. However, in Security Rating Service B’s solution, it is hard to tell if
either Category 1 or Category 2 matches the outsourcer’s need for SPF monitoring.
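The outsourcer’s question above (“has the vendor enabled SPF?”) has more than a yes/no answer, because a published SPF record can still authorise any sender. The following added example, which is not from the article or from any rating service, classifies the SPF posture of a domain from its DNS TXT records and phrases each weak posture in the adverse form the taxonomy favours. The vendor domains and their TXT records are constructed for illustration; a real check would fetch the TXT records from DNS first.

```python
import re

# Constructed sample TXT records for hypothetical vendor domains (not real DNS data).
SAMPLE_TXT_RECORDS = {
    "vendor-a.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "vendor-b.example": ["v=spf1 include:_spf.mail.example ~all"],
    "vendor-c.example": ["v=spf1 +all"],                 # "enabled" but authorises everyone
    "vendor-d.example": ["site-verification=abc123"],    # no SPF record at all
    "vendor-e.example": ["v=spf1 -all", "v=spf1 ~all"],  # two records: permanent error
}

# Adverse-form descriptions of each weak posture, in the spirit of a shared taxonomy.
ADVERSE_FINDINGS = {
    "missing": "SPF record not published",
    "multiple": "More than one SPF record published (receivers treat this as permerror)",
    "permissive": "SPF record authorises any sender (+all)",
    "neutral": "SPF record does not reject unauthorised senders (?all or no 'all')",
    "softfail": "SPF record only soft-fails unauthorised senders (~all)",
    "redirect": "SPF policy delegated via redirect= (follow-up lookup needed)",
}

QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "permissive", "": "permissive"}

def find_spf_records(txt_records):
    """Return the TXT strings that declare SPF version 1 (RFC 7208 allows exactly one)."""
    return [r for r in txt_records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]

def assess_spf(txt_records):
    """Classify the SPF posture implied by a domain's TXT records (no network access)."""
    spf = find_spf_records(txt_records)
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "multiple"
    terms = spf[0].split()[1:]
    for term in terms:
        # The 'all' mechanism ends evaluation; its qualifier decides the fate of
        # senders not matched earlier. The default qualifier is '+' (pass).
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return QUALIFIERS[m.group(1)]
    if any(t.lower().startswith("redirect=") for t in terms):
        return "redirect"  # policy lives in another domain; 'all' would have overridden it
    return "neutral"  # no 'all' and no redirect: unmatched senders get 'neutral'

def report(records_by_domain):
    """Map each domain to an adverse-form finding, or None when SPF hard-fails unknown senders."""
    return {d: ADVERSE_FINDINGS.get(assess_spf(r)) for d, r in records_by_domain.items()}
```

Only `vendor-a.example` produces no finding; the others are “enabled” in some sense yet each maps to a distinct adverse condition that a rating category should be able to name.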
A Group of Rivals
Shared Assessments is a member-driven organization that has developed and promoted standardized
resources for corporate risk assessment (not just cyber risk assessment) for over a decade. SA members
— including SRS providers such as 23Advistory, BitSight, Black Kite, Panorays, RiskRecon, and Security
Scorecard — worked through Shared Assessments to create the common taxonomy with which they
could describe their varied offerings. The taxonomy establishes consistent language, practices, and
reporting structures for complex cyber events and vulnerabilities, and removes the potential for
ambiguities. Each of the “rivals” sees advantages for themselves and their clients.
The World Economic Forum and NIST are both considering leveraging the taxonomy to ensure
consistency with their own frameworks and terminology.
The taxonomy itself takes no stance on the relative importance of any one event over any other. What is
required is that an event is currently being monitored by someone, in some way, in the real world. The
events are described in the adverse to avoid duplication. For example, one SRS provider may say “the
XYZ patch is missing — that’s bad” and provide a lower score while another provider may say “the XYZ
patch is present — that’s good” and provide a higher score. The taxonomy always describes the XYZ
patch in its adverse form to avoid describing the condition twice.