Vendor Risk Assessment Tool

Our new addition to the Security Colony Portal.

Security Colony has released its “Vendor Risk Assessment” (VRA) tool, developed in conjunction with a major financial services client, which enables our subscribers to assess the risk posed to their internet facing sites, and receive a profile reflecting their cyber security maturity.

While seeing your own profile is empowering, the ultimate purpose of the tool is to enable you to gain better visibility over your suppliers. In Q2 this year, we will be releasing the ability for our paid subscribers to add additional vendors for tracking, to get a view of their third party risk.

The platform uses a range of free, open source and commercial tools to complete 17 distinct checks against a company’s online footprint, packaging this analysis up in an easy to use interface that details the identified risks and provides an overall risk score and grade for the vendor.

What does it do?

There are two broad assessment categories completed by the VRA platform: malicious activity checks, and misconfiguration and vulnerability checks.

The data collected from these assessments is then analysed and presented in an easy to manage format, including:

  • Providing a risk-based score (out of 10) and a corresponding grade (from A to F)
  • Tracking the change in security risks over time
  • Providing clarity around the source of the calculation

Domain Risk Overview

Malicious activity checks

The VRA tool assesses the organisation for historic (or current) malicious activity, including:

  • Whether an organisation has had their domain blacklisted for spam
  • Whether an organisation has been identified as hosting malware on their domains
  • Whether an organisation has been identified as a source of phishing attacks
  • Whether an organisation has been identified as a source of botnet attacks

Malicious activity checks

Misconfiguration and vulnerability checks

The VRA tool assesses security misconfigurations and vulnerabilities, including:

  • Whether an organisation has a strong process for correctly configuring all their encryption (SSL/TLS) certificates
  • Whether an organisation uses strong email security technology (SPF and DMARC)
  • Whether employees of an organisation have used their corporate email addresses on external accounts, and whether they have then been the subject of a data breach
  • Whether an organisation has insecure (i.e. unencrypted) ports open to the Internet
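As an illustration of how the SPF and DMARC check above can be graded, here is an added example (not code from the Security Colony VRA tool): two functions that grade a domain's SPF and DMARC TXT records, returning a finding and a severity. The records they consume are constructed samples; a real check would fetch them from DNS for the apex domain and for `_dmarc.<domain>`.

```python
# Added example, not the VRA tool's own code: grading SPF and DMARC TXT records offline.
# Input records are constructed samples; a real check would resolve them from DNS.

def assess_spf(txt_records):
    """Grade the SPF posture from the TXT records published at a domain apex."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("no SPF record published", "high")
    if len(spf) > 1:
        return ("multiple SPF records (receivers treat this as a permanent error)", "high")
    # SPF evaluation stops at the first matching mechanism, and 'all' always
    # matches, so only the first 'all' term (and its qualifier) matters.
    all_terms = [t for t in spf[0].split()[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        return ("no 'all' mechanism; unlisted senders are implicitly neutral", "medium")
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    return {
        "+": ("+all lets any host send as the domain", "high"),
        "?": ("?all (neutral) offers no protection", "medium"),
        "~": ("~all (softfail); prefer -all once senders are known", "low"),
        "-": ("-all (hardfail) rejects unlisted senders", "ok"),
    }[qualifier]

def assess_dmarc(txt_records):
    """Grade the DMARC policy from the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("no DMARC record published", "high")
    tags = {}
    for part in dmarc[0].split(";"):          # tags are "key=value" pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    pct_raw = tags.get("pct", "100")          # pct defaults to 100 when absent
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy not in ("none", "quarantine", "reject"):
        return ("DMARC record has no valid p= tag", "high")
    if policy == "none":
        return ("p=none only monitors; spoofed mail is still delivered", "medium")
    if pct < 100:
        return (f"p={policy} applied to only {pct}% of failing mail", "low")
    if policy == "quarantine":
        return ("p=quarantine sends spoofed mail to spam", "low")
    return ("p=reject blocks spoofed mail", "ok")
```

Each function takes the list of TXT strings returned for the relevant name, so an empty list models a domain that publishes nothing.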

Security configuration and vulnerability checks

To demonstrate the system, scores were calculated for each of the ASX 100 companies. Analysed by industry, the average industry scores — out of 10 — were as follows:

Key findings of the analysis were:

  • The IT industry has the best average score, showing their understanding of the importance of consistent cyber security processes.
  • Telecommunications and Financial Services round out the Top 3.
  • Energy, Materials (including mining) and Industrials are less mature, reflecting the reduced focus they have placed on cyber security historically.
  • Health Care is in the bottom 4, a significant concern given the sensitivity of data held.

Just 3 companies in the ASX 100 received a ‘perfect 10’ — ANZ Bank, Link Group, and Star Entertainment Group.

The VRA tool is now live in the Security Colony portal. Membership is free and any organisation can see their own score after signing up.