
ASSESSMENTS FOR CYBERSECURITY & GRC PROFESSIONALS + TOOLS

APRIL 9, 2024

Access CyberJA for many more resources


Compiled by: Richea Perry

Access ALL CyberJA Resources to enhance your Cyber-GRC Skills
Do assessments prove valuable to your business or organization's security
posture?

In this document, I cover the following topics:

1. Brief details of various types of assessments and the tools for conducting them.
2. How these assessments improve security.
3. A wider list of assessments for consideration and ways to conduct them.

Comprehensive Cybersecurity Assessments for InfoSec
Professionals

Cybersecurity Assessments Tools


Cybersecurity assessments are critical processes that help organizations identify, evaluate, and mitigate
risks to their information systems and data. There are various types of cybersecurity assessments that
InfoSec professionals should be aware of, each serving a specific purpose in bolstering an
organization's security posture. These assessments can range from vulnerability assessments to
penetration testing and compliance audits. Below is a comprehensive list of these assessments, along
with descriptions of their benefits and tools commonly used for each:

1. Vulnerability Assessment

 Description: Identifies and quantifies vulnerabilities in systems, applications, and networks.


 Benefits: Helps prioritize security efforts by focusing on critical vulnerabilities.
 Tools:
o Open Source: OpenVAS, Nikto (free to use but not open source: Nessus Essentials)
o Commercial: Qualys, Rapid7 Nexpose, Tenable.io

2. Penetration Testing (Pen Testing)

 Description: Simulates real-world attacks to identify exploitable vulnerabilities.


 Benefits: Provides a hands-on assessment of security controls and response readiness.
 Tools:
o Open Source: Metasploit Framework, Nmap (free to use but not open source: Burp Suite Community Edition)
o Commercial: Cobalt Strike, Core Impact, Rapid7 Metasploit Pro

3. Security Audit and Compliance Assessment

 Description: Evaluates adherence to regulatory requirements and internal security policies.


 Benefits: Ensures compliance with industry standards and regulations (e.g., GDPR, HIPAA).
 Tools:
o Open Source: Lynis, OpenSCAP
o Commercial: Tenable.sc (formerly SecurityCenter), Qualys Policy Compliance

4. Risk Assessment

 Description: Identifies, analyzes, and prioritizes risks to organizational assets.


 Benefits: Guides resource allocation towards mitigating high-impact risks.
 Tools:
o Open Source: OWASP Risk Assessment Framework (Microsoft Security Risk Detection, often listed here, was a hosted fuzz-testing service and is neither open source nor a risk-assessment tool)

o Commercial: RSA Archer, MetricStream, IBM OpenPages

5. Security Awareness Assessment

 Description: Assesses the effectiveness of employee security training and awareness.


 Benefits: Improves security culture and reduces human-related security risks.
 Tools:
o Simulated Phishing: KnowBe4, PhishMe (Cofense), Proofpoint
o Security Training Platforms: SANS Security Awareness (formerly Securing The Human), Infosec IQ

6. Incident Response Readiness Assessment

 Description: Evaluates an organization's ability to detect, respond to, and recover from security
incidents.
 Benefits: Identifies gaps in incident response processes and technologies.
 Tools:
o Frameworks: NIST SP 800-61, SANS Incident Handling
o Commercial: Trellix Helix (formerly FireEye Helix), IBM QRadar SOAR (formerly IBM Resilient), Splunk Enterprise Security

7. Cloud Security Assessment

 Description: Reviews cloud infrastructure and configurations for security risks.


 Benefits: Ensures secure adoption and usage of cloud services.
 Tools:
o Open Source: Cloud Security Suite, Prowler
o Commercial: Palo Alto Prisma Cloud, Skyhigh Security (formerly McAfee MVISION Cloud)

8. Mobile Application Security Assessment

 Description: Evaluates security vulnerabilities in mobile apps.


 Benefits: Ensures the security and privacy of mobile users and data.
 Tools:
o Open Source: MobSF (Mobile Security Framework), Frida
o Commercial: NowSecure, Veracode Mobile Security

9. Network Traffic Analysis and Monitoring

 Description: Monitors network traffic for signs of malicious activity or anomalies.


 Benefits: Helps detect and respond to network-based attacks.
 Tools:
o Open Source: Wireshark, Snort, Suricata
o Commercial: Cisco Stealthwatch, Darktrace, Vectra AI
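
An added example of the kind of analysis this entry describes, not code from this document or from the Suricata project: a beaconing check over Suricata eve.json flow records. Periodic connections at a near-constant interval are a classic sign of command-and-control traffic, and they are invisible to signature rules that only inspect payload. The records below are constructed (the field names follow Suricata's flow event, but the traffic is invented), and the thresholds are assumptions to tune for the environment.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Suricata's timestamp layout, e.g. ...+0000


def _flow_line(src, dst, dport, start):
    """One constructed eve.json 'flow' record with only the fields used here."""
    ts = start.strftime(TS_FMT)
    return json.dumps({
        "timestamp": ts, "event_type": "flow",
        "src_ip": src, "src_port": 51000, "dest_ip": dst, "dest_port": dport,
        "proto": "TCP",
        "flow": {"pkts_toserver": 6, "bytes_toserver": 1450, "start": ts},
    })


def build_sample():
    """Constructed traffic, not a real capture: one host checking in on a
    timer, one host browsing interactively, one pair with too few flows."""
    t0 = datetime(2024, 4, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, jitter in enumerate([0, 1, -1, 0, 2, -2, 0, 1, -1, 0, 1, -1]):
        lines.append(_flow_line("10.0.5.20", "203.0.113.7", 443,
                                t0 + timedelta(seconds=60 * i + jitter)))
    offset = 0
    for gap in [0, 5, 120, 7, 300, 40, 900, 12]:
        offset += gap
        lines.append(_flow_line("10.0.5.21", "198.51.100.9", 443,
                                t0 + timedelta(seconds=offset)))
    for s in (0, 60):
        lines.append(_flow_line("10.0.5.22", "192.0.2.4", 8443,
                                t0 + timedelta(seconds=s)))
    return lines


SAMPLE_EVE = build_sample()


def parse_flows(lines):
    """Group flow start times by (src_ip, dest_ip, dest_port); skip other
    event types (alert, dns, ...) that share the same eve.json file."""
    by_pair = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        if event.get("event_type") != "flow":
            continue
        start = datetime.strptime(event["flow"]["start"], TS_FMT)
        by_pair[(event["src_ip"], event["dest_ip"], event["dest_port"])].append(start)
    return by_pair


def find_beacons(lines, min_flows=6, max_cv=0.2, min_gap=10, max_gap=3600):
    """Flag pairs whose inter-connection gaps are unusually regular.

    cv = population stdev / mean of the gaps. Human traffic is bursty (high
    cv); a timer-driven implant, even with jitter, keeps cv low. The
    thresholds are starting points to tune, not a standard."""
    hits = []
    for (src, dst, port), starts in parse_flows(lines).items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if not (min_gap <= mean <= max_gap):
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "flows": len(starts),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_EVE):
        print(f"possible beacon {h['src']} -> {h['dst']}:{h['port']} "
              f"every ~{h['mean_gap_s']}s over {h['flows']} flows (cv={h['cv']})")
```

On the sample the timer-driven host is the only hit; the browsing host has a coefficient of variation above 1 and the two-flow pair is skipped. For real use, feed it `eve.json` line by line and raise `min_flows` so a handful of coincidental connections cannot trigger it.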

These cybersecurity assessments collectively help businesses and organizations enhance their security
posture by proactively identifying and addressing vulnerabilities, ensuring compliance with
regulations, improving incident response capabilities, and fostering a security-aware culture. The
choice of tools largely depends on the specific assessment type, organizational needs, budget, and
expertise.

For InfoSec professionals, staying informed about the latest assessment methodologies and tools is
crucial to effectively manage cybersecurity risks and protect organizational assets. Regular
assessments and continuous improvement based on assessment findings are key components of a
robust cybersecurity strategy.

GRC Assessments Tools


Governance, Risk, and Compliance (GRC) assessments are critical for organizations to evaluate their
information security posture, identify vulnerabilities, and ensure compliance with regulations and
internal policies. InfoSec professionals should be well-versed in conducting various types of
assessments to strengthen their organization's security posture. Below are comprehensive types of
GRC assessments, their benefits, and tools commonly used to conduct them:

1. Governance Assessments

 Description: Evaluates the effectiveness of governance structures, policies, and procedures.


 Benefits: Ensures alignment of security objectives with business goals and regulatory
requirements.
 Tools:
o Open-Source: None specifically; often conducted through manual audits.
o Commercial: RSA Archer, MetricStream, ServiceNow GRC.

2. Risk Assessments

 Description: Identifies and analyzes potential risks to assets, operations, and data.
 Benefits: Helps prioritize security efforts and resource allocation based on risk exposure.
 Tools:
o Open-Source: no widely adopted open-source risk-register product; teams usually work from spreadsheets built on the NIST SP 800-30 or ISO/IEC 27005 process, with the Open Risk (open-risk.org) material as a reference. (RiskWatch, sometimes listed here, is commercial; OpenRA is a game engine, not a risk tool.)
o Commercial: RSA Archer, Qualys Risk Management, IBM OpenPages.

3. Compliance Assessments

 Description: Verifies adherence to regulatory requirements and industry standards.


 Benefits: Mitigates legal and regulatory risks, avoids fines, and maintains trust with
stakeholders.
 Tools:
o Open-Source: Lynis, OpenSCAP.
o Commercial: Tripwire, Qualys Compliance, McAfee Policy Auditor.

4. Security Assessments

 Description: Evaluates the effectiveness of technical security controls and defenses.

 Benefits: Identifies vulnerabilities and weaknesses in systems and applications.
 Tools:
o Open-Source: Nmap, OpenVAS, Nikto, Metasploit.
o Commercial: Nessus, Qualys Vulnerability Management, Rapid7 InsightVM.

5. Privacy Impact Assessments (PIA)

 Description: Assesses the impact of information processing systems on individual privacy.


 Benefits: Ensures compliance with data protection laws (e.g., GDPR, CCPA).
 Tools:
o Open-Source: None specifically; often conducted through manual audits.
o Commercial: OneTrust, TrustArc.

6. Business Continuity and Disaster Recovery (BCDR) Assessments

 Description: Evaluates readiness to respond to and recover from disruptions.


 Benefits: Ensures business operations can be quickly restored after incidents.
 Tools:
o Open-Source: None specifically; often conducted through manual audits.
o Commercial: IBM QRadar SOAR (formerly IBM Resilient), Datto, Zerto.

7. Third-Party Risk Assessments

 Description: Evaluates security posture of vendors and partners.


 Benefits: Minimizes supply chain risks and ensures third-party compliance.
 Tools:
o Open-Source: None specifically; often conducted through manual audits.
o Commercial: RSA Archer, BitSight, SecurityScorecard.

Tools for Conducting Assessments

 Open-Source Tools:
o Nmap: Network scanning and enumeration.
o OpenVAS: Vulnerability scanning and management.
o Metasploit: Penetration testing framework.
o Lynis: System and security auditing.
o OpenSCAP: Security compliance checking.
o Open Risk (open-risk.org): open risk-analysis framework and reference material.
 Commercial Tools:
o RSA Archer: Comprehensive GRC platform.
o Qualys Suite: Vulnerability management and compliance.
o IBM OpenPages: Risk and compliance management.
o ServiceNow GRC: Governance and risk management.
o McAfee Policy Auditor: Compliance auditing and reporting.
o Nessus: Vulnerability scanning and management.

Choosing the right tools depends on specific needs, budget, and integration requirements. InfoSec
professionals should also consider the scalability, reporting capabilities, and vendor support when
selecting GRC assessment tools. Regular assessments and audits based on these frameworks and tools
are crucial for maintaining a robust security posture and regulatory compliance within organizations.

Further Reading / Info

InfoSec professionals play a critical role in safeguarding organizations from cyber threats. To achieve
this, they have a diverse toolkit of assessments at their disposal. Here's a breakdown of various types,
along with benefits and potential tools (both open-source and commercial):

1. Vulnerability Assessments (VAs):

 Description:
These assessments identify weaknesses in systems, applications, and networks that attackers
can exploit. A VA relies on automated scanning with a vulnerability scanner, followed by
manual validation to weed out false positives; unlike a penetration test (next section) it
does not attempt to exploit what it finds.


 Benefits:
o Proactively identify security holes to patch them before attackers find
them.
o Prioritize vulnerabilities based on severity and exploitability.
 Tools (Open-Source):
o OpenVAS: A free and open-source vulnerability scanner that can identify
a wide range of vulnerabilities in various systems.
(https://www.openvas.org/)
o Nessus Essentials: The free tier of Tenable's Nessus scanner, with the
same large plugin library (free to use, not open source; limited to 16 IP
addresses and without the commercial compliance checks).
(https://community.tenable.com/s/article/Nessus-Essentials)
 Tools (Commercial):
o Qualys Vulnerability Management Platform: A cloud-based platform
offering comprehensive vulnerability assessment, prioritization, and
remediation capabilities. (https://www.qualys.com/community-
edition/)
o Rapid7 Nexpose: An on-premises or cloud-based vulnerability
management solution with advanced features like asset discovery and
risk scoring. (https://www.rapid7.com/products/nexpose/)
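
As an added worked example (not code from this document or from any scanner vendor), here is the prioritization step that both this section and the vulnerability assessment entry in the first list describe: ranking scanner findings by severity, exploitability and asset context rather than by raw CVSS alone. The CSV rows are constructed in a Nessus-style column layout (an assumption; real exports carry more columns and the names vary by version), the asset inventory is hypothetical, and the weighting factors are illustrative choices, not a standard.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample rows in a Nessus-style CSV layout (assumption: real
# exports use more columns and names vary by version). Not real scan data.
SAMPLE_CSV = """Host,Plugin ID,CVSS v3.0 Base Score,Risk,Name,Exploit Available
10.0.1.5,12345,9.8,Critical,Apache Struts Remote Code Execution,true
10.0.1.5,23456,5.3,Medium,SSL Certificate Cannot Be Trusted,false
10.0.2.9,34567,7.5,High,OpenSSH Denial of Service,false
10.0.2.9,45678,8.8,High,SMB Signing Not Required,true
10.0.3.1,56789,9.1,Critical,Legacy Admin App Deserialization RCE,false
10.0.3.1,67890,0.0,Info,Nessus Scan Information,false
"""

# Hypothetical asset inventory: exposure and business criticality normally
# come from a CMDB or cloud inventory, never from the scanner itself.
ASSET_CONTEXT = {
    "10.0.1.5": {"internet_facing": True, "criticality": "high"},
    "10.0.2.9": {"internet_facing": False, "criticality": "high"},
    "10.0.3.1": {"internet_facing": False, "criticality": "low"},
}


@dataclass
class Finding:
    host: str
    plugin_id: str
    cvss: float
    name: str
    exploit_available: bool


def parse_findings(csv_text):
    """Read scanner rows, dropping informational plugins (CVSS 0)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(row["CVSS v3.0 Base Score"] or 0)
        if cvss == 0.0:
            continue
        findings.append(Finding(
            host=row["Host"],
            plugin_id=row["Plugin ID"],
            cvss=cvss,
            name=row["Name"],
            exploit_available=row["Exploit Available"].strip().lower() == "true",
        ))
    return findings


def priority_score(finding, context):
    """Weight raw CVSS by exploitability and asset context.

    The multipliers are illustrative assumptions, not a published standard;
    the point is that a 9.1 on an isolated low-value host can rank below an
    8.8 with a public exploit on a crown-jewel server.
    """
    ctx = context.get(finding.host, {"internet_facing": False, "criticality": "low"})
    score = finding.cvss
    if finding.exploit_available:
        score *= 1.5   # public exploit: 'possible' becomes 'likely'
    if ctx["internet_facing"]:
        score *= 1.3   # reachable without an internal foothold
    if ctx["criticality"] == "high":
        score *= 1.2   # business impact if it is exploited
    return round(score, 2)


def rank_findings(csv_text, context=ASSET_CONTEXT):
    """Return (host, plugin_id, score, name) tuples, highest priority first."""
    findings = parse_findings(csv_text)
    ranked = sorted(findings, key=lambda f: priority_score(f, context), reverse=True)
    return [(f.host, f.plugin_id, priority_score(f, context), f.name) for f in ranked]


if __name__ == "__main__":
    for host, plugin, score, name in rank_findings(SAMPLE_CSV):
        print(f"{score:6.2f}  {host:<10} {plugin}  {name}")
```

Run it and the 8.8 SMB finding with a public exploit on a high-value server outranks the 9.1 on an isolated low-value host. For real use, replace the two hypothetical inputs with the organization's CMDB data and an exploit feed such as CISA's Known Exploited Vulnerabilities catalog.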

2. Penetration Testing (Pen Testing):

 Description:
Pen testing simulates a cyberattack to identify exploitable vulnerabilities and assess the
effectiveness of security controls. An external test is run from outside the network
perimeter (the Internet attacker's view); an internal test starts from inside the network,
simulating a compromised workstation or a malicious insider.


 Benefits:
o Provides an in-depth view of an organization's security posture from an
attacker's perspective.
o Helps validate the effectiveness of existing security controls.
 Tools (Open-Source):
o Kali Linux: A Linux distribution specifically designed for penetration
testing, pre-loaded with various security tools.
(https://www.kali.org/get-kali/)
o Metasploit Framework: A powerful open-source framework for
developing, testing, and executing exploit code.
(https://www.metasploit.com/)
 Tools (Commercial):
o Cobalt Strike: A commercial pen testing framework known for its
advanced adversary simulation capabilities.
(https://www.cobaltstrike.com/)
o Breach & Attack Simulations (BAS) platforms: These platforms automate
penetration testing processes and provide repeatable attack scenarios.
(Various vendors offer BAS solutions)

3. Wireless Network Assessments:

 Description:
These assessments evaluate the security of wireless networks for unauthorized access points,
weak encryption protocols, and misconfigurations.


 Benefits:
o Ensure secure wireless connectivity to prevent data breaches and
unauthorized access.
o Identify and address vulnerabilities in wireless network configurations.
 Tools (Open-Source):
o Kismet Wireless Network Detector: A free and open-source tool for
detecting wireless networks and analyzing their traffic.
(https://www.kismetwireless.net/docs/api/wifi_scanningmode/)
o aircrack-ng: A suite of tools for wireless network security assessments,
including capturing WPA/WPA2 handshakes, cracking pre-shared keys, and
packet injection. (https://www.aircrack-ng.org/doku.php?id=cracking_wpa)
 Tools (Commercial):
o AirMagnet WiFi Analyzer: A comprehensive suite for wireless network
security assessments, offering features like rogue access point detection
and traffic analysis. (https://www.flukenetworks.com/blog/cabling-
chronicles/fluke-networks-offers-new-wireless-bundle)
o Network Instruments Observer: A network performance monitoring and
troubleshooting tool that also offers wireless security assessment
capabilities. (https://www.viavisolutions.com/en-
us/ptv/solutions/performance-management-and-security)

4. Security Configuration Assessments:

 Description:
These assessments analyze the configuration of systems, applications, and network devices to
ensure they are secure and meet best practices.


 Benefits:
o Identify misconfigurations that could lead to vulnerabilities and ensure
consistent security settings across the organization.
o Improve overall system stability and performance by enforcing secure
configurations.
 Tools (Open-Source):
o OpenSCAP: An open-source SCAP scanner that evaluates a system against
XCCDF/OVAL security baselines (such as the SCAP Security Guide profiles for
CIS, DISA STIG and PCI DSS) and can also check for known vulnerabilities
using OVAL definitions. (https://www.open-scap.org/)
o CIS-CAT (Configuration Assessment Tool): The Center for Internet
Security (CIS) tool that assesses system configurations against the CIS
Benchmarks. CIS-CAT Lite is free but covers only a few benchmarks; CIS-CAT
Pro requires a CIS SecureSuite membership and is not open source.
(https://www.cisecurity.org/)
 Tools (Commercial):
o Tripwire Enterprise: A commercial solution for configuration
management and change detection, helping
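
An added example (not code from this document, OpenSCAP or CIS) of what the practitioner does after the scan: parse the XCCDF results file that `oscap xccdf eval --results results.xml ...` writes, list the failed rules by severity with their titles, and turn the outcome into a pass/fail gate for a pipeline. The XML below is a constructed, trimmed result document in that file's shape; the benchmark, rule ids and outcomes are invented, and the rule ids only imitate the SCAP Security Guide naming convention.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed, trimmed XCCDF 1.2 result document in the shape produced by
# `oscap xccdf eval --results`: the Benchmark's Rules followed by one
# TestResult. Rule ids imitate the SCAP Security Guide naming convention but
# the benchmark, profile and outcomes are invented for this example.
SAMPLE_RESULTS = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2"
           id="xccdf_org.example.content_benchmark_demo">
  <Group id="xccdf_org.example.content_group_ssh">
    <Rule id="xccdf_org.example.content_rule_sshd_disable_root_login" severity="medium">
      <title>Disable SSH Root Login</title>
    </Rule>
    <Rule id="xccdf_org.example.content_rule_sshd_disable_empty_passwords" severity="high">
      <title>Disable SSH Access via Empty Passwords</title>
    </Rule>
  </Group>
  <Rule id="xccdf_org.example.content_rule_package_telnet_removed" severity="high">
    <title>Uninstall telnet Package</title>
  </Rule>
  <Rule id="xccdf_org.example.content_rule_file_permissions_etc_shadow" severity="medium">
    <title>Verify Permissions on /etc/shadow</title>
  </Rule>
  <Rule id="xccdf_org.example.content_rule_grub2_password" severity="high">
    <title>Set Boot Loader Password</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_demo">
    <profile idref="xccdf_org.example.content_profile_hardening"/>
    <target>host01.example.internal</target>
    <rule-result idref="xccdf_org.example.content_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example.content_rule_sshd_disable_empty_passwords" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example.content_rule_package_telnet_removed" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example.content_rule_file_permissions_etc_shadow" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example.content_rule_grub2_password" severity="high">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">66.666667</score>
  </TestResult>
</Benchmark>
"""


def q(tag):
    """Namespace-qualify an XCCDF element name for ElementTree."""
    return f"{{{XCCDF_NS}}}{tag}"


def summarize_xccdf(xml_text):
    """Turn a results file into outcome counts, a severity-ordered list of
    failed rules (with human-readable titles) and the overall score."""
    root = ET.fromstring(xml_text)
    titles = {}
    for rule in root.iter(q("Rule")):          # Rules may sit inside Groups
        title = rule.find(q("title"))
        titles[rule.get("id")] = title.text if title is not None else rule.get("id")

    test_result = root.find(q("TestResult"))
    if test_result is None:
        raise ValueError("no TestResult element; was the scan run with --results?")

    counts = Counter()
    failed = []
    for rr in test_result.findall(q("rule-result")):
        outcome = rr.findtext(q("result"), default="unknown")
        counts[outcome] += 1
        if outcome == "fail":
            rule_id = rr.get("idref")
            failed.append({"id": rule_id,
                           "severity": rr.get("severity", "unknown"),
                           "title": titles.get(rule_id, rule_id)})
    failed.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 4), f["id"]))

    profile = test_result.find(q("profile"))
    score = test_result.find(q("score"))
    return {
        "target": test_result.findtext(q("target")),
        "profile": profile.get("idref") if profile is not None else None,
        "score": round(float(score.text), 1) if score is not None else None,
        "counts": dict(counts),
        "failed": failed,
    }


def gate(summary, max_high_failures=0):
    """Pipeline decision: by default any failed 'high' rule blocks the build."""
    high = sum(1 for f in summary["failed"] if f["severity"] == "high")
    return high <= max_high_failures


if __name__ == "__main__":
    s = summarize_xccdf(SAMPLE_RESULTS)
    print(f"{s['target']} profile={s['profile']} score={s['score']} {s['counts']}")
    for f in s["failed"]:
        print(f"  FAIL [{f['severity']}] {f['title']} ({f['id']})")
    print("gate:", "pass" if gate(s) else "BLOCK")
```

Replace `SAMPLE_RESULTS` with the contents of a real results file to use it; the `gate` threshold is where the organization's tolerance for configuration drift is encoded, and a `notapplicable` or `notchecked` outcome is deliberately not counted as a pass.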

GRC Assessments for InfoSec Professionals

While Vulnerability Assessments and Penetration Testing are crucial for InfoSec
professionals, a holistic approach to security requires Governance, Risk, and
Compliance (GRC) assessments. These assessments evaluate an organization's overall
security posture, considering not just technical controls but also governance
frameworks and compliance requirements.

Here's a breakdown of various types of GRC assessments:

1. Risk Assessments:

 Description:
The foundation of GRC, risk assessments identify potential threats, analyze their likelihood and
impact, and prioritize them based on risk level. This helps inform decisions about security
controls and resource allocation.


 Benefits:
o Allocate resources effectively to address the most critical risks.
o Develop mitigation plans to reduce the impact of potential security
incidents.
o Improve decision-making by providing a data-driven understanding of
the security landscape.

 Tools (Open-Source):

o Open-Risk (open-risk.org): An open-source framework for managing and
analyzing enterprise risks.
 Tools (Commercial):
o RiskWatch: A cloud-based platform for managing enterprise risks,
including IT security risks. (https://www.riskwatch.com/)
o MetricStream: A comprehensive GRC platform offering features for risk
management, compliance management, and internal audit.
(https://www.metricstream.com/)
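
A worked example of the scoring this section and the earlier risk assessment entries describe, added here and not taken from the document or from any of the products named: a qualitative five-by-five matrix that scores each register entry for inherent risk (likelihood times impact), credits existing controls to get a residual score, and marks anything above the stated risk appetite for treatment. The register entries, the control-effectiveness figures and the band thresholds are constructed for illustration; the five adjectives are the ones NIST SP 800-30 uses for likelihood and impact.

```python
# Qualitative five-level scale as used in many risk matrices (NIST SP 800-30
# uses the same five adjectives for likelihood and impact).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
BANDS = ["Low", "Medium", "High", "Critical"]

# Constructed risk register (hypothetical entries, not from the document).
# control_effectiveness is the fraction by which existing controls reduce
# likelihood, an assumption supplied by the control owner.
RISK_REGISTER = [
    {"id": "R-01", "asset": "Customer database",
     "threat": "SQL injection through the public web app",
     "likelihood": "high", "impact": "very high", "control_effectiveness": 0.5},
    {"id": "R-02", "asset": "Laptop fleet",
     "threat": "Lost or stolen device with local data",
     "likelihood": "very high", "impact": "moderate", "control_effectiveness": 0.8},
    {"id": "R-03", "asset": "Build pipeline",
     "threat": "Compromised third-party dependency",
     "likelihood": "moderate", "impact": "high", "control_effectiveness": 0.0},
    {"id": "R-04", "asset": "Office printers",
     "threat": "Default administrative credentials",
     "likelihood": "high", "impact": "low", "control_effectiveness": 0.0},
]


def band(score):
    """Map a 1..25 likelihood x impact product onto a rating band."""
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def inherent_score(risk):
    """Risk before any control is credited."""
    return LEVELS[risk["likelihood"]] * LEVELS[risk["impact"]]


def residual_score(risk):
    """Controls reduce likelihood; impact is unchanged if the event occurs.
    Residual likelihood never drops below 1 (no control is perfect)."""
    likelihood = LEVELS[risk["likelihood"]] * (1 - risk["control_effectiveness"])
    return max(1, round(likelihood)) * LEVELS[risk["impact"]]


def prioritize(register, appetite="Medium"):
    """Rank by residual risk and mark anything above the stated appetite
    for treatment. Ties are broken by inherent risk."""
    rows = []
    for risk in register:
        inherent, residual = inherent_score(risk), residual_score(risk)
        rating = band(residual)
        needs_treatment = BANDS.index(rating) > BANDS.index(appetite)
        rows.append({
            "id": risk["id"], "asset": risk["asset"],
            "inherent": inherent, "residual": residual, "rating": rating,
            "treatment": "Treat" if needs_treatment else "Accept and monitor",
        })
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


if __name__ == "__main__":
    for r in prioritize(RISK_REGISTER):
        print(f"{r['id']} {r['asset']:<18} inherent={r['inherent']:>2} "
              f"residual={r['residual']:>2} {r['rating']:<8} {r['treatment']}")
```

The point the output makes is that ranking on inherent risk alone would put the customer database first, while crediting its existing controls moves the uncontrolled supply-chain risk to the top of the treatment list; the laptop risk, heavily controlled, drops below the appetite line and is accepted with monitoring.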

2. Compliance Assessments:

 Description:
These assessments evaluate an organization's adherence to relevant industry regulations (e.g.,
HIPAA, PCI DSS) or internal security policies.


 Benefits:
o Ensure compliance with regulations to avoid legal penalties and
reputational damage.
o Identify gaps in security controls that could lead to compliance
violations.
o Demonstrate a commitment to data security and privacy to
stakeholders.
 Tools (Open-Source):
o Many industry-specific compliance frameworks provide self-assessment
tools (e.g., the HHS Security Risk Assessment (SRA) Tool for HIPAA).
 Tools (Commercial):
o Numerous commercial tools are available depending on the specific
compliance standard. (e.g., PCI DSS compliance management platforms)

3. Security Posture Assessments (SPAs):

 Description: These assessments provide a high-level overview of an organization's overall
security posture, encompassing vulnerabilities, configuration issues, and compliance gaps.


 Benefits:
o Offer a comprehensive view of security strengths and weaknesses to
prioritize remediation efforts.
o Help benchmark an organization's security posture against industry
standards.
o Identify areas for improvement across different security domains.
 Tools (Open-Source): (Typically involve combining outputs from individual assessments
mentioned above.)
 Tools (Commercial):
o SecurityScorecard: Provides a security ratings platform that allows
organizations to benchmark their security posture against industry
peers. (https://securityscorecard.com/)
o BitSight Security Ratings: Offers security ratings based on an
organization's external security posture, including vulnerabilities and
misconfigurations. (https://www.bitsight.com/)

How GRC Assessments Improve Security:

 Proactive Approach: By identifying risks and compliance gaps, organizations
can take steps to mitigate them before they become security incidents.
 Informed Decision-Making: Assessments provide data-driven insights to
prioritize security investments and resource allocation.
 Improved Compliance: Regular assessments ensure adherence to regulations,
reducing the risk of fines and legal issues.
 Continuous Improvement: Assessments provide a baseline for measuring
progress and identifying areas for ongoing improvement.

Remember: The specific assessments used will depend on the organization's size, industry, and risk
profile. By incorporating a combination of these assessments, InfoSec professionals can build a robust
security program and create a more secure environment.
