
RiskRater: An IT-security test that no one fails

Three minutes. That's it. Take the RiskRater challenge. You could save yourself, your fellow employees, and family members from a costly Internet oops.

Ask yourself: how sure am I that fellow employees and family members can fend off phishing or social engineering attacks; how sure am I that their computers are correctly prepared to keep them safe while traversing the internet; or, how sure am I those "can't live without" smartphones they own are okay attaching to public or company Wi-Fi networks?

If those questions strike a chord, I have 18 more I'd like you to look at.


People at Rapid7, purveyor of security-testing tools Nexpose, Mobilisafe, and H.D. Moore's all-powerful Metasploit, understand the angst. They know how difficult it is for everyone — from IT professionals responsible for hundreds, or even thousands of users, to people owning one personal computing device — to keep current with the epidemic of malicious attacks and vulnerabilities sweeping the Internet.

To help bridge the ever-widening knowledge gap, Rapid7 devised and built RiskRater, an 18-question, interactive assessment tool that focuses on what are currently regarded as the most vulnerable categories of Internet computing:

"Essentially, RiskRater is a straightforward grading tool focused on security. It poses a number of questions for each of the categories, and calculates a score from 1-10 based on the answers. The scoring is determined using an algorithm, and then mapped against benchmarks for the three categories."

RiskRater2.jpg

The above slide shows the results from my taking RiskRater. The following slide shows an additional feature of RiskRater. When you click on "View Details" for one of the categories, the assessment tool explains why answering "yes" to the question is important. In my case, RiskRater explains why it is necessary to keep operating systems up to date.

RiskRater3.jpg

That's what I gleaned from the website, but I was concerned it might be more market-speak than anything. So, I contacted Rapid7. Jen Ellis, Director of Communications, introduced me to Roy Hodgman, Senior Software Engineer at Rapid7. Jen told me Roy helped create the threat model and the algorithm driving RiskRater.


To begin, I asked Roy what Rapid7 was trying to accomplish with RiskRater:

"The questions in RiskRater are specifically designed for those operating in the IT-security function of an organization. We wanted to help them get a snapshot of their security program across three critical categories — Endpoint Security, User-based Risk, and Mobile Security. We identified these areas of criticality as being top priorities based on our own knowledge, customer feedback, and security protocols."

The website mentioned that Rapid7 worked with over 600 organizations when fine-tuning RiskRater. I asked Roy what role the organizations actually played:

"First, we created the questions and algorithm for RiskRater, then we surveyed our database. Next, we asked organizations to answer the questions in RiskRater. From their responses, we were able to create benchmark scores across industries and geographies, meaning once RiskRater was launched, organizations could see not only where they ranked against Rapid7's scoring algorithm, but also against a group of their peers."

Roy mentioned earlier that RiskRater was specifically created for IT-security professionals. So, I asked Roy about the job titles of those who responded. They were:

  • Security architect

  • CIO

  • CISO

  • Information-security analyst

  • IT director

  • IT-security engineer

  • Security administrator

  • Security consultant

  • Systems engineer

To be honest, I was having a hard time understanding why Rapid7 wanted to focus on IT-security professionals. I asked several colleagues, who are bona fide IT-security pros, what they thought about the questions. All were fully aware of their significance, adding they already recommend what RiskRater suggested as proper security practices.  

Roy explained the error in my reasoning:

"When we talk to people who are purchasing, installing, supporting, and otherwise managing the tools providing services covered in RiskRater, they have differing opinions of the services' importance and feasibility given time, employee, and budgetary constraints.

"The feedback you've received highlights that everyone is aware of the importance of these areas, but that's where it stops. Few people are doing a good job managing all of them. RiskRater is designed to help security professionals focus on what will have the most impact based on where they currently stand."

So, now the question begging to be asked is how did the 600 do? The average score for each of the categories was:

  • Endpoint Security: 7

  • User-based Risk: 5

  • Mobile Security: 3

Definitely not what I expected based on the comments made by my colleagues, but the results supported Roy's explanation. I'm realizing now RiskRater is not about knowing what should be done, but truthfully answering what the company or individual is willing to do.

The importance of RiskRater was also becoming clear to me. So I asked Roy: if he had the attention of every person who traversed the Internet, what would he say to convince them to try RiskRater? Here's his response:

"Your time is valuable and security is a huge complex challenge. We realize RiskRater isn't going to solve it for you, but spending three minutes on RiskRater might help you get a sense of how well your security system stacks up against the threats we see today. It may also help you direct your limited time and resources to the areas of security that most deserve your attention."

My last question is one I promised TechRepublic members I would ask whenever personal information is required to get something — in this case, RiskRater test results from Rapid7. Roy, can I have your guarantee that this is not a marketing gimmick to get information from people for future Rapid7 marketing campaigns?

Roy passed this question to Jen:

"Anyone who signs up for our free tools gets added to our database, but the responses to the 18 questions used to evaluate the effectiveness of your security programs are submitted and stored anonymously as mentioned in the User Agreement. You won't get a call from us saying 'we see you have no mobile risk management solution in place' or anything of the sort."

Final thoughts

I started out saying that no one fails this test, and I still believe that. Getting a zero in all three categories of RiskRater is still light years better than not understanding where your computers stand security-wise.

Thank you Jen Ellis, Roy Hodgman, and Rapid7 for seeing a need, doing something about it, and helping with this post. 

