RISKRECON RELEASE NOTE
March 10, 2019
RELEASE NAME: High Value System Encryption Assessment
AVAILABILITY DATE: October 17, 2019
LICENSE REQUIREMENTS: Available to all Customers
Abstract
On October 30, 2019 RiskRecon intends to release a new security assessment criterion that identifies high value web servers that do not implement encryption. High value web servers are those identified by RiskRecon as processing sensitive data or providing sensitive functionality. RiskRecon is applying this criterion to high value systems only because it is in those systems that encryption is specifically required to protect sensitive data in transit and to give system users high assurance of the system's authenticity. Encryption is less important for brochure sites, which are intentionally excluded from assessment, because no sensitive data is at risk there.
This new criterion represents another example of RiskRecon's expanding value proposition, enabling you to easily understand and act on your risk by automatically verifying compliance with your security risk requirements.
Background
Encryption of sensitive data in transit across untrusted networks is a critically important security control. It prevents unauthorized access to data in transit and gives clients a strong method for authenticating the identity of the system, reducing exposure to fraud. While encryption of brochure sites is useful, its risk benefit pales in comparison to that of systems that process sensitive data.
RiskRecon is combining its unique, powerful capabilities to automatically assess compliance to this important control requirement: sensitive data is encrypted in transit across untrusted networks. These capabilities are:
Assessment Criterion
The High Value System Encryption assessment criterion automatically validates that systems that collect sensitive data are encrypting that data in transit. In this criterion RiskRecon intentionally ignores brochure sites and parked domains, because a lack of encryption in that class of systems does not represent material risk.
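The check the criterion describes, a system that collects sensitive data but does not encrypt it in transit, can be illustrated with a small page-level test. The following is an added example and is not RiskRecon's own code or methodology: it parses a page's HTML forms, treats password fields and a few assumed field-name hints as "sensitive data", resolves each form's submit URL, and flags a form either when it submits over plaintext HTTP or when the page carrying the form was itself delivered over plaintext HTTP (in which case the form can be altered in transit, so the user has no assurance of the system's authenticity even if the action points at an https URL). The sample pages and the www.example.test hostname are constructed for the example.

```python
"""Flag forms that collect sensitive data without TLS protection.

Added illustration, not RiskRecon's own code. The sensitive-field
heuristics and the sample pages below are constructed assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristics for "sensitive data": password inputs plus field
# names that usually carry credentials, card data or identifiers.
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("pass", "card", "ccnum", "cvv", "ssn", "account")


class FormCollector(HTMLParser):
    """Collect each <form>'s action and the <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({
                "type": (a.get("type") or "text").lower(),
                "name": (a.get("name") or "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(field):
    """Heuristic: password inputs or names hinting at secrets/identifiers."""
    if field["type"] in SENSITIVE_TYPES:
        return True
    return any(hint in field["name"] for hint in SENSITIVE_NAME_HINTS)


def assess_page(page_url, html):
    """Return one finding per form: where it submits, which fields are
    sensitive, and why (if at all) it fails the encryption-in-transit check.

    A relative action inherits the page's scheme via urljoin, so a form on
    an http page with action="/login" submits in the clear.
    """
    page_https = urlsplit(page_url).scheme == "https"
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        submit_url = urljoin(page_url, form["action"])
        sensitive = [f["name"] or f["type"] for f in form["inputs"] if is_sensitive(f)]
        reasons = []
        if urlsplit(submit_url).scheme != "https":
            reasons.append("form submits over plaintext HTTP")
        if not page_https:
            reasons.append("form delivered over plaintext HTTP (page can be altered in transit)")
        findings.append({"submit_url": submit_url,
                         "sensitive_fields": sensitive,
                         "reasons": reasons})
    return findings


def high_value_unencrypted(page_url, html):
    """True when any form collecting sensitive data fails the check."""
    return any(f["sensitive_fields"] and f["reasons"]
               for f in assess_page(page_url, html))


# Constructed sample pages (not real sites).
LOGIN_RELATIVE_ACTION = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

LOGIN_POSTING_TO_HTTPS = """
<form action="https://secure.example.test/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

BROCHURE_NEWSLETTER = """
<form action="/subscribe" method="post">
  <input type="email" name="email">
</form>
"""

if __name__ == "__main__":
    cases = [
        ("login form on http page", "http://www.example.test/", LOGIN_RELATIVE_ACTION),
        ("login form on https page", "https://www.example.test/", LOGIN_RELATIVE_ACTION),
        ("http page posting to https", "http://www.example.test/", LOGIN_POSTING_TO_HTTPS),
        ("newsletter form on brochure site", "http://www.example.test/", BROCHURE_NEWSLETTER),
    ]
    for label, url, page in cases:
        print(f"{label}: flagged={high_value_unencrypted(url, page)}")
        for finding in assess_page(url, page):
            print("   ", finding)
```

The newsletter form is not flagged even though it is served over plain HTTP, which mirrors the criterion's intent of excluding brochure-style pages where no sensitive data is at risk; what counts as sensitive is the assumed heuristic above, and a real assessment would need a far richer classifier than a handful of field names.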
The High Value System Encryption criterion is a member of the Web Application Security domain.
Expanding the Web Application Security summary reveals the criterion details.
Expected Issue Prevalence
Based on analysis of millions of web servers, 4.3% of all web servers that collect or transmit sensitive data do not encrypt communications.
Pre-Release Assessment Information
RiskRecon has a database of all web servers that transmit or collect sensitive data but do not encrypt communications. If you would like visibility into this data in advance of its release to the portal, please request the information from your customer success manager. Alternatively, reach out to support at support@riskrecon.com or through the chat feature in the RiskRecon portal.
Customer Support
You can learn more about this and other RiskRecon functionality through the support center, accessible from the RiskRecon portal. There you will find additional documentation and user videos. You are always encouraged to contact us directly through support@riskrecon.com or through the chat feature in the RiskRecon portal.