RISKRECON RELEASE NOTE
May 10, 2020
Release Name: Risk Priority Matrix Update – Network Filtering and HTTP Headers
Availability Date: Immediately
License Requirements: Available to all Customers
Summary
RiskRecon is pleased to announce that the Network Filtering and HTTP Security Header criteria have been folded into the full capabilities of the RiskRecon platform. Issues of these criteria are now part of the Risk Priority Matrix. Additionally, the related findings are included in the Summary and Detailed reports. These criteria are also now part of the Risk Policy, enabling you to include them in your Action Plans.
Please take a moment to review your risk policy configuration to ensure that you have the desired scope of Network Filtering and HTTP Security Header issues included in your action plan policies.
Increase in Count of Issues in the Risk Priority Matrix
The inclusion of Network Filtering and HTTP Security Header findings increases the number of issues shown in the Risk Priority Matrix. While most organizations have very few Network Filtering issues, most do have a significant number of missing HTTP security headers.
HTTP Security Header Issues
Most companies have many systems missing important HTTP security headers. As such, the number of issues shown in the Risk Priority Matrix has increased significantly. RiskRecon rates all HTTP security header issues as “Low” severity. In the example shown below, the assessed company has 51 systems missing one or more important HTTP security headers.
The Risk Priority Matrix now reflects the 51 systems with missing HTTP security headers. They are all shown as Low severity issues, distributed based on asset value.
Network Filtering Issues
RiskRecon rates Internet-accessible IoT devices and unsafe network services at severities ranging from “Medium” to “Critical”. In the example below, the assessed organization is exposing three MySQL services, rated as “Critical” severity, and one Point-to-Point Tunneling service, rated as “High” severity.
These issues are reflected in the Risk Priority Matrix based on the two dimensions of issue severity and asset value, as shown below.
You can now configure your Risk Policy to set the scope of HTTP Security Header issues and Network Filtering issues that you include in the action plans you share internally and with your vendors. In the example shown below, the Risk Policy is configured to include all Network Filtering issues and only those HTTP Security Header issues for assets rated as “High” value.
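To make the two ideas above concrete, the following is an added illustration (not RiskRecon code) of how findings distribute across the severity-by-asset-value matrix and how a policy scope like the one described narrows them into an action plan. The findings, the policy shape and all field names are constructed assumptions, not RiskRecon's data model.

```python
# Added example: models the Risk Priority Matrix (severity x asset value) and a
# Risk Policy scope. Field names, policy format and sample findings are all
# constructed for illustration; they are not RiskRecon's real schema.
from collections import Counter

ASSET_VALUES = ("Low", "Medium", "High")  # ordered low -> high

# Constructed sample findings mirroring the release note's example:
# three exposed MySQL services (Critical), one PPTP service (High),
# and several systems missing HTTP security headers (always Low).
FINDINGS = [
    {"criterion": "Network Filtering", "issue": "MySQL exposed", "severity": "Critical", "asset_value": "High"},
    {"criterion": "Network Filtering", "issue": "MySQL exposed", "severity": "Critical", "asset_value": "Medium"},
    {"criterion": "Network Filtering", "issue": "MySQL exposed", "severity": "Critical", "asset_value": "Low"},
    {"criterion": "Network Filtering", "issue": "PPTP exposed", "severity": "High", "asset_value": "Medium"},
    {"criterion": "HTTP Security Header", "issue": "missing header", "severity": "Low", "asset_value": "High"},
    {"criterion": "HTTP Security Header", "issue": "missing header", "severity": "Low", "asset_value": "Medium"},
    {"criterion": "HTTP Security Header", "issue": "missing header", "severity": "Low", "asset_value": "Low"},
]

# Hypothetical policy shape: per criterion, the minimum asset value that puts a
# finding in scope; None means "include every asset value" for that criterion.
# A criterion absent from the policy is out of scope entirely.
POLICY = {"Network Filtering": None, "HTTP Security Header": "High"}


def priority_matrix(findings):
    """Count findings per (severity, asset_value) cell of the matrix."""
    return Counter((f["severity"], f["asset_value"]) for f in findings)


def in_scope(finding, policy=POLICY):
    """Apply the policy threshold for the finding's criterion."""
    if finding["criterion"] not in policy:
        return False
    threshold = policy[finding["criterion"]]
    if threshold is None:
        return True
    return ASSET_VALUES.index(finding["asset_value"]) >= ASSET_VALUES.index(threshold)


def action_plan(findings, policy=POLICY):
    """Findings that the configured Risk Policy puts into the action plan."""
    return [f for f in findings if in_scope(f, policy)]


if __name__ == "__main__":
    for cell, n in sorted(priority_matrix(FINDINGS).items()):
        print(f"severity={cell[0]:<8} asset_value={cell[1]:<6} count={n}")
    print("in action plan:", len(action_plan(FINDINGS)))
```

With the constructed policy, all four Network Filtering findings and only the one HTTP Security Header finding on a High-value asset land in the action plan.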
Customer Support
You can learn more about this and other RiskRecon functionality through the support center, accessible from the RiskRecon portal. There you will find additional documentation and user videos. You are always encouraged to contact us directly through support@riskrecon.com or through the chat feature in the RiskRecon portal.