For example, it might be more beneficial to first resolve a medium severity vulnerability on a mission-critical website rather than a high severity vulnerability on a website of marginal value to the business. Without the intelligence of website valuation and vulnerability severity, effective decision-making is impaired. Another piece of intelligence we’ll discuss later on is what we at WhiteHat call a vulnerability threat rating, or how difficult a particular vulnerability is to exploit. Not all vulnerabilities are created equal either, but we’re getting a little ahead of ourselves.
As a continuation of the end of part 1, visit each website in the asset inventory spreadsheet, then answer a series of questions about them. These answers assist in a subjective value rating process. I say subjective, rather than objective, because I’ve yet to see a generic value rating system for websites that was quantifiable. If you happen to have one specifically for your company, fantastic, use it. Heck, if you can, post it so others can learn from it! If you don’t have one, don’t worry; over time you should be able to tailor this methodology specifically for your company.
1) What does this website do and who is responsible for it?
Click around the website, exercise the functionality, fill out a few forms, register an account if you need to. Is it a shopping cart? Web bank? Brochure? Who manages the content and/or security?
2) What would the business impact be if the website were to be compromised or suffer more than 24 hours of downtime?
Sometimes unplugging the network cord (not recommended) on a website is the only way to tell if someone cares about it or if it’s important. Before you do that though, consider what would happen if the website were unreachable or suffered a publicly known data/system compromise. Sometimes organizations express downtime in quantifiable terms. If so, great, use it. If not, terms such as the following will suffice:
- Major/moderate/low loss of revenue
- Major/moderate/low reputation impact and brand damage
- Hundreds/thousands/millions of registered users
- Thousands/millions/billions of page views / unique visitors per month
- Personal and private information (names, addresses, phone numbers, social security numbers, etc.)
- Regulated information (credit card numbers, bank account numbers, patient records, attorney privileged data, etc.)
- Intellectual property (source code, customer lists, business plans and objectives, etc.)
a) 1 – 4 times per month
d) Never or as needed
Answering these questions takes time and a lot of research, but the spreadsheet you’re building will be of huge benefit to the company, especially those with a substantial Web footprint. Taking these answers into account with the appropriate weighting, assign a rating from 1 – 5 to each website, with 5 being the most valuable. Share the document around internally for feedback. After you have completed the process, what you’ll have is something that most do not: a well-defined and prioritized website asset inventory.
The spreadsheet will look something like this: