1. Overview
In this article, we'll see how to access and use ACSIA CRA, 4Securitas' Cyber Risk Assessment platform.
ACSIA CRA performs numerous passive checks to evaluate your infrastructure, highlighting where your business is weak or strong against a cyber attack. The tests are passive only: ACSIA CRA does not simulate an actual cyber attack against your infrastructure.
In simple words: ACSIA CRA collects data and metrics from your infrastructure, processes them, and tells you whether your infrastructure is weak or strong in the case of a cyber attack.
2. How to log in and add a company
To log in to the platform, you have to request a username and a password from the ACSIA CRA support team.
After that, you can log in here.
After you've logged in, you can add your company by clicking on "Add company". Then you have to fill in the required fields, and click on "create company":
3. Basic platform understanding
You can see some information if you click on "Overview" (1).
For example, in the red rectangle on the top left (2) of the screen, you can see your company's information. On the top right of the screen (3), you can see the rating you've been given by CRA. The CRA score (3) refers to your public-facing exposure to the internet. The CRA risk assessment score is measured with an index consisting of 6 clusters and takes a value from 0 (least secure) to 100 (most secure).
Also, you can see that ACSIA CRA found:
- 114 Assets, but only 78% have been analyzed. This happens because your assets may refer to services such as Amazon Web Services (AWS) or similar: in this case, our scanning doesn't go any further. Also, by Assets, we mean the elements that are assessable from a cybersecurity perspective, that are exposed, and that make up an organization's attack surface.
- 59 hosts. By host, we mean any information present in a DNS of a domain registered by the organization that typically identifies an internal or external IP address.
- networks. By network, we mean a set of IPv4 or IPv6 addresses announced as a single block in BGP; the minimum network announced in IPv4 is a /24 (256 IPs) and in IPv6 a /48 (65536 IPs).
- 4 AS. By AS, we mean Autonomous System: a set of IPv4 or IPv6 networks, identified by a number assigned through IANA by the regional internet registries that identify an internal provider and routing policy.
- 3 Domains. By Domain, we mean the Internet domain registered by the organization on a top-level domain (e.g. .com/.net/.it/.eu).
- 14 IPs. By IP, we mean the IPv4 or IPv6 Internet address linked to an organization's asset.
- 16 Websites. By Website, we mean any host exposing anything on the internet that responds to port 80 (HTTP) and port 443 (HTTPS).
- 2 Emails. By Email, we mean any mail server or an e-mail service typically linked to a domain providing inbound e-mail services.
- 1 DNS. By DNS, we mean a domain name server: a service configured to respond for an Internet domain registered by the organization, in which entries are made identifying the resources accessible via a mnemonic name linked to that domain.
Scrolling down, we can see a radar graph like the following:
Here we can see:
- On the left, the radar plot shows how the risk index is distributed among all the assets. In this example, we can see that the website and the domain have the highest exposure, while the DNS and email have the least exposure.
- On the right, we can see the trend of the risk index over time, starting from when the license was purchased.
The risk index can be read as follows:
This means that:
- an asset with a 0-30 risk index requires immediate action.
- an asset with a 90-100 risk index does not require actions.
Remember that the risk index varies at each scan, and the scan frequency depends on the license you purchased. You may request a recheck, if desired, by clicking the 'Recheck' button.
Here's how you can ask for a recheck:
Access a complete report by clicking on Actions --> Generate reports:
When we scroll down, we can see some more details on the exposure to the risk:
For example, the above plot shows that the website is the asset with the highest exposure risk. In fact, the wide red band tells us that here we have a wider band of attack.
If we scroll down, we can see the dependencies of the various assets, meaning we can understand how the assets are related to each other:
If we then click on Assets (1), we can see a detailed list of all the assets scanned. The list is ordered from the asset with the worst risk index to the one with the best. This helps us understand where to intervene:
When we click on Go to asset (2) we can see the details of the asset: