CIS Risk Assessment Method (CIS RAM) v2.1

Attackers compromise untracked devices connected to the network that are invisible to security tooling, using them as persistent footholds for lateral movement.

Critical vulnerabilities remain unpatched on devices not included in the asset inventory, allowing ransomware or worms to propagate through unmanaged endpoints.

Sensitive data resides on assets not captured in the inventory, leading to unprotected PII/PHI exposure during a breach and regulatory penalties.

An attacker or insider connects an unauthorized device (e.g., rogue wireless AP, USB-tethered device) to the corporate network to intercept traffic or establish a backdoor.

Unauthorized IoT devices with default credentials remain on the network indefinitely, providing persistent attack vectors that bypass endpoint security controls.

Unmanaged personal devices infected with malware connect to the enterprise network without quarantine or review, spreading infections to production systems.

Without active scanning, attacker-controlled devices or compromised hosts remain invisible on the network, enabling long-term data exfiltration campaigns.

Assets that bridge network segments but are not discovered by active tools allow attackers to pivot between zones that should be isolated.

Malicious or backdoored software installed without inventory tracking evades security review, enabling supply chain attacks like those seen in SolarWinds-type compromises.

Unlicensed or pirated software installed outside inventory controls introduces trojanized versions or cracks that contain embedded malware and credential stealers.

Applications installed for past projects but never inventoried remain on systems with known vulnerabilities, providing easy exploitation targets for attackers.

Unsupported software no longer receives security patches, allowing attackers to exploit publicly disclosed CVEs with readily available exploit code.

Unsupported applications with zero-day vulnerabilities will never be patched by the vendor, giving attackers permanent exploitation capabilities against those systems.

Unauthorized software including remote access trojans, cryptominers, or backdoors persists on endpoints because no process exists to identify and remove them.

Employees install unauthorized cloud sync clients or SaaS tools that exfiltrate corporate data to unmanaged cloud storage outside organizational visibility.

Attackers install persistence tools, keyloggers, or lateral movement utilities that go undetected because no automated tooling monitors for new software installations.

Without a data management process, sensitive data proliferates across uncontrolled locations including personal drives, shadow IT services, and unsecured file shares.

Absence of defined data sensitivity levels and handling requirements leads to GDPR, HIPAA, or PCI DSS violations when regulated data is processed without appropriate safeguards.

Without data retention and disposal requirements, organizations retain data indefinitely, massively increasing the volume and sensitivity of data exposed during a breach.

Without a data inventory, the organization cannot determine what sensitive data was exposed in a breach, leading to delayed notifications and underestimated impact assessments.

Sensitive data on systems being decommissioned or migrated is not properly handled because no inventory tracks where sensitive data resides.

Users with excessive file system, database, or application permissions access sensitive data beyond their need-to-know, increasing insider threat risk and breach blast radius.

Attackers who compromise a single user account gain access to broadly shared file systems and databases lacking access control lists, enabling rapid data harvesting.

Without proper access control lists, unauthorized users or compromised accounts can modify critical business data, financial records, or configuration files.

Attackers exploit out-of-box default configurations including open ports, unnecessary services, and weak security settings that were never hardened according to a secure baseline.

Over time, systems drift from secure configurations through ad-hoc changes, reintroducing vulnerabilities that were previously mitigated and creating inconsistent security postures.

Ransomware propagates rapidly through systems lacking hardened configurations, exploiting enabled-by-default protocols like SMBv1 and unnecessary remote access services.

Attackers gain administrative access to routers, switches, and firewalls using well-known default credentials or SNMP community strings that were never changed from vendor defaults.

Network devices configured without security hardening allow traffic mirroring, unauthorized VLAN access, or routing manipulation enabling man-in-the-middle attacks.

An attacker or malicious insider accesses sensitive data, installs malware, or executes commands on an unattended workstation that never locked due to missing auto-lock configuration.

In shared office spaces or public locations, unlocked idle sessions expose sensitive data on screen and allow passersby to interact with authenticated application sessions.

Attackers who compromise one server move laterally to others through open ports and services that a host-based firewall would have blocked, escalating the breach scope.

Former employees, contractors, or third parties retain active accounts that are not tracked in an inventory, using them to access systems and data after their authorization has ended.

Accounts not tracked in an inventory accumulate permissions over time through role changes without review, creating over-privileged accounts that represent high-value targets.

Shared or generic accounts not captured in the inventory are compromised, and investigations cannot attribute actions to a specific individual due to lack of account tracking.

Attackers use credentials leaked from third-party breaches to access enterprise accounts where employees reused the same password across personal and work systems.

Attackers perform password spraying attacks using common passwords like 'Spring2026!' that meet basic complexity rules but are predictable, compromising multiple accounts simultaneously.

Attackers who obtain password hashes crack short or simple passwords rapidly using GPU-accelerated brute force or rainbow tables, gaining access to accounts with weak passwords.

Attackers compromise dormant accounts through credential stuffing or phishing, using them for persistent access since inactive accounts are rarely monitored for suspicious activity.

A former contractor's account remains active and unmonitored for months after contract end, providing an entry point if the contractor turns hostile or their credentials are leaked.

Without a formal granting process, new employees receive access by cloning another user's permissions, inheriting unnecessary privileges accumulated through that user's role changes.

Users changing roles accumulate access from both old and new positions because no structured process ensures previous access is reviewed when new access is granted.

A terminated employee retains access to enterprise systems for days or weeks after departure because no revocation process exists, enabling data theft or sabotage out of retaliation.

Third-party contractor accounts remain active indefinitely after their engagement ends because no revocation process triggers deprovisioning when the business relationship terminates.

Users who change departments or roles retain their previous access in addition to new role permissions, gradually accumulating excessive privileges across the enterprise.

Attackers use leaked credential databases to perform automated login attempts against externally-exposed applications that rely solely on passwords without MFA.

An employee's credentials stolen through a phishing campaign provide immediate access to externally-exposed applications because no second factor is required for authentication.

Attackers perform sustained brute-force attacks against internet-facing login pages where single-factor authentication allows unlimited credential guessing at scale.

Without a documented vulnerability management process, critical vulnerabilities like Log4Shell or MOVEit are addressed inconsistently, with some teams patching immediately while others remain exposed for months.

Absence of a formal process means vulnerabilities are triaged based on individual judgment rather than risk-based criteria, allowing high-severity vulnerabilities in internet-facing assets to persist while low-risk internal issues consume remediation resources.

Auditors and regulators find no evidence of a structured vulnerability management program, resulting in compliance failures and potential fines under frameworks like PCI DSS or HIPAA that mandate documented vulnerability management.

Attackers exploit known vulnerabilities that persist for months because no risk-based remediation timeline exists, allowing threat actors to weaponize public exploits long before patches are applied.

Without a structured remediation process, hastily applied patches cause system instability and are rolled back, re-exposing the vulnerability while the organization scrambles for a stable fix.

Vulnerabilities are permanently deferred without documented risk acceptance or compensating controls, creating a growing backlog of unpatched systems that accumulate exploitable weaknesses over time.

Threat actors leverage automated scanning tools to identify enterprise systems running unpatched operating systems and deploy ransomware or cryptominers through known OS-level vulnerabilities like EternalBlue or PrintNightmare.

A wormable vulnerability in an unpatched operating system allows malware to propagate laterally across the network without user interaction, as seen with WannaCry and NotPetya, because automated OS patching is not in place.

Advanced persistent threat actors operate undetected for months because the organization has no standardized logging requirements, leaving critical assets without the audit trails needed to identify malicious activity.

When a breach is discovered, incident responders cannot determine the scope, root cause, or timeline because the audit log management process was never defined, resulting in inconsistent and incomplete log collection across systems.

Regulatory audits reveal that the organization has no formal audit log management process, resulting in compliance violations under SOX, HIPAA, PCI DSS, or GDPR that require documented logging standards and retention policies.

Attackers specifically target assets where audit logging is disabled or not collected, knowing their activities will leave no forensic trail, enabling prolonged dwell times and undetected data exfiltration.

Malicious insiders or external attackers modify critical data, configurations, or access controls on systems where audit logs are not collected, making it impossible to detect or attribute unauthorized changes.

Sophisticated attackers route their activities through assets without log collection, using these blind spots as staging areas for lateral movement and data staging while remaining invisible to security monitoring.

Critical audit log data is silently overwritten or discarded when logging destinations run out of storage, destroying evidence of ongoing attacks or compliance-required records during the exact periods when they are most needed.

Attackers intentionally generate massive volumes of log entries to exhaust available storage, causing legitimate audit events to be dropped and creating a window of unmonitored activity for their actual malicious operations.

Outdated or unsupported browsers contain known vulnerabilities that exploit kits target to deliver malware through malicious advertisements, compromised websites, or watering hole attacks without requiring any user interaction beyond visiting a page.

Unsupported email clients with known rendering or parsing vulnerabilities are exploited to execute malicious code when users preview or open specially crafted emails, bypassing attachment-based security controls.

Outdated browsers supporting deprecated TLS versions or weak cipher suites allow man-in-the-middle attackers to intercept and decrypt sensitive web sessions, including banking, email, and enterprise application traffic.

Malware on enterprise assets communicates with known malicious domains for command-and-control instructions, payload downloads, and data exfiltration, and without DNS filtering these connections succeed unimpeded.

Users click phishing links that resolve to known malicious domains mimicking legitimate login pages, and without DNS-level blocking these domains are freely accessible, enabling credential harvesting at scale.

Enterprise assets connect to domains hosting cryptomining scripts or malicious advertisements that deliver drive-by downloads, consuming resources and potentially installing malware because no DNS filtering blocks these known threats.

Users visit legitimate but compromised websites that redirect to malicious URLs hosting exploit kits, and without network-based URL filtering these malicious redirects succeed in delivering malware payloads.

Sophisticated phishing campaigns use newly created domains that mimic corporate login portals, and without URL reputation filtering and category-based blocking these sites are accessible to all enterprise users.

Without anti-malware software deployed, enterprise assets are vulnerable to commodity malware including ransomware, banking trojans, information stealers, and cryptominers that are routinely blocked by even basic AV solutions.

Ransomware variants like LockBit, BlackCat, or Cl0p execute and encrypt data on systems without anti-malware protection, causing operational disruption and potential data loss because no software exists to detect or prevent the encryption process.

Information-stealing malware (RedLine, Raccoon, Vidar) executes on unprotected endpoints, harvesting saved browser credentials, session cookies, cryptocurrency wallets, and VPN configurations for sale on dark web marketplaces.

Anti-malware software with stale signature databases fails to detect recently released malware variants that would be caught by current signatures, leaving endpoints vulnerable to threats that are days or weeks old.

New ransomware variants released after the last signature update execute freely on endpoints with stale definitions, encrypting files before the anti-malware engine recognizes the threat pattern.

Malware-laden USB devices automatically execute malicious payloads when inserted into systems with autorun enabled, a technique used in targeted attacks (Stuxnet-style) and opportunistic campaigns where infected USB drives are distributed in public areas.

Self-propagating worms spread across the enterprise via removable media by leveraging autorun functionality to copy themselves to every USB device inserted, then executing automatically on each new system the device connects to.

Attackers deliberately leave infected USB drives in parking lots, lobbies, or conference rooms, and autorun functionality causes malicious payloads to execute immediately when curious employees insert the devices into their workstations.

Ransomware encrypts critical business data and the organization has no documented recovery process, recovery priorities, or tested procedures, resulting in chaotic response, extended downtime, and potential permanent data loss.

A major incident destroys data across multiple systems, and without a documented recovery process defining which systems and data sets to restore first, teams waste time recovering low-priority systems while critical business operations remain offline.

Backup data is stored without encryption or access controls because the recovery process documentation does not address backup security requirements, allowing attackers to access sensitive backup data or encrypt backup repositories.

Hardware failures, storage corruption, or accidental deletion destroy critical data, and without automated backups running on a defined schedule the organization cannot restore to a recent state, resulting in permanent data loss.

After a ransomware attack, the organization discovers that backups are weeks or months old because automated backup schedules were never configured, forcing a choice between paying the ransom or accepting significant data loss.

Manual backup processes are skipped during busy periods, staff transitions, or organizational changes, creating gaps in backup coverage that are only discovered when data recovery is needed during an incident.

Ransomware operators specifically target backup systems and encrypt or delete backup data that is stored without adequate protection, eliminating the organization's ability to recover without paying the ransom.

Unencrypted backup media or repositories are accessed by unauthorized parties, exposing sensitive data including PII, financial records, and intellectual property that exists in an easily restorable format within the backup archives.

Attackers exploit known vulnerabilities in outdated router, switch, and firewall firmware (such as CVEs in Cisco IOS, Fortinet FortiOS, or Palo Alto PAN-OS) to gain control of network infrastructure and intercept, redirect, or disrupt all traffic flowing through compromised devices.

Network infrastructure running end-of-life firmware that no longer receives security patches accumulates exploitable vulnerabilities, and attackers who compromise these devices gain persistent network-level access that is difficult to detect and remediate.

Network devices running unsupported software experience stability issues and crashes that cannot be resolved because vendor support has ended, causing unpredictable network outages that affect business operations.

Attackers who compromise a single endpoint move freely across the entire network because no segmentation exists, accessing databases, file servers, and critical systems that should be isolated from general user traffic.

Ransomware spreads to every reachable system on the network because the lack of segmentation provides no barriers to propagation, turning a single-host infection into an enterprise-wide encryption event.

A network architecture that does not enforce least privilege allows users and systems to access network resources far beyond their operational needs, enabling attackers to reach high-value targets from any compromised entry point.

Attackers intercept network device management traffic using insecure protocols (Telnet, HTTP, SNMPv1/v2) to capture administrative credentials, then use those credentials to reconfigure devices, create backdoor access, or disrupt network services.

Network device configurations are modified without version control, change management, or audit trails, and unauthorized changes create security gaps such as opened firewall rules, disabled logging, or new route entries that redirect traffic.

An attacker compromises a single endpoint and moves laterally across the network undetected because security events from different sources are not correlated in a centralized platform.

A data exfiltration campaign persists for months because firewall, endpoint, and authentication logs are reviewed independently rather than correlated, preventing analysts from connecting related indicators of compromise.

Analysts miss critical attack indicators buried across dozens of independent log sources, allowing ransomware operators to complete their kill chain before detection.

An attacker deploys fileless malware using PowerShell or WMI that operates entirely in memory, evading network-level detection because no host-based intrusion detection solution is monitoring process behavior.

A malicious insider installs credential harvesting tools or keyloggers on their workstation, which go undetected without host-based intrusion detection monitoring local system activity.

An attacker installs a kernel-level rootkit that persists across reboots and hides malicious processes from standard OS tools, remaining invisible without a dedicated HIDS examining system integrity.

An attacker establishes encrypted C2 communications over HTTPS or DNS tunneling that bypass perimeter firewalls, remaining undetected because no network intrusion detection system is inspecting traffic patterns.

An attacker exploits a vulnerability in an internal service, and the exploit traffic crosses network segments without triggering any alert because no NIDS is deployed to analyze east-west traffic.

A sophisticated phishing campaign targets employees who have received no security awareness training, resulting in widespread credential compromise because staff cannot recognize social engineering tactics.

An employee unknowingly installs malware by clicking a malicious link or opens a weaponized attachment because they have never been educated on safe computing practices through a formal awareness program.

An attacker impersonates a vendor over the phone and convinces an employee to share system credentials, succeeding because no security awareness program has established a culture of verification and skepticism.

An attacker sends a targeted spear-phishing email mimicking an internal executive, and the recipient enters credentials on a fake login page because they were never trained to identify phishing indicators.

An attacker impersonates a CEO via email and instructs finance staff to wire funds to a fraudulent account, succeeding because employees have not been trained to recognize pretexting and verify unusual requests.

An unauthorized person follows an employee through a badge-controlled door by carrying boxes and appearing to need help, gaining physical access because staff have not been trained on tailgating awareness.

An attacker uses credentials leaked from a third-party breach to access enterprise accounts because employees were never trained on password uniqueness and the dangers of credential reuse across services.

An attacker tricks an employee into approving a fraudulent MFA push notification because the employee was never trained on how MFA fatigue attacks work or how to recognize unauthorized authentication requests.

A service provider with access to enterprise data is compromised, but the organization cannot assess impact or respond effectively because it has no inventory of which providers have access to what data.

A department independently contracts a cloud service provider that processes sensitive data, and the security team is unaware of the relationship because no centralized service provider inventory exists.

A former service provider retains active access to enterprise systems months after the contract ended because no inventory tracks provider relationships or designated contacts responsible for lifecycle management.

Different business units apply varying and often inadequate security requirements to service providers because no unified management policy defines standards for vendor assessment, monitoring, and decommissioning.

A service provider handling sensitive regulated data is engaged without any security assessment because no policy exists that mandates evaluation criteria before onboarding vendors.

A service provider processing large volumes of sensitive regulated data is treated with the same minimal oversight as a low-risk office supply vendor because no classification system distinguishes provider risk levels.

An organization fails a regulatory audit because it cannot demonstrate risk-appropriate oversight of service providers handling protected health or financial data, as no classification scheme exists.

A service provider suffers a breach affecting enterprise data but delays disclosure for months because no contractual requirement mandates timely breach notification, leaving the organization unable to respond.

Multiple applications developed in-house contain the same categories of vulnerabilities such as injection flaws and broken authentication because no secure development process defines coding standards or security requirements.

Developers incorporate open-source libraries with known critical vulnerabilities into production applications because the development process has no requirements for vetting third-party code security.

Applications are rushed to production without any security testing because no formal secure development process mandates security gates in the release pipeline.

A security researcher publicly discloses a vulnerability in the organization's application after responsible disclosure attempts fail because no process exists to receive and triage vulnerability reports.

An attacker discovers and exploits a vulnerability that had been reported by a user but was never processed because the organization has no intake mechanism for vulnerability reports.

The same class of vulnerability such as SQL injection recurs across multiple applications because individual flaws are patched without analyzing the root cause, allowing the systemic coding error to persist.

A development team continues producing code with the same authentication bypass flaw because no root cause analysis identifies the underlying process or knowledge gap causing the recurring vulnerability.

A widely used third-party library included in the application is compromised by an attacker who injects malicious code into an update, and the organization is unaware because it has no inventory of third-party components.

A security incident escalates because no designated personnel exist to coordinate the response, resulting in ad hoc decision-making, duplicated efforts, and extended attacker dwell time.

The only person with incident handling knowledge is unreachable during a ransomware attack, and no backup is designated, leaving the organization paralyzed during the critical early hours of the incident.

After a data breach, the organization fails to notify required regulatory agencies within mandated timeframes because no maintained contact list exists for incident reporting parties.

The organization's cyber insurance claim is denied because the insurer was not notified within the required timeframe, as the insurance provider's incident contact information was not readily available.

During an active ransomware attack, critical hours are lost trying to identify the correct law enforcement contacts because no pre-established contact list exists for security incident reporting.

An employee observes indicators of compromise but does not report them because no enterprise reporting process defines how, when, or to whom incidents should be reported.

An employee reports a suspected breach to their direct manager instead of the security team, and the information takes days to reach the right people because no formal reporting process exists.

During a significant breach, response efforts are uncoordinated because no documented process defines roles, responsibilities, escalation paths, or communication plans, leading to evidence destruction and extended attacker access.

Critical exploitable vulnerabilities in the enterprise's network, applications, and services remain undiscovered because no penetration testing program exists to proactively identify them before attackers do.

The organization relies solely on automated vulnerability scanning, which misses complex attack chains and configuration weaknesses that only a structured penetration testing program would uncover.

The organization fails to meet regulatory or contractual requirements for penetration testing because no program with defined scope, frequency, and remediation processes has been established.

An attacker exploits a misconfigured external-facing service that would have been identified through an external penetration test, gaining initial access to the enterprise network.

Publicly available information such as exposed credentials, internal documents, or infrastructure details is leveraged by an attacker because no external penetration test with reconnaissance phase identified the exposure.

An attacker discovers an overlooked external entry point such as an old VPN endpoint or forgotten subdomain that perimeter security controls do not cover, because no external penetration test mapped the full attack surface.

An attacker exploits a vulnerability that was identified in a penetration test but never remediated because no process exists to track and prioritize the remediation of pentest findings.

A critical penetration test finding is deprioritized by a development team focused on features because no organizational policy mandates remediation timelines based on finding severity.