Last week, we presented some risk management strategies organizations should consider. This week, we discuss some of the tactics organizations should use.
Risk assessment should be an ongoing practice rather than a one-off event. Security teams should, as a matter of course, continuously monitor systems, applications and networks for anomalous behavior, but monitoring is not a substitute for risk assessment: monitoring tells you what is happening now, while an assessment tells you what could happen and how much it would matter.
According to the U.S. National Institute of Standards and Technology (NIST), in its risk assessment guidance (SP 800-30), a risk assessment methodology typically includes:
- A risk assessment process.
- An explicit risk model, defining key terms and assessable risk factors and the relationships among those factors.
- An assessment approach (e.g., qualitative, quantitative or semi-quantitative), specifying the range of values those risk factors can assume during the risk assessment and how combinations of risk factors are identified and analyzed so that values of those factors can be functionally combined to evaluate risk.
- An analysis approach (e.g., threat-oriented, impact-oriented or vulnerability-oriented), describing how combinations of risk factors are identified and analyzed to ensure adequate coverage of the problem space at a consistent level of detail.
While conducting the assessment, security teams should:
- Identify threat sources and the threat events those sources could produce.
- Identify vulnerabilities and predisposing conditions that could affect the success of an exploitation attempt.
- Determine the likelihood of occurrence.
- Determine the magnitude of impact.
- Determine the resulting information security risk as a combination of likelihood and impact.
Risk classification defines the security requirements that apply at each level of severity or sensitivity. Typically a three-tier system (low, medium, high) is used, although organizations can classify risks differently.
Risk Impact Evaluation and Prioritization
Cyber security risk impacts extend considerably past IT systems to include business operations, finance, regulatory and legal exposure, reputation, and safety. While the evaluation of any incident is fact-specific, the evaluation and prioritization of risks should occur as part of cybersecurity and incident response planning.
Impact is rated on a similar high-to-low scale, but typically with five tiers (very high, high, moderate, low, very low). Likelihood is rated on a matching five-tier scale, with a probability range assigned to each tier, and the two are combined to rank the risks.
Monte Carlo simulation takes the threats already identified, with their tier probabilities and impact ranges, and produces a distribution of annual loss rather than a single point score. That distribution (expected loss, and what a bad year looks like) is a sounder basis for prioritization and budgeting than a score alone.
Risk mitigation begins well before an incident. One tactic is to use threat modelling to identify and prioritize potential threats. Historically this was a manual exercise, but modern tools automate much of it using IT asset inventory and network scanner data. A threat model typically includes:
- A description, design or model of what’s worrisome.
- A list of assumptions that can be proved or disproved as the threat landscape changes.
- A list of potential threats to the system.
- A list of actions to be taken on each threat.
- A way of validating models and threats and verifying the success of actions taken.
The U.S. National Security Agency recommends the following ten mitigation strategies against cyber security threats generally:
- Update and upgrade software immediately.
- Defend privileges and accounts: assign privileges based on risk exposure and only as required to maintain operations.
- Enforce signed software execution policies.
- Exercise a system recovery plan.
- Actively manage systems and configurations.
- Continuously hunt for network intrusions.
- Leverage modern hardware security features.
- Segment networks and deploy application-aware defenses.
- Integrate threat reputation services.
- Transition to multi-factor authentication (MFA).
IT governance association ISACA offers a CMMI cybermaturity platform which helps companies pinpoint the risks relevant to their business. It generates a risk profile for the organization, identifies gaps and provides recommendations for closing those gaps. The platform aligns with globally accepted industry frameworks.
Every company has its own “risk appetite”, the amount of risk it is willing to accept. This is another piece of context that helps determine:
- The company’s risk exposure.
- Risk/benefit tradeoffs.
- Resource allocation.
- The level of trust third parties may have in the organization including customers, employees, partners, investors, etc.