Security risk assessments allow us to make reasoned decisions about security budget allocations. We’re not always right, but that shouldn’t stop us from exercising due diligence by determining our current level of risk and what to do about it. Unfortunately most risk assessment methodologies are complex and take days or weeks to execute. They’re too slow and too expensive. Managing risk in today’s rapidly-evolving cybersecurity landscape requires a more agile approach.
When we push aside the details of a security risk assessment methodology like the Canadian Harmonized Threat and Risk Assessment (HTRA), at its very root we have assets, threats, and vulnerabilities. Assets are the things we need to protect. Threats are sources of possible harm. Vulnerabilities are the characteristics of a system that could allow a threat to act on the asset. Risk is the product of asset value, threat magnitude, and vulnerability severity.
The HTRA methodology provides a solid framework for conducting detailed, thorough risk assessments. In some situations, for example if you are designing financial transaction software, that makes sense. However, by streamlining each of the three major components (assets, threats, and vulnerabilities) we can derive a rapid cybersecurity risk assessment methodology.
Traditional risk assessments place a lot of emphasis on identifying, categorizing, and valuing assets. The reality in most IT environments is that while information assets vary greatly in value, the porous boundaries between them make it a moot point. Our SQL database server may contain two dozen different types of information, but if our DBA’s workstation is compromised by advanced malware the data is essentially all in the same bucket.
From an intruder’s perspective low sensitivity systems may be bonus data, collateral damage, or useful hopping-off points within your network. Since our goal is to protect our most sensitive assets, we can streamline our assessment by identifying the smallest number of assets necessary to conduct the analysis. If at all possible, consider all information and IT systems within the scope of the assessment to be a single asset and value it accordingly.
At this point you may be contemplating your investment in firewalls, VLANs, and DMZs. If your architecture is designed to restrict communication between related systems — for example by restricting which ports on the database server are accessible from application servers — consider it all within the scope of the same assessment. Far too many organizations have conducted a separate risk assessment on each individual server and determined the risk to be acceptable only to find out that there are holes in the overall system large enough to drive a proverbial truck through. On the other hand, if you have isolated separate systems to the point that a total compromise of one is highly unlikely to impact another, conduct separate risk assessments on each isolated system.
In a detailed risk assessment it’s easy to identify dozens or even hundreds of threats. However, unless your organization is very specialized, the threats you face are far from unique. Intellectual property is targeted by foreign governments and competitors. Payment card transactions attract organized criminals. Intelligence agencies and identity thieves want personal information. Add opportunistic hackers, disgruntled insiders, accidents by authorized users, and natural disasters and your cybersecurity threat landscape emerges.
Governments, organized crime, and sophisticated individual hackers use the same attack methodologies, and the same controls are therefore required to thwart them. Similarly, destructive insider attacks, accidents, and natural disasters are all addressed by the same disaster recovery and business continuity plans. As a result cybersecurity threats can usually be summarized into four categories:
- External adversaries;
- Malicious insiders;
- Accidents; and,
- Natural disasters.
In our search for efficiency it’s also worth considering that the same threat profile likely applies to all of the organization’s information assets. While it is possible that an adversary may direct their efforts at a high-value asset with surgical precision, it is also likely that they may, to use a physical analogy, kick in every door and rifle through every drawer until they find enough stuff, run out of time, or get caught.
From a practical perspective, we need to reduce the amount of time spent considering assets and threats. If you process payment cards, your asset value is high, as are the threats from external adversaries and malicious insiders. It need not be more difficult than that.
Vulnerabilities are where cyber rubber hits the virtual road. Risk mitigation recommendations address vulnerabilities. The challenge is that we don’t always discover the vulnerabilities first, and assessing vulnerabilities has traditionally depended primarily upon the skill and experience of the analyst. Different analysts looking at the same system often come to radically different conclusions about the level of risk and rolling multiple risk assessments into an enterprise-level view has been difficult at best.
Governments have been struggling with this problem and have started to place more emphasis on controls. NIST Special Publication 800-53 provides a long catalogue of security controls (with its companion, SP 800-53A, describing how to assess them), and its low, moderate, and high baselines suggest which controls should be applied based upon the sensitivity level of the assets. Communications Security Establishment Canada (CSEC) has followed suit with ITSG-33 and its security control profiles.
Adopting a more controls-centric approach to assessing cybersecurity risk makes sense because they’re the primary tools we have to reduce the risk to operational systems. We usually can’t modify software to make it more secure, we can’t change the value of the assets, and direct threat mitigation is generally not an option. What we can do is develop a standard set of controls for our organization and use them as a barometer in the vulnerability component of our risk assessments. We need to conduct cybersecurity risk assessments in a few hours and spend more of our time and budgets addressing risks.
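The following is an added illustration of the approach described above, not code from the original article or from HTRA, ITSG-33, or NIST: the whole environment is treated as a single asset, threats are collapsed into the four categories listed earlier, and the organization's standard control set is used as the barometer for vulnerability severity. The 1 to 5 scales, the control identifiers, their weights, and the mapping of controls to threat categories are all hypothetical and would be replaced by your own standard set.

```python
"""Rapid risk assessment model (added example, not the article's own method).

Assumptions, all hypothetical: 1-5 scales for asset value, threat magnitude
and vulnerability severity; a small standard control set with identifiers,
weights and threat mappings invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four summarized threat categories from the article.
THREATS = ("external", "insider", "accident", "disaster")


@dataclass(frozen=True)
class Control:
    cid: str                   # hypothetical identifier
    name: str
    mitigates: Tuple[str, ...]  # threat categories this control reduces
    weight: int = 1            # relative importance within the standard set


# Hypothetical organizational standard control set (assumption, not ITSG-33/800-53 text).
STANDARD_CONTROLS = (
    Control("AC-1", "MFA on all remote and administrative access", ("external", "insider"), 3),
    Control("AC-2", "Least-privilege database accounts", ("external", "insider"), 2),
    Control("SI-1", "EDR on all workstations, including DBAs", ("external",), 2),
    Control("SC-1", "Segmentation between application and database tiers", ("external",), 2),
    Control("AU-1", "Central logging with alerting", ("external", "insider"), 1),
    Control("CP-1", "Tested, offsite backups", ("accident", "disaster", "insider"), 3),
    Control("CP-2", "Business continuity / disaster recovery plan", ("disaster", "accident"), 2),
    Control("CM-1", "Change control for production systems", ("accident",), 1),
)


def vulnerability(controls, implemented: Dict[str, bool], threat: str) -> float:
    """Vulnerability severity for one threat category on a 1-5 scale.

    1.0 when every relevant control is in place, 5.0 when none is; in between,
    the weighted fraction of missing controls sets the score.
    """
    relevant = [c for c in controls if threat in c.mitigates]
    if not relevant:
        return 1.0
    total = sum(c.weight for c in relevant)
    missing = sum(c.weight for c in relevant if not implemented.get(c.cid, False))
    return 1.0 + 4.0 * missing / total


def assess(asset_value: int, threat_magnitude: Dict[str, int],
           implemented: Dict[str, bool], controls=STANDARD_CONTROLS):
    """Risk = asset value x threat magnitude x vulnerability, per threat category.

    Returns the per-category scores and the unimplemented controls, most
    important first, which become the mitigation recommendations.
    """
    results = {}
    for threat in THREATS:
        v = vulnerability(controls, implemented, threat)
        results[threat] = {
            "vulnerability": round(v, 2),
            "risk": round(asset_value * threat_magnitude[threat] * v, 1),
        }
    gaps: List[Control] = sorted(
        (c for c in controls if not implemented.get(c.cid, False)),
        key=lambda c: -c.weight,
    )
    return results, gaps


# Constructed sample: a payment card processor, single asset valued 5/5.
SAMPLE_ASSET_VALUE = 5
SAMPLE_THREATS = {"external": 5, "insider": 4, "accident": 3, "disaster": 2}
SAMPLE_IMPLEMENTED = {
    "AC-1": False, "AC-2": True, "SI-1": True, "SC-1": False,
    "AU-1": True, "CP-1": True, "CP-2": False, "CM-1": True,
}

if __name__ == "__main__":
    scores, gaps = assess(SAMPLE_ASSET_VALUE, SAMPLE_THREATS, SAMPLE_IMPLEMENTED)
    for threat, s in scores.items():
        print(f"{threat:9s} vulnerability={s['vulnerability']:<5} risk={s['risk']}")
    print("Highest risk:", max(s["risk"] for s in scores.values()))
    print("Recommendations, in priority order:")
    for c in gaps:
        print(f"  {c.cid}: {c.name}")
```

With the sample inputs the external adversary category dominates (the two missing controls, MFA and segmentation, carry half the weight relevant to it), and the gap list doubles as the mitigation recommendations. The point of the model is not the arithmetic but that two analysts working from the same standard control set and the same implementation checklist will reach the same score, which is what makes the assessments comparable across an enterprise.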