Building an Effective Risk Management Toolkit to Ward Off IT Risks

essidsolutions

Simple approaches to managing information security risk usually rely superficially on one of the popular formulaic models, such as RISK = THREATS * BUSINESS IMPACT. However, the formula alone is never enough. To use this model effectively, organizations must perform several activities to fully understand the elements contributing to the probability of attack and to business impact. These include:

    • Inventory and classify information systems
    • Research relevant threats
    • Know your vulnerabilities
    • Manage controls
    • Monitor and measure

This article does not cover how to conduct the assessment itself. For a detailed risk assessment methodology, see NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments.

Inventory and Classify Information Systems

To understand the cost (the business impact) of possible attacks, an organization must first understand the value of potential targets, both to itself and to attackers. This is done by classifying each system. Classification requires data owners to rank the data stored on, processed by, or passing through each system. The data owners then work with the security team to determine the business impact if a system is compromised.

In a separate article, Thomas Eck and Anne Grahn lay out a detailed process for classifying data. They remind us that not all data is created equal. Consequently, we need to focus our resources on the data and systems that provide the most value to the organization or result in the most considerable business impact when an incident occurs.

Research Relevant Threats

Knowing the threats faced is necessary to understand the probability that someone or something (the threat) will use one or more weaknesses (vulnerabilities) to compromise one or more systems. Each industry is subject to different types of threats.

In a video, I describe four different motives human threats might have for attacking an organization: financial gain, politics, terrorism, and hacktivism. In general, the time and effort attackers are willing to spend on financially motivated attacks is lower than on attacks with political or social motivations. In financial attacks, it is all about return on investment.

Using threat intelligence resources is an essential start to understanding the threat landscape.  


Know Your Vulnerabilities

Understanding vulnerabilities that might exist in your network includes three activities: 

    • Monitoring vendor and vulnerability tracking information
    • Vulnerability scans of sensitive network segments and systems
    • Penetration tests

Monitoring vendor and vulnerability tracking information

Checking daily for newly discovered vulnerabilities is necessary. Many vendors post and track these and quickly notify customers when a new weakness is found, but organizations cannot count on this.

One valuable resource for tracking vulnerabilities and their potential impact is the National Vulnerability Database (NVD). The NVD not only provides a list of vulnerabilities; it also supplies the information needed to determine each vulnerability’s criticality in your own operating environment.

Just because a vulnerability is listed in the NVD as critical does not mean it is a big problem for a specific organization. The NVD’s CVSS calculator helps security teams work out the actual risk a vulnerability poses, based on the assets affected and the controls in place in their own environment. The CVSS calculator process is a form of risk assessment for a specific vulnerability.
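The environmental adjustment the NVD calculator performs can be reproduced from the published CVSS v3.1 formulas. The following Python is an added example, not code from the original article or from NIST, that scores a constructed vector both ways: the base score comes out as 9.8 (Critical), but once the organization's own security requirements (CR/IR/AR) and modified attack vector (MAV) are applied, the environmental score drops to 6.9 (Medium).

```python
# Metric weights from the CVSS v3.1 specification; PR_C applies when scope is changed.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_U, PR_C = {"N": 0.85, "L": 0.62, "H": 0.27}, {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR / IR / AR security requirements

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, computed in integers."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def parse(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))

def _score(get, cr=1.0, ir=1.0, ar=1.0, env=False):
    """Base (env=False) or environmental (env=True) arithmetic from the specification."""
    iss = 1 - (1 - cr * CIA[get("C")]) * (1 - ir * CIA[get("I")]) * (1 - ar * CIA[get("A")])
    iss = min(iss, 0.915) if env else iss        # MISS is capped in the environmental formula
    changed = get("S") == "C"
    if changed:                                  # modified impact uses 0.9731 and exponent 13
        impact = 7.52 * (iss - 0.029) - 3.25 * ((iss * 0.9731 if env else iss) - 0.02) ** (13 if env else 15)
    else:
        impact = 6.42 * iss
    expl = 8.22 * AV[get("AV")] * AC[get("AC")] * (PR_C if changed else PR_U)[get("PR")] * UI[get("UI")]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def base_score(m):
    return _score(lambda k: m[k])

def environmental_score(m):
    """Modified metrics (MAV, MC, MS, ...) set to 'X' or absent fall back to the base value;
    temporal metrics are left at 'X' (= 1.0), so the spec's outer Roundup changes nothing."""
    def mod(k):
        v = m.get("M" + k, "X")
        return m[k] if v == "X" else v
    return _score(mod, REQ[m.get("CR", "X")], REQ[m.get("IR", "X")], REQ[m.get("AR", "X")], env=True)

def severity(score):
    """CVSS v3.1 qualitative rating scale."""
    for limit, name in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return name
    return "Critical"

# Constructed example: NVD-style Critical base vector, but in this environment the system
# holds low-value data (CR/IR/AR:L) and is reachable only from an adjacent network (MAV:A).
EXAMPLE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:L/IR:L/AR:L/MAV:A"
```

Calling `base_score(parse(EXAMPLE))` returns 9.8 and `environmental_score(parse(EXAMPLE))` returns 6.9; the same code run on a vector with no environmental metrics returns the base score unchanged, which is the check to run before trusting the adjusted numbers.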

Vulnerability scans of sensitive network segments and systems/Penetration Tests

In addition to the application and network device vulnerabilities that may show up in the NVD, known configuration and application vulnerabilities can also exist in your own environment. One straightforward way to find known vulnerabilities is to run a vulnerability scanner such as Nessus.

Penetration tests dig deeper, looking for application and hardware weaknesses. Pen tests also determine how easy it is to exploit these weaknesses without being detected.  Pen tests are an excellent activity to perform once an organization believes that risk is acceptable because even simple things are often missed.

When conducting pen tests, organizations must consider two general attack paths: through the perimeter and via users. Each of these has its own set of steps an attacker uses to compromise assets.  

Manage Controls

Once an organization performs a risk assessment, management can accept, avoid, mitigate, or transfer the risk.  

    • Accept – Management might decide that the risk is low enough or that the risk is worth the financial return.
    • Avoid – An organization can eliminate the risk by removing the system, application, or process that creates the risk.
    • Transfer – Risk is measured in how much an incident might cost an organization. Transferring risk is moving the bulk of this cost to another entity. A common approach is buying cyber incident insurance.
    • Mitigate – Management can direct the security team to reduce the risk to acceptable levels with controls.

Mitigation should not immediately send a security team looking for new controls. Existing controls are often enough if reconfigured or moved. The team should track all controls, their capabilities, and their current configurations. In a separate article, I describe using a spreadsheet to do this. Figure 1 shows part of a spreadsheet used to implement this approach, which is available for download.

Figure 1

Monitor and Measure

Finally, organizations must “inspect what they expect.” Assessments and risk mitigation activities should be designed to achieve specific security goals (metrics). Many believe that security metrics are difficult to develop. This is not true.

First, metrics must conform to the SMART model. Each metric:

    • Is a clearly defined, SPECIFIC outcome
    • Includes one or more indicators that we can MEASURE
    • Must be something we can accomplish, must be ATTAINABLE
    • Must be something that moves us toward an overall objective, like system security; it must be RELEVANT
    • Must be something achievable within a specific TIMEFRAME


Figure 2 shows one example of how to develop a security metric.  Each metric links to one or more security requirements.

Figure 2

In Conclusion

Conducting risk assessments requires time and commitment. Preparing for the assessments and managing the results requires digging deep into the vulnerabilities faced by an organization. Understanding the information assets available for attack and their business value is necessary to know where to assess first and where to apply security resources. Organizations must know the implementation of all security controls and their configuration to enable a quick response to emerging threats. Finally, security teams must use metrics to determine whether the outcomes management expects from managing risk are being met.
