NISTIR 8286A Risk Management Guidance Part 3: Tracking Risk and Performing Risk Assessments

essidsolutions

In parts 1 and 2 of this three-part series, I described the first steps in setting up and managing system cybersecurity risk as detailed in NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management. In this article, we walk through how to use the tools described in the NIST guidelines to perform a risk assessment and track risk throughout a system's lifetime.

What is a Risk Assessment?

A risk assessment determines the potential annual loss associated with each probable security or business continuity incident associated with a system. This is often depicted in the formulaic model RISK = THREATS x VULNERABILITIES x BUSINESS IMPACT. NISTIR 8286A, published in November by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST), uses a different model, as shown in Figure 1.

Figure 1: Inputs to Risk Scenario Identification

The NIST model shows how the elements of risk relate to each other. Human and non-human threats, or threat actors, exploit vulnerabilities. Vulnerabilities are weaknesses in a system and the environment in which it operates caused by misconfiguration, coding errors, lack of adequate layered controls, lack of policies and user training, or other factors.

The assessment process

NISTIR 8286A lists four phases in assessing a system’s risk:

• Identification of the organization's assets and each system's classification and categorization
• Determination of probable threats to the system's confidentiality, integrity, and availability
• Identification and assessment of vulnerabilities and other predisposing conditions
• Evaluation of potential business impact if a threat actor exploits one or more vulnerabilities to achieve attack objectives

Identification and valuation of assets

To effectively manage information resource risk, an organization must know the systems in operation and the data each system processes, manages, or stores. This inventory is needed to create the risk register (see part 2 in this series) and assessment schedule for each system.

Once the risk management team (RMT) documents each system, it must classify and categorize them. Classification relates to confidentiality and privacy and is applied to data. In other words, we rank data based on how important it is to keep it from unauthorized entities. The military classifies information as confidential, secret, and top secret; a similar scheme can be applied to data owned by private organizations.

In addition to classification, an organization must categorize its systems. Categorization measures the adverse business impact if the confidentiality, integrity, or availability of the system and its data are compromised. The video Data Classification and Categorization explains the process.

Categorization is mainly based on the data processed and the information created by the system. Because that information often feeds other systems, the impact on downstream systems is also part of determining the value of a system to business operations.

Determination of probable threats

There are many global threats to organizations. However, only a subset of those threats is likely to target a specific organization. Consequently, security teams must identify the threats that are probable for their resources and the attack vectors those threats use. The attack vectors are used in the next step.

An organization can determine if a specific threat is probable by looking at:

• Industry attack history. Some industries are larger targets than others. Also, the RMT must understand what types of resources are common targets and whether those resources exist within its organization.
• Types of attacks. Threat actors target organizations for various reasons, including:
  o Terrorism
  o Hacktivism
  o Financial gain
  o Nation-state theft of secrets
• Geographic location. One threat associated with geographic location is the weather. Is the area subject to hurricanes, typhoons, tornadoes, flooding, etc.? Other considerations include political instability, crime rate, and the local legal environment.

In summary, probable threats are based on a set of conditions that apply to an organization and its social, political, or other roles or positions. A comprehensive list of possible threats is available at the Cybersecurity & Infrastructure Security Agency website and in Appendix A of the Guidebook on Best Practices for Airport Cybersecurity. However, these are general threats. Specific threat identification and analysis requires continuous threat intelligence activities.

Identification and Assessment of Vulnerabilities

Vulnerabilities are weaknesses that a threat actor exploits to achieve attack objectives. Vulnerabilities exist because of:

• Misconfiguration of controls and assets
• Coding errors
• Failure to effectively manage trust with entity authentication and segmentation
• Lack of effective employee training
• Missing controls
• Use of only one safeguard to protect an attack path (lack of a layered defense)

When a threat is identified, the RMT must understand the attack paths taken by the threat actor. The attack paths are then plotted over an attack tree or using a misuse diagram. Using the tree or diagram, the team identifies weaknesses in systems, network devices, or safeguards that might enable an attack.

It is important to remember that a threat actor must often use two or more vulnerabilities without detection and intervention. A threat actor’s ability to do this largely depends on the safeguards already in place, and the resulting impact is determined by the categorization of affected systems and data. 

Evaluation of Potential Business Impact

Business impact is informed by two factors: the likelihood of occurrence and the adverse effect of a single occurrence. The likelihood of occurrence measures the probability that a threat actor will launch a successful attack against the system being assessed. 

The likelihood is generally affected by three factors:

• Threat actor motivation
• Skills required for the attack
• The nature of the existing vulnerabilities

Motivation

Motivation increases as the value of the target increases. Target value is not always about the financial gain achieved by threat actors; motivation also depends on the threat actor's objectives.

For example, a hacktivist might target an organization because the victim participates in or promotes social positions with which the threat actor disagrees. In another example, a nation-state threat actor might target a system to steal weapon system specifications. Each organization must assess whether it is a high-value target based on industry, societal perceptions, and the value of potential targets on its network.

Skills and vulnerabilities

Skills needed and the nature of existing vulnerabilities are closely tied together. Every organization has some vulnerabilities, both known and unknown. However, the level of expertise necessary to exploit all of the required vulnerabilities to achieve attack objectives changes based on the type of vulnerability and the existing prevention, detection, and response safeguards.

It is not easy to collect all of this information and then determine the potential risk.

CVSS Calculator

One effective tool for assessing likelihood and impact is the CVSS calculator. The assessment team enters information about the vulnerability, the existing safeguards, and the effect of confidentiality, integrity, and availability compromise.

The video Vulnerability Management and CVSS explains how to use the calculator to identify the actual risk to an organization based on the factors discussed in this article. It is a qualitative tool, but it is very helpful in understanding gaps in protecting against existing and emerging threats.

Reporting the Risk

Both organization managers and IT teams must understand identified risk. While the detailed risk description document for each threat is a good way of communicating with the technical teams, the Risk Description field in the risk register must be more meaningful to managers. The following two descriptions are from NISTIR 8286A:

• External criminal attack exploits a software vulnerability in the internet-facing customer data site, resulting in "significant" customer confidential data exfiltration with revenue, reputation, and regulatory implications.
• A flood event enters the first floor data center, causing water damage to several critical servers and interrupting services to more than 10% of customers.

These are very general descriptions. I would be more specific about the actual threat and vulnerabilities involved. In any case, the description should be general enough for management but also specific enough to engage in risk management discussions.
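To tie the register back to the two factors behind business impact (likelihood of occurrence and the adverse effect of a single occurrence) and to the annual loss a risk assessment estimates, here is an added example of a minimal risk register, not code from the article or from NISTIR 8286A. The two Risk Description strings are the NISTIR 8286A examples quoted above; the 1-to-5 rating scales, the rating thresholds, and every loss figure and occurrence rate attached to them are constructed for illustration.

```python
"""Minimal risk register for tracking risk over a system's lifetime.

Added example, not from the article or NISTIR 8286A. The scales, thresholds
and all numbers are constructed; the two descriptions are the NISTIR 8286A
examples the article quotes.
"""
from dataclasses import dataclass, field

# Assumed qualitative scales for the two factors that drive business impact.
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class RiskEntry:
    risk_id: str
    description: str   # management-facing Risk Description
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT
    sle: float         # single loss expectancy: cost of one occurrence (constructed)
    aro: float         # annualized rate of occurrence, events per year (constructed)
    history: list = field(default_factory=list)  # (note, prior exposure, prior ALE)

    @property
    def exposure(self):
        """Likelihood x impact on the qualitative scales (1 to 25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def ale(self):
        """Annual loss expectancy: the potential annual loss the assessment estimates."""
        return self.sle * self.aro


def rating(exposure):
    """Map an exposure value to the rating a manager reads (assumed thresholds)."""
    if exposure >= 15:
        return "High"
    if exposure >= 6:
        return "Moderate"
    return "Low"


def reassess(entry, likelihood, impact, aro, note):
    """Record a new rating after a safeguard is added or a threat changes.
    The prior values are kept so the register shows the trend, not just a snapshot."""
    entry.history.append((note, entry.exposure, entry.ale))
    entry.likelihood, entry.impact, entry.aro = likelihood, impact, aro
    return entry


def prioritize(register):
    """Order entries for the management report: highest ALE first, exposure as tiebreak."""
    return sorted(register, key=lambda e: (e.ale, e.exposure), reverse=True)


def build_register():
    """Two entries using the NISTIR 8286A descriptions with constructed numbers."""
    return [
        RiskEntry(
            "R-1",
            "External criminal attack exploits a software vulnerability in the "
            "internet-facing customer data site, resulting in \"significant\" customer "
            "confidential data exfiltration with revenue, reputation, and regulatory implications.",
            "high", "major", sle=2_000_000, aro=0.5),
        RiskEntry(
            "R-2",
            "A flood event enters the first floor data center, causing water damage to "
            "several critical servers and interrupting services to more than 10% of customers.",
            "low", "severe", sle=5_000_000, aro=0.05),
    ]


if __name__ == "__main__":
    register = build_register()
    # A reassessment after a safeguard is added to the customer data site.
    reassess(register[0], "low", "major", aro=0.1, note="web application firewall and patch SLA in place")
    for e in prioritize(register):
        print(f"{e.risk_id} exposure={e.exposure:2d} ({rating(e.exposure):8}) ALE={e.ale:,.0f}")
        for note, prior_exposure, prior_ale in e.history:
            print(f"     previously exposure={prior_exposure} ALE={prior_ale:,.0f}; {note}")
```

The point of keeping the history list is the "tracking" half of this article: a register entry that only holds the current rating cannot show management whether a safeguard actually reduced exposure, whereas one reassessment per review cycle turns the register into a trend line that both the technical team and managers can read.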

Final Thoughts

Many approaches exist for identifying and managing risk. This series brings together recent NIST recommendations with other practical approaches. It is designed to provide guidance for establishing your approach based on your organization’s unique operating environment.
