Mar 8, 2021
Risk Assessments are the topic for this episode of the CISO Dojo Podcast.
What is a risk assessment: The identification, evaluation, and estimation of the levels of risks involved in a situation, with comparisons against benchmarks or standards, and determination of an acceptable level of risk.
There are two types of risk assessments we discuss in this episode:
We are going to discuss two commonly used frameworks often utilized for risk assessments:
FAIR (Factor Analysis of Information Risk)
Defines value/liability as:
FAIR also defines six kinds of loss:
NIST Special Publication 800-30 Risk Assessment Framework: NIST 800-30 is a nine-step approach to risk assessments that includes:
In this episode we briefly cover a few common types of risk assessments:
RIA: Risk Impact Assessment
BIA: Business Impact Assessment
PIA: Privacy Impact Assessment
DRIA: Detailed Risk Impact Assessment
We aren’t going to get into Risk Analysis, because there’s a larger conversation that needs to be had there. An organization needs to understand what its top risks are so it knows where to start the risk assessment process.
Let’s take a look at where a lot of organizations are incurring the greatest amount of risk with their security posture, or lack of security posture.
Traditionally, smaller businesses weren’t an appealing target for threat actors. That changed when ransomware arrived on the scene. Smaller organizations are a more appealing target for ransomware because they typically have less budget to spend on backing up their data, business continuity, and disaster recovery.
When a small business experiences ransomware, more often than not, they are forced to pay the ransom to recover their data and return to normal operations. If it’s not ransomware, the second favorite cyber attack of threat actors is crypto mining malware that runs silently on the systems, consuming resources and mining cryptocurrency for the attacker.
Many organizations aren’t aware whether they are over-invested or under-invested in security. Over-investment takes funds away from other strategic business objectives, while under-investment incurs too much risk for the organization.
Over-investment isn’t a difficult problem to solve, but under-investment can be challenging to rectify. The best approach to determining where you stand is to map out the maturity of your organization in relation to what the industry is doing. I’ll use the NIST Cybersecurity Framework functions to measure the maturity of the security program:
Next, map each function to a maturity level of 0-5 using the Capability Maturity Model, where 0 is the least mature and 5 is the most mature. Most organizations should strive for a maturity level of 3 across the five functions of the NIST CSF. If you are not at level 3, you are under-invested in that particular function. If you are at a 4-5 maturity level for a particular function, you might be over-invested in that function.
An effective cyber security program includes patching and vulnerability management. Unpatched vulnerabilities provide opportunities for threat actors to compromise your systems and networks. Even the best organizations achieve only about a 75% success rate. In an organization that lacks patching and vulnerability management, the risk of a breach is considerable.
A successful patching and vulnerability management program starts with asset inventory. You need to know what assets you have and then you need a way to identify and monitor your patching and vulnerability exposure and remediation progress.
Breaches often start with malware, phishing, or spam as the entry point into the organization. This indicates a lack of technical controls at the email server, as well as the administrative control of a security awareness program.
If you are hosting email in house with no spam filtering, anti-malware, or other technical controls, now is a good time to consider outsourcing email to Office 365 or Google Apps. The benefits are less maintenance, more security, and reduced costs and administration time.
A lot of organizations lack a backup plan, backup retention, and testing of backups. The problem is usually a lack of understanding of what their mission-critical data is. This goes back to the lack of a mature security program.
Organizations that are backing up their data usually fail to test their backups due to a lack of time and a lack of staff. This is something that should also be addressed in the overall security program for the organization, or perhaps outsourced to a third party for business continuity and disaster recovery purposes.
Mobile devices are growing in popularity as an entry point for threat actors, and careful consideration should be given to BYOD programs.
While there is a lot of benefit to BYOD (bring your own device), there are also a lot of risks. The main issues are co-mingling of data, eDiscovery, terminations, data security, and mobile device management.
Mobile device management is critical if you allow employees to utilize their own mobile devices for work purposes. You should also include a mobile device threat prevention solution that detects and prevents malware, phishing over text message (smishing), and rooting or jailbreaking of mobile devices.
Also consider a VPN for secure connections from the mobile device back to the corporate network.
This is by far one of the most common problems I encounter when consulting with small, medium, and even large enterprise-level businesses.
There should be an overarching policy from the executive level that the organization understands the importance of cyber security and will have a cyber security program.
A typical cyber security program should include:
The above is not a comprehensive list and will differ from organization to organization. Preventing breaches, business impact, and security incidents starts with risk assessments and a cyber security program.
Having a formal security program also means having someone in charge of security to drive it forward. This is usually a CISO or VCISO depending on the size of the organization.