
Security for Businesses with Limited IT Resources Part 4

Mon, 08 Jul 2019

This is the fourth, and final, blog in a series exploring how you can strengthen your own organization's cybersecurity. The first three topics already covered were threat intelligence, detection and analytics, and adversary emulation or red teaming. This post focuses on risk assessment for the protection of your network. We aimed to fill each article with practical cyber techniques for companies that have limited IT resources and analysts – we hope that you’ve had a chance to read the entire series and that you’ve been able to take away some tangible advice that you can apply at your own company. At ISA, we aim to protect the cyber presence of all Canadian businesses. The safer your company's cyber is, the safer all Canadian cyber is.

Part 4: Risk Assessment for Your Company’s Protection (or Putting it All Together)


Cyber risk assessment is a broad term. It means performing an assessment or evaluation of the cyber risks facing your organization. The National Institute of Standards and Technology (NIST) defines it as follows: “Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.”[i]

NIST had federal agencies in mind with this definition and its subsequent guide, hence the “and the Nation.” For most businesses, your cyber incidents will not rise to the level of national security threat. Even so, understanding and assessing risk of any type is vital in a business model. In the digital age, that includes cyber. The primary goal of a cyber risk assessment is to help educate and inform decision-makers and to support incident response strategy.

To do that effectively, you need to identify:

  • What are the pertinent cyber threats to your company?
  • What internal and external system vulnerabilities are there?
  • What would the impact be if those vulnerabilities were exploited?
  • What is the likelihood of exploitation?

All of these questions can be answered through threat intelligence, analytics, and adversary emulation. It is a matter of compiling all of the information and data you’ve gathered to create a big picture of your company’s cyber presence in order to assess your entire system for risk.

1. Identify and Record Cyber Threat Sources

You’ve already examined your system for vulnerabilities to adversarial threats – determined from your threat intelligence. Those are the threats that have the potential to be exploited by third-party actors. 

Now, turn your attention to non-adversarial threats. These are threats arising from negligence, error, or some other non-malicious cause on the part of an employee, administrator, vendor, or ordinary website end-user, and they can put your business at risk just as adversarial ones do.

Brainstorm and list all of the things that COULD happen from both the adversarial and the non-adversarial threats your business faces.

For adversarial threats, assess the capabilities of your adversaries and their resources (again, this relies on the threat intelligence you’ve gathered). Here’s a NIST scale used to quantify threats. 

[Image: NIST assessment scale for adversarial threat sources][ii]

Notice how the assessment is broken up into levels of threat with associated values. These are going to be important in calculating your cyber risk. As for non-adversarial threats, you need to make an educated guess, weighing the possible impact should an incident take place. 

[Image: NIST assessment scale for non-adversarial threat sources][iii]

2. Classify Threat Events

Threat events or incidents are the actual attacks that have the potential to be committed against your company. Once you’ve listed all of the adversaries your organization faces, you are going to list every potential cyber attack, mistake, or glitch you can imagine, both adversarial and non-adversarial.

Threat incidents are characterized by the threat sources that could originate the events and, if it is an adversarial event, the tactics, techniques and procedures (TTPs) that the adversary uses to execute the cyber attack. You need to define these threat events (in detail) in order to assess your risk properly. Be as comprehensive as possible and ensure that the descriptions you create apply to the particulars of your organization. NIST’s example (found here on page E-2) is five pages long. That should give you a good idea of how detailed you need to be. You can’t prepare a robust incident response plan or protect your company from threats you did not anticipate.

Common threats across industries include:

  • Unauthorized access
  • Misuse of information by authorized users
  • Data leaks/accidental exposure of Personal Identifying Information (PII)
  • Loss of data
  • Service/productivity disruptions

So, how do you actually assess the relevance of each cyber threat to your organization? 

Use this scale.

[Image: NIST assessment scale for the relevance of threat events][iv]

Create a three-column table. In column one list the threat. In column two list the possible source(s) of the event. Finally, in column three, list the relevance.

3. Identify Vulnerabilities and How They Can Be Exploited

Now make the move from hypothetical into real-world applications. Until now, you've been dealing in the world of "what ifs and could happens." It's time to measure the threats against your actual system and current cybersecurity. This is when your red team results need to be considered to assess the potential seriousness.

As per NIST: “The severity of a vulnerability is an assessment of the relative importance of mitigating such a vulnerability. Initially, the extent to which mitigation is unplanned can serve as a surrogate for vulnerability severity. Once the risks associated with a particular vulnerability have been assessed, the impact severity and exposure of the vulnerability given the security controls implemented and other vulnerabilities can be taken into consideration in assessing vulnerability severity.”[v]

4. Identify the Likelihood of Adversarial Success

So, you’ve identified the threats to your company’s security posture and infrastructure. Now it’s time to evaluate the likelihood of these incidents. The knowledge from your red teaming or adversary emulation outlined in blog three comes in here as well. You want to answer the question, if these events were to occur, how successful might an adversary be? You want to create a “likelihood score” based on evidence, expert judgement, educated guesswork and experiences of your red team. Basically, you're creating an equation weighing the likelihood of an incident against the possibility that such an incident would have an undesirable outcome for your business. 

For cyber incidents initiated by threat groups or actors, companies consider the characteristics of associated threat sources. For non-adversarial threat incidents, companies must take into account the projected seriousness and length of the event. To do this, use the assessment scales.


5. Identify the Possible Impact

What you’ve now put together is, in essence, your company’s threat model. Now, use the threat model to define the impact these incidents would actually have. Create another table, this time with two columns. In column one organize the various types of impact your company could face (harm to operations, theft of intellectual property, damage to assets) and in column two list the different ways that impact might play out.


6. Assessing Your Company’s Risk

Your risk is ultimately determined by the convergence of the likelihood of an incident and the potential impact that the incident poses to your business. There’s a variety of ways to calculate this, such as the NIST scales (click here for the full document and scales), assigning numbers to incident likelihood and effect, or another method recommended for your industry or by a regulatory body.

Whatever methodology you use, once you've determined a number you're satisfied with and feel you have a clear picture of your current threat model and network vulnerabilities, you're ready to move on to improving your security posture. Share the assessment with shareholders and company executives so that they can determine the appropriate funds to be allocated and which high-risk areas receive those funds, as well as re-evaluate operations and policies to be more secure.

Your risk assessment is not a static document and needs to be revisited and updated often. You will never be able to mitigate all cyber risk. But, through assessment, you can minimize risk and increase safeguards where they are most required.
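To show how steps 1 to 6 fit together in practice, here is a small risk register written for this article as an added example (it is not a tool from the article, ISA or NIST). The 0-10 values attached to the qualitative levels follow the NIST SP 800-30 semi-quantitative scale; the rules for combining the two likelihoods and multiplying by impact are this example's own assumptions, and the threat events are constructed for a fictional small business.

```python
from dataclasses import dataclass

# NIST SP 800-30 semi-quantitative values (0-10 column) for the qualitative levels.
LEVEL_VALUE = {"very low": 0, "low": 2, "moderate": 5, "high": 8, "very high": 10}
BANDS = ((96, "very high"), (80, "high"), (21, "moderate"), (5, "low"), (0, "very low"))

def value_to_level(score: float) -> str:
    """Map a 0-100 score back onto the qualitative bands (NIST SP 800-30 ranges)."""
    return next(level for floor, level in BANDS if score >= floor)

@dataclass
class ThreatEvent:
    name: str
    source: str        # step 1: adversary or non-adversarial cause
    relevance: str     # step 2: how relevant the event is to this organization
    p_initiate: str    # step 4: likelihood the event is initiated (or simply occurs)
    p_harm: str        # steps 3-4: likelihood it causes harm given current controls
    impact: str        # step 5: severity of the impact if it does

def overall_likelihood(ev: ThreatEvent) -> str:
    # Assumption of this example: an event is only as likely to hurt you as the
    # weaker of "will it happen" and "will it get past our current controls".
    return min(ev.p_initiate, ev.p_harm, key=LEVEL_VALUE.__getitem__)

def risk_score(ev: ThreatEvent) -> int:
    # Assumption of this example: risk = likelihood value x impact value (0-100).
    return LEVEL_VALUE[overall_likelihood(ev)] * LEVEL_VALUE[ev.impact]

def risk_register(events):
    """Rank applicable events highest risk first: (name, likelihood, impact, risk level)."""
    applicable = [e for e in events if e.relevance != "not applicable"]
    ranked = sorted(applicable, key=risk_score, reverse=True)
    return [(e.name, overall_likelihood(e), e.impact, value_to_level(risk_score(e)))
            for e in ranked]

# Constructed sample threat events for a fictional small business (not from the article).
EVENTS = [
    ThreatEvent("Phishing steals staff credentials", "organized crime", "expected", "high", "moderate", "high"),
    ThreatEvent("Admin error exposes customer PII", "administrator error", "anticipated", "high", "high", "very high"),
    ThreatEvent("Power outage at head office", "utility failure", "possible", "low", "low", "low"),
    ThreatEvent("State-sponsored supply-chain implant", "nation state", "not applicable", "very low", "moderate", "very high"),
]

if __name__ == "__main__":
    for row in risk_register(EVENTS):
        print("%-40s likelihood=%-9s impact=%-9s risk=%s" % row)
```

The ranked output is the table to put in front of executives: the highest-risk rows are where funds and policy changes should go first, and re-running the script after controls change is how the register stays current.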

Final Thoughts

Now the real work begins: actively defending your network, ensuring appropriate security software is in place, making sure employees practise good cyber hygiene, and, most importantly, creating a strong incident response plan so that you are prepared should an incident occur.

Along with the NIST document referred to throughout this article, there’s also a great resource aimed at small and medium businesses from the Canadian government. Of course, your best defence is to partner with cybersecurity experts who have vast threat intelligence specific to your industry, know how to extract the most from your analytics, can test your system the same way attackers would, and offer a layered and accurate risk assessment of the security measures your company needs to take.
