Managing Cyber Security Risk

Cyber Security, Risk Management

Contents

Cyber Security Risk

Whilst ‘Risk Based Design’ is fast becoming the mantra used to build corporate infrastructure, there are many interpretations of what this means. Although clearly defined, it has led to a global growth in risk assessment and management tools, which whilst excellent for collecting and assessing data, require some pragmatic analysis to ensure the information they generate, can be used to support effective decision making alongside all other ‘risks’ the Executive has to consider. The following is intended to try and normalise what is meant be risk in the cyber security context.

Background

Managing cyber risk is now a frontline activity and should be considered by the Executive alongside other business strategies such as business transformation, market analysis and financial investment. Poor cyber risk management can result in any of these being adversely affected with potentially disastrous consequences.

Risk is defined in ISO 31000 (ISO Guide 73 – Vocabulary) as the “effect of uncertainty on objectives”. To assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

The approach to risk management as defined in ISO 31000 is consistent whether it applies to investment risk, project risk or cyber risk. Cyber Security Risk

1. Identify the risks:

Potential Threats – what could affect the ‘system’ defined in the context.

Vulnerabilities – how could the ‘system’ be affected.

2. Evaluate the risk – what would be the business impact should the threat materialise.

3. Define the risk treatment

Alongside this, a defined communications and continuous improvement strategy must be in place.

To ensure the organisation has a good understanding of the risks facing the technology environment, a continuous programme of risk management must be in place and maintained. This will provide the Executive with a sound basis for decision making; but only if it is current and accurate – this is known as Continuous Assurance.

The following summarises the activities at each stage.

Establish Context

The first stage is to ensure the risk assessment covers the scope of the system in its entirety and does not try to identify and manage risks in other areas.

Scope

Firstly, establish the scope of the risk assessment. As in ISO 27k, the first step is to contextualise what is being considered. The danger of not establishing the scope at the outset, is to become embroiled in side-issues over which the risk review has no authority or control. These may be identified as dependencies.

What does the system look like?

A good understanding of what the system looks like at the time of review is essential. This must include its business purpose or objective, technology platform, build levels, location, service levels, resilience measures etc. This must be maintained as part of an overall architectural definition.

Dependencies

Any dependencies must be identified. That includes infrastructure dependencies – power, storage, CPU expansion etc. as well as any system and data dependencies. Upstream and downstream data flows must be clearly identified along with data attributes. Any system access restriction must also be defined in line with the assessed sensitivity of the system.

Ownership

Finally, the system must have a business owner who has a vested interest in ensuring the system is meeting its required business objective.

Cyber Security Risk Identification

Identifying risk is not just a matter of looking at the growing number of technology failings and tools being developed to exploit them; it must consider these alongside the potential business impact. This impact may be considered in a range of areas including:

  • Injury or death.
  • Political embarrassment.
  • Financial loss, direct or consequential.
  • Loss of market share.
  • Loss of Intellectual Property.
  • Damage to infrastructure.

Threat analysis

Threat analysis is now a major business stream. Any organisation needs to know what is emerging that could potentially affect their infrastructure. These are emerging daily and will affect each aspect of an operational infrastructure:

  • People – are they trustworthy?
  • Processes – are they being followed and maintained correctly (consider the Carnegie Mellon Process Maturity Model)?
  • Technology – is it trustworthy and has it been tested?

This may be considered on a macro level – how is the organisation affected by global changes. The Information Security Forum (Threat Horizon) provides a good overview on what global industry security leaders believe are their next big challenges.

There are several organisations that now provide more detailed information on targeted analysis of threats to the organisation particular infrastructure on a subscription basis. They will provide up to date information on what may affect the corporate systems. This information, whilst less targeted is also available from AusCert and the Australian Cyber Security Centre (ACSC) as well as other international sources of threat analytics.

Vulnerability assessment

The operational infrastructure must be regularly assessed for potential vulnerabilities or exposure to these threats. This is done in two parts:

  • Regular penetration tests that will assess if the infrastructure can be broken in to and how easily using either automated tools or suitability qualified people. A ‘white hat’ approach will work with the system owners at each step of the way and fix identified issues. A ‘black hat’ approach will also test the alertness of the security operators.
  • Vulnerability scans run regularly against the systems and operational infrastructure, will identify potential exposures that could be exploited. This can be run internally or as a service and should use a capability that has up to date vulnerability data, ease of exploitation levels and potential system impacts.

In both cases, the results must be assessed, and appropriate action taken.

Threat assessment

The threat assessment role must relate those threats identified as having the potential to affect the infrastructure, the vulnerability of the infrastructure to the threat being successful and the technical and business impact if it is successful.

Threat hunting

Threat hunting refers to the capabilities put in place to identify possible threats that are targeted at the corporate infrastructure. These may use tools specifically designed to exploit a system vulnerability, a phishing email designed to gain entry into the infrastructure, a targeted phishing email aimed at gathering specific information (Spear Phishing), or a ransomware application designed to disrupt operations.

Advanced Persistent Threat (APT)

An advanced persistent threat, as its name implies, may have no immediate effect, but remains dormant, gathering information about system structure and operation, until it is triggered. It can then cause mayhem within the complete operational infrastructure. It is estimated these can remain in an organisation’s system for over a year without being detected.

Cyber Security Risk Evaluation

A key aspect of the overall risk management process is in the evaluation stage. This provides the basis for the business plan to request investment in future security capabilities and should be comparable to other corporate functions.

Business impact analysis

The first part is to assess the impact on the business should the system fail, be compromised or be inaccessible. As outlined above this impact may be measured across a number of facets, but essentially, can come down to a dollar value. This can be used to assess or justify the investment required to mitigate or manage the risk.

Ownership, accountability, and responsibility

All systems and consequently, all risks must have an owner. The system must be owned by an identified person in the business with sufficient authority to ensure the system is operating as expected. They may assume or delegate accountability for ensuring the system is operationally acceptable to the business and ensure there is sufficient funding available for ongoing operation. Lastly, their must be an identified area of responsibility for ensuring the system is operational, effective, and properly maintained.

Consequential risk

In some cases, systems may have dependencies or may provide (trusted) paths through to other systems. Where this is the case, the risk owner cannot accept any risk which may have a consequential impact on a related system.

Cyber Security Risk Treatment

Once a good understanding of the risk is defined, a decision must be taken on how to treat or mitigate the risk to reduce the impact or reduce the likelihood.

Risk Mitigation

The following are accepted approaches that can be considered:

Risk acceptance

Accept the risk as having too low and impact or too low a likelihood to be of immediate concern. This must remain on the risk register in case circumstances change

Risk reduction

Reduce the scale of the risk by either minimising the potential impact or by reducing the vulnerability. This may be done using the NIST (Cyber Security Framework) approach – Protect, Detect, Respond and Recover.

Risk elimination

Eliminate the risk entirely by changing the way the service is provided. This must be considered alongside the potential loss of business opportunity.

Risk avoidance

Avoid operating in the exposed or vulnerable space. Again, this must be balanced against business need.

Risk offset

Pass the level of risk over to someone else more capable or qualified to manage it, such as cyber insurance or a third-party SaaS or PaaS service.

Residual risk

Whichever approach is chosen, there may always be some residual risk. That is the remaining exposure or impact after the treatment is applied.

Advanced Threat Protection (ATP)

ATP, not to be confused with APT (above) is the emerging suite of products providing a combined set of security controls which operate together to provide an overall security control ecosystem. For most organisations, the Microsoft Defender ATP suite is being considered to address many of the concerns. This includes:

  • Malware scanning.
  • Defender firewall.
  • Disc protection.
  • Protective marking.
  • Data loss protection.
  • APT scanning.
  • User access reviews.
  • Application whitelisting.

Patch management

One of the key security controls identified by ACSC and listed under the Essential 8, is patch management. This must be run regularly as a documented process based on the output from the Penetration Tests and Vulnerability Scans. It is very easy for a system to become unstable and unsustainable if this is not done. This will potentially leave the organisation open to exploitation, not just of the unpatched system, but potentially the whole infrastructure.

Risk reduction

Risk should always be reduced to an acceptable level where possible. Where this is not possible for operational or technical reasons, consideration must be given to compensating controls. These may take the form of insurance, limiting time in an exposed area or business continuity/disaster recovery. Whichever path is chosen, it must be documented and accepted by the business owner and possibly the Board.

Enterprise Risk

Enterprise risk management (‘ERM’ as defined by Gartner) is identifying, analysing, and treating the exposures an organisation faces as seen by the executive levels of management. ERM does not apply to one aspect of the organisation’s operational strategy alone but must be considered alongside other key decision-making areas. That is, looking at exposures in finance, credit, fraud, strategic and operational matters for the whole organisation.

Author: Stewart Hayes (MSc; CRISSC, CIPM, SABSA, CISM)

Managing Risk: Maximising Innovation

Stewart is an experienced industry professional with over 40 years of experience in Security and Risk Management covering cyber, physical and personnel protective measures specialising in integrated services and converged security capabilities.

 

You may also like

About us

Welcome to Australia's fastest-growing blog for professionals, senior executives, managers and graduates! We cover a range of topics relevant to business and technology professionals.

Contribute to our Blog

Newsletter

Training & Certification

× How can I help you?