In order to properly evaluate potential risk, an organization should:
Evaluate organizational structure Identify proper threat intelligence sources and gather useful information Perform risk assessment
Before we go more in-depth in each of these three steps, let’s look at a quick example below.
Example
Tom and Bob, two friends and budding entrepreneurs, decide to start an international shipping company. They perform all of the initial steps to get started:
Register their company Obtain all needed licenses Purchase trucks, ships and so on
As an international shipping company, there are risks particular to their industry they need to evaluate. A few issues they face could include:
Piracy Theft Loss of shipment(s) to natural disaster(s) Issues related to currency exchange rates
But how do they know that those are their potential issues? They could perform an internet search to do some research, or even watch the news. Current issues with pirates in certain parts of the world have been reported by news outlets. If their shipping routes travel through some of these areas, they could easily determine this is information they would want to pay attention to. They could also look at other international shipping companies and see areas in which they have had issues or have fallen victim. If those companies have similar structures to Tom and Bob’s company, they could learn from their mistakes and ensure that they don’t overlook the same threats. To get started, they should perform an evaluation of their company’s structure.
Evaluating organizational structure
The first step in not only determining risk, but identifying what types of risk are truly applicable to your organization, is to evaluate your organizational structure. This includes providing details about:
Organizational personnel: Leadership structure, roles and so on Assets evaluation: Take inventory of physical assets, evaluate IT structure Identify compliance needs: HIPAA, ISO, DoD, federal and more Evaluating the organizations posture in its market: Is the organization comparable to others in their industry? Do they pay their employees similar wages? These considerations are what can contribute to insider threat concerns
Going back to the first step, you want to know and list all of your assets. This includes personnel as well as physical assets. Once you have all of your inventory listed, you can delve deeper into your infrastructure. If you have digital assets, e.g., servers, workstations and so on, you can then take a logical dive into that infrastructure as well. Identify and evaluate the software and applications in use. Say, for example, that your company is using Adobe flash in their browsers. It would be important to know that this software will no longer be supported after 2020. This could present a possible future vulnerability. Or maybe you have Microsoft servers: you want to be aware of current vulnerabilities associated with that operating system. No matter your industry, there is some level of compliance you have to follow. Medical entities are bound by HIPAA laws. Industrial industries have multiple regulatory standards they must comply with. DoD organizations also have various regulations to follow: for example, to assess their IT infrastructure, they use NIST standards and the Risk Management Framework (RMF). These standards help to minimize risk and enforce compliant with current security best practices. It is imperative to determine what compliance needs your organization is bound to, as this will also help you to identify risks specific to you. These compliance standards are written based on current trends and projected needs.
Threat intelligence
Threat intelligence has been defined as: …evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard. In the world of cybersecurity, we often think of threat intelligence as only being cyber-related. However, threat intelligence is any information that helps identify threats to your industry and organizational setup. For example, the news could be a source of threat intelligence. It may not always be the most reliable one, but it is still one, nonetheless. If Tom and Bob from our example saw a news story about pirates in the Indian Ocean, that is important to them and their operation. Finding a good source of relevant threat intelligence that is pertinent to your organization is beneficial. It can help you adjust your operations. It is also useful in performing risk assessments and creating more in-depth threat models.
Risk assessment
Performing a risk assessment is a form of evaluating potential threats and how they could cause harm to an organization. Performing a risk assessment includes, or should include, creating threat models. According to OWASP (Open Web Application Security Project), a threat assessment should include:
A description/design/model of the asset(s) you’re worried about A list of assumptions that can be checked or challenged in the future as the threat landscape changes A list of potential threats to the system A list of actions to be taken for each threat A way of validating the model and threats, and verification of success of actions taken
Using collected threat intelligence is helpful in performing a more thorough risk assessment. Threat modeling can be used to assess business processes and organizational structure, as well as technical items. These technical items include:
Infrastructure Networks Systems Software Applications Internet of things (IoT) items
A well-done risk assessment will expose potential weak spots in your processes and architecture. The assessment and threat models can show where to place proper protections and countermeasures.
Conclusion
The combination of performing the organizational evaluation, identifying appropriate threat intelligence and applying that intelligence while performing a risk assessment will help to expose the threats associated with your organization. This subsequently will help you understand what risks to focus on. Time is valuable. No organization wants to waste time or resources working to combat risks that aren’t applicable to them. Threats are all around, and ascertaining which ones are targeting your organization ensures you can be prepared to thwart an attack and protect your assets.
Sources
7 strategies for managing the big risks of international distribution, TradeReady What Is Threat Intelligence?, Recorded Future Application Threat Modeling, OWASP Category:Threat Modeling, OWASP