Identifying Risk — RockCyber


Last time I introduced the third component of the COSO ERM framework, Performance. This week we move on to its first principle: Identifies Risk.

The Performance component has five principles:

  1. Identifies risk

  2. Assesses the severity of risk

  3. Prioritizes risks

  4. Implements risk responses

  5. Develops a portfolio view

It almost goes without saying that risk management begins with identifying risk, but in all seriousness, risk identification is easier said than done. It is impossible to identify every possible risk, but it is possible to identify the risks most likely to affect the organization's ability to achieve its objectives.

In terms of cyber risk, risk identification has four main inputs:

  1. Asset inventory and valuation

  2. Identify potential threats

  3. Identify potential attack scenarios

  4. Evaluate potential consequences

Let's talk about some key activities you need to perform for each of these inputs.

Asset inventory and valuation

Every risk assessment must begin with an understanding of your organization's digital and physical assets and their value to the organization. Organizational value ultimately boils down to dollars and cents, but it is not always easy to translate things into those terms. Risk to revenue can be easy to calculate, but risk to reputation, or risk to health and safety? Not so much.

Traditionally, a Business Impact Analysis (BIA) is how you achieve the goal of understanding what assets mean to your organization. A BIA estimates how much the organization stands to lose when a business disruption occurs, and it is needed to distinguish critical from non-critical services, technologies, and processes so that you can prioritize security controls and remediation efforts.

For this reason, an organization cannot conduct a BIA in a vacuum. It must be sponsored and led by senior management across the organization.

Identify potential threats

Now it is time to perform a threat modeling exercise. Threat modeling is a structured process in which potential threats are identified and enumerated so that mitigations can be prioritized.

There are many sources of cyber threat information, ranging from paid subscriptions to free sources such as the Cybersecurity and Infrastructure Security Agency (CISA).

There are several threat modeling techniques for analyzing these threats. They fall into two broad approaches: top-down and bottom-up.

The top-down approach is asset-centric: it starts from the critical assets and asks what could go wrong with them. The bottom-up approach is threat-centric: it starts from a set of defined threat scenarios and evaluates their potential impact. Some examples of each approach are:

  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) (top-down): Helps organizations identify the assets that are critical to achieving organizational goals, the threats to those assets, and the vulnerabilities those threats can exploit.

  • Microsoft STRIDE (bottom-up): STRIDE stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege.

  • MITRE ATT&CK™ (bottom-up): A globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Regardless of which method you use, it is vital to look at threats in the context of your business, the threat actors involved (e.g., script kiddies versus nation-states), and the impact of their actions.
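To make "structured process" concrete, here is an added example (not from the original post) of STRIDE-per-element threat enumeration in Python over a small, constructed data-flow diagram for a hypothetical payments service. The element-type-to-category mapping is Microsoft's published STRIDE-per-element table; the rule that flows crossing a trust boundary are listed first is a simplifying prioritization assumption made here, not part of STRIDE itself.

```python
from collections import Counter
from dataclasses import dataclass

# STRIDE-per-element: the threat categories Microsoft's method applies to
# each data-flow-diagram element type.
STRIDE_PER_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
                "Denial of service", "Elevation of privilege"},
    "datastore": {"Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"},
    "dataflow": {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # external | process | datastore | dataflow
    zones: tuple     # trust zone(s); a dataflow lists the zones at both ends


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool   # True when a flow connects two different trust zones


def crosses_trust_boundary(e: Element) -> bool:
    """A dataflow whose endpoints sit in different trust zones crosses a boundary."""
    return e.kind == "dataflow" and len(set(e.zones)) > 1


def enumerate_threats(elements):
    """Apply STRIDE-per-element to every element and return the candidate threats.

    Boundary-crossing flows are listed first (an assumed prioritization for this
    example), then elements alphabetically, then categories alphabetically.
    """
    threats = []
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        crossing = crosses_trust_boundary(e)
        for category in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, category, crossing))
    threats.sort(key=lambda t: (not t.crosses_boundary, t.element, t.category))
    return threats


def threats_by_category(threats):
    """Count candidate threats per STRIDE category: a rough view of where to focus."""
    return Counter(t.category for t in threats)


# Constructed sample DFD for a hypothetical fintech payments service.
SAMPLE_DFD = [
    Element("Customer", "external", ("internet",)),
    Element("Payments API", "process", ("dmz",)),
    Element("Ledger DB", "datastore", ("internal",)),
    Element("Report job", "process", ("internal",)),
    Element("Customer -> Payments API", "dataflow", ("internet", "dmz")),
    Element("Payments API -> Ledger DB", "dataflow", ("dmz", "internal")),
    Element("Ledger DB -> Report job", "dataflow", ("internal", "internal")),
]


if __name__ == "__main__":
    found = enumerate_threats(SAMPLE_DFD)
    for t in found:
        flag = "BOUNDARY" if t.crosses_boundary else "        "
        print(f"{flag} {t.element:28} {t.category}")
    print(threats_by_category(found))
```

The output is a candidate list, not a finished threat model: each row still needs a human to decide whether the threat is plausible for the business, which threat actors could realize it, and what the impact would be. What the enumeration buys you is that nothing is skipped by accident, and the boundary flags give a first cut at where to spend review time.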

Identify potential attack scenarios

Now that we understand how to identify threats, we need to determine how they could exploit weaknesses in our environment by identifying potential attack scenarios. Remember that a threat cannot become a risk unless there is a weakness or vulnerability that the threat can exploit.

Here is another example of why understanding the business context is essential. Attack scenarios will differ by organization type and size. A fintech startup will face significantly different attack scenarios than a nuclear power plant. Take the time to identify the attack scenarios attackers are most likely to use against your environment.

There are three basic methods for identifying potential attack scenarios that are similar but distinct: penetration testing, red teaming, and threat hunting.

Evaluate potential consequences

Now that we understand the potential threat and attack scenarios, we need to evaluate the consequences those threat, attack, or incident scenarios could have on our identified assets.

The impact of an incident scenario should take our business context into account. Through the BIA, assets should already have been assigned values based on their financial cost and the business consequences if they are damaged or compromised.

Some examples of consequences to take into account are:

  • Health and safety (especially in operational technology environments)

  • Time to investigate and remediate

  • Downtime

  • Cost

  • Cost of bringing in external assistance for remediation

  • Reputation, brand image, and goodwill

Next time, we will talk about assessing the severity of each risk.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we will set something up.

Have a nice week!
