Using risk assessments to find cybersecurity vulnerabilities
By Laura Dugan
Life inherently comes with risks, those unpredictable moments that may not have the outcome we expect. Humans have become adept at mitigating those risks. Driving involves moving a two-ton vehicle on four rubber wheels at high speeds, but air bags, seat belts, blind spot detectors, and a host of other features increase safety. Skydiving may seem like a risky quest, but it would be far more so without a parachute.
When it comes to technology, lessening risks is vital and best accomplished by introducing risk assessments. Risk assessments are a proactive way to identify risks from a hacker’s perspective, ultimately providing protection for IT systems.
According to a white paper by James Bayne of the SANS Institute, a research and education organization dedicated to information security training and security certification, the five questions that should be answered by a risk assessment include:
- What needs to be protected?
- Who/What are the threats and vulnerabilities?
- What are the implications if they were damaged or lost?
- What is the value to the organization?
- What can be done to minimize exposure to the loss or damage?
Bayne notes that the risk assessment should “be a collaborative process," and adds, "Without the involvement of the various organizational levels, the assessment can lead to a costly and ineffective security measure.”
Risk assessments can be conducted on internal or external threats, or both. The business needs will drive which assessment is best suited at the time. After the scope of the assessment is decided, data should be collected. Collecting data can include collecting policies, procedures, interviewing personnel, and reviewing systems and software.
The collected information is then analyzed for vulnerabilities to determine if the current security methods are sufficient to protect the systems reviewed. This is done by testing the system “to determine the current exposure, whether current safeguards are sufficient in terms of confidentiality, integrity or availability,” writes Bayne.
After the vulnerability analysis, a threat analysis is conducted. “Threats are described as anything that would contribute to the tampering, destruction or interruption of any service or item of value,” writes Bayne. Threats may include anything from hackers to theft to poorly trained staff to hurricanes.
Threats and vulnerabilities should each be tested and rated, looking at both the level of severity and exposure for the area of concern. Items with a high level of severity and exposure are those that should be addressed first.
It’s also important to look at threats and vulnerabilities together as they are often connected. If the current process for updating antivirus software is out of date, for example, it is a vulnerability that creates a threat of hackers getting into the system. Both the vulnerability and the threat need to be addressed and remediated.
Bayne emphasizes that the risk assessment is not something to be done once and then forgotten, but instead should become a part of the business’s infrastructure. “It is a continual process that once started should be reviewed regularly to ensure that the protection mechanisms currently in place still meet the required objectives.”
Read the full white paper, “An Overview of Threat and Risk Assessment,” by James Bayne.