Completing a risk assessment will allow an organization to allocate resources (time, money, and human capital) to reduce overall risk in an intelligent and strategic way. Cybersecurity defenses and controls should never be deployed arbitrarily; they should be deployed with the intention to reduce risk. Below are the basic steps taken to complete a risk assessment.
Sequential Steps Involved in Conducting a Risk Assessment
1. Identification: Determine all critical assets of the technology infrastructure. Next, identify the sensitive data that is created, stored, or transmitted by these assets. Create a risk profile for each.
2. Assessment: Apply an approach to assess the identified security risks for critical assets. After careful evaluation and assessment, determine how to effectively and efficiently allocate time and resources towards risk mitigation. The assessment approach or methodology must analyze the relationships between assets, threats, vulnerabilities, and mitigating controls.
3. Mitigation: Define a mitigation approach and enforce security controls for each risk.
4. Prevention: Implement tools and processes to minimize the occurrence of threats and vulnerabilities in your firm’s resources.
Different Types of Risk Events
1. Malware: Malware is unwanted software that installs itself on a target system, causing unusual behavior. This ranges from denying access to programs and deleting files to stealing information and spreading itself to other systems.
2. Password Theft: “I’ve been hacked!” A common conclusion when you log in to an account, only to find your password changed and details lost. The reality is an unwanted third party managed to steal or guess your password and has since run amok with the information. It’s far worse for an enterprise, which may lose sensitive data.
3. Traffic Interception: Also known as “eavesdropping,” traffic interception occurs when a third party “listens” to information sent between a user and a host. The kind of information stolen varies with the traffic, but it is often used to capture logins or valuable data.
4. Phishing Attacks: Typically, an end user receives a message or email which requests sensitive data, such as a password. Sometimes the phishing message appears official, using legitimate-appearing addresses and media. This compels an individual to click on links and accidentally give away sensitive information.
5. DDoS: Distributed Denial of Service is an attack method in which malicious parties target servers and overload them with user traffic. When a server cannot handle incoming requests, the website it hosts shuts down or slows to unusable performance.
6. Cross-Site Scripting: Referred to as an XSS attack. In this instance, a third party targets a vulnerable website, typically one lacking encryption. Once the site is targeted, the malicious code is loaded onto it. When a regular user accesses that website, the payload is delivered to their system or browser, causing the unwanted behavior. The goal is either to disrupt standard services or to steal user information.
7. Zero-Day Exploits: Occurring after the discovery of a “zero-day vulnerability,” a zero-day exploit is a targeted attack against a system, network, or software. The attack takes advantage of an overlooked security problem to cause unusual behavior, damage data, or steal information.
8. SQL Injection: An SQL injection attack is essentially query manipulation, carried out to access information that isn’t meant to be available. Malicious third parties manipulate SQL “queries” (the text commands an application sends to its database service or server) so that they return sensitive information.
9. Social Engineering: Similar to phishing, social engineering is the umbrella method for attempting to deceive users into giving away sensitive details. This can occur on any platform, and malicious parties will often go to great lengths to accomplish their goals, such as utilizing social media info.
10. MitM Attack: A Man-in-the-Middle attack occurs when a third party hijacks a session between a client and a host. The attacker generally cloaks itself with a spoofed IP address, disconnects the client, and then requests information from the client. For example, a user attempting to log in to a banking session could have their account information hijacked by a MitM attack.
11. Ransomware: A nasty variant of malware, ransomware installs itself on a user system or network. Once installed, it prevents access to functionalities (in part or whole) until a “ransom” is paid to third parties.
12. Cryptojacking: Cryptojacking is an attempt to install malware that forces the infected system to perform “crypto-mining,” a popular way of earning crypto-currency. Like other viruses, it can infect unprotected systems. It is deployed because crypto-mining is hardware-intensive, and the attacker offloads that computing cost onto the victim’s systems.
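To make item 8 (SQL Injection) concrete, the following added example (not part of the original page) shows the same lookup written two ways against a constructed in-memory SQLite table: one that splices user text into the query, and one that passes it as a bound parameter. The table contents and the `lookup_*` function names are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory accounts table standing in for
# the real database behind a web application.
SAMPLE_ROWS = [
    ("alice", "alice@example.test", "staff"),
    ("bob", "bob@example.test", "admin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the user's text becomes part of the SQL grammar,
    # so quotes and keywords inside it change what the query means.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    # Parameter binding: the SQL text is fixed and the value travels
    # separately, so the driver treats the whole input as one string literal.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = make_db()
    honest = "alice"
    # The classic tautology probe that vulnerability scanners test for.
    manipulated = "' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_manipulated": lookup_vulnerable(conn, manipulated),
        "safe_honest": lookup_safe(conn, honest),
        "safe_manipulated": lookup_safe(conn, manipulated),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {len(rows)} row(s) returned")
```

With the concatenated query, the manipulated input turns the WHERE clause into a condition that is always true and every account comes back; the bound-parameter version returns nothing for it, because no user is literally named `' OR '1'='1`.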
A penetration test, also known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system. This is not to be confused with a vulnerability assessment. The test is performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data, as well as strengths, enabling a full risk assessment to be completed.
The process identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal. A penetration test target may be a white box (about which background and system information are provided in advance to the tester) or a black box (about which only basic information—if any—other than the company name is provided). A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor). A penetration test can help identify a system's vulnerabilities to attack and estimate how vulnerable it is.
Security issues that the penetration test uncovers will be reported to the system owner. Penetration test reports will also assess potential impacts to the organization and suggest countermeasures to reduce the risk.
Penetration Testing can be described as: "A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might."
The goals of a penetration test vary depending on the type of approved activity for any given engagement, with the primary goal focused on finding vulnerabilities that could be exploited by a nefarious actor and informing the client of those vulnerabilities along with recommended mitigation strategies.
Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule, and after system changes. Penetration testing also can support risk assessments as outlined in the NIST Risk Management Framework SP 800-53.
Several standard frameworks and methodologies exist for conducting penetration tests. These include the Open Source Security Testing Methodology Manual (OSSTMM), the Penetration Testing Execution Standard (PTES), the NIST Special Publication 800-115, the Information System Security Assessment Framework (ISSAF) and the OWASP Testing Guide.
There are different types of penetration testing, depending on the organization's goal. These include Network (external and internal), Wireless, Web Application, Social Engineering, and Remediation Verification.
An incident response plan is the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber-attacks against an organization’s information system(s).
What is Incident Response?
Incident response (IR) is the set of steps used to prepare for, detect, contain, and recover from a data breach.
What is an Incident Response Plan?
An incident response plan is a document that outlines the procedures, steps, and responsibilities of an organization’s incident response program.
Incident response planning includes the following details:
- how incident response supports the organization’s broader mission
- the organization’s approach to incident response
- activities required in each phase of incident response
- roles and responsibilities for completing IR activities
- communication pathways between the incident response team and the rest of the organization
- metrics to capture the effectiveness of its IR capabilities
It’s important to note that an IR plan’s value doesn’t end when a cybersecurity incident is over; it continues to provide support for successful litigation, documentation to show auditors, and historical knowledge to feed into the risk assessment process and improve the incident response process itself.
Conducting Vulnerability Assessments on a regular basis provides a current view of weaknesses that could easily be exploited by malicious actors such as computer hackers. Understanding current vulnerabilities offers an opportunity to fix or remediate weaknesses before a successful cyber-attack is launched. Most of our clients perform Vulnerability Assessments on a quarterly basis.
What is a Vulnerability Scan?
A vulnerability scan is an automated, high-level test that looks for and reports potential known vulnerabilities. For example, some vulnerability scans are able to identify over 50,000 unique external and/or internal weaknesses (i.e., different ways or methods that hackers can exploit your network).
An external vulnerability scan is performed from outside your network (e.g., at your network perimeter) and identifies known weaknesses in your externally reachable network structures. An internal vulnerability scan is performed from within your network and examines the other hosts (active IPs) on the same network to identify internal vulnerabilities.
Think of your environment as a house. External vulnerability scanning is like checking to see if doors and windows are locked, while internal vulnerability scanning is like testing if bedroom and bathroom doors are locked.
Our vulnerability scans generate an extensive report of found vulnerabilities and give references for further research on these vulnerabilities.
Despite what many businesses believe, scanning isn’t enough. You shouldn’t just scan and sit on the report. Act quickly on any discovered vulnerabilities to ensure security holes are fixed, and then re-scan to validate that vulnerabilities have been successfully addressed.
Vulnerability scanning identifies potentially harmful vulnerabilities so that you can remediate them and maintain network security.