Threat Agent / Source - the intent and method targeted at the intentional exploitation of a vulnerability, or a situation and method that may accidentally exploit a vulnerability.
Threat Vector - the method or path a threat uses to access the target.
Threat Assessment - a structured process used to identify and evaluate various risks or threats that an organization might be exposed to.
Threat Assessment Types
Environmental - natural events. Examples: weather, storms, flooding, earthquakes, fire, etc.
Manmade - human cause.
Internal vs External - the origin of the threat source. Is the threat agent inside your organization? (Employee, contractor, consultant, etc.)
Risk Assessment
Also known as risk analysis or risk calculation.
Analyzing threats, vulnerabilities, and the impact of a loss of information-processing capabilities (systems) or a loss of the information itself.
Identify associated threats & vulnerabilities.
Determine the likelihood of exploit or compromise.
Determine the impact of exploit or compromise.
Prioritize risk activities / security controls.
NIST Risk Management Framework
Quantitative vs Qualitative Risk Analysis
Qualitative - estimating risk values (likelihood & impact), normally using a scale (1-5). Subjective and less accurate.
Quantitative - using real values to calculate the risk equation.
Return on Investment (ROI) / Return on Security Investment (ROSI)
SLE x ARO = ALE
ALE (Annual Loss Expectancy) Value: A monetary measure of how much loss you could expect in a year.
SLE (Single Loss Expectancy) Value: How much you could expect to lose at any one time.
SLE can be divided into two components:
AV (Asset Value): The value of an item.
EF (Exposure Factor): The percentage of loss.
ARO (Annualized Rate of Occurrence): The likelihood, often drawn from historical data, of an event occurring within a year.
Risk Calculation Example
If you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be the equivalent of $1000, and that there will be seven such occurrences a year (ARO = 7), then the ALE is $7000.
Conversely, if there is only a 10% chance of an event occurring within a one-year period (ARO = 0.1), then the ALE drops to $100.
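The SLE and ALE formulas above, carried into a short script that checks the notes' own figures and then ranks a small risk register by ALE so the highest expected loss is treated first (an added example, not part of the original notes; the register entries and their AV, EF and ARO values are constructed for illustration only):

```python
"""Quantitative risk calculation: SLE = AV x EF, ALE = SLE x ARO.

Added example (not from the original notes). The sample register below
is constructed for illustration; the dollar values are not real data.
"""
from dataclasses import dataclass
from typing import List


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost per incident."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of incidents per year
    (a fraction such as 0.1 means one incident every ten years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Risk:
    """One row of a risk register, holding only the quantitative inputs."""
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, 0.0 to 1.0
    aro: float              # ARO, incidents per year

    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    def ale(self) -> float:
        return annual_loss_expectancy(self.sle(), self.aro)


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order the register by ALE, highest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample register (hypothetical assets and figures).
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", asset_value=50_000, exposure_factor=0.4, aro=0.5),
    Risk("Laptop theft", asset_value=2_000, exposure_factor=1.0, aro=3),
    Risk("Flood in data center", asset_value=200_000, exposure_factor=0.25, aro=0.02),
]


if __name__ == "__main__":
    # The two cases from the notes: SLE $1000 with ARO 7 and with ARO 0.1.
    print("ALE (SLE $1000, ARO 7):  ", annual_loss_expectancy(1000, 7))
    print("ALE (SLE $1000, ARO 0.1):", annual_loss_expectancy(1000, 0.1))
    print()
    print(f"{'Risk':30} {'SLE':>10} {'ALE':>10}")
    for risk in prioritize(SAMPLE_REGISTER):
        print(f"{risk.name:30} {risk.sle():>10,.0f} {risk.ale():>10,.0f}")
```

Ranking by ALE rather than by SLE is the point of the exercise: the flood has the largest single-loss figure in the sample register, but its low ARO pushes it below the two frequent, cheaper events when the expected annual loss is compared.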
Risk Response / Strategies
Avoidance - making the decision not to engage in the actions associated with that risk.
Transfer - sharing the burden of the risk with another party (insurance).
Mitigation - taking steps to reduce the likelihood or impact of a risk.
Acceptance - choosing to live with a risk. Must be a conscious choice by management.
Risk Register
Recording information about an identified risk.
Can be a specialized software program, a cloud service, or a master document (spreadsheet).
Contains details about the risks, risk decisions, mitigating controls, risk owner, time frames, residual risk, etc.
Ensures the organization is aligned.
Supply Chain Assessments
AKA Third-Party Assessments
Review vendor's security posture.
Any organization connected to yours (virtually or physically).
Often accomplished with checklists.
Change (IT) - the addition, removal, or altering of an information technology environment.
Change management process goal - to allow for change without disruption, or with only minimal disruption, to these systems and services.
Need to reassess security risks with any change.
The change itself.
Part of the Risk Analysis process.
Provides visibility into the risk components.
Risk Management Methods
Acceptance - Deciding to bear the cost of a potential risk.
Avoidance - Deciding to no longer employ the actions associated with a particular risk.
Deterrence - Discouraging certain actions from being taken to protect against risk.
Mitigation - Taking steps to reduce risk.
Transference - Sharing the burden of a potential risk with another entity.