
Risk assessment is defined as the process of identifying, estimating and prioritizing risks to an organization's operations, assets, individuals, other organizations and even the nation.
The field of cybersecurity and the businesses within it are always concerned about risks and security-related challenges, but organisations far too frequently fail to proactively manage risk. Any organisation should engage in thorough and ongoing risk assessment and analysis. As cyber professionals, it's our job to participate in risk assessment, analysis, mitigation, remediation and communication as security team members for an organisation.
#ISC2
First the basics: what is the "Risk" that needs managing? It is a measure of the extent to which an entity is threatened by a potential circumstance or event. It is often expressed as a combination of:
The negative impacts that would arise if the situation occurs, and the likelihood of occurrence.
Information security risk reflects the potential negative impacts that result from the possibility of unauthorized access, use, disclosure, disruption, modification or destruction of data or systems.
#ISC2
Risk Terms:
An asset is something in need of protection.
A vulnerability is a gap or weakness in those protection efforts.
A threat is something or someone that aims to exploit a vulnerability to thwart protection efforts.
#NIST800-30
Likelihood x Impact = The Risk Matrix
While it is subjective to the person carrying out the risk analysis, by estimating the likelihood of the risk happening against the impact this would have on business operations, we create a matrix.
QUALITATIVE or QUANTITATIVE?
Qualitative is the assignment of a descriptor such as Low, Medium and High (see the risk matrix above).
Quantitative is assigning a numerical value on a scale, for example 1-3 instead of Low-High.
#NISTIR
Breach Impacts:
Financial;
The Risk of monetary damage to an organization resulting from a data breach.
Reputational;
The Risk of negative publicity, loss of faith from customers, or customers moving to a competitor who is seen as more reliable.
Strategic;
The Risk the organisation cannot carry out its overall business plans due to the breach.
Operational;
The Risk that an organisation cannot carry out its day-to-day operations due to the breach.
Compliance;
The Risk that the data breach violates law and regulation affecting your organisation, e.g. the Data Protection Act.
The Grey Area;
As can be seen from the similarity between Strategic and Operational, there can be risks that cross categories, and there will also be breaches that affect multiple categories.
Control Categories:
Technical - Enforce confidentiality, integrity and availability (CIA). E.g. firewall rules, ACLs, IPS and encryption.
Operational - Processes put in place to manage technology in a secure manner. E.g. log monitoring, access reviews and vulnerability management.
Managerial - Procedures that focus on the mechanics of risk management. E.g. periodic risk assessments, security planning and integration into business change management.
Control Types:
Preventive - Stop it before it happens.
Detective - Identify events that have already occurred.
Corrective - Remediate events that have occurred.
Deterrent - Discourage future recurrences.
Physical - Physical security such as locks, fences etc.
Compensating - Exceptions are sometimes made to a security policy; these controls try to mitigate the resulting weakness.
Data Minimization reduces risk by reducing the amount of sensitive data that is maintained and stored on a regular basis. This includes the secure deletion of data that is no longer required. De-identification or data obfuscation can be used to make data unreadable if it can't be completely removed.
Data Obfuscation tools;
Hashing - Using a hash function to transform data into a hash value. If you apply a strong hash function to the data, the hash value may replace the original value in the file.
Tokenization - Replaces sensitive values with a unique identifier using a lookup table, keeping the secure data in a separate store that would mean nothing without the cross lookup.
Masking - Partially removes sensitive data by replacing some or all of a field with blank characters, e.g. replacing credit card numbers with "****".
Obfuscation Vulnerability:
These types of obfuscation are vulnerable to rainbow table attacks, in which a list of likely values is already in hashed format and can be checked against the hashed data to find matches. E.g. a list of common English names checked against a hashed list of student names will bring up matches.
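As an added example (not from the notes above), here are the three obfuscation tools applied to constructed sample records, plus the precomputed-table check described under Obfuscation Vulnerability. It goes one step beyond the notes by also showing a keyed hash (HMAC with a secret key) as a mitigation: a table computed from plain hashes finds nothing once the key is involved.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people or card numbers).
STUDENTS = ["alice", "bob", "charlie"]
CARD = "4111111111111111"
COMMON_NAMES = ["alice", "bob", "dave", "eve"]  # constructed "likely values" list

def hash_value(value: str) -> str:
    """Hashing: plain SHA-256. Deterministic, so the same input always gives the same hash."""
    return hashlib.sha256(value.encode()).hexdigest()

def keyed_hash(value: str, key: bytes) -> str:
    """Mitigation (added here, not on the page): HMAC-SHA256 with a secret key kept apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()

class Tokenizer:
    """Tokenization: replace a value with a random token; the lookup table lives apart from the data."""
    def __init__(self):
        self.token_to_value = {}
        self.value_to_token = {}

    def tokenize(self, value: str) -> str:
        if value not in self.value_to_token:
            token = secrets.token_hex(8)  # random, so nothing about the value leaks
            self.token_to_value[token] = value
            self.value_to_token[value] = token
        return self.value_to_token[value]

    def detokenize(self, token: str) -> str:
        return self.token_to_value[token]

def mask_card(number: str, keep_last: int = 4) -> str:
    """Masking: blank out all but the last digits, e.g. ************1111."""
    return "*" * (len(number) - keep_last) + number[-keep_last:]

def precomputed_matches(hashed_column, likely_values, hash_fn):
    """The check from the page: hash the likely values once, then look each stored hash up."""
    table = {hash_fn(v): v for v in likely_values}
    return {h: table[h] for h in hashed_column if h in table}

def demo():
    """Returns (names recovered from plain hashes, matches found against keyed hashes)."""
    plain = [hash_value(s) for s in STUDENTS]
    recovered = precomputed_matches(plain, COMMON_NAMES, hash_value)  # alice and bob
    key = secrets.token_bytes(32)
    keyed = [keyed_hash(s, key) for s in STUDENTS]
    leaked = precomputed_matches(keyed, COMMON_NAMES, hash_value)  # table lacks the key: empty
    return sorted(recovered.values()), len(leaked)
```

Note that tokenization and keyed hashing only move the risk to the lookup table or key, so those must be stored and access-controlled separately from the obfuscated data.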