• Practically every organization has internet connectivity and some form of IT infrastructure, which means nearly all organizations are at risk of a cyber attack.
• To understand how great this risk is and to be able to manage it, organizations need to complete a cybersecurity risk assessment: a process that identifies which assets are most vulnerable to the cyber risks the organization faces.
• Mitigating the risks identified during the assessment will prevent and reduce costly security incidents and data breaches and avoid regulatory and compliance issues.

Steps in performing Risk Assessment
1. Determine the scope of the risk assessment
2. Identify cybersecurity risks
3. Analyze risks and determine potential impact
4. Determine and prioritize risks
5. Document all risks

Determine the scope of the risk assessment
• A risk assessment starts by deciding what is in scope of the assessment.
• It could be the entire organization, but this is usually too big an undertaking, so it is more likely to be a business unit, a location or a specific aspect of the business, such as payment processing or a web application.
• It is vital to have the full support of all stakeholders whose activities are within the scope of the assessment, as their input will be essential to understanding which assets and processes are the most important, identifying risks, assessing impacts and defining risk tolerance levels.

How to identify cybersecurity risks
• Identify assets:
  • Identify and create an inventory of all physical and logical assets that are within the scope of the risk assessment.
  • When identifying assets, it is important to establish not only those considered the organization's crown jewels (assets critical to the business and probably the main target of attackers), but also assets attackers would want to take control over, such as an Active Directory server or a picture archive and communication system, to use as a pivot point to expand an attack.
How to identify cybersecurity risks
• Identify threats:
  • Threats are the tactics, techniques and methods used by threat actors that have the potential to cause harm to an organization's assets.
  • Refer to trusted threat libraries (such as the MITRE ATT&CK knowledge base) to help identify potential threats.
• Identify what could go wrong:
  • This task involves specifying the consequences of an identified threat exploiting a vulnerability to attack an in-scope asset. For example:
    Threat: an attacker performs an SQL injection on an
    Vulnerability: unpatched
    Asset: web server
    Consequence: customers' private data stolen, resulting in regulatory fines and damage to reputation.
    (Read together: an attacker performs an SQL injection on an unpatched web server, and customers' private data is stolen.)

Analyze risks and determine potential impact
• Determine the likelihood of the risk scenarios documented in Step 2 actually occurring, and the impact on the organization if they did.
• Ranking likelihood on a scale of 1 ("Rare") to 5 ("Highly Likely"), and impact on a scale of 1 ("Negligible") to 5 ("Very Severe"), makes it straightforward to create the risk matrix used in Step 4.

Determine and prioritize risks
• Using a risk matrix like the one illustrated in the slides, where the risk level is "Likelihood times Impact", each risk scenario can be classified.
• If the likelihood of the SQL injection attack were considered "Likely" or "Highly Likely", our example risk scenario would be classified as "Very High".
• Based on the priority, the risks can be avoided, transferred or mitigated.

Document all risks
• It is important to document all identified risk scenarios in a risk register. This should be regularly reviewed and updated to ensure that management always has an up-to-date account of its cybersecurity risks.
It should include:
• Risk scenario
• Identification date
• Existing security controls
• Current risk level
• Treatment plan: the planned activities and timeline to bring the risk within an acceptable risk tolerance level, along with the commercial justification for the investment
• Progress status: the status of implementing the treatment plan
• Residual risk: the risk level after the treatment plan is implemented
• Risk owner: the individual or group responsible for ensuring that the residual risks remain within the tolerance level

Security Threat Correlation
• Security threat correlation is the process of collecting, analyzing and correlating data from various security sources to detect and respond to cybersecurity threats more effectively.
• Threat correlation helps security managers gain knowledge by connecting the dots between pieces of information on cyber threats and using it to make critical decisions.

Security Threat Correlation - Architecture
• A robust and efficient threat correlation architecture consists of three critical steps addressing the organization's threat intelligence.
1. Collection: A security solution (the tools of choice) collects data from the organization's network by pulling sensor log files and uploading them to a central repository.
2. Consolidation: Also referred to as aggregation or normalization, this stage filters out obsolete data to focus on the core security protocols defined by the users or the security solution. The stage eliminates false positives by weeding out duplicate data, ensuring uniform standards are met during correlation for easier comparison with other parameters.
3. Correlation: Data from different security platforms is pulled together and correlated to provide threat response teams with timely, accurate and relevant intelligence on a potential threat. Correlation rules and algorithms are applied to identify patterns and anomalies.
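The risk matrix ("Likelihood times Impact" on 1-5 scales) and the risk register fields from the risk assessment section above, carried into working code. This is an added example, not the slides' own material: the scale endpoints, the SQL injection scenario and the register fields come from the slides, while the intermediate scale labels, the Low/Medium/High/Very High score bands and the second register entry are assumptions, since the slides' matrix image is not reproduced here.

```python
"""Risk matrix scoring and a minimal risk register.

Added example (not the slides' own code). The 1-5 likelihood and impact
scales and "risk = likelihood x impact" come from the slides; the
intermediate scale labels and the Low/Medium/High/Very High bands are
ASSUMPTIONS, since the slides' matrix image is not reproduced here.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Endpoints (1: Rare, 5: Highly Likely; 1: Negligible, 5: Very Severe) are from
# the slides; the middle labels are assumed.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Highly Likely": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Very Severe": 5}
LEVELS = ["Low", "Medium", "High", "Very High"]  # ordered, lowest first


def risk_score(likelihood, impact):
    """Risk = Likelihood x Impact on the 5x5 matrix (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score):
    """Assumed bands for the 5x5 matrix (20-25 Very High, 12-19 High, 6-11 Medium)."""
    if score >= 20:
        return "Very High"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of the risk register, with the fields the slides list."""
    scenario: str
    identification_date: date
    existing_controls: List[str]
    likelihood: str
    impact: str
    treatment_plan: str
    progress_status: str
    risk_owner: str
    residual_likelihood: Optional[str] = None  # filled in once the plan is implemented
    residual_impact: Optional[str] = None

    @property
    def current_level(self):
        return risk_level(risk_score(self.likelihood, self.impact))

    @property
    def residual_level(self):
        # Until a treatment has been implemented, residual risk equals current risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.current_level
        return risk_level(risk_score(self.residual_likelihood, self.residual_impact))


class RiskRegister:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)

    def prioritized(self):
        """Highest current score first, so treatment order follows priority."""
        return sorted(self.entries, key=lambda e: -risk_score(e.likelihood, e.impact))

    def outside_tolerance(self, tolerance="Medium"):
        """Entries whose residual level still exceeds the accepted tolerance level."""
        return [e for e in self.entries
                if LEVELS.index(e.residual_level) > LEVELS.index(tolerance)]


def example_register():
    """The slides' SQL injection scenario plus a second, constructed entry."""
    reg = RiskRegister()
    reg.add(RiskEntry(
        scenario="Attacker performs SQL injection on an unpatched web server; customer data stolen",
        identification_date=date(2024, 5, 1),  # constructed date
        existing_controls=["perimeter firewall"],
        likelihood="Likely", impact="Very Severe",
        treatment_plan="Patch web server, move to parameterized queries, add WAF rule; 30 days",
        progress_status="complete",
        risk_owner="Web platform team",
        residual_likelihood="Rare", residual_impact="Very Severe",
    ))
    reg.add(RiskEntry(
        scenario="Attacker takes control of the picture archive server to use as a pivot point",
        identification_date=date(2024, 5, 1),
        existing_controls=["antivirus"],
        likelihood="Possible", impact="Major",
        treatment_plan="Network segmentation and MFA for admin access; 90 days",
        progress_status="in progress",
        risk_owner="Infrastructure team",
    ))
    return reg


if __name__ == "__main__":
    for entry in example_register().prioritized():
        print(entry.current_level, "->", entry.residual_level, "|", entry.scenario)
```

With these assumed bands the SQL injection scenario scores 4 x 5 = 20 and lands in "Very High", as the slides state; after treatment its residual score of 1 x 5 = 5 is "Low", so it drops out of the list of entries still outside a "Medium" tolerance, while the untreated second entry stays on it.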
Data Sources for Correlation
• Security Information and Event Management (SIEM) systems
• Firewall logs
• Intrusion detection/prevention systems (IDS/IPS)
• Antivirus and anti-malware solutions
• Network traffic analysis
• User authentication and access logs
• Vulnerability assessment tools

Event Correlation Types
• There are two types of event correlation that enterprises can use to detect, identify and defend against potential cyber threats.
1. Dynamic correlation: Dynamic correlation detects security breaches or incidents in real time. Incoming events are subjected to real-time correlation rules that look for attack patterns as the data arrives. Dynamic correlation enables enterprises to benefit from fast detection and response and keep their networks safe from attacks at all times.
2. Static correlation: Static correlation is the process of analyzing historical logs to investigate a security breach after an incident has occurred. The method identifies complex patterns from the past by analyzing log data to help security experts discover ongoing threats or threats that compromise network security. Static correlation enables enterprises to analyze why and how an incident occurred, in order to prevent or reduce the future impact of similar incidents.

Security Threat Correlation - Example
Scenario:
• A retail company experiences a series of fraudulent transactions on its e-commerce platform. Some customers report unauthorized credit card charges.
Correlation:
• The company's fraud detection system correlates transaction data with customer login information.
• It identifies a pattern where multiple fraudulent transactions are linked to a specific group of user accounts.
• Further analysis reveals that all these accounts accessed the website from a single geographical location.
Response:
• The company temporarily suspends the affected user accounts.
• The security team conducts a deeper investigation, identifying a data breach that exposed customer credentials.
• They implement two-factor authentication and notify affected customers to change their passwords.

Vulnerability Sources and Assessment

Vulnerability Assessment
• The first step in any security protection plan is an assessment of vulnerabilities.
• A vulnerability assessment in cybersecurity is a systematic process used to identify, assess and prioritize security weaknesses (vulnerabilities) in an organization's digital infrastructure, software and networks.
• Types of vulnerabilities:
  • Software vulnerabilities: flaws in software applications, operating systems and firmware.
  • Configuration weaknesses: inadequately configured devices, services or systems.
  • Access control issues: unauthorized access, weak authentication mechanisms or misconfigured permissions.
  • Policy violations: non-compliance with security policies, standards or regulations.
  • Physical security gaps: weaknesses in physical security measures that could impact digital systems.

Elements of Vulnerability Assessment
• Asset identification: the process of inventorying the items with economic value
  • Identify what needs to be protected
  • Determine the assets' relative value
• Threat evaluation: list potential threats from threat agents
  • Classify threats by category
  • Design an attack tree
• Threat modelling: the goal is understanding the attackers and their methods.
• Vulnerability appraisal:
  • Determine current weaknesses in protecting the assets
  • Use vulnerability assessment tools
• Risk assessment:
  • Estimate the impact of the vulnerability on the organization
  • Calculate the likelihood and impact of the risk
• Risk mitigation: decide what to do with the risk

Vulnerability Assessment Tools
• Port scanners: software that can be used to search a system for port vulnerabilities. A port scan can provide a wealth of information about a target system.
• Banner grabbing tools: software used to intentionally gather the message that a service transmits when another program connects to it.
  This gains information about a computer system on a network and the services running on its open ports.
• Protocol analyzers: a device or software application that enables the user to analyze the performance of network data, so as to ensure that the network and its associated hardware/software are operating within network specifications.
• Vulnerability scanners: automated software that searches a system for known security weaknesses.
• Honeypots and honeynets: a security mechanism that creates a virtual trap to lure attackers, in order to trick them into revealing their techniques.
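The three-stage correlation architecture (collection, consolidation, correlation), the dynamic versus static correlation types, and the retail fraud scenario from the Security Threat Correlation section above, worked through in one runnable pipeline. This is an added example, not code from the slides or from any vendor's product: the fraud-system and authentication log lines, their formats, the account names and the "GEO-A"/"GEO-B"/"GEO-C" location labels are all constructed, and the correlation rule (fraud-reported accounts that all logged in successfully from one location) and its threshold of three accounts are assumptions chosen to reproduce the scenario's finding.

```python
"""Threat correlation pipeline: collect -> consolidate -> correlate.

Added example (not code from the slides or any vendor product). All log
lines below are constructed; "GEO-A" etc. are placeholder locations.
"""
import re
from collections import defaultdict

# --- Collection stage input: sensor output as uploaded to a central repository (constructed)
FRAUD_SYSTEM_LOG = [
    "2024-05-01T10:02:11Z txn=1001 account=alice amount=249.99 status=fraud_reported",
    "2024-05-01T10:05:40Z txn=1002 account=bob amount=120.00 status=fraud_reported",
    "2024-05-01T10:05:40Z txn=1002 account=bob amount=120.00 status=fraud_reported",  # duplicate upload
    "2024-05-01T10:09:02Z txn=1003 account=carol amount=310.50 status=fraud_reported",
    "2024-05-01T10:12:55Z txn=1004 account=dave amount=45.00 status=fraud_reported",
    "2024-05-01T10:15:00Z txn=1005 account=erin amount=20.00 status=ok",
    "garbage line from a misconfigured sensor",
]
AUTH_LOG = [
    "2024-05-01T09:58:03Z auth result=success account=alice src_geo=GEO-A",
    "2024-05-01T09:59:10Z auth result=success account=bob src_geo=GEO-A",
    "2024-05-01T10:01:27Z auth result=success account=carol src_geo=GEO-A",
    "2024-05-01T10:10:41Z auth result=success account=dave src_geo=GEO-B",
    "2024-05-01T10:14:05Z auth result=success account=erin src_geo=GEO-C",
    "2024-05-01T10:14:30Z auth result=failure account=carol src_geo=GEO-C",
]

TXN_RE = re.compile(r"^(?P<ts>\S+) txn=(?P<txn>\d+) account=(?P<account>\w+) "
                    r"amount=(?P<amount>[\d.]+) status=(?P<status>\w+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>\w+) account=(?P<account>\w+) "
                     r"src_geo=(?P<geo>[\w-]+)$")


def collect(sources):
    """Collection: pull every sensor's lines into one list, tagged with the source name."""
    return [(name, line) for name, lines in sources.items() for line in lines]


def consolidate(raw):
    """Consolidation: parse each line into a normalized event dict, drop lines that
    cannot be parsed, and remove exact duplicates so each fact is counted once."""
    events, seen, stats = [], set(), {"duplicates": 0, "unparsed": 0}
    for source, line in raw:
        m = (TXN_RE if source == "fraud" else AUTH_RE).match(line)
        if not m:
            stats["unparsed"] += 1
            continue
        event = {"source": source, **m.groupdict()}
        key = tuple(sorted(event.items()))
        if key in seen:
            stats["duplicates"] += 1
            continue
        seen.add(key)
        events.append(event)
    return events, stats


def correlate(events, min_accounts=3):
    """Correlation rule (assumed): accounts with reported fraud that all logged in
    successfully from the same location are grouped into a single alert."""
    fraud_accounts = {e["account"] for e in events
                      if e["source"] == "fraud" and e["status"] == "fraud_reported"}
    geos_by_account = defaultdict(set)
    for e in events:
        if e["source"] == "auth" and e["result"] == "success":  # failed logins are ignored
            geos_by_account[e["account"]].add(e["geo"])
    accounts_by_geo = defaultdict(set)
    for account in fraud_accounts:
        for geo in geos_by_account[account]:
            accounts_by_geo[geo].add(account)
    return [{"geo": geo, "accounts": sorted(accts),
             "action": "suspend accounts and investigate credential exposure"}
            for geo, accts in sorted(accounts_by_geo.items()) if len(accts) >= min_accounts]


def run_pipeline(sources=None, min_accounts=3):
    """Static correlation: run all three stages over a batch of historical logs."""
    sources = sources or {"fraud": FRAUD_SYSTEM_LOG, "auth": AUTH_LOG}
    events, _ = consolidate(collect(sources))
    return correlate(events, min_accounts)


class DynamicCorrelator:
    """Dynamic (real-time) variant: keeps state and re-evaluates the rule on every
    incoming event, so the alert fires on the event that completes the pattern."""
    def __init__(self, min_accounts=3):
        self.events, self.min_accounts, self.alerted = [], min_accounts, set()

    def feed(self, event):
        self.events.append(event)
        new = [a for a in correlate(self.events, self.min_accounts) if a["geo"] not in self.alerted]
        self.alerted.update(a["geo"] for a in new)
        return new


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

On the constructed data the consolidation stage drops one duplicate and one unparsable line, and the static run yields a single alert for "GEO-A" naming alice, bob and carol; dave's fraudulent transaction is not grouped because his only successful login came from a different location, and carol's failed login from "GEO-C" is ignored. Feeding the same events in time order to the dynamic correlator raises the alert on the sixth event, the moment the third fraud-linked account is seen.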