
Unit 3 - Risk Assessment

Why is Risk Assessment important?

• Practically every organization has internet connectivity and some
form of IT infrastructure, which means nearly all organizations are at
risk of a cyber attack.
• To understand how great this risk is and to be able to manage it,
organizations need to complete a cybersecurity risk assessment, a
process that identifies which assets are most vulnerable to the cyber
risks the organization faces.
• Mitigating the risks identified during the assessment will prevent and
reduce costly security incidents and data breaches and avoid
regulatory and compliance issues.
Steps in performing Risk Assessment
1. Determine the scope of the risk assessment
2. Identify cybersecurity risks
3. Analyze risks and determine potential impact
4. Determine and prioritize risks
5. Document all risks
Determine the scope of the risk assessment
• A risk assessment starts by deciding what is in scope of the
assessment.
• It could be the entire organization, but this is usually too big an
undertaking, so it is more likely to be a business unit, location or a
specific aspect of the business, such as payment processing or a web
application.
• It is vital to have the full support of all stakeholders whose activities
are within the scope of the assessment as their input will be essential
to understanding which assets and processes are the most important,
identifying risks, assessing impacts and defining risk tolerance levels.
How to identify cybersecurity risks?
• Identify Assets:
• Identify and create an inventory of all physical and logical assets that are
within the scope of the risk assessment.
• When identifying assets, it is important to establish not only those considered the
organization's crown jewels (assets critical to the business and probably the main
target of attackers), but also assets attackers would want to take control over, such
as an Active Directory server or a picture archiving and communication system (PACS),
to use as a pivot point to expand an attack.
How to identify cybersecurity risks
• Identify threats:
• Threats are the tactics, techniques, and methods used by threat actors that
have the potential to cause harm to an organization's assets.
• Refer to trusted threat libraries (e.g. the MITRE ATT&CK Knowledge Base) to help
identify potential threats.
How to identify cybersecurity risks
• Identify what could go wrong:
• This task involves specifying the consequences of an identified threat
exploiting a vulnerability to attack an in-scope asset. For example:
Threat: an attacker performs an SQL injection
Vulnerability: the web server is unpatched
Asset: web server
Consequence: customers' private data stolen, resulting in regulatory fines and
damage to reputation.
Analyze risks and determine potential impact
• Determine the likelihood of the risk scenarios documented in Step 2
actually occurring, and the impact on the organization if they did.
• Ranking likelihood on a scale of 1 ("Rare") to 5 ("Highly Likely"), and
impact on a scale of 1 ("Negligible") to 5 ("Very Severe"), makes it
straightforward to create the risk matrix used in Step 4.
Determine and prioritize risks
• Using a risk matrix like the one below, where the risk level is
"Likelihood times Impact," each risk scenario can be classified.
• If the risk of a SQL injection attack were considered "Likely" or
"Highly Likely," our example risk scenario would be classified as "Very High."
• Based on the priority, the risks can be avoided, transferred, or mitigated.
Document all risks
• It's important to document all identified risk scenarios in a risk register. This
should be regularly reviewed and updated to ensure that management always
has an up-to-date account of its cybersecurity risks. It should include:
• Risk scenario
• Identification date
• Existing security controls
• Current risk level
• Treatment plan -- the planned activities and timeline to bring the risk within an
acceptable risk tolerance level, along with the commercial justification for the investment
• Progress status -- the status of implementing the treatment plan
• Residual risk -- the risk level after the treatment plan is implemented
• Risk owner -- the individual or group responsible for ensuring that the residual risks
remain within the tolerance level
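The risk matrix of Step 4 and the register of Step 5, worked through for the SQL injection scenario from Step 3. This is an added example, not part of the slides; the intermediate scale labels, the band cut-offs, the treatment plan and the register values are assumptions.

```python
# Added example (not from the slides): risk matrix (Step 4) and register (Step 5).
# Intermediate scale labels and band cut-offs are assumptions; the slides name
# only the scale endpoints and the "Very High" band.
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Highly Likely": 5}
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Very Severe": 5}

def risk_score(likelihood: str, impact: str) -> int:
    """Risk level is 'Likelihood times Impact' (1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_band(score: int) -> str:
    """Assumed cut-offs: >=15 Very High, >=10 High, >=5 Medium, else Low."""
    for threshold, band in ((15, "Very High"), (10, "High"), (5, "Medium")):
        if score >= threshold:
            return band
    return "Low"

@dataclass
class RiskEntry:  # one row of the risk register, fields as listed above
    scenario: str
    identification_date: str
    existing_controls: str
    likelihood: str
    impact: str
    treatment_plan: str
    progress_status: str
    risk_owner: str
    residual_likelihood: Optional[str] = None  # filled in once treated
    residual_impact: Optional[str] = None

    def current_level(self) -> str:
        return risk_band(risk_score(self.likelihood, self.impact))

    def residual_level(self) -> str:
        if self.residual_likelihood is None:
            return self.current_level()  # untreated: residual equals current
        return risk_band(risk_score(self.residual_likelihood, self.residual_impact))

# Constructed register entry for the SQL injection scenario from Step 3.
SQLI = RiskEntry(
    "SQL injection on unpatched web server exposes customer data", "2024-01-15",
    "Perimeter firewall only", "Likely", "Very Severe",
    "Patch server, parameterise queries, deploy WAF", "In progress",
    "Web platform team", residual_likelihood="Rare", residual_impact="Very Severe",
)
```

Patching reduces likelihood but not the impact of a successful breach, which is why the residual entry keeps "Very Severe" and only the likelihood drops.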
Security Threat Correlation
• Security threat correlation is the process of collecting, analyzing, and
correlating data from various security sources to detect and respond
to cybersecurity threats more effectively.
• Threat correlation helps security managers gain knowledge by
connecting the dots between information on cyber threats and using
it to make critical decisions.
Security Threat Correlation - Architecture
• A robust and efficient threat correlation architecture consists of three critical steps
addressing the organization's threat intelligence.
1. Collection: A security solution (tools of choice) collects data from the organization's
network by pulling sensor log files and uploading them to a central repository.
2. Consolidation: Also referred to as aggregation or normalization, this stage involves
filtering out obsolete data to focus on the core security protocols defined by the users
or the security solution. The stage eliminates false positives by weeding out duplicate
data, ensuring uniform standards are met during correlation for easier comparison
with other parameters.
3. Correlation: This stage pulls and correlates data from different security platforms
to provide threat response teams with timely, accurate, relevant intelligence on a
potential threat, applying correlation rules and algorithms to identify patterns and
anomalies.
Data Sources for Correlation
• Security Information and Event Management (SIEM) systems
• Firewall logs
• Intrusion detection/prevention systems (IDS/IPS)
• Antivirus and anti-malware solutions
• Network traffic analysis
• User authentication and access logs
• Vulnerability assessment tools
Event Correlation Types
• There are two types of event correlation that enterprises can use to detect,
identify, and defend against potential cyber threats.
1. Dynamic Correlation: Dynamic correlation detects security breaches or
incidents in real time. Events are subjected to real-time correlation rules
that look for attack patterns by analyzing incoming data. Dynamic correlation
enables enterprises to benefit from fast detection and response rates and keep
their networks safe from attacks at all times.
2. Static Correlation: Static correlation is the process of analyzing historical logs to
investigate a security breach after an incident has occurred. The method
identifies complex patterns from the past by analyzing log data to help security
experts discover ongoing threats or threats that compromise network security.
Static correlation enables enterprises to analyze why and how an incident occurred to
prevent or reduce the future impact of similar incidents.
Security Threat Correlation - Example
Scenario:
• A retail company experiences a series of fraudulent transactions on its e-commerce platform. Some
customers report unauthorized credit card charges.
Correlation:
• The company's fraud detection system correlates transaction data with customer login information.
• It identifies a pattern where multiple fraudulent transactions are linked to a specific group of user
accounts.
• Further analysis reveals that all these accounts accessed the website from a single geographical
location.
Response:
• The company temporarily suspends the affected user accounts.
• The security team conducts a deeper investigation, identifying a data breach that exposed customer
credentials.
• They implement two-factor authentication and notify affected customers to change their passwords.
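The correlation step of the retail scenario above, as static (after-the-fact) correlation over logs. This is an added example, not code from the slides; the transaction and login records, account names and locations are all constructed.

```python
# Added example (not from the slides): offline correlation of flagged
# transactions with login records, as in the retail scenario above.
# All records, account names and locations below are constructed.
from collections import defaultdict

# Constructed transaction log: (txn_id, account, amount, flagged_fraud)
TRANSACTIONS = [
    ("t1", "alice", 120.0, False),
    ("t2", "bob", 640.0, True),
    ("t3", "carol", 15.0, False),
    ("t4", "dave", 980.0, True),
    ("t5", "bob", 410.0, True),
    ("t6", "erin", 730.0, True),
    ("t7", "dave", 560.0, True),
]

# Constructed login log: (account, source_location)
LOGINS = [
    ("alice", "Leeds"), ("bob", "Lisbon"), ("carol", "Leeds"),
    ("dave", "Lisbon"), ("erin", "Lisbon"), ("bob", "Lisbon"),
]

def fraud_counts(transactions):
    """Number of flagged-fraud transactions per account."""
    counts = defaultdict(int)
    for _, account, _, flagged in transactions:
        if flagged:
            counts[account] += 1
    return dict(counts)

def login_locations(logins):
    """Set of locations each account logged in from."""
    locs = defaultdict(set)
    for account, location in logins:
        locs[account].add(location)
    return locs

def correlate(transactions, logins, min_fraud=1):
    """Group accounts with >= min_fraud flagged transactions by the single
    location they logged in from; keep only locations shared by >1 account.
    Returns {location: sorted account list}, the candidates for suspension."""
    suspects = {a for a, n in fraud_counts(transactions).items() if n >= min_fraud}
    locs = login_locations(logins)
    by_location = defaultdict(set)
    for account in suspects:
        if len(locs[account]) == 1:  # accessed the site from exactly one place
            by_location[next(iter(locs[account]))].add(account)
    return {loc: sorted(accts) for loc, accts in by_location.items() if len(accts) > 1}
```

The shared location is the clue that turns isolated chargebacks into one incident worth a credential-breach investigation; raising min_fraud trades coverage for fewer false positives.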
Vulnerability Sources and Assessment
Vulnerability Assessment
• The first step in any security protection plan is an assessment of
vulnerabilities.
• A vulnerability assessment in cybersecurity is a systematic process used to
identify, assess, and prioritize security weaknesses or vulnerabilities in an
organization's digital infrastructure, software, and networks.
• Types of Vulnerabilities
• Software Vulnerabilities: Flaws in software applications, operating systems, and firmware.
• Configuration Weaknesses: Inadequately configured devices, services, or systems.
• Access Control Issues: Unauthorized access, weak authentication mechanisms, or misconfigured
permissions.
• Policy Violations: Non-compliance with security policies, standards, or regulations.
• Physical Security Gaps: Weaknesses in physical security measures that could impact digital
systems.
Elements of Vulnerability Assessment
• Asset Identification: Process of inventorying the items with economic value
• Identify what needs to be protected
• Determine the assets' relative value
• Threat Evaluation: List potential threats from threat agents
• Classify threats by category
• Design an attack tree
• Threat Modelling: Goal of understanding the attackers and their methods.
• Vulnerability Appraisal:
• Determine current weaknesses in protecting the assets
• Use Vulnerability assessment tools.
• Risk Assessment:
• Estimate the impact of vulnerability on organization
• Calculate risk likelihood and impact of the risk
• Risk Mitigation: Decide what to do with the risk
Vulnerability Assessment Tools
• Port Scanners: Software that can be used to search a system for port vulnerabilities. A
port scan can provide a wealth of information about a target system.
• Banner grabbing tools: Software used to intentionally gather the message (banner) that a
service transmits when another program connects to it. Gains information about a
computer system on a network and the services running on its open ports.
• Protocol analysers: A device or software application that enables the user to
analyze the performance of network data so as to ensure that the network and its
associated hardware/software are operating within network specifications.
• Vulnerability scanners: Automated software that searches a system for known
security weaknesses.
• Honeypots and Honeynets: A security mechanism that creates a virtual trap to lure
attackers and trick them into revealing their techniques.
