Cyber Security Fundamentals
Threat Assessment Methodology
This is a process that makes use of threat intelligence to determine which threats are relevant to an organization and which are not. While there are several guidelines out there on the web today, I've always relied upon Gartner and the National Institute of Standards and Technology (NIST) as industry standards. That said, frameworks such as the NIST Risk Management Framework (RMF) are a frame of reference to adapt according to your needs and situation. There are new efforts within the federal government to push for more agile methods of adapting security frameworks in order to expedite authorizations to operate (ATOs). This change can see organizations being granted ATOs in as little as 3 days.
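As an added example of the first step of that process (this is illustrative code written for this page, not something from Gartner or NIST), the snippet below takes a handful of constructed threat-intelligence records, each listing the sectors and platforms a threat is known to target, and keeps only those that apply to an organization's sector and asset inventory. The record fields, the sample threats and the host names are all assumptions made up for the example.

```python
"""Threat-relevance filter: decide which intel records matter to one organization.

Added example, not from the original page.  Every record below is constructed
sample data; the field names are assumptions chosen for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatRecord:
    name: str
    sectors: frozenset       # sectors the threat targets; "any" means all sectors
    platforms: frozenset     # platform tags the threat is known to exploit
    active: bool = True      # retired campaigns are kept in the feed but ignored


@dataclass(frozen=True)
class Organization:
    sector: str
    assets: dict             # hostname -> platform tag from the asset inventory


def relevant_threats(org, intel):
    """Return {threat name: sorted hosts it could affect} for threats that apply.

    A threat is relevant only if it is active, targets the organization's
    sector (or any sector), and targets at least one platform the organization
    actually runs.  Threats failing any of these tests are dropped.
    """
    inventory_platforms = set(org.assets.values())
    results = {}
    for threat in intel:
        if not threat.active:
            continue
        if "any" not in threat.sectors and org.sector not in threat.sectors:
            continue
        exposed = threat.platforms & inventory_platforms
        if not exposed:
            continue
        hosts = sorted(h for h, p in org.assets.items() if p in exposed)
        results[threat.name] = hosts
    return results


# Constructed sample feed: names and targeting data are invented for the example.
SAMPLE_INTEL = (
    ThreatRecord("ransomware-family-A", frozenset({"finance", "healthcare"}),
                 frozenset({"windows-10"})),
    ThreatRecord("web-shell-campaign-B", frozenset({"any"}),
                 frozenset({"linux-apache"})),
    ThreatRecord("legacy-ics-worm-C", frozenset({"energy"}),
                 frozenset({"windows-xp"})),
    ThreatRecord("old-botnet-D", frozenset({"any"}),
                 frozenset({"windows-10"}), active=False),
)

# Constructed sample inventory for a fictional finance-sector organization.
SAMPLE_ORG = Organization(
    sector="finance",
    assets={"ws-01": "windows-10", "ws-02": "windows-10",
            "web-01": "linux-apache", "db-01": "linux-postgres"},
)


def assess(org=SAMPLE_ORG, intel=SAMPLE_INTEL):
    """Convenience wrapper so the sample assessment can be run and inspected."""
    return relevant_threats(org, intel)


if __name__ == "__main__":
    for name, hosts in assess().items():
        print(f"{name}: {', '.join(hosts)}")
```

The sector and platform tests are deliberately strict so that the output is a short list the organization can act on; a real feed would carry far more attributes (MITRE ATT&CK techniques, indicators, confidence), but the filtering logic stays the same: compare what the threat needs against what the organization actually has.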
Identification of Vulnerabilities
A vulnerability is an inherent weakness in an information system that can be exploited by a threat or threat agent, resulting in an undesirable impact on the protection of the confidentiality, integrity, or availability of the system (application and associated data). A vulnerability may be due to a design flaw or a configuration error that makes your network, or a host on your network, susceptible to malicious attacks from local or remote users. Vulnerabilities can exist in multiple areas of your system or facilities, such as in your firewalls, application servers, Web servers, operating systems or fire suppression systems.
Whether or not a vulnerability has the potential to be exploited by a threat depends on a number of variables, including (but not limited to):
• The strength of the security controls in place
• The ease with which a human actor could purposefully launch an attack
• The probability of an environmental event or disruption in a given local area
An environmental disruption is usually unique to a geographic location. Depending on the level of risk exposure, the successful exploitation of a vulnerability can range from disclosure of information about the host to a complete compromise of the host. Risk exposure to organizational operations can affect the business mission, functions, or the organizational reputation.
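To make the three variables above concrete, here is an added example (not from the page and not an official NIST or Gartner scoring scheme) that folds control strength, ease of attack and environmental probability into a likelihood, multiplies by an impact rating that runs from information disclosure to complete compromise, and ranks a constructed list of findings. The scale boundaries, the weighting formula and the sample findings are all assumptions chosen for the illustration.

```python
"""Rank vulnerabilities by risk exposure from the three variables the page lists.

Added example, not from the original page.  The 1..5 scales, the likelihood
formula and the sample findings are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    control_strength: int   # 1 (weak) .. 5 (strong): security controls in place
    attack_ease: int        # 1 (hard) .. 5 (trivial): ease for a human actor
    env_probability: float  # 0.0 .. 1.0: chance of an environmental disruption
    impact: int             # 1 (info disclosure) .. 5 (complete compromise)

    def __post_init__(self):
        # Reject out-of-range ratings early; a typo here would silently skew the ranking.
        for name in ("control_strength", "attack_ease", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{self.ident}: {name} must be 1..5")
        if not 0.0 <= self.env_probability <= 1.0:
            raise ValueError(f"{self.ident}: env_probability must be 0..1")


def likelihood(v):
    """Combine the three variables into a 0..1 likelihood of exploitation.

    The adversarial path grows with attack ease and shrinks with control
    strength; the environmental path is taken as the stated probability.
    Either path alone can realise the exploit, so the larger one wins.
    """
    adversarial = (v.attack_ease * (6 - v.control_strength)) / 25.0
    return max(adversarial, v.env_probability)


def risk_score(v):
    """Likelihood times impact, on a 0..5 scale."""
    return likelihood(v) * v.impact


def risk_level(score):
    """Map a numeric score to the qualitative band used in reporting."""
    if score >= 3.0:
        return "high"
    if score >= 1.5:
        return "moderate"
    return "low"


def rank(vulns):
    """Return (ident, score, level) tuples, highest risk first."""
    rows = [(v.ident, round(risk_score(v), 2), risk_level(risk_score(v))) for v in vulns]
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample findings; identifiers are invented for the example.
SAMPLE_FINDINGS = (
    Vulnerability("FW-DEFAULT-CREDS", control_strength=1, attack_ease=5, env_probability=0.0, impact=5),
    Vulnerability("WEB-OUTDATED-TLS", control_strength=3, attack_ease=3, env_probability=0.0, impact=2),
    Vulnerability("DC-NO-FIRE-SUPPRESSION", control_strength=4, attack_ease=1, env_probability=0.4, impact=5),
    Vulnerability("OS-MISSING-PATCH", control_strength=2, attack_ease=4, env_probability=0.0, impact=4),
)


if __name__ == "__main__":
    for ident, score, level in rank(SAMPLE_FINDINGS):
        print(f"{ident:24} {score:4.2f} {level}")
```

Note that the fire-suppression finding is ranked above the TLS finding even though no attacker is involved: the environmental path is what the third variable on the list captures, and a scoring method that only models adversaries would miss it.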
CSOL 500 Reflections
For starters, let's imagine you run a multi-billion dollar company (if you don't have to imagine, then I envy you), and you decide that your information systems are safe, secure, and have zero vulnerabilities. Wow! That's amazing. You probably won't remain the leader of this multi-billion dollar company for long if you think this way. Guess what? There are actual business leaders out there today that had this very thought process. Granted, they are probably fewer and farther between than, say, 10 years ago. But if you do a quick search for recent data breaches, you'll find this type of mentality still exists!
How can this be? Well, companies may find that in doing a risk assessment the information systems they maintain might not be worth the effort to protect by scanning them for vulnerabilities. Or that the amount of effort placed on not only scanning for vulnerabilities within their information systems, but remediating them, is too daunting a task to perform at the rate vulnerabilities are discovered. This is generally the case in most businesses. Not sure how fast vulnerabilities are discovered? Well, take a home computer with Windows 10 on it and check how many times your system gets updates pushed to it weekly, monthly, and yearly. I assure you it is more than you may expect (if you're not privy to this type of thing).
Those updates pushed to your Windows 10 machine are generally just for the operating system, too. How many other software packages or applications are installed on your system? Are you patching those too? I'll refrain from using the term "Hacker", as this term is thrown around too much as a "bad guy", when in actuality it is just a person who enjoys taking things apart (from a software/hardware perspective) and seeing what they can do with it beyond its intended purpose. So let's just lead off by saying an attacker may constantly be looking for ways to exploit new loopholes in mainstream software, or "vulnerabilities", so they might execute an attack on a single system or multiple systems if the exploit is widely spread.
So as a company, think about this same analogy but on the scale of your business. If some attacker were to discover a vulnerability today, what is the likelihood they would be able to execute this attack against your system? I'll go out on a limb and say you're probably going to be OK, as you may not be a prime target of an attack or may have other safeguards in place that would prevent a would-be attacker from entering your company's network to exploit a vulnerability on those one or two machines that are vulnerable. Now what if you're a large financial institution? Would an attacker have more of an incentive to find ways to bypass those other safeguards? Are they vulnerable? How often do you scan them?
More often than not, companies will scan for or are aware of vulnerabilities as they are discovered. However, having an effective patch management and testing process may be the real factor here.
Resources for Risk Management and Vulnerability Assessment
NIST Guide for Conducting Risk Assessments
Gartner Research: How to Plan and Execute a Threat Assessment
Microsoft Safety Scanner