Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable. -"An Introduction to Factor Analysis of Information Risk (FAIR)" (PDF). Riskmanagementinsight.com. November 2006
Also includes God (as in “acts of”), “Mother Nature,” and random chance. -http://veriscommunity.net/schema
Non-Human Elements: Floods, Lightning strikes, Plumbing, Viruses, Fire, Electrical, Air (dust), Heat control -SANS: An Overview of Threat and Risk Assessment
From a cybersecurity perspective, you are looking to protect assets: things that have value to a company. They could be physical hardware, logical software, data, information, company trade secrets, and even employees.

A threat is a looming danger that can change or damage your assets. Think of actual events such as fires, floods, hackers getting into your network, malware infecting your systems, your server crashing with no backups to fall back on, or even a cleaner accidentally pulling the plug on an important server. Threat agents, or threat actors, are the ones carrying out the threats. Yes, hackers are the first to come to mind, but Mother Nature, through earthquakes, tornadoes, fires, and floods, is also a threat agent.

A vulnerability is a weakness: a flaw in a program, device, network, or even a person. Weak authentication checks, default username and password combinations, incorrectly configured firewalls, and even a gullible or naive employee are all vulnerabilities. When threat actors carry out the threat, they exploit the vulnerability. "Exploit" can be a verb, meaning to take advantage of a vulnerability to penetrate a system, or a noun, meaning the tool or method used to do so. Interestingly enough, exploits are usually named after the vulnerability they exploit. For example, MS08-067 is a famous exploit from 2008 that allowed hackers to gain control of a Windows XP or a Windows Server 2003 system. Any systems running Windows XP today are vulnerable to that exploit. Incredibly enough, Windows XP still has close to 10% market share, even without security updates from Microsoft. Hackers like to go after the low-hanging fruit first, and this is a prime example.

Risk is the combination of the probability of an event or loss, from zero to 100%, and its consequence or impact. For example, if your users' passwords are stored in plain text (the actual passwords, not hashed, as we'll see in a future module), there's a high risk that a data breach could result in those accounts being hacked. You could suffer loss of reputation and customer goodwill; for some companies that could be fatal.

There are three things that can be done with risk, and eliminating it is not one of them. You could reduce or mitigate the risk. We can eliminate some vulnerabilities and block some threats, but nothing is ever going to be 100%. Encryption, hashing, VPNs, firewalls, intrusion detection and prevention systems, and more can reduce the risk. Another thing you can do with risk is transfer it. You can purchase cybersecurity insurance, which is a growing industry now, or even use cloud computing and another company's resources. Your cloud provider is now responsible for securing your data. Last but not least, we can accept the risk. Does the cost to protect a resource outweigh the cost of losing it or even replacing it? If so, accepting the risk might make the most sense.

Before you spend your time and money, ask yourself the following questions: what are the critical assets; what business processes require these assets; what could interfere with normal operations; what are the risks; which ones present the highest and most negative outcomes and should be prioritized; given a range of solutions, which is the most cost-effective way of reducing the risks?
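As an added example (not part of the original post), the sketch below applies the probability-times-impact definition and the reduce, transfer or accept choice to a small risk register, ranking risks by expected yearly loss and picking the cheapest treatment for each. Every asset, probability and cost figure, and all class and function names, are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Treatment:
    kind: str                    # "reduce", "transfer" or "accept"
    annual_cost: float           # control spend or insurance premium
    residual_probability: float  # chance of the event after treatment (0.0-1.0)
    residual_impact: float       # loss still borne if the event happens

@dataclass
class Risk:
    asset: str
    threat: str
    probability: float           # chance of the event in a year (0.0-1.0)
    impact: float                # loss if the event happens
    options: list = field(default_factory=list)

def total_cost(t):
    """Yearly cost of a treatment: what you pay plus the expected residual loss."""
    return round(t.annual_cost + t.residual_probability * t.residual_impact, 2)

def choose_treatment(risk):
    """Compare every option against simply accepting the risk; cheapest wins."""
    accept = Treatment("accept", 0.0, risk.probability, risk.impact)
    return min([accept] + risk.options, key=total_cost)

def prioritize(risks):
    """Rank risks by expected yearly loss and attach the cheapest treatment."""
    ranked = sorted(risks, key=lambda r: r.probability * r.impact, reverse=True)
    plan = []
    for r in ranked:
        best = choose_treatment(r)
        plan.append((r.asset, round(r.probability * r.impact, 2),
                     best.kind, total_cost(best)))
    return plan

# Constructed sample register; all figures are illustrative assumptions.
REGISTER = [
    Risk("lab printer", "flood", 0.02, 2_000,
         [Treatment("reduce", 500, 0.01, 2_000)]),
    Risk("customer database", "breach of plain-text passwords", 0.30, 500_000,
         [Treatment("reduce", 20_000, 0.30, 100_000),     # hash the passwords
          Treatment("transfer", 40_000, 0.30, 50_000)]),  # insurance, 50k deductible
    Risk("file server", "crash with no backups", 0.10, 80_000,
         [Treatment("reduce", 3_000, 0.10, 5_000)]),      # scheduled backups
]

if __name__ == "__main__":
    for asset, exposure, kind, cost in prioritize(REGISTER):
        print(f"{asset:18} exposure={exposure:>10.2f} -> {kind:8} ({cost:.2f}/yr)")
```

With these figures the lab printer is the case where protecting the resource costs more than losing it, so accepting the risk is the cheapest option.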