Three Ideas for Cybersecurity Risk Management

The terms “information security” and “cybersecurity” are commonly used to address risk to information. For discussion purposes herein, information security means implementing processes and technology to protect information, whereas cybersecurity deals with precautions taken to guard against crime, which includes monitoring for suspicious network access attempts and steps taken to handle such attempts. Cybersecurity is a subgroup within the information security domain.

COBIT 5 for Risk specifies that “the main drivers for risk management in its different forms include the need to improve business outcomes, decision-making and overall strategy.”¹

As information security is a subset of overall enterprise risk management (ERM), the previous definition applies to cybersecurity risk also, as it enables the enterprise to achieve its goals. As such, the typical IT risk assessment activities such as risk identification, risk analysis, risk response, risk monitoring, and risk reporting and communicating, are applicable for managing cyberrisk, too.

Cyberrisk is increasing due to digitization. The World Economic Forum (WEF) lists cybersecurity as one of the top-five global risk factors for 2019.² In light of these developments, three approaches (figure 1) are likely to improve cybersecurity risk management capabilities in multiple layers. These approaches consider risk to an organization comprehensively. Evaluation to reduce risk happens at the enterprise level, departmental level and application implementation level.

The three approaches to strengthen organizational defense are:

• Strategic: Enterprise-focused approach—Assessment of the organization’s overall preparedness to mitigate cybersecurity risk
• Tactical: Department-focused approach—Evaluation of the security requirements of department or business units that operate within the organization, reducing the likelihood of potential risk hindering business objectives
• Operational: Application-focused approach—Building security resilience to withstand cyberattacks in IT applications/solutions

As shown in figure 1, these ideas can increase the organization’s ability to measure its level of preparedness. It can enable an internal feedback mechanism for improvement. It aids in making required changes in the security strategy to guard itself from cyberattacks.

Regardless of the size of the organization, these ideas are universal. A strategic vision to safeguard its overall IT landscape, a tactical way to handle its business-specific security requirements, and an operational mind-set to embed resilience in all IT systems are essential in every organization.

Strategic: Enterprise-Focused Approach

Protecting the information assets from cybersecurity risk starts with an understanding of the organization’s context and other factors such as its industry affiliation,³ IT arrangements, relevant regulations and geographical dispersion of its workforce. This context provides valuable insights to assess the following features:

• What is the information and data handled by IT systems of the organization?
• Who are the threat actors interested in the organization’s data and information?
• Where are the possible attack surface/entry points for security breach attempts?
• Which part of the technology infrastructure is a likely target to get a foothold in the organization?
• How are the threats to the organization likely to enter the infrastructure?
• What are the different types of threats seen in the organization in the past few years?
• What damages could result if any of the threats materialize?
• How are the existing security controls safeguarding the organization from threat actors?
• Which of the existing security controls require improvement to stop the possible assault of threat actors?

Threat Profile
Clarity on the organizational background helps to create a threat profile. The following are some quick ways to build a threat profile for the organization. Both internally available threat information and external sources are effective.

External Sources
Threat information relevant to the organization can be curated from externally available sources, i.e., enterprises engaged in the same line of business or general threats relevant to all organizations, to build a threat profile. The following are few examples of sources:

• An Information Sharing and Analysis Center (ISAC) relevant to the organization’s line of business can provide organizations with some threat information. The ISAC community typically provides information on cybersecurity threats affecting the organizations operating in a specific industry. Multiple ISACs exist to support cyberthreat information sharing among peers in similar industries and enterprise types.⁴
• The Verizon Data Breach Investigation Report provides a consolidated view of breaches by industry using the Vocabulary for Event Recording and Incident Sharing (VERIS) framework.⁵
• Information can also come from security threat intelligence reports from government-supported Computer Emergency Response Teams (CERT), such as the US-CERT.⁶
• There are threat reports from multiple security vendors and open-source threat intelligence.^{7, 8, 9, 10, 11, 12, 13, 14}
• The threat horizon report from Information Security Forum (ISF)¹⁵ also has some threat information.

Internal Sources
Looking inward also helps in gathering threat information to build a profile from the following sources:

• Security risk, which might derail enterprise goals from an organizational standpoint, can help build a threat profile. Understanding the organization’s business strategies helps to determine the strategic security risk factors or drivers.
• Information on security incident handling from the security operations center (SOC) gives an indication of security breach attempts, commonly targeted assets and attacker techniques.
• Organizational network topology and enterprise security architecture depicting technical security controls in place to protect IT infrastructure can also be an internal source of threat information.

Identification of Threats
Reviewing internal and external sources of information provides a solid base to find threats that are pertinent to the organization. This exercise might lead to a long list of threats. A risk-based approach aids in prioritizing the threats.

Choosing the top threats that are important and relevant to the organization is a must. Having information on organizational IT architecture and network topology is helpful in selecting threats.

Some threats faced by organizations include:

• Cryptojacking
• Data leakage via cloud computing
• Advanced persistent threats (APT)
• Compromise of the network via insecure Internet of Things (IoT) configurations
• Noncompliance with privacy regulations such as the EU General Data Protection Regulation (GDPR)
• Phishing
• Attacks on websites
• Stolen credentials

Mapping Threats With Security Controls
Cryptojacking¹⁶ is the unauthorized use of someone else’s computer for illegal cryptocurrency mining. It is one of the top cyberthreats noted.

To succeed, cryptojacking primarily relies on organizational users. This can happen in two ways. In the first method, users receive an email with an attachment containing cryptojacking malware. Upon opening the attachment, the malware gets installed on the user’s computer. In the second method, hackers compromise genuine websites and inject scripts designed to perform cryptomining. When a user visits such websites, the script executes on the user’s browser.

When a threat is identified as a potential risk, the next step is to find methods to reduce it. Security controls to mitigate cryptojacking risk include:

• Security awareness to prevent users from falling prey to social engineering tricks
• Website proxy/content filtering solutions to minimize malicious content from sneaking into end-user devices used for Internet browsing
• Proactive blocking of suspected cryptomining websites in the website proxy
• Application whitelisting software to permit running of a predefined application alone

Figure 2 shows threat analysis based on the risk management principles followed within the organization to decide if a specific threat would result in a potential risk.

Different approaches exist to perform risk analysis. For brevity and simplicity, the method used here is:

Inherent Risk = Likelihood X Impact, Residual Risk = Inherent Risk – Risk Mitigated by Existing Controls.

To test the strength of controls, it is important to know the enterprise security architecture and security capabilities available within the organization. Hence, the participation of the architecture function is crucial in such evaluations.

Undertaking a comparable exercise to all relevant threats to an organization can showcase deficiencies in the organizational security readiness. Repeating similar assessments annually provides a basis for security budget planning and implementation of security programs.

Assessments of this nature can help the organization investigate overall security preparedness. It is meant to assess the adequacy of foundational security controls of the organization. Additional system-level controls over and above the foundation layer provide extra security.

Example Risk Matrix
A risk scoring method enables the analysis of threats and can help reveal potential risk. Adopt scoring guidelines that are in use within the organization for this purpose. Figure 3 shows a sample risk matrix for illustrative purposes. Inherent risk, i.e., risk as-is without any mitigation, can be determined as shown in figure 3.

Mitigation controls reduce the inherent risk, which results in a residual risk. (figure 4).

Internal Collaboration
There are proponents of the idea that private and public enterprises ought to share cyberthreat information. The reason for this thinking is to enhance protection against security risk. The same approach is relevant within an organization.

The exercise mentioned previously is not possible without the contributions of all relevant participants. Risk management, cyberthreat intelligence, security architecture and the security operations center are a few teams from which cross-functional participation is required (figure 5). Some of these security functions may not exist or a team may perform multiple roles in some organizations, but it is intended as a generic example to describe collaboration.

The involvement of multiple parties also implies the support of security department management, which is essential to succeed in such an attempt.

Tactical: Department-Focused Approach

The previous idea focused on common controls that are applicable throughout the enterprise. Centralized ownership exists to deploy, operate and maintain those controls. These common controls are applicable across the organizational boundary. It is comparable to the defenses of a castle with a motte, moats, gatehouse, wall, towers, bailey -and enceinte.

After evaluating the common security controls, the next area of focus is to assess the security needs of different functions/departments/business units within an organization. Internal entities might process specific data that require safety measures, a third party might provide a service to enable the achievement of departmental goals and an industry regulation might mandate specific security requirements. These are all examples of internal entity-specific security requirements.

Apart from the specific security requirements of an internal entity, there is always a general requisite that organization controls are resilient—the second layer protects the organizational IT assets when the first layer fails.

A risk discussion, even if takes place annually, helps gauge the department’s perspective on security preparedness.

Guidelines to Define Security Threats and Requirements
Department representatives must work together internally to prepare themselves for the risk assessment. The purpose of this discussion is to define the security risk drivers that can obstruct the smooth execution of departmental goals. The following is an example of topics to consider when defining department-specific security requirements in an organization:

• Define all security variables or risk drivers relevant to the department. Examples include compliance requirements, safeguarding customer interest on the service provided by the department and managing risk from third parties’ access.
• Define all the IT assets that are in direct management of the department. Examples include web servers in a data center, departmental data and the use of cloud services managed by the department without the organization’s IT support.
• Define threats related to business units/departments.
• Define threats from external threat reports that are closely connected with a department’s normal activity, for example, a department involved in software development for in-house needs.

Performing an internal review can produce a lengthy list of security threats that are relevant to the department. Prioritization becomes important in such cases. If an organization has multiple business units or departments, performing a similar exercise across all such internal entities brings broader representation of cybersecurity threats to the organization.

Top Departmental Threats
Due to resource constraints, it is impossible to deploy controls to mitigate all threats. Also, not all threats pose a risk to the organization. A risk-based approach is an option to rank the threats.

Performing risk analysis results in a risk priority for each threat. It is up to the departmental participants to decide which threats to mitigate in the short term and long term, based on the departmental goals.

Figure 6 shows prioritized threats that can pose risk to an organization, along with a corresponding risk mitigation plan.

Operational: Application-Focused Approach

The third approach focuses on building cybersecurity resilience in IT solutions. Given the dependence on IT solutions and the increasing role of digital technologies, it has become paramount to embed cybersecurity risk resistance capabilities in the IT solution itself. It enables safeguarding against cybersecurity breach attempts until the security monitoring alerts trigger security incident response efforts.

IT solutions used across the organization, e.g., enterprise resource planning (ERP) and applications managed by the IT department to enable business goals, require the execution of an operational-focused risk approach.

Risk identification is one of the major tasks in the comprehensive risk management life cycle. It is time-consuming and resource-intensive when it comes to operational cybersecurity risk assessments. Establishing a repeatable approach would make the efforts much easier. Use of the threat model^{17, 18} principle combined with design review and an architecture risk analysis¹⁹ approach is a quick formula to speed up the risk assessment of applications.

Design and architectural risk analysis identifies flaws in the architecture of an IT solution. A threat model assesses the potential threats, which can exploit vulnerabilities in the IT solution. A database containing sensitive password information kept in the demilitarized zone (DMZ) is a design flaw. Enabling administrative access to Internet-facing applications with simple authentication is a vulnerability.

Pragmatic Method
Both design review and threat modeling start by reviewing the architectural diagrams. Having a high-level view enables a deep dive and can provide an understanding of the multiple IT assets comprised in the solution, such as a web server, application server, database and network connectivity. Simplification of a complex solution makes it easy to find security threats.

In a typical threat model review, people from different roles with sufficient technical expertise would evaluate the solution to identify potential threats. A pragmatic approach is essential because of the need for a repeatable model to execute risk assessments on numerous applications. Also, bringing together all the subject matter experts (SMEs) frequently to review a threat model for a larger number of applications is difficult.

Using the design review and threat model concepts, along with predefined, real-world threats and controls either from the organizational security policies/standards or best practices, provides a light-weight model. This method operates in the following way. Each task is independent of the others:

• Determine the IT assets within the scope of an assessment. For this purpose, review the solution architecture to discover multiple assets, such as web server, application server, database server, network connectivity, user interactions and data flow between components.
• Perform control effectiveness evaluation for each of the assets discovered. Some prework is critical to execute this step successfully.
  • Extract relevant security controls that are considered prerequisite from organizational security policies/standards. If an organization does not have a comprehensive security control inventory, best practices such as the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,²⁰ Essential Eight²¹ and Critical 20 controls²² are options to reference.
  • Map selected controls to asset groups, such as those mentioned in step 1, e.g., web server, application server, database server and network communications, based on their relevancy.
• Identify potential vulnerabilities that can be misused by a threat agent using the outcome of the control effectiveness evaluation.
  • For example, non-removal of default generic accounts in an IT asset and nonexistence of separate accounts for an administrator to do admin tasks and normal tasks indicate a vulnerability that can be misused by both human and nonhuman threat actors. The resulting threat from this example is misuse of credentials.
  • Map the outcome of control evaluation with relevant threats. It is similar to mapping a selected control to asset groups, as in step 2. For this purpose, establishing a threat taxonomy is essential. The threat taxonomy must contain threats curated from multiple sources, such as the industry ISAC, the Verizon Data Breach Investigation Report, threat reports, internal incident tickets from the SOC, The Open Web Application Security Project (OWASP) Top 10 risk factors for application security and advisories from CERT.
• Understand that non-operation of controls indicates a probable vulnerability. It would enable the threat actor to misuse it. If a threat actor abuses a vulnerability, then it may become a potential risk. Figure 7 is an illustration of IT assets, security controls and threat mapping.
• Analyzing results from this exercise in a risk management analysis methodology used within the organization. Figure 8 is the sample of analyzed risk using a sample risk matrix.

Establishing a model with predefined mapping of assets, controls and threats enables repeating the assessment on demand. It can enable a cybersecurity risk assessment of a large volume of IT solutions in an efficient manner.

Monitoring and Managing Risk
Identification of risk, prioritizing it and agreeing on a mitigation plan are the first crucial tasks. Even more important is periodic follow-up on the progress made on the agreed plan. This helps lag any deviations. Consider the outcomes in the following year’s annual threat identification exercise.

A summarized report that indicates the overall security preparedness of the organization should be communicated to relevant stakeholders. This provides transparency on risk and guides in risk reduction programs.

Conclusion

A strategic approach helps in understanding business strategy and IT landscape, which drive the security needs of the organization. Collaboration between cross-functional security teams enables the establishment of a threat profile and enables continuous improvement toward the organization’s security defense. A tactical approach is relevant to address the specific security requirements of business units/functions/departments within an organization. An operational approach is focused on protecting IT solutions from cybersecurity risk. Threat model and design review concepts can be used to create repeatable risk assessment models.

Applying these concepts can help in reporting relevant information on an organization’s security posture to decision makers, measuring the effectiveness of security and improving the overall security posture.

Endnotes

¹ ISACA, COBIT 5 for Risk, USA, 2013, www.isaca.org/COBIT/Pages/Risk-product-page.aspx
² World Economic Forum, “The Global Risks Report 2019,” 15 January 2019, https://www.weforum.org/reports/the-global-risks-report-2019
³ United States Census Bureau, “North American Industry Classification System,” USA, 2017, https://www.census.gov/eos/www/naics/
⁴ National Council of ISACs, “Member ISACs,” https://www.nationalisacs.org/member-isacs
⁵ Verizon, 2018 Data Breach Investigations Report, USA, 2018, https://enterprise.verizon.com/resources/reports/dbir/
⁶ Department of Homeland Security, “APTs Targeting IT Service Provider Customers,” USA, https://www.us-cert.gov/APTs-Targeting-IT-Service-Provider-Customers
⁷ McAfee, “McAfee Labs 2019 Threats Predictions Report,” 29 November 2018, https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-2019-threats-predictions/
⁸ FireEye, “Facing Forward: Cyber Security in 2019 and Beyond,” 2018, https://content.fireeye.com/predictions/rpt-security-predictions-2019
⁹ Thompson, H.; S. Trilling; “Cyber Security Predictions: 2019 and Beyond,” Symantec, 28 November 2018, https://www.symantec.com/blogs/feature-stories/cyber-security-predictions-2019-and-beyond
¹⁰ Sophos, “Sophoslabs 2019 Threat Report,” 2018, https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophoslabs-2019-threat-report.pdf
¹¹ Barlow, C.; “IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape,” SecurityIntelligence, 20 December 2018, https://securityintelligence.com/ibm-x-force-security-predictions-for-the-2019-cybercrime-threat-landscape/
¹² KPMG, “Ten Trends Driving Cyber Security in 2019,” 9 January 2019
¹³ AlienVault, https://otx.alienvault.com/
¹⁴ IBM X-Force Exchange, https://exchange.xforce.ibmcloud.com/
¹⁵ Information Security Forum, “Threat Horizon,” https://www.securityforum.org/consultancy/threat-horizon/
¹⁶ Nadeau, M.; “What Is Cryptojacking? How to Prevent, Detect, and Recover From It,” CSO, 13 December 2018, https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html
¹⁷ The Open Web Application Security Project, “Application Threat Modeling,” https://www.owasp.org/index.php/Application_Threat_Modeling
¹⁸ Microsoft, “Threat Modeling,” https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling
¹⁹ Peterson, G.; P. Hope; S. Lavenhar; “Architectural Risk Analysis,” 3 October 2005, https://www.us-cert.gov/bsi/articles/best-practices/architectural-risk-analysis/architectural-risk-analysis
²⁰ National Institute of Standards and Technology, “Security and Privacy Controls for Federal Information Systems and Organizations,” Special Publication SP 800-53, Rev. 4, USA, April 2013, https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-53r4.pdf
²¹ Australian Cyber Security Centre, “Essential Eight Explained,” 2017, https://acsc.gov.au/publications/protect/essential-eight-explained.htm
²² Center for Internet Security (CIS), “CIS Controls,” https://www.cisecurity.org/controls/