Historically, aside from the enabling tools (like mobile VPN access), security spending has essentially been insurance with no visible return. This is starting to change as more businesses insure against breach and loss. While many of the costs of a breach are not directly financial, there are plenty of references available for attributing financial loss, and there is more data available to make a better risk assessment of potential loss. In December 2015, the EU reached agreement on the GDPR, which proposed a maximum fine of up to 4% of annual worldwide turnover. As more companies look at insuring against loss, there is a direct and immediate link between the insurance premium, the maximum indemnity and the security posture of an organisation. Hardware.com adopts a ‘top down approach’ to network security to help demonstrate that an improved security posture can deliver a return on investment.
From The Top
Ultimately, the CEO is responsible for network security, and the information security posture of a company sits on the risk register alongside all the other high level considerations such as physical theft, service availability and staffing. Given the standard metrics of likelihood vs impact, Hardware.com increases the accuracy of the assessment by providing improved visibility of threats and a better understanding of the potential costs of a breach. When dealing with the likelihood of a breach, Hardware.com encourages customers to consider:
What are the threats facing the business?
How comprehensive is the security strategy in dealing with and preventing these risks?
The immediate technical / physical impact of a breach can easily be determined as hard fact but the knowledge that customer data has been exfiltrated has greater implications. In terms of the wider business impact, there is more information available today on possible fines, and daily operational turnover should be simple to calculate. The eventual cost of reputational damage and customer shift are far more subjective, but the certain pain of those factors should be clear enough to ask:
What are the potential immediate financial costs of a breach?
What are the long term financial costs from information and reputation losses?
The responses to these questions only provide a summary answer to what should be a more detailed assessment of an organisation’s security posture. They should, however, be sufficient to justify the expense and effort of a comprehensive security plan designed to mitigate the risks to an appropriate level. In reality, there are far too many individual threats and vulnerabilities to list on the global risk register; these need to be investigated as part of the security plan.
The Security Risk Management Framework
There are several options for companies looking to adopt a formal risk management approach, and many organisations use the ISO/IEC 27001:2013 standard both as a framework for risk management and as a formal accreditation. Hardware.com assists with the key requirement to investigate and fully understand the ‘Big 3’: what are the key assets, the vulnerabilities and the threats?
Once we have answered those questions, we can begin to define a security strategy making the best use of the resources to hand.
1. Key Asset Evaluation
Each asset can be mapped against the relevant vulnerabilities to determine the likelihood of a successful breach and the resulting technical / physical impact. Common assets and their respective threats might include, but are not limited to, the following:
Intellectual property – stolen design plans, software, music
Customer Data – personal details, financial or medical records
Computer power and internet connection – for use in staging botnet attacks
Cash – taken from duped transfer scams, unauthorised payments
Physical property – taken from transfer scam, fraudulent transactions
Service availability – website taken offline from DDOS attack
System availability and data – ransomware locking machines for ransom
2. Vulnerabilities Evaluation
Vulnerabilities are harder to quantify, since at any time there can be many unknown issues which later surface as zero day exploits in common software. Initially we need to look at the attack surface – the interfaces at which an attacker can launch an attack. This includes both machine and human elements, such as web servers exposed to the internet and staff that receive inbound phone calls. The term vulnerability in this sense does not imply a poor security posture; it identifies any element on the attack surface where a valued asset might be subject to a threat that requires risk mitigation. Some examples include:
Unpatched server and user systems – Common Vulnerabilities and Exposures – CVE-2010-333
Poor, exploitable website code – CSRF, injection
Weak password policies – easy to guess or brute force
Open external access allowing reconnaissance and probing
Poor user behaviour – password noting and sharing accounts
Poor process and policy which fails to protect users from mistakes or scams
Ineffective logging and visibility of systems and network activity
Poor third party external device separation
3. Threat Evaluation
The threats to an organisation are the factors, human or otherwise, that can inflict a negative impact on its resources. These would include power outages and other physical risks, but for the purpose of the security risk assessment they would normally include some of the following:
Opportunist hacker looking for open systems on the internet
Hacker scanning public servers with specific version for known issues
Hacker looking to exploit poor code on public server
DDOS attacker from botnet designed to take a site offline
Advanced persistent threat determined to attack an enterprise
Phishing emails targeting known users
Advanced social engineers looking to exploit staff for access
Physical threats to access systems from intruders
Knowledgeable insider misusing systems
Malicious insider with systems access
Malicious outsider with personal grudge (fired employee)
Advanced scams designed to dupe users into theft or systems access
At this point you should have a relatively comprehensive list of your valued assets, the actors that would impact those assets, and a good idea of the targets that may get hit. This forms the basis of an in-depth impact / likelihood risk assessment in which all known threats to each vulnerability are considered. With an honest appraisal of an organisation’s staff and systems, some elements may turn out to be relatively secure.
The Security Strategy
Hardware.com aims to understand the customer’s security strategy. This should identify the business priorities, the intended security posture the organisation wishes to achieve at a given point, and the way in which that should be achieved. This might include a strategic decision to outsource operations to cloud providers or to focus effort on key risk areas. It should be a periodic exercise rather than a one-time task: as the strategic direction changes, new risks may be introduced which must be identified and assessed. Moving services to the cloud removes some risks but introduces others, such as a lack of visibility of access. Hardware.com delivers a comprehensive risk assessment which identifies the overall security posture of the organisation and the greatest areas of concern. A distilled version of the report, summarising the threats and local impact, can be presented to C-level staff to determine the wider impact on the risk register for each of the major asset groups. At this point, the top down strategy can begin, with direction from C-level on the budget, scope and priorities for the organisation’s security strategy.
The Security Plan
Hardware.com helps the customer to build a robust security plan, the goal of which is to achieve the aims of the security strategy while providing the most effective risk mitigation with the given resources. With as many as possible of the risks identified and prioritised, the security plan defines how each risk is mitigated. Against each asset and its relevant vulnerabilities, control measures and mitigation techniques are planned for implementation and periodic review. The security plan is not necessarily a technical document, but it should identify the steps taken to mitigate risk. Hardware.com can address 7 out of the 10 key areas outlined by the National Cyber Security Centre, including:
Risk Management Regime
User Training & Awareness
Removable Media Controls
Home & Mobile Networking
In order to maximise the effectiveness of the budget and resources, Hardware.com advises a ‘top down approach’ when looking at technology solutions for enterprise security. By identifying assets, vulnerabilities and threats, we can assess overall priorities and apply the appropriate level of resource to each area. When evaluating a range of technology options, it is then simpler to match the value of a particular product, feature or solution against the requirements of the security plan.