Let’s face it, in today’s world, humans are almost completely dependent on digital systems. These systems have become woven into the fabric of our lives, affecting nearly every aspect of our world. As technology advances, so do the intricacies of potential vulnerabilities that could compromise the integrity, confidentiality, and availability of sensitive information held within these systems.
The relentless evolution of cyber threats demands a proactive and comprehensive approach to risk. This involves analyzing computer systems and protecting them against potential dangers and threats, which is of the utmost importance in today's linked digital environment.
In this article, we delve into the intricacies of identifying, assessing, and mitigating risks, providing insights that empower organizations to fortify their defenses and stay ahead of evolving threats.
Risk and Threat Analysis
The looming threat of an attack is something every organization has to contend with. With that in mind, many organizations conduct a risk/threat analysis to be better able to counteract such threats. Before we get into risk and threat analysis, let’s first understand what risk is in the context of computer security.
At a very basic level, risk refers to the likelihood that your computer information system or enterprise might be damaged as a result of an accident or an assault. An assault on an information system, often known as an IT system, is a series of activities that are carried out in order to exploit vulnerabilities inside the system. This process continues until the objectives of the attacker have been accomplished. In light of this, it is essential for an organization to conduct a risk assessment in the event of an attack.
This assessment may be carried out by determining the extent of the harm that is being caused and the probability that the assault will take place. This possibility will be determined by the motivation of the attacker as well as the manner in which the assault is carried out.
Let’s now move on to identifying and determining risk. To accomplish that we must engage in the process of risk analysis and determine what our assets, vulnerabilities, and threats are.

Assets
Within an organization, assets can be classified as tangible and intangible. In the context of information security, tangible items would include hardware components such as PCs, laptops, servers, routers, etc., and intangible items such as software applications, source code, object code, data and information, and digital content etc.
A critical component of risk analysis is to identify and value the assets in the organization; the latter presents more of a challenge. Although it may be relatively easy to put a price on hardware components such as servers, laptops, and routers, it’s not so easy to quantify the value of data and information, especially confidential data and information about customers, or strategic information about the company’s plans.
In the same breath, if hardware items are destroyed or stolen, you would first have to identify the cost to replace the component and then consider the value of the data that was stored on it, and as mentioned before, that’s not always an easy task. When an asset has been lost, damaged, or destroyed, it is important to determine if the company can survive without it, and if so, for how long.
Vulnerabilities
Any weaknesses or defects in a system that may be exploited by attackers to undermine the system’s security, integrity, or availability are referred to as vulnerabilities. Vulnerabilities can be found in a system and can be accidentally or intentionally exploited. The software, the hardware, the networks, and the human aspects that make up a system are all potential places where these vulnerabilities may be found. Typical vulnerabilities include:
Software Vulnerabilities
- Programming Errors: Bugs, coding mistakes, or logical errors in software code.
- Buffer Overflows: Occurs when a program writes more data to a buffer than it can hold, potentially allowing an attacker to execute arbitrary code.
- Injection Attacks: Techniques like SQL injection or code injection where malicious code is injected into input fields or command strings.
Hardware Vulnerabilities
- Firmware Exploits: Vulnerabilities in the firmware of hardware components, which can be exploited for unauthorized access or control. Firmware is software embedded in a hardware component that provides low-level control of that particular device.
- Hardware Backdoors: Design flaws in the system hardware, either unintentional or malicious, that allow unauthorized access or control.
Network Vulnerabilities
- Weak Encryption: I can talk about encryption for days, but suffice it to say that data protected with outdated or weak encryption algorithms can be easily compromised.
- Man-in-the-Middle Attacks: This is when an attacker intercepts and inserts itself on a communication path between two parties, where it pretends to be either one of the parties.
Human Factor Vulnerabilities
- Social Engineering: Exploiting human psychology to manipulate individuals into divulging confidential information or performing actions that compromise security.
- Weak Passwords: Well, this is a no-brainer, but you’d be surprised to know how many people still use their names as passwords or even use the word “password”. Easily guessable or common passwords are one of the simplest and most common ways to compromise a system.
Configuration and Security Policy Weaknesses
- Default Settings: Systems configured with default settings, which may have well-known vulnerabilities. Proper system protection usually requires the system to be properly configured for the particular task.
- Lack of Updates/Patching: This is one area that is often overlooked. Failure to apply security patches and updates leaves the system vulnerable to known exploits. This can be simply avoided by scheduling an automatic update to install on servers, PCs, and laptops at prescribed intervals.
Physical Security Weaknesses
- Unauthorized Access: Lack of controls to prevent unauthorized physical access to systems or infrastructure. Modern server rooms should have several layers of physical security, and only authorized personnel who can be authenticated should have access to sensitive equipment.
- Data Leakage: This is where unprotected physical access to storage media or devices may lead to data leakage. Similarly, as mentioned before, physical storage devices should be kept in a secured area where only authorized personnel should have access to them.
Supply Chain Vulnerabilities
- Third-party Software Risks: Although using third-party software can sometimes be quicker and cheaper to implement than developing such software on your own, using third-party software or components does come with the added risk of containing known vulnerabilities. Therefore, before using any third-party software, a proper investigation should be conducted to determine if any such risk exists.
Vulnerabilities can be rated according to their impact. A vulnerability that allows an attacker to assume control of an administrator account is obviously more severe than a vulnerability that gives access to an unprivileged user account. One way of identifying vulnerabilities is the use of vulnerability scanners. Scanners like Tenable Nessus and Rapid7 Nexpose help organizations identify and assess vulnerabilities in their systems, networks, and applications.
Threats
Threats are actions by adversaries who try to exploit vulnerabilities to damage assets, impacting the confidentiality, integrity, or availability of information, resources, or functionality within a computer system. These threats can come from various sources, including malicious actors, environmental factors, or unintentional events, and can be categorized by the damage done to the assets. I’ll go into much greater detail regarding threats in future articles. But for now, I’ve included some of the major threats faced by computer systems below.
Malware
This is essentially software designed for a malicious purpose, mainly to harm or exploit computer systems. Examples include viruses, worms, Trojans, ransomware, spyware, and adware.
Spoofing
Simply put, this is a technique used in computer security to deceive or trick systems, networks, or users by falsifying information, and allows an intruder to pretend to be someone else.
Phishing
Phishing is an attack that uses deception to get usernames, passwords, and financial information. It usually entails imitating a trusted entity to trick the victim into helping the attacker. An example is when the attacker sends an email that appears to be from a legitimate source, such as a bank, government agency, or reputable company, and creates the impression that an urgent response is required. The victim responds with personally sensitive information, unaware they’re sending the response to the attacker.
Denial of Service
DoS attacks disrupt or overwhelm sites and services, making them temporarily unavailable to legitimate users. For more information, see my article on Denial of Service (DoS).
Brute Force Attack
This type of attack targets a system whose cryptographic algorithm is itself strong: the attacker simply tries every possible key until the right one is found. Theoretically, there is no real defense against a brute force attack; however, a large number of possible keys makes an exhaustive search more difficult.
Insider Threats
These are security risks originating from individuals within an organization who misuse their access or privileges. An example would be tampering with security settings, thus making it easier for an attacker to gain privileges to the system.
The above threats are by no means a complete list; new threats come out all the time, but these are some of the more prevalent ones. Once the source of an attack has been identified, it is important to consider whether it originated from someone within the organization, a third party such as a contractor, or a former employee. Also consider whether the attack took place directly from one of your compromised systems or from a remote location.
It is possible to assign a probability rating to each threat. Depending on the complexity of the attack, the purpose of the attacker, and the number of possible attackers, the chance of the attack occurring is determined.

Risk Analysis
At this point, after the organization has determined the asset values, how critical the vulnerabilities are, and the likelihood of each threat occurring, the risk can be calculated. The risk assessment can be based on a scale that measures the severity of the attack, combining the asset value, the criticality of the vulnerability, and the probability of the threat occurring. The scale can run from probable to improbable with steps in between, or it can be a bit more precise by using a numerical value from 1 to 10; the choice is subjective.
Risk analysis is based on factors like the size and complexity of an organization. However, I’ve used a very simplified method below for a qualitative risk analysis, just to give a gist of what is involved. In the absence of concrete numerical data, one might do a qualitative risk analysis to evaluate the seriousness and probability of possible dangers. If you want to know what risks your project, investment, or other undertaking faces and how serious they are, this is an excellent place to start.
Assets can be rated on a scale based on the impact their damage or loss would have on the organization: high impact, low impact, or little or no impact.
Vulnerabilities can be rated by how expeditiously they have to be rectified: rectified immediately, rectified soon, should be rectified, or rectified if you want to.
Threats can be rated on the probability of their occurring: very probable, probable, improbable, or very improbable.
If you want to be a bit more precise, a simple numerical scale can be utilized to measure the impact of a loss of an asset. A popular representation is a risk assessment matrix, an example is shown below.

Risk Minimization and Mitigation
The result of a risk analysis is a prioritized list of threats, together with countermeasures to mitigate risk. Generally speaking, risk analysis tools come packaged with a knowledge base of potential countermeasures for the dangers that they are able to uncover. Because new threats come out all the time, many organizations may elect to have a standardized protection plan as an alternative. With this method, the security needs for common scenarios are analyzed, and recommendations for countermeasures that are regarded as appropriate are made.
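As an added example (not code from the original article), the small Python script below scores each threat on the three qualitative scales from the Risk Analysis section and produces the prioritized list of threats described above. The scale labels come from the article; the 1-4 numeric weights and the sample risk register are constructed for illustration.

```python
# Added example: qualitative risk scoring on the article's three scales.
# The scale labels are from the article; the 1-4 weights and the sample
# register below are constructed for illustration.
from dataclasses import dataclass

# Ordinal weight per label; higher means worse for the organization.
ASSET_IMPACT = {"little or no impact": 1, "low impact": 2, "high impact": 4}
VULN_CRITICALITY = {"rectified if you want to": 1, "should be rectified": 2,
                    "rectified soon": 3, "rectified immediately": 4}
THREAT_PROBABILITY = {"very improbable": 1, "improbable": 2,
                      "probable": 3, "very probable": 4}


@dataclass(frozen=True)
class RiskItem:
    threat: str       # the threat being rated, e.g. "phishing"
    asset: str        # the asset the threat would damage
    impact: str       # label from ASSET_IMPACT
    criticality: str  # label from VULN_CRITICALITY
    probability: str  # label from THREAT_PROBABILITY


def risk_score(item: RiskItem) -> int:
    """Risk = asset impact x vulnerability criticality x threat probability.
    An unknown label raises KeyError, so a typo in the register cannot
    silently score as zero and vanish from the prioritized list."""
    return (ASSET_IMPACT[item.impact]
            * VULN_CRITICALITY[item.criticality]
            * THREAT_PROBABILITY[item.probability])


def prioritize(items):
    """Return (score, item) pairs, highest risk first; ties keep input order."""
    return sorted(((risk_score(i), i) for i in items),
                  key=lambda pair: pair[0], reverse=True)


# Constructed sample register; threats, assets and ratings are illustrative.
SAMPLE_REGISTER = [
    RiskItem("phishing", "customer database", "high impact",
             "rectified soon", "very probable"),         # 4 * 3 * 4 = 48
    RiskItem("unpatched server exploit", "web server", "high impact",
             "rectified immediately", "probable"),        # 4 * 4 * 3 = 48
    RiskItem("firmware backdoor", "office router", "high impact",
             "should be rectified", "very improbable"),   # 4 * 2 * 1 = 8
]

if __name__ == "__main__":
    for score, item in prioritize(SAMPLE_REGISTER):
        print(f"{score:3d}  {item.threat:<26} {item.asset}")
```

The weights are deliberately not linear (high impact counts 4, not 3) so that a high-impact asset dominates the ranking even when the threat is only moderately probable; adjust them to match how your organization actually weighs impact against likelihood.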
Summary
Identifying and mitigating risk is great and necessary, but the old adage that prevention is better than the cure also holds for information security. It is always preferable to minimize the risks to any system, and in so doing reduce the overall risk. Here are a few simple considerations to minimize risk.
- Ensure that the system is constructed in the proper manner from the beginning, taking into account your assets, vulnerabilities, and threats.
- Make sure adequate countermeasures are in place in the event of an attack.
- Properly train personnel who use the systems about security issues.
- Ensure physical security measures are taken and maintained.
- Ensure only authorized, privileged personnel are allowed to access sensitive data and equipment.
- Maintain a frequent auditing and problem-finding schedule, even if the system appears to be secure.
- Maintain a state of constant awareness, and always be prepared for any potential calamities.
To summarize, a comprehensive risk analysis is an absolute must for businesses that are keen on protecting their digital assets. By doing a proper risk analysis, companies can adopt effective countermeasures and strategically allocate resources when they first detect potential risks. Because of the ever-changing nature of the technological world, it is essential to do ongoing risk monitoring and to update security policies.
The successful execution of a risk analysis not only strengthens the defense against cyberattacks but also helps to develop a security posture that is robust and adaptable. This enables enterprises to handle the ever-changing challenges of the digital era with more confidence and resilience.