How Threat Risk Assessments May Prevent Data Leaks
Posted on Monday, August 15th, 2016 by Nicandro Scarabeo

Recent health data breaches have been reported in the news, such as the one at Arizona-based Banner Health, which experienced a cybersecurity attack potentially affecting 3.7 million patients. The data might have been compromised after an employee accessed corporate data outside of normal job duties, without following existing regulations.

Such examples show that attacks targeting companies’ assets and critical information, often resulting in major data breaches, are increasing and becoming a dominant source of concern. Although it is impossible to remove all risk, an organization can reevaluate its strategy towards risk and decide which risks it will accept in order to reduce its overall exposure.

One of the first steps your company should consider is a threat risk assessment or, better yet, a cybersecurity posture assessment, which gives you an overview of your current security posture and recommendations on where to go next.

Why Perform a Threat Risk Assessment?

One of the main purposes of performing a Threat Risk Assessment (TRA) is to ensure that policy and appliance settings keep the organizational infrastructure at an acceptable level of risk. The organization might also ask for a review restricted to specific areas or issues.

Goals of a TRA

  • Define the industry norms for the security settings/use in scope and determine whether the organization meets them;
  • Provide an estimate of risk according to the current state of the organization’s security posture;
  • Assess the residual risk, and analyze what controls could be used to reduce that residual risk.

To achieve these goals, a Security Consultant analyzes the initial risks and looks for controls that could reduce them, while keeping the quality and functionality of the organization’s services unchanged. When elaborating mitigation strategies, ‘industry norms’ are analyzed alongside any specific standards the organization might be following. Assuming the recommendations are discussed and applied within the organization, a new set of residual risks is generated. Typically this virtually eliminates the ‘very high’ risks and removes all the ‘high’ risks that can be addressed immediately. Some ‘high’ risks might stem from vulnerabilities that are more difficult to fix in the short term.

Adopting TRA-1 Methodology

Consultants usually follow TRA-1, the ‘Harmonized Threat and Risk Assessment Methodology’. A TRA provides a systematic way of understanding risks from the perspective of the enterprise’s interests, and of exploring how a particular project will affect those interests. The methodology also attempts to quantify the risks so that enterprise resources can be directed at reducing the most serious risks to an acceptable level. While no risk can ever be removed completely, this systematic procedure helps organizations bring risks down to an appropriate level while using the fewest resources necessary.

A TRA process follows these steps:

  • Identifying the assets, threats, and controls implementation relevant to the project scope.
  • Assigning asset values which rank their importance with respect to confidentiality, integrity and availability. The list of assets defines the scope of the TRA.
  • Assigning a ‘threat score’ to threats by multiplying (1) their probability of occurrence with (2) their severity if they do occur.
  • Assigning a score to controls implementation: this score is high for a missing control that is equivalent to a vulnerability which is easy to exploit, and low for good control implementation.

All numerical scores range from 1 to 5. The exact assignment of numerical values to assets, threats and control implementation is part of the ‘art’ of threat and risk assessment. Once the list of assets, threats and vulnerabilities has been generated and values have been assigned to each element, the TRA continues by linking threats, controls and assets together in a plausible risk scenario:

A threat (i) exploits a vulnerability or missing control (j), which affects an asset (k).

The values assigned in the initial procedure are then multiplied to obtain a ‘risk score’ for the scenario identified by (i, j, k).

Risk scores fall into five bands: 1-4 (very low risk), 5-12 (low risk), 15-32 (medium risk), 36-75 (high risk) and 80-125 (very high risk). Because each factor is an integer between 1 and 5, no product can land in the gaps between these bands.

Figure: Threat Risk Assessment risk scores

Healthcare Industry Examples

The healthcare industry is a good example because it is under constant attack for its sensitive patient information. Let’s consider a scenario in which a motivated attacker steals an iPad in order to obtain health information about a politician for malicious purposes (Asset: patient data, with confidentiality impacted; score = 3).

Given that the threat probability is low (2) and the severity mid-to-high (4), the threat score is 3. Knowing that the patient data is stored on an unencrypted device with no passcode protection, the control score is 5 (very poor safeguards).

Following the TRA calculation, the risk score is 3*5*3 = 45. This falls into the ‘high risk’ category and is probably worth mitigating. Here the security practitioner would suggest a mitigation strategy that introduces controls so that data is not stored locally on the device, and enforces a passcode to access the patient information.

With the updated control (j) assigned a value of 2, the risk score becomes 3*2*3 = 18 (medium risk), which may be acceptable for the scope of the project.
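The scoring procedure above and the stolen-tablet scenario, expressed in Python as an added illustration (this is not code from the original post or from Hitachi Systems Security). The threat score is taken as a 1-5 input exactly as the post's example assigns it (3), rather than derived; the `Scenario` class, the `residual_risk` and `rank` helpers and the second sample scenario are constructed for this example.

```python
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # every TRA score on the page (asset, threat, control) runs from 1 to 5

# Risk bands exactly as the post states them. The gaps between bands (13-14, 33-35,
# 76-79) are unreachable: no product of three integers in 1..5 lands there.
RISK_BANDS = [
    (1, 4, "very low"),
    (5, 12, "low"),
    (15, 32, "medium"),
    (36, 75, "high"),
    (80, 125, "very high"),
]


def check_score(name, value):
    """Reject anything outside the 1-5 scale before it silently distorts a product."""
    if value not in SCALE:
        raise ValueError(f"{name} score {value} is outside the 1-5 scale")
    return value


def risk_score(threat, control, asset):
    """Risk score for scenario (i, j, k): threat i exploits missing control j, affecting asset k."""
    return (check_score("threat", threat)
            * check_score("control", control)
            * check_score("asset", asset))


def risk_band(score):
    """Map a risk score onto the post's five bands."""
    for low, high, label in RISK_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"{score} is not a product of three 1-5 scores")


@dataclass(frozen=True)
class Scenario:
    """One (threat, control, asset) triple with the 1-5 scores assigned by the assessor (constructed type)."""
    threat: str
    control: str
    asset: str
    threat_score: int   # taken as given, as in the post's example (3)
    control_score: int  # 5 = control missing / trivially bypassed, 1 = well implemented
    asset_score: int

    def score(self):
        return risk_score(self.threat_score, self.control_score, self.asset_score)

    def band(self):
        return risk_band(self.score())


def residual_risk(scenario, new_control_score):
    """Re-score a scenario after a mitigation changes only the control score (hypothetical helper)."""
    return replace(scenario, control_score=new_control_score)


def rank(scenarios):
    """Highest risk first, so 'very high' and 'high' scenarios are addressed before the rest."""
    return sorted(scenarios, key=lambda s: s.score(), reverse=True)


def bands_cover_all_products():
    """Sanity check on the banding: each reachable product falls into exactly one band."""
    products = {t * c * a for t in SCALE for c in SCALE for a in SCALE}
    return all(sum(lo <= p <= hi for lo, hi, _ in RISK_BANDS) == 1 for p in products)


# Constructed sample scenarios; the first reproduces the post's stolen-tablet case.
TABLET_THEFT = Scenario(
    threat="motivated attacker steals a clinician's tablet",
    control="no device encryption, no passcode",
    asset="patient data (confidentiality)",
    threat_score=3, control_score=5, asset_score=3,
)
TABLET_MITIGATED = residual_risk(TABLET_THEFT, 2)  # data no longer stored locally, passcode enforced
PHISHING = Scenario(
    threat="phishing e-mail to front-desk staff",
    control="no mail filtering, no awareness training",
    asset="scheduling system (availability)",
    threat_score=4, control_score=4, asset_score=2,
)

if __name__ == "__main__":
    for s in rank([TABLET_THEFT, TABLET_MITIGATED, PHISHING]):
        print(f"{s.score():3d} {s.band():10s} {s.threat} / {s.control}")
```

Running the block lists the tablet scenario at 45 (high), the constructed phishing scenario at 32 (medium) and the mitigated tablet scenario at 18 (medium), which is the ordering an assessor would work through when deciding which residual risks to accept.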

Figure: Threat Risk Assessment scenarios

How long does a Threat Risk Assessment take?

The effort needed to perform a TRA can be estimated, but it depends strictly on the scope of the project. The total estimated effort is typically in the range of 160-250 hours.

In most cases, the first and last phases of the engagement have a standard duration: one (1) day for the engagement initiation phase, and one (1) week for the final report and the summary presentation. The middle part of the project depends entirely on the scope and can be divided into two parts:

  1. The System Description Development (SDD) phase, in which all variables (assets, threats, controls) are defined. This phase requires 1-2 full weeks of work.
  2. The TRA Analysis phase, in which all combinations of the variables are defined, scenarios are built and the calculations are performed. In general, this phase requires 2 weeks of work.

Final Note: As mentioned earlier, every Threat Risk Assessment’s scope is different. This information is for indication purposes only.

Nicandro Scarabeo
About author:
In his position as Senior Product Manager at Hitachi Systems Security, Nicandro Scarabeo has initiated and consolidated collaborations with universities in Italy, France and Canada. Having joined Above Security in 2010, he currently leads the company’s research unit with the goal of applying methods to correlate primary sensor security data, extracting knowledge from high volumes of security-related data, introducing new sources of information for security analysis purposes and identifying methods to evaluate the performance of the system. Nicandro Scarabeo completed his Ph.D. at the University of Cassino and Southern Lazio, Italy, in the Department of Electrical and Information Engineering in March 2016. He obtained his Master’s degree from the Mobile Communication Engineering Department at Aalborg University, Denmark.
