Understanding Cybersecurity: Risks, Threats, and Assessments
What is Cybersecurity?
Cybersecurity is the set of strategies, techniques, and controls that reduce risk to your data and systems to a level you can accept. Controls lower the likelihood or the impact of a loss; they cannot guarantee that it never happens.
In general, security should be looked at as striking the balance between access and control. Too much access may disclose too much information; too much control could be a burden. Security should be a regular part of your best practices to ensure the success of your business.
Implementing cybersecurity measures is like locking your door in case someone tries to get into your things. If you don’t lock it, it’s possible that no one will break in, but if someone does, you may lose everything. The lock does not make a burglary impossible; it makes it less likely and less damaging, and it improves the odds that you will find everything in place when you come home from work.
Know Where Your Assets Are and What Their Value Is
Assets are what you own and want to keep safe. Assets have value to you. Information is an asset too. For example, this can be customers’ credit card numbers, patient data, or employee files.
In the infographic, assets are represented by diamonds: paintings, car, TV, money in a safe etc.
You have a multitude of assets. The first step to protecting them is to know where they are. If you don’t know, you will not know what to protect, where to begin, or where to invest. Locate them by preparing an asset inventory and sorting it in an order that is meaningful to you (by owner, by data type, by business impact). This can be done with discovery tools or through an asset classification exercise, and the inventory has to be kept current: an asset nobody knows about is an asset nobody protects.
It is impossible to protect all assets equally. Knowing what they’re worth, or knowing the impact a breach can have on your business if your assets are lost or exploited, is critical to establishing your cybersecurity strategy. Over-protecting low-value assets the same way as critical assets might be a waste of money! Under-protecting assets could make those assets vulnerable.
You also need to understand their value. The value you assign to each asset tells you what budget is reasonable to protect it and how much risk you are willing to accept when choosing the controls to put in place.
What Are Controls and How Do You Choose Them?
Controls help ensure that what is valuable to you and/or your customers is protected and safe. They are set up to reduce and mitigate risks that your organization might be facing, but can’t eliminate them.
For example, going back to the infographic, you might want to secure valuables in a safe, located in a closed room, in a locked house that is monitored by a security camera, protected by a dog and surrounded by a fence.
These elements represent directive, preventive, detective, and corrective controls:
- Directive controls tell people what should happen, or guide their actions (e.g., a “beware of the dog” sign, house rules, a written policy);
- Preventive controls stop something from happening (e.g., access controls: the safe, the locks, the fence; the visible security camera also acts as a deterrent);
- Detective controls find out what happened (e.g., monitoring and review of the security camera footage);
- Corrective controls follow detective controls: they recover from the consequences of an error or unexpected event (e.g., incident communication and reporting, replacing a broken lock). Some controls fall into more than one category: the alarm both detects an intrusion and, by its presence, deters one.
However, you need to understand that you can’t implement the same controls everywhere. Your assets don’t have the same value or exposure, so should be protected accordingly.
Although you may consider your car to be valuable, would you store it in a safe like your other valuables? Probably not, but you can use different controls and transfer part of the risk to an insurance company.
Let’s imagine you want the same controls in place for all your assets. First of all, it might not even be feasible. It might be costly for no reason or the risks and threats for a particular asset might be different from another one. That is why you must have different controls in place.
Also, it’s possible that leaving a low-value asset with no control in place is an acceptable risk. Even so, adding a cheap directive, preventive or detective control can deter attackers from trying too hard.
Back to our infographic: the security camera might be installed but not working. A thief who sees it may abandon the attempt anyway. Obviously, you don’t want defective controls, and you should test them regularly, but this shows how much the mere presence of a control can matter.
How to Define Risks
Risk is the potential for loss, damage or destruction of an asset when a threat acts on a weakness. Assessing risk means analyzing the scenarios that could lead to a breach or a loss. Controls reduce risk but never eliminate it, which is why you should also consider the worst-case scenarios: plan how to prevent them, be prepared for the moment a breach does occur, and know what to do next.
Controls can reduce or mitigate risks, but you need to be aware of the potential risks first.
The house is at risk of being broken into, hence the need to keep the door locked and your money and valuables in a safe place; it is also at risk from natural disasters, hence the need for a strong structure.
What About Threats?
Threats represent what could damage, destroy or compromise your assets. Assessing the risks and threats of your environment will define which types of controls to put in place in order to protect these assets from threats.
The assets in your house are exposed to several threats. External threats include the mailman who could enter your property, the thief who could break into your house and steal critical assets, or a storm that could hit your house and damage it along with your assets. Internal threats come from people you have let in, such as a cleaner who could scratch your TV or knock your computer off the desk.
In your environment, threats can be external or internal: hacker groups, employees, individuals with access to your devices/amenities, third parties. Knowing your threats will help you choose the right controls and build the most adequate defenses.
Compliance and Cybersecurity
To be compliant, you need to follow best practices, meet requirements, and perform or follow specific steps.
In your house, to be compliant with basic standards, you need to:
- Have your points of entry locked
- Check the roof every 5 years
- Make sure you don’t leave your keys in accessible places
- Paint your fence when it fades out
It is the same in terms of security. You might need to:
- Perform a pentest every year
- Monitor your logs
- Map your data and assets
- Scan your environment for vulnerabilities
- Update privacy policies, etc.
Meeting compliance requirements is important because it guides you toward keeping your data secure. However, being compliant does not by itself make your data, or your organization, secure.
This is where technical testing comes into play. A wide array of security assessments exists and it can be difficult to know which one you need. It depends on your current security posture and your overall strategy.
What Types of Security Assessments Exist?
Conducting a security assessment without a security program in place can be a dangerous and costly decision if not aligned with your overall cybersecurity strategy.
It is critical to have a solid cybersecurity strategy first to understand what needs to be done and avoid wasting time, money and resources.
1. Vulnerability Assessments
Related post: Benefits of a Vulnerability Assessment
Not to be confused with a vulnerability scan, a vulnerability assessment (VA) evaluates the weaknesses of your environment. The scan is only the automated part: during a VA, an Information Security Consultant runs the scanners, removes false positives, checks what the scanner cannot judge (configuration, exposure, business context), and provides an overview of the detected vulnerabilities ranked by severity, along with concrete recommendations for improvement:
- The fence is weak / Firewall is failing
- The dog is not barking when he sees a threat / Antivirus didn’t produce any alerts
- The door is unlocked / Anyone can access the root folder
- The window can be broken / Password is too weak
- The roof is too old / Software is not up-to-date
2. Application Assessments
An application assessment focuses on a specific item in your environment (in this case, an application) that you use to perform activities and reach your goals. It can be an internal application, a public one, a CRM, etc.
The goal is to spot vulnerabilities and rate their criticality in order to fix them or reduce the risk they create.
For your house, this could mean checking the microwave. The assessment might reveal a fault that could short-circuit the microwave and cut power to the whole house, so that the alarm never goes off and a break-in goes undetected. A flaw in one component can undermine controls that protect everything else.
3. Penetration Testing
Related post: What to know before conducting a pentest
A pentest goes one step further and exploits the vulnerabilities found, within a scope and rules of engagement agreed in advance, to prove your exposure and show how easy it is to penetrate your network:
- Step over the fence / Found vulnerability and accessed your network
- Pass by the dog and pet it / Managed to get in undetected
- Try to open the door / Tested SQL injection
- Break the window to get in / Used Metasploit to exploit a known vulnerability
- Open safe / Retrieved confidential data
In the end, the penetration tester drives back to you in your car with your paintings, computer and the money from your safe, and shows you, step by step in the report, how it was done so that you can close each gap.
4. Risk Assessments
A risk assessment helps you understand what kind of risk you are exposed to while checking that you meet the regulations that apply to you. The goal is to evaluate which risks are more critical than others and to put controls in place according to that level of risk.
The assessment will list all the potential ways to access or damage your assets: entering your house via the door, the window, the garage, destroy your couch, break mirrors in the bathroom, open your car, leak damage etc.
You will then define the types of controls needed for the assets you primarily want to protect. You can then perform additional risk assessments to make sure you are up to date with potential risks, threats and compliance requirements.
A threat risk assessment essentially follows a similar approach but will focus on the threats to consider and how they could be exploited and damage your assets: the mailman could befriend the dog and step over the fence, the thief could break the car window and steal the car, the storm could damage your roof and start a fire that would destroy the house…
5. Cybersecurity Posture Assessment
Related post: What is a Cybersecurity Posture Assessment?
A cybersecurity posture assessment gives an overview of your current situation and what you could be doing by assessing everything you have in place and giving you a thorough report with concrete recommendations.
It will list the types of controls you have and which assets you are protecting. It lets you know if the right controls are in place, the risks you are facing, and your level of exposure.
From that, you are then able to understand your weaknesses, what is missing to have a solid security posture and what you need to do to go in the right direction.
This assessment draws on all of the aforementioned security assessments and provides a clear understanding of your current security posture, with recommendations on how to improve it.
Managed Security Services vs. Security Assessments
If you want to take your security maturity even further, you may want to consider benefitting from managed security services.
This service monitors activity across your environment. That activity generates logs, which are parsed into events. The events are correlated by a security platform and analyzed by a security team 24/7.
If abnormal or suspicious activity occurs, alerts are generated and reviewed. If they are critical, analysts create incidents for your review so that you can act on them.
An incident draws your attention to a problem you might not be aware of and need to address: your dog barked, there was a noise in the door keyhole, the alarm went off, several objects disappeared from the living room, lightning struck nearby, etc.
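To make the log → event → correlation → alert → incident chain concrete, here is a small added example in Python (it is not part of the original article and is not any vendor’s platform). It parses constructed sshd-style authentication lines (the log lines, hosts and users are made up for illustration), groups the events by source address, and applies two correlation rules: repeated password failures inside a time window raise a high alert, and a successful login following those failures raises a critical alert, which is the kind of finding an analyst would escalate to an incident. The threshold and window are assumptions you would tune to your own environment.

```python
"""Toy log -> event -> correlation -> alert pipeline (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format; they are not real logs.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
2024-03-01T08:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T08:00:05 sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2
2024-03-01T08:00:06 sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T08:00:08 sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T08:00:12 sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T08:30:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T08:30:20 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T09:00:00 sshd[1400]: Failed password for bob from 192.0.2.9 port 42000 ssh2
2024-03-01T09:00:01 sshd[1401]: Failed password for bob from 192.0.2.9 port 42001 ssh2
2024-03-01T09:00:02 sshd[1402]: Failed password for bob from 192.0.2.9 port 42002 ssh2
2024-03-01T09:00:03 sshd[1403]: Failed password for bob from 192.0.2.9 port 42003 ssh2
2024-03-01T09:00:04 sshd[1404]: Failed password for bob from 192.0.2.9 port 42004 ssh2
"""

# Matches both "Failed password for root" and "Failed password for invalid user admin".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed tuning values; a real deployment would set these per environment.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_events(raw):
    """Log lines -> structured events. Lines that do not match the format are dropped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def correlate(events):
    """Events -> alerts. Per source address, keep a sliding window of failures:
    - FAIL_THRESHOLD failures inside WINDOW        -> 'high' alert (password guessing)
    - an Accepted login while that window is full  -> 'critical' alert (guessing succeeded)
    The 'high' alert is raised once per source so a long brute force does not flood the queue."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        recent_failures = []      # timestamps of failures still inside the window
        guessing_reported = False
        for e in evs:
            recent_failures = [t for t in recent_failures if e["ts"] - t <= WINDOW]
            if e["outcome"] == "Failed":
                recent_failures.append(e["ts"])
                if len(recent_failures) >= FAIL_THRESHOLD and not guessing_reported:
                    alerts.append({"severity": "high", "rule": "password_guessing",
                                   "src": src, "user": e["user"], "ts": e["ts"]})
                    guessing_reported = True
            elif len(recent_failures) >= FAIL_THRESHOLD:
                alerts.append({"severity": "critical", "rule": "guessing_then_success",
                               "src": src, "user": e["user"], "ts": e["ts"]})
    return alerts


def open_incidents(alerts):
    """Alerts -> incidents. Only critical alerts are handed to the customer to act on;
    the rest stay with the analysts for review."""
    return [a for a in alerts if a["severity"] == "critical"]


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_LOGS))
    for a in found:
        print(f"{a['ts']} {a['severity']:8} {a['rule']:22} src={a['src']} user={a['user']}")
    for inc in open_incidents(found):
        print(f"INCIDENT: {inc['rule']} from {inc['src']} as {inc['user']}")
```

On the constructed input this yields three alerts and one incident: the source that guessed its way to a successful root login is escalated, the source that only failed five times is flagged for review, and the user who mistyped a password once is ignored. Note what the last sentence of this section implies in code terms: if the sshd log were not collected at all, or the regex did not match your log format, `parse_events` would silently return nothing and no rule could fire, which is why knowing which logs matter comes before writing detections.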
Using security assessments or managed security services can help you oversee what is going on in your environment, prevent and mitigate security incidents. However, it is essential to know where your critical assets are, to have the right controls in place, to prioritize your risks and to know which threats to defend against to make sure you are monitoring the right logs – otherwise all your efforts might be in vain.