In this lesson, we’ll cover:
-
Definitions of commonly used security terminology
-
Types of security controls
-
Assessing security risks
These terms are fundamental concepts in the field of cybersecurity and risk management. Let's break down each term and how they relate to each other:
- Threat Agent:
A threat agent is an individual, group, organization, or automated system that has the potential to exploit vulnerabilities in a system or network to cause harm or damage. Threat agents can be hackers, malware authors, disgruntled employees, or any entity that poses a risk to information and technology systems.
- Threat:
A threat is a potential event or action that can exploit vulnerabilities in a system and cause harm to an asset. Threats can include actions like hacking, data breaches, denial-of-service attacks, and more. Threats are the "what" in terms of potential harm that can be inflicted on an organization's assets.
- Vulnerability:
A vulnerability is a weakness or flaw in a system's design, implementation, or configuration that can be exploited by a threat agent to compromise the system's security. Vulnerabilities can exist in software, hardware, processes, or human behavior. Identifying and addressing vulnerabilities is essential for minimizing the risk of successful attacks.
- Risk:
Risk is the potential for loss, harm, or damage resulting from the interaction between a threat and a vulnerability. It is the likelihood that a threat agent will exploit a vulnerability to cause a negative impact. Risks are often assessed in terms of their potential impact and the likelihood of occurrence.
- Asset:
An asset is anything of value that an organization seeks to protect. Assets can include physical objects (such as computers and servers), data (customer information, financial records), intellectual property (trade secrets, patents), and even human resources (employees' skills and knowledge). Protecting assets is a key goal of cybersecurity.
- Exposure:
Exposure refers to the state of being vulnerable to potential threats. It occurs when a vulnerability exists that could be exploited by a threat agent. Exposure highlights the risk associated with having vulnerabilities present in a system or network.
- Control:
A control is a measure put in place to reduce the risk associated with vulnerabilities and threats. Controls can be technical, procedural, or administrative in nature. They are designed to prevent, detect, or mitigate potential threats and vulnerabilities. Examples include firewalls, access controls, encryption, security policies, and employee training.
To summarize the relationship between these terms: Threat agents exploit vulnerabilities to carry out threats, which can lead to risks that have the potential to cause harm to valuable assets. Exposure occurs when vulnerabilities are present, and controls are put in place to reduce the risk by preventing or mitigating the impact of threats on assets. This framework forms the basis of cybersecurity risk management, guiding organizations in identifying, assessing, and addressing potential risks to their information systems and assets.
Security controls are measures or safeguards implemented to protect information systems and assets from various threats and vulnerabilities. They can be classified into several categories based on their focus and purpose. Here are some common types of security controls:
- Administrative Controls:
These controls are related to policies, procedures, and guidelines that govern the organization's security practices and user behavior.
-
Security policies and procedures: Documented guidelines that define how security is maintained within an organization.
-
Security awareness and training: Programs to educate employees about security best practices and potential threats.
-
Incident response and management: Plans for responding to and mitigating security incidents.
- Technical Controls:
Technical controls involve the use of technology to enforce security measures and protect systems and data. Examples of technical controls are:
-
Access controls: Measures that restrict users' access to resources based on their roles and permissions.
-
Encryption: Converting data into a secure format to prevent unauthorized access.
-
Firewalls: Network security devices that filter and control incoming and outgoing traffic.
-
Intrusion Detection and Prevention Systems (IDPS): Tools that monitor network traffic for suspicious activity.
-
Antivirus and anti-malware software: Programs that detect and remove malicious software.
-
Authentication mechanisms: Methods for verifying the identity of users, such as passwords, biometrics, and multi-factor authentication.
-
Patch management: Regularly updating software to address known vulnerabilities.
- Physical Controls:
Physical controls are measures to protect physical assets and facilities.
-
Security guards and access control personnel: Personnel who monitor and control access to physical premises.
-
Surveillance cameras: Video monitoring systems to monitor and record activities.
-
Locks and physical barriers: Physical measures to restrict access to sensitive areas.
-
Environmental controls: Measures to regulate temperature, humidity, and other environmental factors that affect equipment and data centers.
- Operational Controls:
These controls relate to day-to-day operations and activities that ensure the ongoing security of systems.
-
Change management: Processes for tracking and approving changes to systems and configurations.
-
Backup and disaster recovery: Plans for data backup and recovery in case of system failures or disasters.
-
Logging and auditing: Monitoring and recording system activities for security and compliance purposes.
-
Secure coding practices: Guidelines for writing software to minimize vulnerabilities.
- Legal and Regulatory Controls:
These controls ensure compliance with relevant laws, regulations, and industry standards. The standards an organization needs to comply with depends on the jurisdiction, industry vertical and other factors.
-
Data protection regulations: Compliance with laws such as GDPR, HIPAA, and CCPA.
-
Industry-specific standards: Adherence to standards like PCI DSS for payment card data security.
These categories of security controls work together to create a comprehensive security posture for organizations, helping to protect their systems, data, and assets from a wide range of threats.
Some security professionals feel that risk management is left to risk professionals, but understanding the process of managing security risk is important for any security professional to help express security risk in language the rest of the organization can understand and act upon.
Organizations must assess security risks constantly and decide what action (or not) to take against risks to the business, below is an overview of how this is typically done. Note that this process is usually carried out across several different teams within an organization, it is rare that one team would be responsible for the end-to-end management of risk.
- Identify Assets and Threats:
The organization identifies the assets that it wants to protect. These can include data, systems, hardware, software, intellectual property, and more. Next, they identify potential threats that could target these assets.
- Assess Vulnerabilities:
Organizations will then identify vulnerabilities or weaknesses in systems or processes that could be exploited by threats. These vulnerabilities can stem from software flaws, misconfigurations, lack of security controls, and human error.
- Likelihood Assessment:
The organization will then evaluate the likelihood of each threat occurring. This involves considering historical data, threat intelligence, industry trends, and internal factors. Likelihood can be categorized as low, medium, or high based on the probability of the threat materializing.
- Impact Assessment:
Next, the organization determines the potential impact of each threat if it were to exploit a vulnerability. Impact can encompass financial losses, operational disruptions, reputational damage, legal consequences, and more. Impact can also be categorized as low, medium, or high based on the potential consequences.
- Risk Calculation:
The likelihood and impact assessments are combined to calculate the overall risk level for each identified threat. This is often done using a risk matrix that assigns numerical values or qualitative descriptors to likelihood and impact levels. The resulting risk level helps prioritize which risks need immediate attention.
- Prioritization and Decision-Making:
The organization will then prioritize risks by focusing on those with the highest combined likelihood and impact values. This allows them to allocate resources and implement controls more effectively. High-risk threats require immediate attention, while lower-risk threats may be addressed over a longer timeframe.
- Risk Treatment:
Based on the risk assessment, the organization determines how to mitigate or manage each risk. This could involve implementing security controls, transferring risk through insurance, or even accepting certain levels of residual risk if they are deemed manageable/too costly to fix/etc.
- Continuous Monitoring and Review:
Risk assessment is not a one-time process. It should be conducted periodically or whenever there are significant changes to the organization's environment. Continuous monitoring ensures that new threats, vulnerabilities, or changes in the business landscape are accounted for.
By assessing security risks in this structured manner, organizations can make informed decisions about resource allocation, security controls, and overall risk management strategies. The goal is to reduce the organization's overall risk exposure while aligning security efforts with the organization's business goals and objectives.