"Security is a process, not a product."
Bruce Schneier

Tag: risk management

NEXT DIFI 2021: an overview

The last few weeks I’ve been busy with the various in-person events I attended (first Money20, then DigiPay2021), but I’m not complaining.  It’s energizing to speak in front of a live audience, while also reaching people online. On the 8th of October, I participated in Next Difi 2021, a hybrid event, dedicated to banking and fintech innovation, digital finance, cybersecurity, blockchain, and more.

I had the pleasure to moderate the Banking and fintech innovation, and cyber security and risk management panel. I enjoyed intriguing discussions with members of DSK, Acronis, and Sirma Business Consulting. They shared exciting insights, so make sure you watch the recording (link below 😉 ).

next-difi-2021-moderating
Moderating a panel with DSK, Acronis, and Sirma Business Consulting

I also participated in the Innovative Technologies, New Players, and Transformed Business Models panel, where I gave a presentation on Card Payments Security Standards. In particular, I discussed the PCI DSS, 3DS, and PIN security standards. I shared an overview of what they are, who needs them, and what common misconceptions most people have about them.

A big ‘thank you’ to b2b Media for organizing the event and for inviting me to participate. See you again on the Fifth Edition!

A full recording of Next Difi 2021 can be found here:

Author: Pavel Kaminsky, CEO of 7Security

Where to Start with Your Risk Management?

Understanding and identifying risks is essential to a well-built and sustainable business. Being in touch with the threats and the ways to counter them is essential for a safer working environment.

Risk Management is the most important instrument for Information Security Governance. It provides a framework for the assessment and successful management of risks. Sadly, this is something usually poorly done or even neglected completely by a surprisingly large number of organizations today. Risk management allows companies to devise and implement economically viable risk counter-measures. All activities involve risks, which are in turn a derivative of threats, vulnerabilities, and impact. Properly identifying weaknesses and assessing the associated risks is essential, and pays off in the long run.

What are the methods applied?

There’s a wide spectrum of methods used for Risk Management today. For the most part, these methods consist of the following elements, performed, more or less, in the following order:

  • Identify and list assets;
  • Identify and characterize threats before they appear;
  • Assess the vulnerability of critical assets to specific threats;
  • Determine the possibility of risk and the consequences it may bring;
  • Identify ways to reduce or even remove risks;
  • Prioritize measures based on a strategy.

The general principle

Looking at the ideal Risk Management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order.

In practice, on the other hand, the process of assessing overall risk is complex. On one hand, we have to consider the resources used to mitigate risks with a high probability of occurrence but lower loss. On the other, we have the mitigation resources for risks with high loss but a lower probability of occurrence. Balancing between these resources can often be mishandled.

INFORMATION SECURITY RISK MANAGEMENT

the choices for addressing assessed risks

The first one is acceptance – sometimes it is cheaper to leave an asset unprotected to a specific risk instead of spending the money required to protect it. Acceptance cannot be done without considering the risk itself and all options possible.

The second is mitigation – involves deciding on the implementation of countermeasures aimed at lowering the risk to an acceptable level (as illustrated with the algorithm below). One should keep in mind, it is not possible to mitigate the risk entirely.

Next is transference – this is usually referred to as the “insurance scenario.” A conscious decision to hire an external company to assume the risk in return for remuneration. Transference of risk is also achieved through outsourcing, with its own risks.

Finally, avoidance – when risks discovered are high or extreme and cannot be easily mitigated, avoiding the risk (and the project altogether) may be the best option. The math here is simple: if you stand more to lose from mitigating the risk than what you will earn from this project, then avoidance is the way to go.

WHY DO IT?

Risk Management is at the heart of Information Security, because it provides an important instrument to balance and rationalize countermeasure expense with business success and expected Return On Investment (ROI).

When opting for one of the choices for dealing with risks, one has to take into account something called the  Annualized Loss Expectancy (ALE), which is the expected monetary loss that can be expected for an asset due to risk over a one year period. ALE is derived from Single Loss Expectancy (SLE) multiplied by the Annualized Rate of Occurrence (ARO) and can be used to directly analyze cost vs. benefit.

Regarding Risk Management, if spending on threat countermeasures is considerably higher than that risk’s ALE, then it may not be worth the investment. Or, in other words, one must evaluate the positive impact countermeasures will have on ROI by making sure the expense is not larger than the ALE.

Risk Management is meaningful only when decisions are made based on meaningful risk analysis, which in turn involves preliminary processes such as penetration testing, vulnerability assessment, and objective audit.

The stages in the risk management process:

Preparation:

  • Obtain necessary data access to business process and operations structure;
  • Identify and notify participants and decision-makers;
  • Identify and distribute scope, objectives, and requirements;

Identifying risks:

  • Ensure participation of appropriate staff and management in risk assessment;
  • Review scope, objectives, and process;
  • Conduct risk identification, consolidate related risks;

Assessing & prioritizing risks:

  • Identify and obtain consensus on impact, severity, probability;
  • Identify time window when risk could occur;
  • Assess and prioritize all existing risks;

Deciding on control options:

  • Identify mitigation options for each risk;
  • Identify risks to be accepted, avoided, transferred, or mitigated;
  • Assign plan operative instructions for avoided, transferred, or mitigated risks;
  • Establish/update risk database;

Establishing mitigation plans

  • Develop draft mitigation plans and resources;
  • Obtain manager review and approval of mitigation plans;
  • Ensure mitigation plan is funded, directed, and integrated;

Implementing mitigation plans

  • Finalize Risk Management plan;
  • Devise mechanisms to monitor triggers, cues, and mitigation;
  • Implement mitigation as authorized, funded, and scheduled;
  • Provide reporting on mitigation results and progress;

Monitoring mitigation plans

  • Periodically review mitigation plan results;
  • Stop or modify mitigation plans and resources;
  • Retire risks when appropriate;
  • Update risk database for mitigation process and retirement.

Business Continuity & Disaster Recovery 101

Even when all else fails, there is still hope! Business Continuity Planning and Disaster Recovery Planning are here as the last resort to protect your business.

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are an organization’s last corrective control when all other controls have failed! BCP/DRP may prevent or provide a remedy for force majeure circumstances such as injury, loss of life, or failure of an entire organization.

Furthermore, BCP/DRP provide the advantage of being able to view the organization’s critical processes and assets in a different, often clarifying light. Risk analysis conducted during a BCP/DRP plan stage often leads to immediate mitigating actions.

An eventual potentially crippling disaster may have no impact due to prudent risk management steps taken as a result of thorough BCP/DRP plans.

HOW DO you BEGIN?

Developing a Business Continuity Planning and Disaster Recovery Planning are essential for a company’s responsiveness and ability to recover from an interruption in normal business functions or catastrophic events. In order to ensure that all planning has been considered, the BCP/DRP have a specific set of requirements to review and implement. Below are listed the high-level steps to achieving a sound, logical BCP/DRP:

  • Define Project Scope;
  • Business Impact Analysis;
  • Identify Preventive Controls;
  • Recovery Strategy;
  • Plan Design and Development;
  • Implementation, Training, and Testing;
  • BCP/DRP Maintenance.

what is the difference between BUSINESS CONTINUITY and DISASTER RECOVERY?

Business Continuity Planning will ensure the business will continue to operate prior to, during, and after a disaster happens.

The focus is on the business in its entirety and making sure critical services and functions provided by the business will still be performed, both if threatened by disruption as well as after the threat has subsided.

Organizations need to consider common threats to their critical functions as well as any associated vulnerabilities that might facilitate a significant disruption. Business Continuity Planning is a long-term strategy for continued successful operation despite inevitable threats and disasters.

Disaster Recovery Planning– while Business Continuity Planning is responsible for the strategic, long-term, business-oriented plan for uninterrupted operation when faced with a threat or disruption, the Disaster Recovery Planning will provide the tactics. In essence, DRP is a short-term plan for dealing with specific IT-oriented outages.

Mitigating a virus infection with a risk of spreading is an example of a specific IT-oriented disruption that a DRP must address. The focus is on efficiently mitigating the outage impact and the immediate response and recovery of critical IT systems. Disaster Recovery Planning provides a means for immediate response to disasters.

 

The relation between BCP & DRP – the BCP is an all-inclusive plan that includes, amongst multiple specific plans, the DRP – the importance stems from the fact that the focus and process of these overlap critically.

Continual provision of business-critical services facing threats is achieved with the aid of the tactical DRP. The plans, with their different scopes, are organically intertwined.

In order to distinguish between a BCP and a DRP one needs to realize that the BCP is concerned with the business-critical function or service provided by the company, whereas the DRP focuses on the actual systems and their interoperability so the business function is performed.

SOME RELATED PLANS

As mentioned before, the Business Continuity Plan is an umbrella plan that contains other plans, in addition to the Disaster Recovery Plan:

Continuity of Operations Plan (COOP) – describes the procedures required to maintain operations during a disaster. This includes the transfer of personnel to an alternative disaster recovery site and operations of that site.

Continuity of Support Plan – focuses narrowly on the support of specific IT systems and applications. It is also called the IT contingency plan, emphasizing IT over general business support.

Cyber Incident Response Plan (CIRP) – designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.

Business Recovery Plan (BRP) – also known as the business resumption plan, details the steps required to restore normal business operations.

Crisis Communications Plan – used for communicating to staff and the public in the event of a disruptive event. Instructions for notifying the affected members of the organization are an integral part of any BCP/DRP.

Occupant Emergency Plan (OEP) – provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.

how does the testing work?

IT STARTS WITH THE DISASTER RECOVERY PLAN

The Disaster Recovery Plan must be an actionable prescription for recovery. Writing the plan is not enough, thorough testing is needed. Information systems are in a constant state of flux, with infrastructure, hardware, software, and configuration changes altering the way the DRP needs to be carried out. Testing the details of the DRP will ensure both the initial and continued efficacy of the plan. The tests must be performed on an annual basis as an absolute minimum.

Review – the most basic form of initial DRP testing. It involves simply reading the DRP in its entirety.

Checklist – also referred to as consistency testing, lists all necessary components required for a successful recovery and ensures that they are, or will be, readily available should a disaster occur.

Walkthrough/Tabletop – the goal is to talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully being carried out.

Simulation (aka Walkthrough Drill) – goes beyond talking about the process and actually has teams carry out the recovery process. The team must respond to a simulated disaster as directed by the DRP.

Parallel Processing – involves the recovery of critical processing components at an alternative computing facility, and then restore data from a previous backup. Regular production systems are not interrupted.

Partial & Complete Interruption – extreme caution should be exercised before attempting an actual interruption test. This test causes the organization to actually stop processing normal business at the primary location and use an alternative computing facility.

Vulnerability Assessment – Know Your Weaknesses

Relax, we’ll not be talking about personal and psychological vulnerabilities here. Instead, let’s talk about IT, its inherent vulnerabilities and their assessment.

IT Vulnerability assessment, also known as vulnerability analysis, is a conscious action aiming to define, identify, and classify the security vulnerabilities in a computer, network, or an entire communications infrastructure. Furthermore, the vulnerability assessment can be used to forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.

WHY IS VULNERABILITY ASSESSMENT NECESSARY?

Vulnerability assessment is usually the first step taken in the direction of strengthening an organization’s Information Security. Inasmuch, as it provides a picture of open doors or holes in the security landscape, the vulnerability assessment can be a starting point in rationalizing one’s security strategy, policies, etc. Ultimately, data collected and rationalized fuels the entire Risk Management process.

STEPS

Regardless of the methodology, scope, and timing that can differ, Vulnerability Assessment has to follow certain steps:

  • Determine the scope of assessment;
  • Scan entire network with all devices;
  • Identify and confirm found vulnerabilities;
  • Classify and determine vulnerability levels;
  • Prepare vulnerability report.

THE RELATION TO PENETRATION TESTING

An important part or extension (depending on the underlying philosophy) to vulnerability assessment –Penetration Testing – is usually performed by a white hat using ethical hacking techniques. Using this method to assess vulnerabilities, security experts deliberately probe a network or system to discover its weaknesses. This process can provide guidelines for the development of countermeasures to prevent a genuine attack.

Imagine you’re in a room with many doors and you want to know which ones of all these are locked and which not. Vulnerability Assessment does just that – it provides a “list” of unlocked doors. These doors could be used to break into an organization’s communication system, inflicting damage and disrupting operations.

The scope of Vulnerability Assessment is usually all-encompassing, spreading over an entire organization or, at least over an entire critical system the organization uses.

Penetration Testing, on the other hand, may follow a narrower scope. Instead of just listing doors, it goes through each unlocked door to see how far can one reach into the system.

Also, what impact such entry can have, thus exposing possible vulnerabilities that were not seen in the Vulnerability Assessment of the first “batch” of doors.

PLAN FOR ASSESSMENT WITHOUT THESE COMMONPLACE MISTAKES:

Lack of Vision: Creating a plan for vulnerability assessment is not an easy task. As such, you need to look it over from as many sides as possible and explore every aspect of vulnerabilities found. Being narrow-minded when talking about such an assessment, is one of the biggest mistakes you can make. To adequately examine weaknesses in your infrastructure, you need to put yourself in the shoes of the attacker. What better way to do that, than to try even the most outrageous ideas for testing and to simulate even the rarest situations. Don’t exclude any idea before seriously considering it. You should also have in mind that having a member of the senior management in the room, while thinking of ways to assess vulnerabilities, is a bad idea because suddenly ideas stop flowing and people become afraid to explore different possibilities.

Inadequate Compliance: Complying with laws and regulations is not always enough to secure the information infrastructure of your business. Furthermore, in every country, there are examples of government legislation, enforced to increase business security that can, sometimes, interfere with the business environment in an incomplete fashion. The wise and legal thing to do is to address inadequacies with additional measures in order to enhance productive legislation requirements with legally permitted actions.

Bad Reporting: A problem that is often encountered is lacking a technique of reporting. It is nothing new, for an external consulting company, just to drop off a report full of vulnerabilities and problems, leaving the rest to the client. On other occasions, people focus too much on the problem itself, without providing any answers for the weak points in the infrastructure. Another example of bad reporting is concentrating only on categorizing and enumerating the problems found, again with no perspective of finding a solution. Creating a report with the detailed categorization of all problems is vital, but is only half of the work. The other half involves a detailed analysis of the report and the effort to solve problems found in it.

Knowledge Gained Does Not Enter Corporate Culture: Although there is security-sensitive information in a vulnerability assessment report, that cannot be shared lightly with employees, this is no reason to keep staff members in the dark. Security is part of the corporate culture and as such must be embraced by everyone in the company, not as a mandatory requirement, but as something they are involved in. Security staff meetings and debating of security incidents, both in the company and in other companies, will greatly affect the understanding of security as a group effort.

FROM ASSESSMENT TO MANAGEMENT

Determining the Information Security risks in a company is a complex and involving task. In a dynamic and integrated environment, locating and assessing threats and vulnerabilities is simply not enough. Therefore, what you need is not only a simple vulnerability assessment but an integrated process of vulnerability management.

What is vulnerability management and how is it different from vulnerability assessment?

Vulnerability assessment will tell you where and what the vulnerabilities are, while vulnerability management will make sure these vulnerabilities are addressed by actionable measures, such as but not limited to the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), educating users about social engineering, etc.

 

Vulnerability management is the ongoing, cyclical practice to identify, classify, remedy, and mitigate vulnerabilities. The process is especially important when treating issues related to software and firmware. Vulnerability management is integral to computer security and network security and is accompanied by vulnerability assessment, which provides the initial “food for thought”.

Although vulnerabilities are classified by their severity, they are not directly translated to risks in an organization. A high severity vulnerability may or may not be regarded as a critical risk. The risk definitions are handled in the risk assessment process, part of Risk Management activities.