
CyBOK. Chapter 2. Risk management and information security management. Part 2

30.04.2025

Ruslan Rakhmetov, Security Vision


We continue our Cybersecurity Body of Knowledge (CyBOK) series. Chapter 2 of this body of knowledge explains the principles of cyber risk assessment and management, describes a number of risk assessment methodologies, shows how and why effective cyber risk management enables cyber security, and discusses the importance of responding correctly to cyber incidents when a risk cannot be prevented. Today we publish the second part of our review of CyBOK Chapter 2, covering the principles of risk assessment and management.


2.6. Principles of risk assessment and management.

2.6.1. Component and systems views on risk management.


Risk management can be considered from the point of view of the technical components of information systems (a bottom-up approach) or from the point of view of information systems as a whole (a top-down approach). The main difference between these positions is that the component approach focuses on specific risks to individual system components (threats and vulnerabilities of software and hardware, data, personnel), while the system approach focuses on the goals of the entire system as a whole - this requires a high-level statement of the purpose of the system, followed by an understanding of how all its subsystems operate, relate to each other and interact.


A hierarchy of abstraction levels helps to understand how the component and system approaches to risk assessment complement each other. The goals and purpose of the system, the data flows within it, the principles of system management, and the processes and interactions of components sit at the higher, system level. At the lower, component level are the technical capabilities, functionality, equipment, system components and their physical characteristics (size, location, environment) - all of which can be the objects of malicious actions or adverse events. The system approach gives a better understanding of the complex relationships between systems, subsystems, components and subcomponents, including technologies, personnel and processes, whose relationships can be quite intricate. Because identifying these relationships and interactions makes the system approach more resource-intensive than the component approach, it is only necessary when risks are assessed in truly complex systems. Where interconnections and interdependencies are less complex (for example, in typical office IT infrastructures), the component approach may be more appropriate.


The component approach relies on working with individual assets whose functionality and security requirements are clear. Component-level risk assessment matters most to ordinary employees, who are interested in the reliable operation of all system components in their area of responsibility. System-level risk assessment matters most to managers, who are interested in achieving the business goals set for the system as a whole and do not go into the details of how all its components work. The task of risk management is to work with all stakeholders at both the component and the system level.


The main features and differences of component and systemic views on risk management are as follows:


   ·   The component approach is more suitable for analyzing the risks of individual system components, when decomposing small systems with understandable relationships between their components, when working at lower levels of abstraction, and when the high-level goals and purpose of the system have already been agreed by managers.


   ·   The system approach is suitable when assessing the risks of unauthorized access arising from complex interactions between the many parts of a large system, when forming high-level requirements for system cybersecurity, and when determining the goals and objectives of the system from the point of view of various groups of stakeholders (business, lawyers, security personnel, etc.).


2.6.2. Components of cyber risk.


For constructive discussion of issues of risk assessment and management, it is important to determine the basic concepts:


   ·   A vulnerability is a weakness that can be used to attack or misuse the system, which can lead to undesirable consequences. Exploitation of a vulnerability can negatively affect a process or system. Vulnerabilities can be of various types: technical (for example, a software interface vulnerable to malformed input data), personnel (a shortage of staff leads to business downtime), organizational (poorly organized internal processes lead to data leaks), legal (fines for non-compliance with legal requirements), etc.


   ·   A threat is a subject, event or action that is able to exploit a vulnerability. Threats can have various sociotechnical natures and causes - hackers, disloyal or negligent employees, poorly designed software, immature and ill-conceived operational processes in the company, etc.


   ·   Probability expresses the degree of confidence that a threat will be able to exploit a vulnerability, resulting in an undesirable outcome that negatively affects the system and the business value it creates. Probability can be expressed in qualitative or quantitative terms.


   ·   Impact is the result of a threat exploiting a vulnerability, which negatively affects the achievement of goals. In the system approach the negative effect is, for example, the inability to produce goods on time; in the component approach it is the failure of a particular production element.


2.6.3. Methods of risk assessment and management.


There are a number of methods, including those described in international standards and recommendations, which make it possible to compile a list of risks for prioritisation and treatment. Most risk management techniques share some common steps:

   - Preparation - defining the boundaries of the risk assessment, identifying stakeholders, collecting information;

   - Assessment - analysing the causes and consequences of each risk, building a knowledge base of risks and how to treat them;

   - Characterisation - the decision-making process, assessing the hazard and risk tolerance;

   - Management - selecting and agreeing a risk treatment plan and how to implement it;

   - Communication, engagement and contextualisation accompany all of the above steps.


For example, NIST Special Publication SP 800-30, Guide for Conducting Risk Assessments, describes the following stages of risk assessment:

   1. Preparing for the risk assessment:

      1.1. Identification of the purpose of the risk assessment;

      1.2. Identification of the scope of the risk assessment;

      1.3. Identification of specific assumptions and constraints;

      1.4. Identification of sources of prior information, sources of threats and vulnerabilities;

      1.5. Identification of the risk model, the risk assessment method and the analysis approach.

   2. Conducting the risk assessment:

      2.1. Identification and characterization of relevant threat sources;

      2.2. Identification of potential threat events, their relevance, and the threat sources behind them;

      2.3. Identification of vulnerabilities;

      2.4. Determining the likelihood that relevant threat events will lead to a negative impact;

      2.5. Determining the negative impact generated by threat sources;

      2.6. Determining the risk from the realization of relevant threat events.

   3. Communicating assessment results and sharing information within the organization:

      3.1. Communicating risk assessment results to decision makers so that they can respond to the risks;

      3.2. Communicating the risks identified by the assessment to stakeholders.

   4. Maintaining the achieved results:

      4.1. Continuous monitoring of risk factors;

      4.2. Updating the risk assessment using the results of the continuous risk monitoring process.


The international standard ISO/IEC 27005 "Guidelines for information security risk management. Requirements and guidelines" lists the following risk management steps:

   1. Defining the context.

   2. Risk assessment:

      2.1. Identification of risks (inventory of assets, threats and existing protection measures, identification of vulnerabilities, identification of the consequences of threats);

      2.2. Risk analysis (using qualitative or quantitative analysis methods);

      2.3. Risk hazard assessment (comparison of the obtained risk levels with the risk comparison criteria and risk acceptance criteria).

   3. Selection of the IS risk treatment option:

      3.1. Risk modification (minimization);

      3.2. Risk retention (acceptance);

      3.3. Risk avoidance;

      3.4. Risk transfer.

   4. Risk alignment (comparison of the residual risk with the previously defined acceptable risk level).

   5. Implementation of the developed risk management plan.

   6. Continuous monitoring and risk review.

   7. Support and improvement of the information security risk management process.


In addition to the ISO/IEC 27005 standard and the NIST SP 800-39/37/30/137 series of publications described above, the authors of the book also list a number of other risk management methodologies that use a component approach:


   ·   The IRAM2 methodology from the Information Security Forum (ISF) is provided to ISF members for a fee and requires a trained team of risk managers. It includes an assessment of the impact of risks on the business, taking into account threats, vulnerabilities and negative impact.


   ·   The FAIR (and Open FAIR) methodology offers a taxonomy of risk factors and a framework for combining them. The set of threats under consideration can be very wide, and the methodology involves assessing the frequency of incidents and the capabilities of threat sources, taking into account protection measures and the damage caused by incidents. The methodology supports a scenario model for building damage profiles and for the financial assessment of incidents.


   ·   The OCTAVE Allegro methodology focuses on operational risks and information security practices, uses a qualitative assessment method oriented towards achieving business goals, and uses scenario analysis to identify risks and analyze threats and negative impacts. This technique covers personnel, technologies and elements of physical security, and it can be applied by a corporate risk team without involving external consultants.


   ·   The STRIDE-LM methodology was developed at Microsoft and divides threats into the six STRIDE categories (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) plus Lateral Movement. This methodology can be applied even by small internal risk assessment teams.


   ·   The Attack Trees methodology builds a chain between the attacker's final goal and the intermediate steps that lead to it. This method focuses on how attacks are carried out and implies iterative work by an internal risk team with good technical expertise.


The authors of the publication also list methodologies for risk management that use a system approach:


   ·   The STAMP (System-Theoretic Accident Model and Processes) methodology is a group of methods used to model the causes of various accidents and hazardous situations. Its advantage is the ability to identify risks arising from the interaction of subsystems.


   ·   The TOGAF (The Open Group Architecture Framework) methodology is a standard for developing enterprise architectures that supports both the component and the system approach to risk management. The methodology covers all business activities and capabilities, information, technologies and ways of managing the company, and can be extended to partners, suppliers and customers. It uses a qualitative risk assessment method and takes into account the structured architectural model of the company.


   ·   Open Dependency Modeling is a top-down risk modeling method that focuses on the goals and dependencies of the system and company. The advantage of this methodology is the assessment of the interdependencies between abstract top-level goals and the business processes that achieve them.


   ·   The SABSA (Sherwood Applied Business Security Architecture) methodology works with risks by decomposing business processes at various architectural levels - from high-level capabilities down to the logical and physical aspects and components of the technologies used.


2.6.4. Vulnerability management.


One of the key results of a risk assessment is the identification of vulnerabilities in software. It is known that many successful cyber attacks occur because security updates (patches) are installed late, so it is important to minimize the time gap between the release of a patch and its application in the infrastructure. To manage vulnerabilities, automation tools such as Vulnerability Management (VM) systems should be used; they scan the infrastructure, inventory assets, detect vulnerabilities and provide tools to fix them. Work with vulnerabilities should be organized according to the principles of risk management - with an informed decision on how to handle each vulnerability (patch installation, reconfiguration), with a priority and a deadline. If a security update cannot be applied, this must be justified, documented and agreed with the risk owner of the system on which the vulnerability was identified. When prioritizing vulnerabilities, it is important to take into account their properties - the impact on systems and business processes, the ease of exploitation, and the location of the system in the infrastructure (whether it is reachable from the Internet).
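The prioritization rules of this section (impact, ease of exploitation, Internet exposure, a deadline per priority, and a documented risk-owner exception for anything left unpatched) as an added example; this is not CyBOK's or Security Vision's code. The ordinal scales, the SLA values, the host names and the CVE identifiers are constructed placeholders.

```python
"""Risk-based vulnerability prioritisation (added example; not CyBOK or Security Vision code).
Scores findings on impact, ease of exploitation and Internet exposure, derives a priority
and patch deadline, and records a documented, risk-owner-approved exception for anything
deliberately left unpatched. Weights, deadlines, hosts and CVE ids are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}     # assumed ordinal scale
EXPLOIT_EASE = {"hard": 1, "moderate": 2, "easy": 3}           # assumed ordinal scale
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}                      # assumed remediation deadlines


@dataclass
class AcceptedRisk:
    """Documented decision not to patch, agreed by the risk owner of the system."""
    justification: str
    risk_owner: str
    approved_on: date


@dataclass
class Finding:
    host: str
    cve: str                  # placeholder identifier in the sample data
    impact: str               # effect on systems and business processes
    exploit_ease: str         # how easily the weakness can be exploited
    internet_facing: bool     # location of the system in the infrastructure
    patch_released: date      # start of the window the text wants minimised
    exception: Optional[AcceptedRisk] = None


def risk_score(f: Finding) -> int:
    """Impact x ease of exploitation, doubled when reachable from the Internet."""
    score = IMPACT[f.impact] * EXPLOIT_EASE[f.exploit_ease]
    return score * 2 if f.internet_facing else score


def priority(f: Finding) -> str:
    score = risk_score(f)
    return "P1" if score >= 12 else "P2" if score >= 6 else "P3"


def deadline(f: Finding) -> date:
    return f.patch_released + timedelta(days=SLA_DAYS[priority(f)])


def status(f: Finding, today: date, patched: bool) -> str:
    """patched / accepted (documented exception) / within_sla / overdue."""
    if patched:
        return "patched"
    if f.exception is not None:   # unpatched is allowed only with an agreed, documented decision
        return "accepted"
    return "within_sla" if today <= deadline(f) else "overdue"


def triage(findings, today, patched):
    """Most urgent first: by priority band, then by earliest deadline."""
    rows = [{"host": f.host, "cve": f.cve, "priority": priority(f),
             "deadline": deadline(f).isoformat(),
             "status": status(f, today, (f.host, f.cve) in patched)} for f in findings]
    band = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(rows, key=lambda r: (band[r["priority"]], r["deadline"]))


TODAY = date(2025, 4, 30)   # constructed reference date
FINDINGS = [                # constructed scanner output with placeholder CVE ids
    Finding("web-01", "CVE-XXXX-0001", "high", "easy", True, date(2025, 4, 1)),
    Finding("fs-02", "CVE-XXXX-0002", "medium", "moderate", False, date(2025, 3, 1)),
    Finding("hr-db", "CVE-XXXX-0003", "critical", "hard", False, date(2025, 4, 20),
            exception=AcceptedRisk("vendor patch breaks payroll module; compensating "
                                   "network ACLs applied", "payroll system owner", date(2025, 4, 25))),
]
PATCHED = {("fs-02", "CVE-XXXX-0002")}   # constructed: already remediated
```

Running `triage(FINDINGS, TODAY, PATCHED)` ranks the Internet-facing, easily exploited finding first and flags it as overdue, while the unpatched database finding shows as "accepted" only because an exception is recorded.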


2.6.5. Risk assessment and management in cyber-physical systems and OT infrastructures.


In standard office IT infrastructures, risk management focuses on ensuring integrity, confidentiality and availability, but in cyber-physical systems and OT (Operational Technology) infrastructures it is more important to ensure reliability and the safety of people and the environment. To assess risks in such systems it is preferable to use the system approach, which abstracts from individual components and focuses on the main goals (avoiding deaths or harm to health, compliance with the law). The risks of the merging (convergence) of IT and OT networks should also be assessed; this is increasingly common because of the growing digitalization of industry and the convenience of remote control of automated process control systems (APCS). In addition, it is important to protect IIoT/IoT devices, which can also serve as an entry point for external attackers into the OT environment. In the context of vulnerability management, it is important to assess the risks of automated scanning of the OT infrastructure and the likelihood that it shuts down equipment or the entire technological process.


2.6.6. Cybersecurity metrics.


When assessing the degree of security and the level of cyber risks, some quantitative or qualitative characterizing value is often required. The authors of the book indicate that good metrics should be:

   · Objectively measurable, without subjective criteria;

   · Easy to collect, preferably automatically;

   · Expressed in absolute values or in percent rather than in qualitative values (qualitative values can be correlated with quantitative ones by agreeing on threshold values);

   · Expressed in clear units of measurement (hours/minutes, number of units, rubles/currency);

   · Specific, relevant and understandable to the managers who will read them.
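The metric properties listed above as an added example, not part of the original article: two patching metrics are computed automatically from deployment records, expressed in hours and percent, and correlated with qualitative levels through agreed threshold values. The records, the SLA and the thresholds are constructed assumptions.

```python
"""Security metrics with agreed thresholds (added example; not CyBOK or Security Vision code).
Computes two patching metrics from deployment records in the units the text recommends
(hours and percent), then maps each to a qualitative level via agreed threshold values.
Records, SLA and thresholds are constructed assumptions."""
from datetime import datetime
from statistics import mean

# Constructed deployment log: (patch released, patch applied) for four hosts.
PATCH_RECORDS = [
    (datetime(2025, 4, 1, 9, 0), datetime(2025, 4, 2, 9, 0)),      # 24 h
    (datetime(2025, 4, 3, 12, 0), datetime(2025, 4, 10, 12, 0)),   # 168 h
    (datetime(2025, 4, 5, 8, 0), datetime(2025, 4, 5, 20, 0)),     # 12 h
    (datetime(2025, 4, 8, 0, 0), datetime(2025, 4, 20, 0, 0)),     # 288 h
]
SLA_HOURS = 72   # assumed agreed deadline for applying a security update

# Agreed threshold values (assumed): the first bound the value falls below gives the level.
MTTP_LEVELS = [(48, "green"), (120, "yellow"), (float("inf"), "red")]       # hours
SLA_SHARE_LEVELS = [(50, "red"), (90, "yellow"), (float("inf"), "green")]  # percent


def hours_to_patch(records):
    """Elapsed hours between patch release and application for each record."""
    return [(applied - released).total_seconds() / 3600 for released, applied in records]


def mean_time_to_patch(records) -> float:
    """Mean time to patch, in hours: an absolute, objectively measurable value."""
    return mean(hours_to_patch(records))


def share_within_sla(records, sla_hours) -> float:
    """Percentage of updates applied within the agreed SLA."""
    hours = hours_to_patch(records)
    return 100.0 * sum(h <= sla_hours for h in hours) / len(hours)


def qualitative_level(value, levels) -> str:
    """Correlate a quantitative value with a qualitative level via agreed thresholds."""
    for bound, label in levels:
        if value < bound:
            return label
    return levels[-1][1]


def report(records=PATCH_RECORDS, sla_hours=SLA_HOURS):
    """Manager-facing view: metric -> (value, unit, agreed qualitative level)."""
    mttp = mean_time_to_patch(records)
    share = share_within_sla(records, sla_hours)
    return {
        "mean_time_to_patch": (mttp, "hours", qualitative_level(mttp, MTTP_LEVELS)),
        "patched_within_sla": (share, "percent", qualitative_level(share, SLA_SHARE_LEVELS)),
    }


if __name__ == "__main__":
    for name, (value, unit, level) in report().items():
        print(f"{name}: {value:.1f} {unit} -> {level}")
```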


2.7. Business Continuity - Incident Response and Recovery Planning


Despite the protection measures taken, any company can be hacked, so it is important to prepare in advance for responding to cyber incidents and for the subsequent restoration of infrastructure and processes. Many companies tend to conceal the fact of a breach in order to avoid reputational damage; however, sharing experience can help other companies avoid similar attacks in the future.


The international standard ISO/IEC 27035-1 "Information Security Incident Management" defines the principles of cyber incident management. It extends the approach of ISO/IEC 27005 and includes the following steps for responding to information security incidents:

   1. Planning and preparation, including forming a cyber incident management policy and training the response team;

   2. Detection and recording: surveillance, monitoring, detection and recording of cyber incidents;

   3. Assessment and decision-making: determining whether an incident has occurred and how dangerous it is, and deciding how to handle it;

   4. Response, including forensic analysis, installation of updates, and containment and elimination of an active threat;

   5. Lessons learned: gaining experience and using it to improve system protection in order to reduce the likelihood of information security incidents in the future.


The UK National Cyber Security Centre (NCSC) offers the following 10 steps for building a cyber incident management process:

   1. Create an incident response capability, including financial and resource support;

   2. Training and experience in incident response;

   3. Assignment of roles and responsible persons;

   4. Recovery: verifying that important data is physically isolated from the system and can actually be restored from backup;

   5. Testing: testing response and recovery scenarios;

   6. Reporting: information about information security incidents should be passed to interested internal parties (to improve the risk management process and protection measures) and external parties (to comply with legal requirements);

   7. Collection of evidence: collecting and preserving digital evidence of an incident may be necessary for further legal action or for in-depth forensic analysis of the incident;

   8. Improvement: logging response actions helps identify deficiencies in the response process or in response scenarios;

   9. Personnel training: employee vigilance is very important for identifying an incident or suspicious events;

   10. Interaction with law enforcement agencies to combat cybercriminals.
