Week 7 Notes on Cyber Risk Assessment PDF
Uploaded by PatientSanAntonio
Summary
These notes provide a detailed framework for conducting cyber risk assessments, covering context establishment, risk identification, analysis, and continual risk treatment. The framework outlines the importance of establishing a clear context and includes steps for identifying potential threats, vulnerabilities, and the impact of security incidents. The document emphasizes the need for regular assessments, detailed analysis, and evidence-based risk treatment strategies.
Full Transcript
# Stages of Cyber Risk Assessment

## Context Establishment

* **Importance of Context Establishment:** Establishing context is vital to the success of a cyber risk assessment. Incorrect or insufficient context can impact the entire assessment process.
* **Goals and Objectives:**
  * Define aims such as identifying and managing risks to reduce cyber attack likelihood.
  * Include objectives like ensuring stakeholder confidence in security and legal compliance.
* **Scope and Focus:**
  * Determine boundaries of the assessment (e.g., focusing only on certain parts of a system).
  * Identify assumptions about threats, such as insider motivations.
* **Internal and External Context:**
  * **External Factors:** Regulations, laws, customer and stakeholder expectations.
  * **Internal Factors:** Assets, processes, and constraints that impact risk management.
* **Asset Identification:**
  * Identify assets to protect (e.g., data), considering properties like integrity, availability, and confidentiality.
* **Scales for Risk Evaluation:**
  * Define likelihood and impact scales for assessing risks, using grids to visualize the impact-likelihood relationship.
  * Classify risks into categories (e.g., minor, major) to decide on mitigation actions.
* **Potential Consequences:**
  * Define consequences for each asset, supported by evidence where possible, to understand the impact of specific risks.
* **Attack Surface Identification:**
  * Map points where systems interface with networks (e.g., internet or mobile), defining potential entry points for attackers.

## Risk Identification

* **Purpose of Risk Identification:**
  * Identify potential attacks on the system, divided into malicious and non-malicious threats.
* **Malicious vs. Non-Malicious:**
  * **Malicious:** Starts with identifying sources, then threats, vulnerabilities, and incidents.
  * **Non-Malicious:** Works in reverse, beginning with incidents, followed by vulnerabilities, threats, and sources.
* **Identification Techniques:**
  * Use technical data (e.g., logs, penetration testing) and input from developers, operators, and external experts.
  * Interviews and brainstorming sessions can gather diverse perspectives on potential risks.
* **Steps for Identifying Malicious Threats:**
  1. **Identify Adversaries and Threat Sources:**
     * Document potential attackers, motives, and resources (e.g., insiders, disgruntled employees, malware).
  2. **Threat Identification:**
     * Define specific threats posed by each source and identify potential attack points within the system.
  3. **Vulnerability Identification:**
     * Assess weaknesses in defenses or areas with no defenses; vulnerability scanners may be used for this.
  4. **Incident Identification:**
     * Document specific incidents (exploits) resulting from vulnerabilities and threats, noting impacted assets.
* **Non-Malicious Threat Identification:**
  * Follows the reverse order, starting from incidents and moving backwards to identify vulnerabilities, threats, and sources.

## Analysis

| How likely are threats to materialize? | How severe are the vulnerabilities? | How likely are the incidents to occur? | What is the impact of the incidents on assets? |
|---|---|---|---|
| Answered in terms of the defined frequency scale | Answered in terms of high/medium/low | Answered in terms of the defined frequency scale | Answered in terms of the defined consequence scales |

* **Purpose of Risk Analysis:**
  * Evaluate the level of risk by analysing threats, vulnerabilities, likelihoods, and consequences of incidents on assets.
* **Likelihood and Severity Assessment:**
  * Use frequency (e.g., rare, or once every 10 years) to assess threat likelihood.
  * Rate vulnerability severity as high, medium, or low and document the reasoning.
  * Incident likelihood can also be rated on a frequency scale, tailored to context.
* **Sources for Estimation:**
  * Logs, industry data, security data, and expert judgement are valuable in estimating likelihoods and severity.
  * Document the basis for each assessment, ensuring clarity and reliability of information.
* **Threat Analysis:**
  * Assess each identified threat for likelihood and document the basis for estimates, distinguishing between malicious and non-malicious threats.
* **Vulnerability Analysis:**
  * Use tools like vulnerability scans, security tests, and code reviews to evaluate vulnerability likelihood and severity.
  * Rate vulnerabilities and explain severity, using accessible scales.
* **Incident and Consequence Analysis:**
  * Determine the impact of incidents on each affected asset, referencing scales defined in context establishment.
  * Document assessments with full context for future stages.

## Continual Risk Treatment

* Applying treatment affects the risks.
* New teams and regulators inspect regularly.
* Evidence and reasoning are critical.
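The analysis stage above can be run as a small script: the frequency and consequence scales come from context establishment, each incident in the malicious chain carries the threat frequency, vulnerability severity and per-asset consequence, and the grid classifies it as minor/moderate/major. This is an added example, not part of the notes; the scale values, the rule that vulnerability severity shifts incident frequency one step, and the sample incidents are all constructed assumptions.

```python
from dataclasses import dataclass
# Ordered scales from context establishment (constructed example values).
FREQUENCY = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["negligible", "minor", "moderate", "major", "severe"]
# Assumption (not from the notes): severity moves incident frequency one step from threat frequency.
SEVERITY_SHIFT = {"low": -1, "medium": 0, "high": 1}

@dataclass
class Incident:
    name: str
    asset: str
    threat_frequency: str  # how likely the threat is to materialise
    vuln_severity: str     # high / medium / low
    consequence: str       # impact on the affected asset
    basis: str             # evidence behind the estimates (logs, scans, interviews)

def incident_likelihood(threat_frequency, vuln_severity):
    """Incident frequency = threat frequency shifted by severity, clamped to the scale."""
    idx = FREQUENCY.index(threat_frequency) + SEVERITY_SHIFT[vuln_severity]
    return FREQUENCY[max(0, min(idx, len(FREQUENCY) - 1))]

def risk_category(likelihood, consequence):
    """Grid classification: rank sum 0..8 mapped to minor / moderate / major."""
    score = FREQUENCY.index(likelihood) + CONSEQUENCE.index(consequence)
    return "major" if score >= 6 else "moderate" if score >= 3 else "minor"

def analyse(incidents):
    """One record per incident; an estimate without a documented basis is rejected."""
    rows = []
    for inc in incidents:
        if not inc.basis.strip():
            raise ValueError(f"{inc.name}: estimate has no documented basis")
        lik = incident_likelihood(inc.threat_frequency, inc.vuln_severity)
        rows.append({"incident": inc.name, "asset": inc.asset, "likelihood": lik,
                     "consequence": inc.consequence, "basis": inc.basis,
                     "category": risk_category(lik, inc.consequence)})
    return rows

SAMPLE = [  # constructed incidents, not from the notes
    Incident("credential theft via phishing", "customer data", "likely", "medium", "major",
             "12 phishing reports last quarter (helpdesk log); no MFA on webmail (scan)"),
    Incident("tampering with build server", "build integrity", "unlikely", "high", "severe",
             "pentest finding: unauthenticated admin endpoint"),
    Incident("accidental deletion of backups", "backup availability", "possible", "low", "minor",
             "operator interview; deletion needs two approvals"),
]
if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['category']:8} {r['likelihood']:9} {r['consequence']:9} {r['incident']}")
```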