This is the second part of the blog post on risk management as part of your cyber security strategy. In the first part I shared my approach to risk management with you, which is primarily to identify your threats by answering the question “What can possibly go wrong?”.
You have several means at your disposal to help you identify the (real!) threats to your systems. First of all, there are a lot of lists available that provide you with all kinds of threats from various threat actors and environments. You ‘only’ have to choose the right ones. And in my opinion, the right ones are threats that you can handle when they materialize and where your organisation has a good chance of survival. Because there are obvious and less obvious threats that will have such a big impact on your organisation, or society at large, that you cannot even think of implementing controls to counter them.
But please note, I am referring to threats with a huge impact here: not threats that are very unlikely to occur, but those with a chance of occurring that is not 0. These so-called black swans are extremely difficult to assess as they may occur once in a lifetime, but when that happens they will almost certainly have a serious impact. An example of this is a case where a customer had a twin datacenter, one close to an airport and the other close to a big chemical plant. What are the chances of a plane crashing and a disaster happening at the plant at the same time? So proposing a third completely off-site data center was an expensive option and senior management was not keen on paying for that. But when asked to sign off on accepting the risk, they were not very keen to do that either! So in the end they agreed to have a cold standby with off-site backups as an economical and manageable solution. This may not work for you, so please assess the risks properly, and maybe ask Mr. Murphy for a second opinion.
But I digress. All sorts of threat lists are available on the Internet, and as part of Risk Assessment Tooling like IRAM(2).
However, as you may know, I am not a fan of checklists, and urge you to use your common sense as well. To assist you in identifying threats to your unique scope and situation, you should at least apply the STRIDE threat model as well. I have used that on a number of occasions and it turns out to be really helpful. You can find a good definition of the model in Wikipedia (https://en.wikipedia.org/wiki/STRIDE_(security)).
The short and sweet of the STRIDE model is that it defines six threat categories, and you can brainstorm to your heart’s content on threats for each category. The categories are:
- Spoofing: stealing a digital identity to break confidentiality and authenticity;
- Tampering: manipulating data to break the integrity, with or without breaking confidentiality;
- Repudiation: is plausible deniability possible or not? (BTW, this should really be non-repudiation, but then the acronym would not roll off the tongue so easily, STNIDE does not have the same ring to it);
- Information disclosure: this is really any threat related to breaking confidentiality;
- Denial of Service: these are all threats to the availability of your information and system;
- Elevation of privileges: This is related to authorization, and can have impact on all 3 basic security aspects (Confidentiality, Integrity and Availability).
Using this model in one or more workshops with business owners can be a very enlightening experience, as much for you as a cyber security specialist as for the business owners. Because when you do a session like this, with different people, you as a cyber security specialist will quickly learn what the business sees as real risk, and that can be quite different from what you often see from a purely technical viewpoint. So, applying the STRIDE model not only helps you identify new threats, it is also a means of establishing better communications with the business (which is, in my humble opinion, the biggest problem in cyber security).
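To make the workshop output usable afterwards, the notes can be checked per asset against the six categories. The sketch below is an added example, not part of the original post: the assets, the threats and the function names are constructed, and the mapping from category to security property follows the list above.

```python
from collections import defaultdict

# STRIDE categories and the security properties each one threatens,
# following the list above (Tampering may also touch confidentiality).
STRIDE = {
    "Spoofing": {"confidentiality", "authenticity"},
    "Tampering": {"integrity"},
    "Repudiation": {"non-repudiation"},
    "Information disclosure": {"confidentiality"},
    "Denial of Service": {"availability"},
    "Elevation of privileges": {"confidentiality", "integrity", "availability"},
}

# Constructed workshop notes: (asset, category, threat as the business phrased it).
WORKSHOP_NOTES = [
    ("customer portal", "Spoofing", "Someone logs in with a stolen customer account"),
    ("customer portal", "Denial of Service", "Portal is down during month-end invoicing"),
    ("invoice database", "Tampering", "Invoice amounts are changed after approval"),
    ("invoice database", "Information disclosure", "Price agreements leak out"),
    ("invoice database", "tampering ", "Bank account numbers are swapped"),
]

def normalise(category):
    """Match a free-text category to a STRIDE name, ignoring case and spaces."""
    wanted = category.strip().lower()
    for name in STRIDE:
        if name.lower() == wanted:
            return name
    raise ValueError(f"not a STRIDE category: {category!r}")

def review(notes):
    """Per asset: threats by category, properties at stake, categories not yet discussed."""
    per_asset = defaultdict(lambda: defaultdict(list))
    for asset, category, threat in notes:
        per_asset[asset][normalise(category)].append(threat)
    report = {}
    for asset, found in per_asset.items():
        report[asset] = {
            "threats": {c: list(t) for c, t in found.items()},
            "properties": sorted(set().union(*(STRIDE[c] for c in found))),
            "not_discussed": [c for c in STRIDE if c not in found],
        }
    return report

if __name__ == "__main__":
    for asset, r in review(WORKSHOP_NOTES).items():
        print(asset)
        print("  properties at stake:", ", ".join(r["properties"]))
        print("  still to brainstorm:", ", ".join(r["not_discussed"]))
```

The "still to brainstorm" list is a prompt for the next session, not a verdict: an empty category may simply mean nobody raised it yet.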
This brings us to the conclusion of this second part. In the next one I will look with you at how to further complete your risk management process.
Until next time, and as always, stay safe!
Arthur Donkers
PS: If you like Wikipedia, or use it on a regular basis, please consider a small donation, they do a great job and can use your financial support!