In our first article on risk-based IT security, we briefly discussed why this security strategy is very effective in the current cyber threat landscape.
Now we outline a 5-step process to develop this security strategy, so your enterprise can:
Identify, prioritize and contextualize IT risks
Strengthen security controls
Build a resilient IT infrastructure
a) What are the business-critical assets you must protect?
Customer data (e.g. PII)
Financial data
Intellectual property
Systems, networks, devices, software
Business plans, blueprints and other sensitive information
Processes
Websites
b) Where are they?
c) Who has access to them?
d) How could it affect your organization’s compliance posture?
e) Could it impact your reputation? Cause costly downtime? Lead to lost customers?
f) What is the potential for lost revenue?
Perform a threat assessment to identify the possible threat actors who may try to steal or compromise these assets, such as competitors, disgruntled current or ex-employees or vendors, terrorists, rogue nations, hacktivists, etc.
Some threat actors may not be hostile or malicious. These include untrained or careless employees, partners or vendors who may be the target of phishing attacks, social engineering or malware. Vendors who have access to your organization’s data are also a risk, since malicious actors can exploit them to launch supply chain attacks (think SolarWinds).
Also, consider other threats like natural disasters (floods, earthquakes, pandemics, etc.) or man-made events (riots, terror attacks, etc.) in your security strategy.
For each of these threats, assign a threat level based on how likely it is to occur. Threat modelling is a useful way to do this.
A vulnerability is a weakness or gap in an asset that a threat can take advantage of.
Gaps in your network
Insecure software code
Physical vulnerabilities like insecure perimeters, missing backup generators, etc.
Penetration testing is a very effective security strategy to find vulnerabilities in your IT infrastructure. During a pen test, experts like Packetlabs simulate cyberattacks against an enterprise network to find exploitable vulnerabilities. The insights generated by a comprehensive pen test will help you patch detected vulnerabilities, fine-tune your security policies, and strengthen your security strategy.
Application security testing finds security gaps in software applications and measures the effectiveness of your current controls.
Now you can start taking action to address your IT risks. Risk is the likelihood that a threat will exploit a vulnerability, combined with the impact on the business if it does.
a) Prioritize the identified threats and vulnerabilities based on potential impact, likelihood, threat level, and persistence
b) Quantify each risk by assigning point values for each based on the above measures
c) Add the points to get a risk score
d) Prioritize the greatest risks
Leverage existing tools and frameworks like Factor Analysis of Information Risk™ (FAIR) and the NIST Risk Management Framework to quantify and prioritize risks in your security strategy.
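A small risk register that carries steps (a) to (d) above through to a treatment decision (treat, tolerate or transfer, as in the closing paragraph). This is an added illustration, not code from the original post or from Packetlabs; the 1 to 5 point scale, the thresholds and the "high impact, low likelihood is insurable" rule are assumptions, and the register entries are constructed from the asset and threat examples in the text.

```python
from dataclasses import dataclass

# Assumed point scale (the page fixes none): each measure is rated 1 (low) to 5 (high);
# the risk score is the plain sum of the four ratings, as in step (c).
SCALE = range(1, 6)

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int        # potential business impact if the threat succeeds
    likelihood: int    # likelihood that the threat exploits this vulnerability
    threat_level: int  # threat level assigned during the threat assessment
    persistence: int   # how long the exposure lasts or how often it recurs

    def score(self) -> int:
        ratings = (self.impact, self.likelihood, self.threat_level, self.persistence)
        for r in ratings:
            if r not in SCALE:
                raise ValueError(f"rating {r} is outside {SCALE.start}-{SCALE.stop - 1}")
        return sum(ratings)

def prioritize(risks):
    """Step (d): highest score first; ties keep register order (sorted is stable)."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def treatment(risk, treat_at=14, tolerate_below=9):
    """Treat / tolerate / transfer by score; thresholds and the insurability rule are assumptions."""
    s = risk.score()
    if s >= treat_at:
        return "treat"
    if s < tolerate_below:
        return "tolerate"
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"  # e.g. cyber insurance for rare but severe events
    return "treat"

# Constructed sample register using asset and threat examples from the text.
REGISTER = [
    Risk("Customer PII database", "hacktivist", "unpatched web application", 5, 3, 4, 3),
    Risk("Finance system", "disgruntled ex-employee", "access never revoked", 4, 4, 3, 2),
    Risk("Build pipeline", "vendor compromise (supply chain)", "unverified third-party update", 5, 2, 4, 4),
    Risk("Data centre", "earthquake", "single site, no failover", 5, 1, 2, 3),
    Risk("Office network", "flood", "no backup generator", 3, 1, 2, 1),
]
if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score():2d}  {treatment(r):9s} {r.asset}: {r.threat} via {r.vulnerability}")
```

Replacing the additive score with a FAIR or NIST RMF calculation only changes `score()`; the prioritization and treatment logic stays the same.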
a) Vulnerability management program to identify and patch vulnerabilities
b) Threat intelligence program to proactively identify and remediate threats
c) Training program to close knowledge gaps among high-risk users, e.g. employees who deal with sensitive information systems, or vendors with access to sensitive data
d) How will you respond to a security event (e.g. a data breach)?
e) Who will be involved?
f) How will you keep stakeholders informed?
g) Security team resources and responsibilities
h) Security strategy with policies and protocols, and whether they are aligned with industry standards
i) Protection for sensitive data
j) Technical controls for data encryption, network segregation, and application security
k) Security integrated into enterprise-wide governance
Finally, remember that not all risks need to be treated or terminated. Some can be tolerated with minimal business impact, while others can be transferred by purchasing cyber insurance.
To sum up, risk-based security analysis and decision-making will empower your organization to develop realistic cybersecurity goals, utilize resources more effectively, and strengthen its defence posture. Unlike the maturity-based approach, this security strategy is more targeted, and therefore more likely to yield better results.
Need support with penetration testing, application security testing or managed security QA to strengthen your organization’s risk-based security strategy? Contact Packetlabs for a free quote.