ProCircular Information Security Experts Corner

Risk Rolling: Don’t Let Your Business Roll the Dice with Risk

Posted by Zach Zaffis on May 8, 2020 3:27:04 PM

New to the world of cybersecurity and wondering where to even begin? Ever wonder what it takes to become a professional hacker? Varying levels of IT knowledge and understanding? Everybody must start somewhere, and here is your chance! Reimagine your career as an Information Security Specialist and stop wasting your time with "what ifs." Allow yourself to grow and shine in a field that you are passionate about. Outreach your potential with this fantastic new course!

Now, we've all seen these kinds of tag lines and advertisements that try and get you to buy into the next best certificate or training. Newcomers to the field are often overwhelmed by the sheer number of certifications, college programs, and the vast amount of knowledge you seemingly must 'just know' to get into infosec. At any given time, there seems to be another new certification, or cert change coming down the pipeline, that promises you instant access to the field.

Go ahead and throw that line of thinking out; it's only detrimental in the long run. I posit that passion for the field and for learning are far more valuable than actual certificates, but most important of all is an understanding of risk. Very few people 'can't' be taught the skills needed to understand security, but risk, risk affects everyone.

Everyone.

Yes, even your grandma. Outside of the field directly, every person is presented with risk in their daily lives. Understanding these risks and making educated decisions based on them is key to our daily survival.  Undoubtedly, we have all made mistakes or miscalculated risks in the past. Past mistakes, however, give us the ability to form our future judgments better when we evaluate risk. Now, it may seem like we are moving into the realm of self-help here rather than cybersecurity, but stick with me.

Effectively identifying risks and the inherent dangers they present to a business is the very basis for any information security professional. Very few companies, if any, operate without any risks. Even the red team, or ethical hackers, need to keep risk front and center when evaluating a system.

Regardless of the type of system they are attacking, the end measurement of a penetration test should be risk. Guiding a client to the most effective order of remediation steps will help to prioritize the overall security posture of the business and make the company more defensible in a shorter time frame. Observing the actual risks and understanding the business will allow a penetration tester to better coordinate, understand, and evaluate which vulnerabilities will cause the most impact to a given company. Neglecting to incorporate risk into your evaluation as a red teamer will seriously impact the results of your reporting, in that each vulnerability will be rated simply on the type of access it gives or its CVSS score. Now, yes, an unauthenticated remote code execution is a big vulnerability, but what if its only access is to a digital signage system for internal communications and advertising? Are your employees going to be so demoralized that they will stop working altogether? Let's assume not, but apply that same vulnerability to the SQL server that runs your transactional database for inventory and stock.

Everything changes in that scenario, because the risk to the business is much greater when we evaluate the risks present in the systems themselves. This simple mental exercise can help to demonstrate how the same vulnerability across two different systems can impact a business differently.

You may be thinking, "well sure, but we need to close all the vulnerabilities to be secure!".

Outstanding; that is a fantastic mindset to have. However, when we add risk to the equation, we see the real threat and the bigger picture. Understanding that bringing the SQL system down would significantly impact business operations, or even stop them altogether, helps the penetration tester put that vulnerability higher on the list of remediation steps than the internal signage system.

Don't get me wrong; the signage system needs to be patched too. But if as a business you were provided the same vulnerabilities without a prioritized list based on risks, what would happen if you chose to patch the signage systems first? Obviously patching the SQL server is important, but how much more important is it than checking off the signage system? We can easily see how this can be applied across any spectrum of vulnerabilities and impact each business differently.

Nevertheless, an understanding of risk needs to be applied to each individual vulnerability to understand where your soft spots are. Assuming that every vulnerability is equal will lead to one of two outcomes: either you get popped while fixing things in the 'wrong' order, or you burn out trying to get everything closed up across the board. Each individual vulnerability doesn't affect all businesses equally, and keeping this in mind will help you distinguish and prioritize your fixes as a defender too!

Voraciously patching all the easy stuff first as a defender, and calling the outcome great based on the number of vulnerabilities closed, won't serve the best interest of the business. Each vulnerability needs to be looked at from the risk perspective by the defender as well, regardless of whether the penetration testers gave you a bare list of vulnerabilities or a full risk-assessed report. Go ahead and make your own risk assessment of the findings as a defender. Overall, you will have a more intimate relationship with and knowledge of the business than the attackers. Closing an SSL cipher suite vulnerability on an internal file share system is great, but it may not have the same impact as closing it on the external website, which needs its uptime metrics to stay high. Now, as a defender, remembering that availability is part of the CIA triad is also important, and not patching the externally facing server because you don't want to sacrifice that availability can be a grave mistake once you understand the risk behind leaving it open.
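The two comparisons above (the same RCE on signage versus the inventory SQL server, the same cipher suite weakness on an internal share versus the public website) worked as a small risk-ranking script. This is an added example, not ProCircular's method; the asset weights, exposure factors and CVSS values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: int  # assumed scale: 1 = nuisance .. 5 = operations stop
    exposure: float       # assumed reachability: 1.0 internet-facing, 0.5 internal


@dataclass(frozen=True)
class Finding:
    title: str
    asset: Asset
    cvss: float           # CVSS base score, 0..10 (constructed values below)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact; CVSS feeds likelihood, the asset feeds impact."""
    likelihood = (f.cvss / 10.0) * f.asset.exposure
    return round(likelihood * f.asset.business_impact * 10, 2)


def cvss_order(findings):
    """The 'scanner' view: rank purely by CVSS, business context ignored."""
    return [f"{f.title} @ {f.asset.name}"
            for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_order(findings):
    """The defender's view: rank by business risk, CVSS only breaks ties."""
    ranked = sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)
    return [f"{f.title} @ {f.asset.name}" for f in ranked]


# Constructed assets and findings mirroring the examples in the post.
SIGNAGE = Asset("lobby digital signage", business_impact=1, exposure=0.5)
INVENTORY_DB = Asset("inventory SQL server", business_impact=5, exposure=0.5)
FILE_SHARE = Asset("internal file share", business_impact=2, exposure=0.5)
WEB_SITE = Asset("public web site", business_impact=4, exposure=1.0)

FINDINGS = [
    Finding("unauthenticated RCE", SIGNAGE, cvss=9.8),
    Finding("unauthenticated RCE", INVENTORY_DB, cvss=9.8),
    Finding("weak SSL cipher suites", FILE_SHARE, cvss=5.3),
    Finding("weak SSL cipher suites", WEB_SITE, cvss=5.3),
]

if __name__ == "__main__":
    print("CVSS only:", cvss_order(FINDINGS))
    print("By risk:  ", risk_order(FINDINGS))
```

With these weights the cipher suite weakness on the public website outranks the RCE on the signage system, which a CVSS-only list would never show.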

Any business system contains inherent risk, just like in life, and being able to understand it holistically across the business you defend is critical. Remember that the risk profile for any business is just as dynamic as the IT systems that it runs on and can be just as fickle and ever-changing. Understanding this as a defender will help you to be able to grasp the ever-changing aspects of security and prioritize your action plans. Nonetheless, as a defender, you must be prepared. And having a firm grasp on risk will help you immeasurably.

Risk, and understanding risk, can come inherently from time spent within a system, or it can be gained through investigation of the systems as a whole. Understanding each interconnecting part of a business operation is hands down the most impactful way to grasp which aspects of the system breed risk. It's easier said than done, but branching out of the security department and meeting with other parts of the business is a great way both to raise awareness of the department and to build relationships with other parts of this grand moving machine. Don't underestimate how much having a presence and visibility within the business can raise overall security awareness across the entire company. Actions always speak louder than words or policy, and being present and available for other operations teams gives you the ability to have input or, more importantly, knowledge of changes coming down the pipeline. Networking internally like this as a defender can save you from scrambling to put a Band-Aid on a project that goes live without your knowledge!

Defenders are always at a disadvantage when compared to actual threat actors, and there's no question about that. Despite limited resources and time, you can use knowledge and understanding of risk to better position yourself even with these limitations. Essentially, by prioritizing your defensive efforts, you can put yourself into an advantageous security position with the same resources you have on hand now.

Spending the time to understand your systems and the risk therein will inevitably give you more resources, in the long run, to best situate you and keep that forward momentum. Every business is different; they are their own ecosystem. Regardless of this, there are some hard and fast rules that will help you identify important risks quickly, even if you are new to defending. Turn an eye toward your external interfaces and ingress points you have present in the system. You should be aware of where your entry points are to best defend from attacks and shrink your overall attack surface for some quick wins.

Overall, the most important factor on any side of information security, red or blue, attack or defense, is risk. By understanding your risks, you will instantly take your information security game up to the next level.

Topics: Cybersecurity, Information Security, risk
