Robert Ackerman Jr. posted an excellent blog article on 22 Aug 2019 here.

I wholeheartedly endorse every aspect of his positioning. To contribute in another dimension on this month’s topic of Risk Management and Governance, I would like to pick up on one element of Robert’s article and explore that in more detail—determining your current security posture value through technical test-oriented risk assessments.

Excerpt from Robert’s post:

“… an organization’s security responses must continually adapt as cyber-risks evolve. In particular, boards should increasingly urge management to drop a traditional, prevention-driven approach and begin operating under the assumption that the organization has already been breached. This requires leveraging threat intelligence and threat modeling, testing defenses and reaction, and practicing what-if scenarios to determine what to do if these fail.”

Traditionally, risk assessments have been largely paper based. The Assessor will determine a scope relevant to the objective, and then undertake the assessment using a methodology described in one of the various international standards on risk management.

There are, however, many different approaches to risk assessment, and the standards are not prescriptive on exactly what or how to undertake such an assessment. For example, an Assessor may request various documents, review the previous risk assessments and the controls that were nominated, and then determine if the controls are in place and working. The Assessor also needs to ensure that the risk appetite of the organisation is current and accounted for. A business cannot mitigate all risks. The business needs to make a call on what level of risk is accepted and where controls are required to bring higher levels of risk down to acceptable levels. This is risk appetite.

The problem here is that the scope of the assessment is integral to the overall outcome. Choose a narrow scope and you will only assess part of your business, and the possibility exists that there are risks you have not adequately accounted for. This problem is exacerbated when the organisation is tasked to determine its Cyber Risk Profile—that is the extent to which it may be subject to incurring losses as the result of a range of cyber-oriented attacks. These could include, but not be limited to, Denial of Service (DoS), hacking, data loss, malware, operational downtime (unavailability of systems), regulatory or legal compliance matters, etc.

The reason the problem is exacerbated, is there are so many vectors through which an organisation is exposed to cyber-risk, and the threat landscape changes at a high frequency. Using a traditional approach that includes documentation reviews, interviews, analysis of previous assessments, etc., while remaining consistent with the standards does not mean the Assessor is reviewing the ability of the organisation to defend against current and future threats. Take the organisation’s exposure to social-media-borne attacks as a good example. Social media exists on the periphery of most organisations. The business does not operate its own social media platforms; rather, it consumes these as a service (e.g., LinkedIn). Further complicating the issue is overlap in cyberspace between personal and business. A targeted attack on an employee (through their personal social media activity) could have a negative influence on the overall corporate security exposure. Simply put, the result of a single employee’s breached social media account, such as Twitter or Facebook, could lead to an overall compromise of a corporate network. This is not far-fetched. There are many examples of such a domino-effect attack. Ironically, Twitter themselves succumbed to such an attack as far back as 2009[1].

Another good example of risks not commonly assessed through paper-based reviews is Supply Chain Risks. An organisation may be at risk through their relationships with other entities in their supply chain. Consider a business that has outsourced its IT Management to a third-party company. They require remote access and administrative accounts in order to deliver their services (backup, server and workstation management, help desk functions, etc). Now, if the third-party company is breached, the attacker could use the established privileged access channels, and the associated established privileged access credentials, to ultimately compromise the targeted end company. The Wipro breach of 2019 is likely to be a landmark case for this attack vector[2]. There are also many other forms of supply chain risks (services, software development, hardware development, all forms of outsourcing, etc).

As highlighted above, to effectively perform cyber-risk assessment, you must think about the complex web of overlapping systems and supply chains that are now essentially part of the footprint of your business.

Why does all of this matter?

If the Risk Assessor is not familiar with the techniques that attackers are actively using today, then it is unlikely that the Assessor will be covering the full scope of risks to which the organisation is exposed. While this alone does not make the traditional risk assessment irrelevant, it certainly negates the relevance of relying on it for your business’ overall risk identification method. If you do not identify the risks, then you will not be able to apply controls to mitigate them. These traditional risk assessments are still important as part of an overall risk management program, and they are still required under many of the standards. However, given the changing nature of cyber-risk, assessments must now be augmented with other methodologies.

Welcome Dynamic Risk Assessments

We need to adopt assessment methods that are going to give a higher degree of assurance that we are identifying realistic vectors through which the business may be subjected to attack. We call this discipline Dynamic Risk Assessments (DRA). This type of assessment is based on the premise that the Assessor is not stifled by prescriptive rules, a spreadsheet listing the methods to use, or having meetings with any number of stakeholders who may not disclose the true state of affairs for fear of losing credibility or possibly their job! The approach is systematic. It includes profiling the target, identifying all the relevant information about its suppliers, staff and executives, facilities, email, websites, remote access and financial systems. All of this can be profiled through publicly available information. An approach is then crafted to assess all these vectors to determine those most susceptible to attack—that is, the methods an attacker will most likely adopt if targeting that business.

The reason it is called a Dynamic Risk Assessment, is because the process uses constant feedback loops. This means the assessment is tailored to the business as the Assessor learns more about the strength of controls, enabling the Assessors to hone in on weaknesses that may yield wider value to an attacker.

The Goal

The goals are defined by the business that is being assessed. The objective is testing the business’ resilience to protect their systems. The DRA is intended to validate the effectiveness of the current controls.

Sample goals could be:

1. Gain access to the network
2. Compromise the domain
3. Locate, access and exfiltrate the primary datasets
4. Maintain persistence for future attacks

September’s theme is on Analytics, Intelligence and Response.

Watch this space, my contribution for the September blog post will be a simplified case study of the above, describing how an attacker may profile a target and use that information to pursue and ultimately compromise them. We will also explore what response mechanisms are required to defeat such attacks.