Description
Confidentiality ensures that unauthorized individuals are not able to gain access to sensitiveinformation. Cybersecurity professionals develop and implement security controls,including firewalls, access control lists, and encryption, to prevent unauthorized access toinformation. Attackers may seek to undermine confidentiality controls to achieve one oftheir goals: the unauthorized disclosure of sensitive information.Integrity ensures that there are no unauthorized modifications to information or systems,either intentionally or unintentionally. Integrity controls, such as hashing and integritymonitoring solutions, seek to enforce this requirement. Integrity threats may comefrom attackers seeking the alteration of information without authorization or nonmalicioussources, such as a power spike causing the corruption of information. The risk assessment process described here, using categories of “high,”“medium,” and “low,” is an example of a qualitative risk assessmentprocess. Risk assessments also may use quantitative techniques thatnumerically assess the likelihood and impact of risks. Quantitative riskassessments are beyond the scope of the Cybersecurity Analyst+ exambut are found on more advanced security exams, including the CompTIAAdvanced Security Practitioner (CASP) and Certified Information SystemsSecurity Professional (CISSP) exams.After assessing the likelihood and impact of a risk, risk assessors then combine thosetwo evaluations to determine an overall risk rating. This may be as simple as using a matrix8 Chapter 1 ■ Defending Against Cybersecurity Threatssimilar to the one shown in Figure 1.4 that describes how the organization assigns overallratings to risks. For example, an organization might decide that the likelihood of a hackerattack is medium whereas the impact would be high. Looking this combination up inFigure 1.4 reveals that it should be considered a high overall risk. Similarly, if an organizationassesses the likelihood of a flood as medium and the impact as low, a flood scenariowould have an overall risk of low.FIGURE 1.4 Many organizations use a risk matrix to determine an overall risk ratingbased on likelihood and impact assessments.Medium High HighLow Medium HighLow Low MediumMediumImpactLikelihoodLow HighLow Medium HighReviewing ControlsCybersecurity professionals use risk management strategies, such as risk acceptance, riskavoidance, risk mitigation, and risk transference, to reduce the likelihood and impact ofrisks identified during risk assessments. The most common way that organizations managesecurity risks is to develop sets of technical and operational security controls that mitigatethose risks to acceptable levels.Technical controls are systems, devices, software, and settings that work to enforceconfidentiality, integrity, and/or availability requirements. Examples of technical controlsinclude building a secure network and implementing endpoint security, two topics discussedlater in this chapter. Operational controls are practices and procedures that bolstercybersecurity. Examples of operational controls include conducting penetration testing andusing reverse engineering to analyze acquired software. These two topics are also discussedlater in this chapter.Availability ensures that information and systems are ready to meet the needs of legitimateusers at the time those users request them. Availability controls, such as fault tolerance,clustering, and backups, seek to ensure that legitimate users may gain access asneeded. Similar to integrity threats, availability threats may come either from attackersseeking the disruption of access or nonmalicious sources, such as a fire destroying a datacenterthat contains valuable information or services.Cybersecurity analysts often refer to these three goals, known as the CIA Triad, whenperforming their work. They often characterize risks, attacks, and security controls asmeeting one or more of the three CIA Triad goals when describing them.Evaluating Security RisksCybersecurity risk analysis is the cornerstone of any information security program.Analysts must take the time to thoroughly understand their own technology environmentsand the external threats that jeopardize their information security. A well-rounded cybersecurityrisk assessment combines information about internal and external factors to helpanalysts understand the threats facing their organization and then design an appropriate setof controls to meet those threats.Before diving into the world of risk assessment, we must begin with a common vocabulary.You must know three important terms to communicate clearly with other risk analysts:vulnerabilities, threats, and risks.A vulnerability is a weakness in a device, system, application, or process that mightallow an attack to take place. Vulnerabilities are internal factors that may be controlled bycybersecurity professionals. For example, a web server that is running an outdated versionof the Apache service may contain a vulnerability that would allow an attacker to conducta denial-of-service (DoS) attack against the websites hosted on that server, jeopardizingtheir availability. Cybersecurity professionals within the organization have the ability toremediate this vulnerability by upgrading the Apache service to the most recent version thatis not susceptible to the DoS attack.4 Chapter 1 ■ Defending Against Cybersecurity ThreatsA threat in the world of cybersecurity is an outside force that may exploit a vulnerability.For example, a hacker who would like to conduct a DoS attack against a website andknows about an Apache vulnerability poses a clear cybersecurity threat. Although manythreats are malicious in nature, this is not necessarily the case. For example, an earthquakemay also disrupt the availability of a website by damaging the datacenter containing theweb servers. Earthquakes clearly do not have malicious intent. In most cases, cybersecurityprofessionals cannot do much to eliminate a threat. Hackers will hack and earthquakes willstrike whether we like it or not.A risk is the combination of a threat and a corresponding vulnerability. Both of thesefactors must be present before a situation poses a risk to the security of an organization.For example, if a hacker targets an organization’s web server with a DoS attack but theserver was patched so that it is not vulnerable to that attack, there is no risk because eventhough a threat is present (the hacker), there is no vulnerability. Similarly, a datacentermay be vulnerable to earthquakes because the walls are not built to withstand the extrememovements present during an earthquake, but it may be located in a region of the worldwhere earthquakes do not occur. The datacenter may be vulnerable to earthquakes butthere is little to no threat of earthquake in its location, so there is no risk.The relationship between risks, threats, and vulnerabilities is an important one, and it isoften represented by this equation:Risk = Threat × VulnerabilityThis is not meant to be a literal equation where you would actually plug in values.Instead, it is meant to demonstrate the fact that risks exist only when there is both a threatand a corresponding vulnerability that the threat might exploit. If either the threat or vulnerabilityis zero, the risk is also zero. Figure 1.2 shows this in another way: risks are theintersection of threats and vulnerabilities.FIGURE 1.2 Risks exist at the intersection of threats and vulnerabilities. If either thethreat or vulnerability is missing, there is no risk.RisksThreatsVulnerabilitiesOrganizations should routinely conduct risk assessments to take stock of theirexisting risk landscape. The National Institute of Standards and Technology (NIST)publishes a guide for conducting risk assessments that is widely used throughout thecybersecurity field as a foundation for risk assessments. The document, designatedNIST Special Publication (SP) 800-30, suggests the risk assessment process shown inFigure 1.3.Evaluating Security Risks 5FIGURE 1.3 The NIST SP 800-30 risk assessment process suggests that anorganization should identify threats and vulnerabilities and then use that information todetermine the level of risk posed by the combination of those threats and vulnerabilities.Step 1: Prepare for AssessmentDerived from Organizational Risk FrameStep 2: Conduct AssessmentStep 3: Communicate ResultsStep 4: Maintain AssessmentIdentify Threat Sources and EventsDetermine Likelihood of OccurrenceDetermine Magnitude of ImpactDetermine RiskIdentify Vulnerabilities andPredisposing ConditionsExpanded Task ViewSource: NIST SP 800-30Identify ThreatsOrganizations begin the risk assessment process by identifying the types of threats thatexist in their threat environment. Although some threats, such as malware and spam, affectall organizations, other threats are targeted against specific types of organizations. Forexample, government-sponsored advanced persistent threat (APT) attackers typically targetgovernment agencies, military organizations, and companies that operate in related fields.It is unlikely that an APT attacker would target an elementary school.NIST identifies four different categories of threats that an organization might face andshould consider in its threat identification process:■■ Adversarial threats are individuals, groups, and organizations that are attempting todeliberately undermine the security of an organization. Adversaries may include trustedinsiders, competitors, suppliers, customers, business partners, or even nation-states.When evaluating an adversarial threat, cybersecurity analysts should consider the6 Chapter 1 ■ Defending Against Cybersecurity Threatscapability of the threat actor to engage in attacks, the intent of the threat actor, and thelikelihood that the threat will target the organization.■ Accidental threats occur when individuals doing their routine work mistakenly performan action that undermines security. For example, a system administrator mightaccidentally delete a critical disk volume, causing a loss of availability. When evaluatingan accidental threat, cybersecurity analysts should consider the possible range ofeffects that the threat might have on the organization.■ Structural threats occur when equipment, software, or environmental controls fail dueto the exhaustion of resources (such as running out of gas), exceeding their operationalcapability (such as operating in extreme heat), or simply failing due to age. Structuralthreats may come from IT components (such as storage, servers, and network devices),environmental controls (such as power and cooling infrastructure), and software (suchas operating systems and applications). When evaluating a structural threat, cybersecurityanalysts should consider the possible range of effects that the threat might have onthe organization.■ Environmental threats occur when natural or man-made disasters occur that are outsidethe control of the organization. These might include fires, flooding, severe storms,power failures, or widespread telecommunications disruptions. When evaluating environmentalthreats, cybersecurity analysts should consider common natural environmentalthreats to their geographic region, as well as how to appropriately prevent orcounter man-made environmental threats.The nature and scope of the threats in each of these categories will vary depending onthe nature of the organization, the composition of its technology infrastructure, and manyother situation-specifi c circumstances. That said, it may be helpful to obtain copies of therisk assessments performed by other, similar, organizations as a starting point for an organization’sown risk assessment or to use as a quality assessment check during various stagesof the organization’s assessment.The Insider ThreatWhen performing a threat analysis, cybersecurity professionals must remember thatthreats come from both external and internal sources. In addition to the hackers, naturaldisasters, and other threats that begin outside the organization, rouge employees, disgruntledteam members, and incompetent administrators also pose a signifi cant threatto enterprise cybersecurity. As an organization designs controls, it must consider bothinternal and external threats.NIST SP 800-30 provides a great deal of additional information to helporganizations conduct risk assessments, including detailed tasks associatedwith each of these steps. This information is outside the scope of theCybersecurity Analyst+ exam, but organizations preparing to conduct riskassessments should download and read the entire publication.Evaluating Security Risks 7Identify VulnerabilitiesDuring the threat identification phase of a risk assessment, cybersecurity analysts focus onthe external factors likely to impact an organization’s security efforts. After completingthreat identification, the focus of the assessment turns inward, identifying the vulnerabilitiesthat those threats might exploit to compromise an organization’s confidentiality, integrity,or availability.Chapters 3 and 4 of this book focus extensively on the identification and management ofvulnerabilities.Determine Likelihood, Impact, and RiskAfter identifying the threats and vulnerabilities facing an organization, risk assessors nextseek out combinations of threat and vulnerability that pose a risk to the confidentiality,integrity, or availability of enterprise information and systems. This requires assessing boththe likelihood that a risk will materialize and the impact that the risk will have on the organizationif it does occur.When determining the likelihood of a risk occurring, analysts should consider twofactors. First, they should assess the likelihood that the threat source will initiate the risk.In the case of an adversarial threat source, this is the likelihood that the adversary willexecute an attack against the organization. In the case of accidental, structural, or environmentalthreats, it is the likelihood that the threat will occur. The second factor that contributesis the likelihood that, if a risk occurs, it will actually have an adverse impact on theorganization, given the state of the organization’s security controls. After considering eachof these criteria, risk assessors assign an overall likelihood rating. This may use categories,such as “low,” “medium,” and “high,” to describe the likelihood qualitatively.Risk assessors evaluate the impact of a risk using a similar rating scale. This evaluationshould assume that a threat actually does take place and cause a risk to the organizationand then attempt to identify the magnitude of the adverse impact that the risk will haveon the organization. When evaluating this risk, it is helpful to refer to the three objectivesof cybersecurity shown in Figure 1.1, confidentiality, integrity, and availability, and thenassess the impact that the risk would have on each of these objectives.