Cyber security risk assessment is an essential element of any information security program. As the technology landscape continues to evolve, your company needs to take appropriate steps to make sure your data isn’t vulnerable to potential threats. A great resource for conducting risk assessments is the U.S. Department of Commerce National Institute of Standards and Technology Guide for Conducting Risk Assessments, often referred to by its publication number, NIST 800-30. The guide can be broken down into six steps.
Identify threat sources. The very first thing your organization needs to do is identify and characterize threats. Build a team to assess the various threats facing your company. Examples are divided into “Adversarial Threats” such as organized crime and hostile nation-states, and “Environmental Threats” such as earthquakes and tornadoes.
Identify threat events. This step requires identifying potential threat vectors, the relevance of those vectors, and correlating them with threat sources identified earlier. A good example would be a hostile nation-state running a brute-force dictionary attack on default SSH port 22 on your ISP’s subnet. A course of action could be to weigh whether enforcing good password practices is more or less important than running SSH on another port.
Identify vulnerabilities. It’s important to identify vulnerabilities and conditions affecting the likelihood that threats will result in loss of data, time, and revenue. For example, if your organization has chosen to run SSH on a non standard port, but users choose passwords vulnerable to a dictionary attack, what data can be lost via SSH?
Determine probable impact. Once an attacker is in via SSH, what can be lost? If your website’s users choose poor passwords, what data can be taken and what’s the worst-case scenario?
Calculate risk weighing both likelihood and impact. Will the cost of implementing a strategy to deal with the impact of an earthquake outweigh the additional operational expense during normal day-to-day operations?
Compliance with NIST 800-30 can be daunting, but it doesn’t have to be. For 17 years 4 Corner IT has been a premier IT services company. With over 60 employees, let us help you with your technology needs.
Contact us today or fill out a contact form to speak to a technical adviser.