Basics of Identification and Risk Management
by Dr. Greg White, Executive Director, CIAS-ISAO
Risk Management
When it comes to cybersecurity, it is common to hear that you cannot protect against all attacks and be absolutely secure. This is true if for no other reason than the occasional zero-day vulnerability: a previously unknown flaw that, at least briefly, can be exploited until a patch is developed or a method to mitigate its impact is implemented.
Another reason cybersecurity professionals state that total security is not feasible is the cost of trying to achieve it and the potential operational impact on the organization. For these two reasons, the goal of organizations should not be to make their computer systems and networks absolutely secure but rather to concentrate on managing the risk to the organization.
A free resource where you can learn more about risk management is the NIST Risk Management Framework (NIST RMF), which can be accessed at nist.gov/rmf. The framework consists of seven steps, which are:
- Prepare: Essential activities to prepare the organization to manage security and privacy risks.
- Categorize: Categorize the system and information processed, stored and transmitted based on an impact analysis.
- Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s).
- Implement: Implement the controls and document how controls are deployed.
- Assess: Assess to determine if the controls are in place, operating as intended and producing the desired results.
- Authorize: Senior official makes a risk-based decision to authorize the system (to operate).
- Monitor: Continuously monitor control implementation and risks to the system.
NIST SP 800-53 mentioned in the list above is titled Assessing Security and Privacy Controls in Information Systems and Organizations (a draft revision was released in August 2021). This document is free and available to download on their website.
It should be mentioned that, while it may not apply to everyone, the goal of the NIST RMF is to prepare organizations so that they meet the requirements of the Federal Information Security Modernization Act (FISMA). While not all items in the NIST RMF will apply to non-federal organizations, the steps are still a valuable guide to managing your risks no matter what sector you may be in.
A more complete description of the NIST RMF can be found in NIST SP 800-37 Risk Management Framework for Information Systems and Organizations. This document is available for download at nvlpubs.nist.gov/nistpubs/.
Another useful publication for consideration is NIST SP 800-39 Managing Information Security Risk, which can be downloaded at nvlpubs.nist.gov/nistpubs/Legacy. A section from this document that neatly summarizes risk management is as follows:
“Managing risk is a complex, multifaceted activity that requires the involvement of the entire organization—from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems supporting the organization’s missions/business functions. Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations.” (NIST 800-39)
Managing risk, as stated above, is a complex process and all of these documents might make the process seem overwhelming. If you want an easier way to get started, try the following steps:
- What potential risks do you face? What cyber threats are there for your organization, and what might be the target of those threats? What events might your organization reasonably expect could happen?
- What is the potential impact of each event identified in step one? Examine these impacts and rank them based on their severity and the effect they will have on your organization. You should also consider the likelihood of their occurrence, though this is sometimes hard to predict.
- What is the cause of the risks that were identified? What makes it possible for the events to occur?
- Determine what steps you can take to eliminate the risks (in order of their severity) or to mitigate their impact. You may not be able to prevent every individual event, but are there things you can do to minimize its impact on your organization?
These are very simple steps, and as the NIST documents mentioned above make clear, there is much more to risk management than them; but following these steps can help you get started.
Identification
One necessary factor in risk management is an understanding of your IT environment including what systems and software you utilize. The reason for this is easy to explain – if you are not using a specific operating system, application or type of hardware, vulnerabilities that may be discovered in any of them will not apply to your organization.
Even if you do use some resource for which a new vulnerability has been discovered, knowing which part of your organization is using it will be essential to quickly addressing the vulnerability. What you don’t want to have happen is for your management and IT personnel to learn about a new vulnerability and have somebody ask the questions “Do we use this? Does it apply to us?” and not be able to answer those questions.
Your organization should have a list (e.g., a database or spreadsheet) of all hardware and software used by your organization. The list also needs to include where in your organization the resource can be found and the version in use, as different versions of software may not be vulnerable to the same security issues. As you can imagine, maintaining this list for a large organization can be challenging. This is why it is important to know when a new system or application is acquired or updated so that it can be entered into the list. Conversely, when equipment or software is removed, it is equally important to remove it from the list. It is for both of these reasons that IT personnel should be in the loop when either of these occurs. They should be the ones to load approved software on a system and should help with the removal of software and equipment when it occurs. If you maintain a process such as this, it will be easier to keep your list accurate.
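As an added illustration (not part of the original article), the snippet below shows how such an inventory, once it records product, version and location, answers the “Do we use this? Does it apply to us?” question when a new advisory arrives; the inventory rows, product names and affected version range are constructed sample data.

```python
# Added example: matching a hypothetical vulnerability advisory against an
# asset inventory that records product, version and location (constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str    # where in the organization the resource lives
    department: str
    product: str     # software or hardware product name
    version: str     # version in use; not every version is affected


# Constructed inventory; in practice this is your spreadsheet or database.
INVENTORY = [
    Asset("fs-01", "Finance", "ExampleFileServer", "3.2.1"),
    Asset("fs-02", "HR", "ExampleFileServer", "3.4.0"),
    Asset("web-01", "Marketing", "ExampleWebApp", "2.0.5"),
    Asset("kiosk-07", "Front Desk", "ExampleFileServer", "2.9.9"),
]


def parse_version(text: str) -> tuple:
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings.
    Short versions are padded ('3.4' -> (3, 4, 0)) so '3.4' equals '3.4.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_assets(inventory, product, first_bad, first_fixed):
    """Entries running `product` with first_bad <= version < first_fixed.
    `first_fixed` is the version carrying the patch; lower versions at or
    above `first_bad` are exposed and need the patch or a mitigation."""
    lo, hi = parse_version(first_bad), parse_version(first_fixed)
    return [a for a in inventory
            if a.product == product and lo <= parse_version(a.version) < hi]


def exposure_by_department(inventory, product, first_bad, first_fixed):
    """Answer 'Do we use this, and where?' as {department: [hostnames]}."""
    report = {}
    for asset in affected_assets(inventory, product, first_bad, first_fixed):
        report.setdefault(asset.department, []).append(asset.hostname)
    return report


if __name__ == "__main__":
    # Hypothetical advisory: ExampleFileServer 3.0.0 up to (not including) 3.4.0
    # is vulnerable. Only Finance's fs-01 (3.2.1) is affected.
    print(exposure_by_department(INVENTORY, "ExampleFileServer", "3.0.0", "3.4.0"))
```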
What about getting started? What if I haven’t maintained such a list but I now want to create one? If this is your situation, you should get started immediately – first by establishing the approved process to obtain new software or hardware and then by finding out what is currently in use. One way of doing this is to have IT personnel examine all systems – but this may not be possible for any but the smallest of organizations. Another way might be to send all users a questionnaire to have them tell you what they are using. You may have to provide instructions on how to determine versions of software and the likelihood that this process will yield a totally accurate list is slim – but it is better than not having a list at all. Over time, as systems are removed and new systems acquired, if you have established the appropriate processes your list will become increasingly accurate.
Are there any tools that can help you with this effort? You can use a standard network scanning tool, and there are a number of both free and commercial versions that are available. Performing such a scan is also useful as these tools will let you know about any existing, known vulnerabilities you may not have patched. Performing a scan will not provide a complete list of what is in use in your organization, but like the questionnaire it is a place to start.
As a final comment, it should be stated that we are not claiming that identification is an easy process to start or maintain. It will take a level of commitment by your organization. However, if steps are taken to introduce the suggested processes, the maintenance of such a list will become easier over time.