Why understanding your risk is fundamental to your security conversations and solutions
Some key terms are regularly used in a conversation about security: threat, vulnerability, and risk. Do you know the difference between them? They are not interchangeable. To have better security conversations, let’s start with the basics—learning the security vocabulary. Understanding the difference between the three terms will later provide valuable insight into how to address security issues as they arise. So, let’s dive into some definitions:
What is a threat?
According to the National Institute of Standards and Technology (NIST), a threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.
Threat events are caused by threat sources.
A threat source is characterized as either:
The intent and method targeted at the exploitation of a vulnerability (a deliberate source), or
A situation and method that may accidentally exploit a vulnerability (an accidental or environmental source)
In general, types of threat sources include:
Hostile cyber or physical attacks
Human errors of omission or commission
Structural failures of organization-controlled resources (e.g., hardware, software, environmental controls)
Natural and man-made disasters, accidents, and failures beyond the control of the organization
A threat is what we’re trying to protect against.
So, what's a vulnerability?
According to NIST, a vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. Most information system vulnerabilities can be associated with security controls that either haven’t been applied (either intentionally or unintentionally), or have been applied, but retain some weakness. However, it’s also important to allow for the possibility of emergent vulnerabilities that can arise naturally over time as organizational missions/business functions evolve, environments of operation change, new technologies proliferate, and new threats emerge.
In the context of such change, existing security controls may become inadequate and may need to be reassessed for effectiveness. The tendency for security controls to potentially degrade in effectiveness over time reinforces the need to maintain risk assessments during the entire system development life cycle and also the importance of continuous monitoring programs to obtain ongoing situational awareness of the organizational security posture.
A vulnerability is a weakness or gap in our protection efforts.
What is risk?
According to NIST, risk is a measure of the extent to which an entity is threatened by a potential circumstance or event and is typically a function of the adverse impacts that would arise if the circumstance or event occurs; and the likelihood of occurrence. Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
There are three commonly cited ways to respond to a risk (NIST SP 800-39 also lists a fourth, avoidance: stopping the activity that creates the risk):
Accept: acknowledge the risk and choose not to transfer or mitigate it; the decision is documented and someone signs off on it
Transfer: assign or move the risk to another party, for example through a contract or insurance
Mitigate: reduce the likelihood of the event, its impact, or both, by applying security controls
Whatever the response, each risk should have exactly one named owner. A risk that is informally "shared" across teams is a risk nobody owns, and that leaves room for blame instead of action.
The Threat Analysis Group defines risk as the potential for loss, damage, or destruction of an asset as a result of a threat exploiting a vulnerability.
Risk is the intersection of assets, threats, and vulnerabilities.
What is a risk assessment?
Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
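The definitions above (risk as a function of likelihood and impact, risk as the intersection of an asset, a threat, and a vulnerability, and risk assessment as identifying, estimating, and prioritizing) can be made concrete with a small risk register. The following Python is an added illustration, not code from this article or from ConnectWise. The five-level scales, the score = (likelihood + 1) × (impact + 1) rule, the level bands and the response policy are all assumptions chosen for the example rather than a specific published table, and the register entries are constructed sample data, not real findings.

```python
"""Toy risk register: identify, estimate, and prioritize risks.

Added illustration; not code from the article. Scales, scoring rule, level
bands, response policy, and register entries are all assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Five-level qualitative scale used for both likelihood and impact (assumed).
LEVELS = ["very low", "low", "moderate", "high", "very high"]


def _ordinal(level: str) -> int:
    """Map a qualitative level to 0..4; reject anything not on the scale."""
    try:
        return LEVELS.index(level.strip().lower())
    except ValueError:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}") from None


@dataclass(frozen=True)
class Risk:
    """One register entry: a risk exists only where all three intersect."""
    asset: str          # what would be harmed
    threat: str         # threat source or event
    vulnerability: str  # weakness the threat would exploit
    likelihood: str     # estimated likelihood of occurrence
    impact: str         # estimated adverse impact if it occurs
    owner: str          # single accountable owner (never "shared")


def risk_score(likelihood: str, impact: str) -> int:
    """Semi-quantitative score on 1..25: (likelihood + 1) * (impact + 1).

    Assumed combination rule; any function that grows with both inputs works.
    """
    return (_ordinal(likelihood) + 1) * (_ordinal(impact) + 1)


def risk_level(score: int) -> str:
    """Bucket a 1..25 score into a qualitative level (assumed bands)."""
    if score >= 16:
        return "very high"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    if score >= 2:
        return "low"
    return "very low"


def recommend_response(level: str) -> str:
    """Assumed policy mapping a risk level to one of the responses named in
    the article: mitigate (reduce likelihood/impact), transfer (move it to
    another party), or accept (acknowledge and document the decision)."""
    return {"very high": "mitigate", "high": "mitigate",
            "moderate": "transfer or mitigate", "low": "accept",
            "very low": "accept"}[level]


def prioritize(register: list[Risk]) -> list[tuple[Risk, int, str, str]]:
    """Estimate each risk and return (risk, score, level, response) rows,
    highest score first, so the top of the list is what to discuss first."""
    rows = [(r, risk_score(r.likelihood, r.impact)) for r in register]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(r, s, risk_level(s), recommend_response(risk_level(s))) for r, s in rows]


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "SQL injection in login form",
         "high", "very high", "app team lead"),
    Risk("file server", "ransomware operator", "unpatched SMB service",
         "moderate", "high", "infrastructure lead"),
    Risk("guest Wi-Fi", "neighbouring tenant", "shared WPA2 passphrase",
         "low", "low", "office IT"),
    Risk("archived brochures", "disk failure", "no backup configured",
         "moderate", "very low", "marketing ops"),
]


if __name__ == "__main__":
    for risk, score, level, response in prioritize(SAMPLE_REGISTER):
        print(f"{score:2d} {level:9s} {response:21s} {risk.asset} <- {risk.threat} "
              f"via {risk.vulnerability} (owner: {risk.owner})")
```

Two design points worth noting. Each entry carries a single owner, which is the practical form of the "no shared risk" advice: the register is where that accountability is recorded. And an entry is only meaningful when all three of asset, threat, and vulnerability are filled in; a threat with no exploitable weakness, or a weakness on an asset nobody cares about, does not make it into the register as a risk.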
Risk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View.
Risk assessments are not simply one-time activities that provide permanent and definitive information for decision makers to guide and inform responses to information security risks. Rather, organizations employ risk assessments on an ongoing basis throughout the system development life cycle and across all of the tiers in the risk management hierarchy—with the frequency of the risk assessments and the resources applied during the assessments, commensurate with the expressly defined purpose and scope of the assessments.
Risk assessments address the potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems.
Organizations conduct risk assessments to determine risks that are common to the organization’s core missions/business functions, processes, segments, common infrastructure/support services, or information systems.
Risk assessments can support a wide variety of risk-based decisions and activities by organizational officials across all three tiers in the risk management hierarchy, including, but not limited to, the following:
Development of an information security architecture
Definition of interconnection requirements for information systems (including systems supporting mission/business processes and common infrastructure/support services)
Design of security solutions for information systems and environments of operation including the selection of security controls, information technology products, suppliers/supply chain, and contractors
Authorization (or denial of authorization) to operate information systems or to use security controls inherited by those systems (i.e., common controls)
Modification of missions/business functions and/or processes permanently, or for a specific time frame (e.g., until a newly discovered threat or vulnerability is addressed, until a compensating control is replaced)
Implementation of security solutions (e.g., whether specific information technology products or configurations for those products meet established requirements)
Operation and maintenance of security solutions (e.g., continuous monitoring strategies and programs, ongoing authorizations)
Why vulnerability scanners aren't enough
Relying solely on a vulnerability scanner addresses only part of the problem: a scanner looks for technical gaps at the network and host level. Many of today's greatest risks to sensitive data involve the human element, such as phishing, mistakes, and weak processes, which a scanner cannot see. To get a full picture of security risk, you need to assess the whole business, especially the processes, procedures, and policies that leave SMBs most vulnerable.
That's why a risk assessment should be step one. Its broad scope helps you narrow in on the critical issues across the entire business. Knowing which risks matter most gives vulnerability scanning a clear purpose as the next step in a security assessment: confirming and enumerating the technical weaknesses behind those risks.
According to SecureWorks, “You can’t adequately defend your network until you have conducted a security assessment to identify your most critical assets and know where in your network they lie.”
It's also important to consider your audience. Results from a vulnerability scan are best suited to an IT professional, whereas the results of a risk assessment are easier for a C-level executive to understand and give a clearer picture of the impact on the business.
ConnectWise Identify: Risk assessments
ConnectWise Identify is a risk assessment platform based on the NIST Cybersecurity Framework (CSF) that provides a baseline of risk posture to discuss and plan remediation around. The platform is SaaS-based and makes it easy to engage your clients and complete risk assessments together. The assessment lets you re-frame the security conversation with your customers or stakeholders, using it as an ongoing method to identify critical risks and build a roadmap for addressing them together. Each assessment includes an outline of the top risks, their impact on the business, and remediation recommendations from veteran CISOs. Should a customer decline the recommended remediation steps, an attestation letter template is included that you can share with them; once signed, ownership of that risk is formally transferred back to the customer who chose not to implement the recommended remediation plan.
We recommend assessing your entire customer base against the NIST CSF, as it is one of the most widely adopted security frameworks worldwide. You can send the assessment to each of your customers, monitor and track their progress towards completion, then share the results. The report can lay the foundation for a security-based conversation, complete with remediation recommendations, which also creates additional revenue opportunities. The dashboard gives you visibility into all your customers from a single application: it tracks every assessment and provides a historical view of how each customer's security posture is maturing. Several out-of-the-box reports let you compare how your customers measure up against other customers of the same industry, size, and geography.
Perch: Threat detection and response
In a poll of 500 IT service providers (ITSPs), 90% agreed that their customers think they're already monitoring for active cyberthreats (even though they're not). That gap between expectation and reality is dangerous to the relationship.
Perch was created to help companies of any size automate and share cyberthreat intelligence. Perch does not sell proprietary threat intel; instead, it connects users to any and all threat intel sources. This approach allows users to automate participation with their community and encourages a healthy open-market competition between sharing communities and vendors.
Perch Security detects threats on your network and provides alert analysis for you. It includes multi-tenant threat detection, threat intelligence management, event logging with next-gen SIEM capability, and a managed SOC. It all fits neatly into your existing security stack, and integrates with ConnectWise Manage®.