Practical Cyber Security Risk Assessment

Cyber security risks can be categorised by their scale (how much of a business is impacted) and the severity of the impact. Cyber security risks represent the potential for hackers to exploit a weakness in a business’s cyber security framework.

A cyber security risk assessment produces a matrix of classifications that are then used to prioritise identified risks.

The risk matrix addresses risks that can be classified as they are understood. They are risks with an understandable likelihood of occurring and impact they carry with them. For example:

• The chance that a successful phishing attack will impact a business at some point is high. It takes only a single member of staff to be caught by a ‘spear phishing’ exploit (i.e. a targeted email that appears to come from a trusted source but contains malware). However, in a business using a cyber security framework, there is a requirement for anti-malware software on PCs. So, in this case, while the risk is high, the impact is low.
• In a business with automated patch updates being applied to applications, only an error in the patch application and the routine vulnerability scanning would leave a known exploit that allows a hacker to, for example, steal credit card details from the account’s server. The risk is low, but the impact is high.

Depending on a business’s cyber security resources, these risks can be expressed in a risk assessment matrix and prioritised. As risks are identified through a constant process of research and analysis, cyber threats can be assessed and remedies developed based on the prioritising of the risk.

Working across the business, a cyber security manager can gather input from management and teams across the business (such as IT) to then act. A CSRA of any threat identifies the timing and effort to remedy a risk.

All cyber security threats are unknown until researched and assessed. Over the decades that cyber attacks have become prominent, cyber security threats have evolved, presenting new forms of threat. However, the methods of attack are limited. For example, all phishing attacks use email or a website to load malware to allow hackers to further exploit the infected computer/ network. A review of the names of current threats listed the following active malware in Australia in early October 2022:

All of the malware listed are more than a year old, and all of the malware listed can be defeated by:

• appropriate anti-malware software
• user awareness to not visit non-business websites or open suspicious emails or click on attachments
• users being blocked from visiting non-business websites, and emails with attachments from outside the network being quarantined. 

Likewise, applying the latest security patches to digital devices and network/application software will block technical attacks by hackers (a technical attack relies on exploiting a weakness in software rather than relying on user ignorance of cyber security threats).

The application of an effective cyber security framework supported by a detailed CSRA matrix would seem to be sufficient to manage cyber security. However, there are two types of risk that cannot be classified by a CSRA matrix or anticipated in a framework:

• zero-day (sometimes written ‘0day’) exploits
• internal threats. 

These cyber security threats represent the highest potential risk and greatest potential to damage a business. They cannot be analysed in advance or assessed as to the probability they will occur.

Zero-Day Exploits 

A zero-day exploit is an unknown flaw in software or hardware. In effect, hackers develop a method that has yet not been discovered. In this window of opportunity, hackers can access systems and bypass cyber security. While the access may be unnoticed, the hackers may, for example, leave telltale signs in audit logs as they interact with the business’s systems. When these signs are discovered, a business will know cybercrime has taken place, but will not know how the hackers gained access, and the exploit remains open.

‘Zero-day exploit’ refers to hackers being ahead of cyber security, and the term is borrowed from a video piracy term that meant a pirated copy of a film was available before its cinema release.

All zero-day exploits are eventually identified. The attacks grow in numbers, and the circumstantial evidence builds. Then a remedy is developed. In the time it takes to develop a patch, hackers are free to attack at will.

Zero-day threats are unknown until they are known. As such, they cannot be evaluated using a CSRA matrix, and regular patching of software, as called for by security frameworks, cannot close the exploit.

Internal Threats

Insider threats come from authorised people within a business. They are staff who have logons with passwords and access to business systems. The cyber security framework a business deploys cannot stop authorised people gaining access if they remain employees of the business.

There is no cyber security remedy for a malicious attack from an internal threat.

Example

ACE Pty Ltd have some staff that are authorised to access social media. This is because their role requires updating and replying to customers posting on ACE’s social media channels. ACE’s marketing team all have access to social media websites.

ACE policy prohibits the opening of URLs (Uniform Resource Locators) on social media and external webpages. If any of ACE’s marketing team, despite the policy prohibition, want to select a weblink on a social media website, they can. This creates an internal threat to ACE’s digital systems as social media links are sources of malware/cyber attacks.

The motivations for a malicious insider attack may be personal or for financial gain. An employee passed over for a promotion could be motivated to make an attack. While the motivations may be understood, there is no way to stop insider attacks. The attacks are made by users authorised on the system and cannot be predicted.

Managing Insider and Zero-Day Threats

While the severity and probability that zero-day exploits and insider threats will occur are unknown, there are steps a business can take to mitigate both types of threat.

A cyber security manager should always be performing appropriate cyber security framework behaviour, such as creating cyber security awareness, ensuring software is patched, and researching cyber threats. In addition to these activities, there are more specific approaches to managing each type of threat.

Managing Zero-Day Threats

Assume that a zero-day threat could attack a business’s system at any time. While the method of attack may be unique/unknown, the exploit will be more successful in businesses that do not adopt cyber safe zero-trust policy. Zero-trust policy is a philosophy that assumes all activity on a business system is suspicious until proven otherwise. If a zero-day exploit infects a zero-trust cyber security environment, there are numerous checks, blocks and compartments to limit the impact. These precautions include:

• Data level change control – Changes in business data require signoff from at least one manager.
• Encryption – Databases are encrypted so that data stolen is unreadable.
• Monitoring requests for large amounts of data – Large amounts of information being requested, rather than small, single requests, are monitored, for example, one client’s financials, as opposed to many clients’.
• Role control – Staff have the least privilege to perform a specific and thin role. User access does not allow staff to perform multiple roles.
• Removal of single sign-on (SSO) – Single sign-on, to improve productivity, is technology that allows a single logon access to all business applications. Removing SSO ensures a single compromised user account is limited in what can be accessed.
• Off-site backups – Once a zero-day exploit is discovered, the amount of time the exploit has allowed access to hackers will be unknown. There will, however, be a time before the exploit. By ensuring that backups are copied off the business’s network to a secured other network, there will be a backup that a business can restore that does not carry the exploit. Smart hackers ensure that backups are infected so that, if a business restores a system from a backup, the new system remains affected.
• Remove the Internet – Before the Internet, business computing was isolated, and the only way to hack a network was to perform a physical attack (such as stealing hardware with data). Many businesses embed web browsers and, in accordance with cyber security frameworks, restrict web browsing. A more effective method is to remove web browsers from all computers and provide web access only in circumstances where an employee specifically needs web browsing. Web browsers are not provided by default. Confidential and business-essential systems are accessed only by digital devices that are unconnected from the internet. In cases where services are required for external data enquiries, access is granted to a limited copy of actual corporate data, which is updated from the actual data only as needed.
• Email – Business emails are typically provided to all employees. To facilitate communications, an employee internal communication system, such as Microsoft Teams, can be used rather than email. Email ports are blocked, and only staff requiring email for communications can send and receive emails. Having an email address is not a default and is provided only as needed.

Ransomware uses this technique:

• Hackers use a zero-day exploit. They ensure that the business’s backups are corrupted/infected, then they lock the business systems so that no access is possible.
• The business is asked to pay a ransom to gain access to its system. If the business attempts to restore its system, the hackers have ensured that all backups are likewise locked. 

While zero-trust policy will improve cyber security, adding zero-trust thinking to cyber security planning will add complexity, costs, time to perform tasks; and remove operational convenience and agility. It is anti-productive and removes web flexibility and web power from a business. Rather than blanket application of zero trust, a cyber security manager should consider what is protected by considering what the business could lose. For example, encrypting databases adds considerable time for legitimate users to access, and read and/or write back to the database. 

Cyber security frameworks look to restrict access (such as blocking Java scripts); however, zero-day exploits may use alternative methods. This includes ‘spear phishing’, where an email simply being opened is enough to run malware that, being undocumented, will not be picked up by anti-malware software.

Analysing the impact of zero-trust policy and advising a business’s management team is a necessary first step in tackling how to address zero-day exploits.

Barriers to Zero-Trust Policy

Zero trust makes work more complex and slower to perform. There are more obstacles to overcome, and workflow efficiency is impacted. Introducing zero trust to a business will remove freedoms as well. Staff that have had email and web browsing may lose this functionality.

A careful, considered approach is needed to engage with management and staff to provide an informed briefing applying a zero-trust policy. Explain to management why removing risks is better than mitigating risks for threats that have catastrophic business impact.

Also, providing alternative tools will help see the process as a positive change rather than a net negative. For example, an internal Microsoft Teams messaging system could replace email in some cases.

The role of a cyber security manager is to provide suggestions based on sound cyber security thinking. It may be that zero-trust policy is not a fit for your business. In this case, the application of strong policy within a robust cybersecurity framework remains the best approach.

Managing Internal Threats

In the case of internal threats, taking a zero-trust approach significantly reduces the impact of an internal malicious threat. Further steps include:

• Manage staff across all levels to have access revoked when they leave a business.
• Train staff to be vigilant to external and internal threats, and report any they witness.
• Audit work of employees to identify whether access is being used for non-work practices.
• Ensure mobile devices cannot be used with business digital devices. This requires restrictions on Bluetooth, USB (Universal Serial Bus) and other connectivity potential.
• Provide physical barriers to sensitive equipment requiring access authorisation.
• Rigorously check staff references before hiring and gradually allow access over time.

It is impossible to remove every internal threat. For example, a database administrator will have data access on a level, even with zero-trust thinking, to delete, modify and create the data spaces within a business’s database.

The most effective counter to internal threats is auditing to check how staff are working. 

Watch

Watch the video below to learn more about insider threats:

Activity 1

Removing any chance that a cyber threat can become a cyber attack is the best practice. Threats such as malware infections from USB devices can be stopped by disabling USB ports on business devices. If staff bring USB sticks from outside the business into the workplace, it is entirely possible that malware is on the USB stick and will try to infect a business device when inserted into a USB port. If the USB ports are disabled, there is no way that the malware can infect the device.

Some gaps can only be mitigated. Mitigation reduces the chance of a cyber security attack occurring. For example, a zero-day attack using an exploit in business software cannot be blocked. However, the impact of such an attack can be mitigated.

Note, many businesses do not take a zero-trust approach to their cyber security. This may be out of ignorance of the approach or because the business is taking a pragmatic approach to its cyber security. A pragmatic approach considers the loss of functionality and productivity in the workplace from a zero-trust policy does not outweigh the need for the business to deliver work efficiently. In this case, it may be that a business allows USB sticks to make the transfer of data simple. Where this is the case, rather than stopping the threat, the business relies on reducing the risk by mitigating the chance of an attack. Often, this means using anti-malware software on devices. The risk that remains is that a USB stick is used with malware that cannot be identified by the anti-malware software as the software has not been updated, or the USB stick contains a zero-day exploit.

A CSRA matrix coupled with an effective cyber security framework stops some threats and mitigates others. The addition of zero-trust policy and internal threat awareness stops additional threats and leaves fewer threats to mitigate.

Example

Consider the following table, which describes examples of using zero trust to remove threats versus mitigating using a cyber security framework.

Cyber Security Threat	Manage With Framework	Zero Trust
Phishing cyber attack	Manage using a cyber security framework with CSRA matrix. Restrict access to approved websites, block attachments in emails being opened, and provide policy that restricts user to cyber safe behaviours.	Remove the threat through the addition of zero-trust policy (e.g. browsers, USB sticks and email access are removed).
Passwords to user accounts easily guessed or compromised by unsafe workplace behaviour	Manage using a cyber security framework with CSRA matrix, such as creating admin rules that ensure users use passwords that have cyber safe formats, making compliance checks and having continued programs to raise cyber security awareness.	Segment access to systems and require users to have multiple access identifications to perform different functions. The changes made by a user require checking and approval by another user before changes are committed.
Security gaps in external partners' digital system	Discuss security concerns with the other business. Quarantine files and ensure they are free of malware.	Remove the access the third party has to local systems and block emails until security is zero trust as well.

Cyber security managers are constantly looking to improve cyber security and responding to new cyber threats. In doing so, they will likely devise enhancements. Any enhancement will require change in the business to adopt the new process, policy or technology. The change required may be significant or minor in scope. Minor changes do not cause significant operational impact on a business, such as changing the frequency of patching software from monthly to every two weeks.

When significant cyber security change/initiative is required, a process to advise the business on the impact of the change needs to be followed. This process will likely be documented in the cyber security manager’s job description.

Significant changes are cyber security enhancements beyond the typical and regular tasks described in a cyber security framework. Significant cyber security initiatives noticeably change the way a business operates and affect staff and productivity. For example, compare routine patching of software with changing staff authentication methods for accessing the core business system. Software patching frequency is invisible to users, whereas changing logon procedures affects the entire business.

The following example workflow describes a model for working with a business’s executive to seek approval for cyber security initiatives.

Example - Providing an Advisory on an Initiative

1. Perform detailed research to identify the threat or enhancement. In the case of threats, document how the threat migrates and attacks, and what the best-case remedy for the threat is. For improvements (such as changing data storage policy), identify the cyber security benefits and how operationally the business needs to change. For example, what is the impact of moving from local storage to a secure cloud data storage?
2. In the case of newly identified threats, review the threat against the business’s current cyber security framework. It may be that existing policies, workplace behaviours and technical practices have already removed the threat or are managing the threat in an optimal way. In which case, documenting the threat and providing an advisory to the business is required. Responses to threats and suggested improvements should be documented to clearly note how the course of action suggested benefits the business.
3. Establish the cyber security threat level – such as high, medium or low impact.
4. Where the threat/improvement requires significant change, or it impacts the business beyond normal cyber security operations:
   • Seek approval from the business executive.
   • Ensure that feedback is gathered to onboard management’s thoughts on the suggested remedy. Take a practical approach and provide alternative remedies/directions when business sentiment finds the enhancement is unviable for any reason. Cyber security management advises the business rather than dictates operations.
5. Once an enhancement is approved by the business, ensure that teams and individuals affected by the cyber security modification are informed before and after the remedy is applied. Communicating clearly and concisely what the threat is and what the expected behaviours are is required.
6. Lastly, document the enhancement to build a library of knowledge that can be relied on to guide responses to future threats or act to improve cyber security.

Activity 2