Without any doubt, cybersecurity risks increasingly add critical impact to the overall IT risk, which is why they are among the top concerns of today’s organizations in cyberspace. At the same time, architecting and designing networks is key to achieving successful IT solutions.
This blog aims to focus on an area that is not commonly covered: the mapping between cybersecurity risks and network design, and how the different cybersecurity risks can be translated into design considerations. This is key to producing a network design that is not only secure but also helps to minimize cybersecurity risks.
Please note there is a difference between managing cybersecurity risk and preventing cyberattacks: if you focus mainly on how to prevent attacks, you are simply designing to fail at some stage. Why? This is what we will find out throughout this blog series.
Part 1 of this blog series focuses on the drivers, concepts and methodologies that pertain to risk and managing risk in the context of cybersecurity.
We all know that if we are connected to the internet, we are exposed to countless risks.
So what does “risk” mean in the context of cybersecurity?
Risk, in cybersecurity, refers to the relationship or interaction between a threat and the likelihood of that threat, or a threat agent, exploiting a vulnerability.
Cybersecurity risk management, on the other hand, is the process of identifying, assessing and minimizing or mitigating risks to an adequate level.
You might be wondering: why minimize or mitigate the risk rather than eliminate it completely?
Simply because there is no system or environment that is 100% risk free or 100% secure; therefore, we always have some risk to deal with.
If you know the enemy, and know yourself, you need not fear the result of 100 battles.
If you know yourself, but not the enemy, for every victory gained, you’ll also suffer defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
These philosophies are from the Chinese general and philosopher Sun Tzu’s The Art of War, a Chinese military treatise going back to the 5th century B.C. Incredibly enough, over 2,500 years later, these points are all applicable to the cybersecurity era.
Therefore, even though there is no absolute or standardized formula to measure risk, it is indispensable that you have a very good awareness of your risk environment (“know your enemy”), along with your vulnerabilities and the likelihood that a threat event will occur (“know yourself”).
Note: although there are a few commonly accepted risk management frameworks, such as ISO 31000:2009, NIST RMF and ISACA Risk IT, it’s up to an organization or entity to adopt any or none of them.
A threat is typically a danger that can impact or damage your assets, such as fires, floods, hackers accessing a system, malware infecting your systems, your server crashing without backups to restore from, someone accidentally pulling out the plug of an important network node or server, or even power cables connected in a messy way like the ones shown in the figure below.
On the other hand, threat agents or actors are the ones who carry out the threats.
Yes, a hacker is the first thing that comes to mind in today’s cyberspace, but mother nature, through earthquakes, tornadoes, fires and floods, is also a form of threat agent.
A vulnerability is a weakness, a flaw in a program, device, network or even a person. Weak authentication checks, default username and password combinations, incorrectly configured firewalls, and even a gullible or naive employee are all vulnerabilities.
When threat actors carry out a threat, they are typically seeking to exploit a vulnerability. And as mentioned above, risk is the likelihood of a threat actor exploiting a vulnerability.
Note: “exploit” can be a verb, meaning to penetrate a system by taking advantage of a vulnerability, or a noun, meaning the tool or method used to do so.
In order to determine your risk posture, you must have a good awareness of where you are vulnerable, to what and to whom, along with the possibility of a threat actor exploiting your vulnerabilities. Typically, there are two main risk sources: technical risks and human/process risks.
Note: since this blog focuses on cybersecurity and not on information security, physical risk will not be discussed.
Estimating the Risk
This section will provide an oversimplified overview of how to build a risk estimation matrix.
As we know, technical and human risks are the two key factors in your risk analysis; you may also consider your intellectual property and trade secrets in this context.
In order to build an estimated cybersecurity risk analysis, you need to consider the following steps. This process is based on the qualitative risk assessment methodology, where the assessment and its result are more subjective and opinion based; however, it is simpler to use to build a foundational estimation to support your design decisions later:
Taking the above into consideration, you can build a risk assessment heat map to identify where you have high, medium and low risk, which you can then use in your design process. For example, you may have built security measures against ransomware attacks to reduce their likelihood; nevertheless, the likelihood can still be rated as medium because you have not built strong user cybersecurity awareness. As a result, the total risk will be high.
Risk Handling Decision
As an executive, manager, architect or designer, one of your key responsibilities is to control risk to protect your team, organization or customers in the cybersecurity era. Controlling risk can take different forms, through policies and procedures or by following certain architecture and design principles.
Following the risk analysis process, you should have a good understanding of the possible and critical threats, threat actors and vulnerabilities, along with their impact magnitude based on the likelihood of a threat exploiting a vulnerability, taking into account the value of the assets being assessed.
It’s time to make a decision on countermeasures with regard to the risk(s). Organizations typically deal with risks in different ways, based on the assets’ value and the possible impact magnitude of the threat(s). The following summarizes the common risk handling options:
Mitigate: mitigation aims to overcome or reduce the deficiency that creates vulnerabilities and/or to leverage other mechanisms that minimize and control the vulnerabilities’ risk to a level acceptable enough to continue conducting business. As mentioned earlier in this blog, we can eliminate some vulnerabilities and block some threats, but never 100% of them. For instance, encryption, hashing, firewalls, IPS systems and others can all reduce the risk, but we always have some risk left to deal with. The remaining risk is commonly referred to as “residual risk”.
In other words, conceptually rather than mathematically: total risk – countermeasures = residual risk.
The key question is: what level of residual risk may an organization find acceptable?
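As an added example that is not part of the original post, the following Python models the qualitative heat map from the Estimating the Risk section together with the residual-risk idea above: the ransomware case rates medium likelihood and high impact as high total risk, and the register entries are constructed. The rule that each countermeasure lowers the factor it targets by one level is an assumption of this example, not a formula from the blog.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Ordinal scale of the qualitative method; three levels keep the heat map readable.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: str  # how likely a threat actor exploits the vulnerability
    impact: str      # damage to the asset if it happens
    # each entry: (countermeasure name, factor it reduces: "likelihood" or "impact")
    countermeasures: list = field(default_factory=list)

def rate(likelihood, impact):
    """Map a heat-map cell (likelihood, impact) to a total risk rating."""
    score = LEVELS[likelihood] * LEVELS[impact]  # 1..9
    if score >= 6:
        return "high"
    return "medium" if score >= 3 else "low"

def heat_map(risks):
    """Group register entries into heat-map cells keyed by (likelihood, impact)."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.threat)
    return dict(cells)

def lower(level):
    """Drop one level on the ordinal scale; 'low' stays 'low'."""
    order = list(LEVELS)
    return order[max(order.index(level) - 1, 0)]

def residual_rating(risk):
    """Re-rate after countermeasures. Assumption (a modelling choice, not the blog's
    formula): each countermeasure lowers the factor it targets by one level."""
    likelihood, impact = risk.likelihood, risk.impact
    for _, reduces in risk.countermeasures:
        if reduces == "likelihood":
            likelihood = lower(likelihood)
        else:
            impact = lower(impact)
    return rate(likelihood, impact)

# Constructed register entries for illustration; values are not from a real assessment.
RANSOMWARE = Risk("ransomware", "weak user awareness", "medium", "high",
                  [("security awareness training", "likelihood")])
REGISTER = [RANSOMWARE,
            Risk("legacy web server compromise", "unpatched software", "high", "medium"),
            Risk("accidental cable pull", "messy cabling", "medium", "low")]
```

`heat_map(REGISTER)` gives the cells to plot, `rate` the colour of each cell, and `residual_rating` the rating left to decide on (mitigate further, transfer, avoid or accept).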
Transfer: although you won’t be able to transfer your organization’s responsibilities, in the context of cybersecurity risk you can transfer the risk. Just like with your car insurance, a few insurance companies offer insurance for cybersecurity events. This is becoming common when an organization finds that the total risk is too high to gamble with and/or it lacks the expertise to put in place robust continuous mitigation systems and strategies; transferring the risk to an insurance company can then be a better and safer option. The other possible option here is the use of cloud provider services (e.g. SaaS), in which the cloud provider becomes responsible for securing your data using its standards and policies.
Avoid: simply put, avoidance is about stopping doing something that might expose you to a risk. For instance, you may have a legacy Web server with numerous vulnerabilities that an attacker could take advantage of to enter your network and scan for other systems. Instead of spending time and money trying to identify and fix these vulnerabilities, with the possibility that some fixes may not work, you may find it more feasible to disconnect this Web server to avoid the risk (assuming the business functions of this server can be handled by another system).
Accept: in some special cases, where the cost of fixing a vulnerability outweighs the asset’s value in terms of cost and its criticality to the company, you may decide to accept the risk. This is based on the fact that the costs associated with fixing and mitigating are high, while the probability of a cybersecurity attack and its potential impact are low. That being said, accepting a cybersecurity risk is not a simple decision to make, because it must be a business decision, and typically senior executives need to be involved to approve it.
Part 2 of this blog will focus on how to utilize and incorporate all the discussed concepts to architect a secure network design that aims to minimize cybersecurity risks.