Risk assessments provide organizations with an important way to identify and evaluate risks. In this video, learn about the risk assessment process, including: the identification of threats, threat vectors, risk, and vulnerabilities. Plus, learn the importance of assessing risk likelihood and impact through qualitative and quantitative risk assessment.
- [Instructor] Risks are everywhere in the world of information security. From hackers and malware to lost devices and missing security patches, there's a lot on the plate of information security professionals. Of course, addressing each one of these risks takes both time and money. Therefore, information security professionals need to prioritize their risk lists in order to spend these precious resources where they will have the greatest security effect. That's where risk assessment comes into play. Risk assessment is the process of identifying and triaging the risks facing an organization based upon the likelihood of their occurrence and the expected impact they will have on the organization's operations.
We need a common language around risk. In everyday life, people often use the terms threat, risk, and vulnerability interchangeably. They're actually three different concepts. A threat is some external force that jeopardizes the security of your information and systems. Threats might be naturally occurring, such as hurricanes and wildfires, or manmade, such as hacking and terrorism. You can't normally control what threats are out there. They exist independently.
There is one related term that you should know for the exam. A threat vector is the method that an attacker uses to get to a target. This might be a hacker toolkit, social engineering, physical intrusion, or any of a number of other hacking techniques. Vulnerabilities are weaknesses in your security controls that a threat might exploit to undermine the confidentiality, integrity, or availability of your information or systems. These might include missing patches, promiscuous firewall rules, or other security misconfigurations.
You do have control over the vulnerabilities in your environment, and security professionals spend much of their time hunting down and remediating vulnerabilities. Risks occur when your environment contains both a vulnerability and a corresponding threat that might exploit that vulnerability. For example, if you haven't updated your antivirus signatures recently and hackers release a new virus on the internet, you face a risk. You are vulnerable because you're missing a security control and there is a threat, the new virus.
There is no risk if either the threat or vulnerability factor is missing. For example, if you live in an area far from the coast, it doesn't matter if your building is vulnerable to hurricanes because there's no threat of a hurricane in your region. Similarly, if you store your backup tapes in a fireproof box, there is no risk from a building fire because your storage container is not vulnerable to fire. Once you've identified the risks facing your organization, you probably still have a somewhat overwhelming list.
The next stage in the risk assessment process ranks those risks by two factors, likelihood and impact. The likelihood of a risk is the probability that it will actually occur. For example, there is a risk of earthquake in both California and Wisconsin. When you look at the data, however, you find that the probability of an earthquake occurring is far higher in California, where almost 5,000 significant earthquakes occurred over the last 25 years. During that same time, Wisconsin didn't experience a single major earthquake.
Therefore, security professionals in California must be hypervigilant about the risk of earthquakes while those in Wisconsin can probably ignore it. The impact of a risk is the amount of damage that will occur if a risk materializes. For example, an earthquake might cause devastating damage to a data center while a rainstorm might not cause any damage at all. When we go about performing risk assessment, we have two different categories of techniques that we can use to assess the likelihood and impact of a risk, qualitative techniques and quantitative techniques.
Qualitative techniques use subjective judgements to assess risks, typically categorizing them as low, medium, or high on both the likelihood and impact scales. Quantitative techniques use objective numeric ratings to assess likelihood and impact, usually in terms of dollars. Here's an example of a qualitative risk assessment chart. When considering a specific risk, the assessor first rates the likelihood as low, medium, or high and then does the same for the impact.
The chart then categorizes the overall risk. For example, a high probability, high impact risk would be categorized as a high risk while a medium probability, low impact risk would be categorized overall as a low risk. The second risk assessment technique, quantitative risk assessment, is covered in the next video.
- Using information classification
- Selecting and implementing security controls
- Conducting ongoing risk management activities
- Comparing adware, spyware, and ransomware
- Dangers posed by advanced persistent threats (APTs)
- Understanding attackers
- Types of attacks, including networking and password attacks
- Social engineering attacks
- Scanning for vulnerabilities
- Business continuity and disaster recovery planning
- Managing vendor relationships