In this video, the concepts of extreme scenario and worst-case scenario planning are covered, including internal and external threats.
- Extreme Scenario and Worst-Case Scenario Planning is used to ensure the organization is thinking about and planning for catastrophic events before they occur. There are five distinct steps to conducting this type of planning. First, you need to analyze all the threats facing the organization. Second, you should determine what the organization wants to protect from those threats. Third, develop a scenario incorporating those threats and assets. Fourth, develop an attack tree for each scenario. And fifth and finally, determine the security controls used to protect the assets from the threats identified.
Now, we're going to dig a little bit deeper into each of those steps in this lesson. The first step is to analyze all of the threats facing the organization. These threats generally come in two categories: Internal Actors and External Actors. Internal Actors include employee threats, such as a disgruntled employee, untrained employees, or uncaring employees. Other Internal Actors are people that are conducting espionage against you, like governmental or corporate spies. Also, your own partners or vendors could become an internal threat to your organization.
External Actors include competitors, hackers, activists, vandals, terrorists, nation-state cyber attackers, and many, many others who exist outside your organization and want to do you harm. As you can see, these Internal and External Actors can further be classified into one of two distinct types: hostile or non-hostile. A good example of this was shown in the Internal Actors: a disgruntled employee is hostile, while an untrained or inept employee is not hostile, but is still dangerous to our operations.
When you analyze each of these threat actors, it can be helpful to rank and categorize them, based on different criteria. The most common criteria are skill level, resources, limits, visibility, objectives and outcomes. When we discuss skill level, this refers to the competency of the threat actor. Are they adept, average, minimally skilled or inept? Based on this, you can determine how much of a threat they really are to your organization. Resources refer to whether the threat exists as an individual, team, large team, organization, or even a nation-state or government.
Generally, the more resources a threat has, the more of a threat they are to your organization. Limits refers to how the threat operates. Do they follow a strict code of conduct? Legal guidelines? Or are they more chaotic? Knowing the threat's limits will help you predict what they might do when they're going against your organization. Next, we have visibility. Visibility refers to whether the threat actor cares if they get caught or not. Are they acting covertly like a spy? Or are they being more overt like an activist? Do they even care if they're caught by authorities? Sometimes they do, sometimes they don't, and that's where visibility comes into play.
Next, we have objective. An objective refers to the end state the actor is trying to accomplish. Are they trying to copy and steal your data? Or do they want to destroy your servers? Maybe they're trying to injure your personnel. What is the actor trying to go after? What is their goal? That's what objective is all about. Finally, we have the outcome. This refers to what they're trying to achieve through their attack on your organization. Are they trying to gain a business advantage, if they're your competitor? Or are they trying to embarrass you by stealing confidential information and posting it on the web? Whatever their outcome is, this is a threat you have to consider.
Now, based on these six criteria, your organization needs to analyze some of these threat actors. Maybe your organization will decide that you're only going to consider the worst-case scenario, like a very adept and skilled attacker who works as part of a large organization or government, who doesn't follow legal rules or a code of conduct. This threat actor may be clandestine, and desires to copy your information and give their country a technical advantage by stealing your intellectual property. Now, with this smaller list of threat actors in mind, we're then going to consider exactly what we need to protect inside our organization.
We call these our vital assets. After all, we're never going to have enough time, money, resources, or people to protect everything. So we have to focus on what is most important to our business and our business needs. From here, we're going to start constructing scenarios, and we're going to think about the what-ifs that may occur. For each scenario, a risk determination will be made, and the organization will develop an attack tree listing the steps and conditions that will be necessary for the attack to occur.
Finally, we're going to determine the security controls that could be used to mitigate the risk of the worst-case scenario being realized. Each security control should be mapped back to the steps and conditions of the attack tree, with the goal of disrupting the attacker's process.
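As an added example (not part of the course material), the following Python models steps three through five for the worst-case scenario described above: a constructed AND/OR attack tree for a state-backed actor stealing intellectual property, with security controls mapped back onto individual steps and a check of which attacker paths remain open. The tree contents, node names and the simplifying assumption that a mapped control fully blocks its step are all assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """Attack-tree node: leaves are attacker steps; AND needs all children, OR needs any one."""
    name: str
    gate: str = "LEAF"                                   # "AND", "OR" or "LEAF"
    children: list["Node"] = field(default_factory=list)
    controls: list[str] = field(default_factory=list)    # controls mapped to this step

    def is_disrupted(self) -> bool:
        # Simplifying assumption: a control mapped to a step fully blocks that step.
        if self.controls:
            return True
        if self.gate == "LEAF":
            return False
        results = [c.is_disrupted() for c in self.children]
        return any(results) if self.gate == "AND" else all(results)

    def open_paths(self) -> list[list[str]]:
        """Residual paths of unblocked leaf steps that still satisfy the tree ([] = disrupted)."""
        if self.controls:
            return []
        if self.gate == "LEAF":
            return [[self.name]]
        if self.gate == "OR":
            return [p for c in self.children for p in c.open_paths()]
        combined: list[list[str]] = [[]]                 # AND: cross-product of child paths
        for c in self.children:
            combined = [a + b for a in combined for b in c.open_paths()]
        return combined

def build_worst_case_tree() -> Node:
    """Constructed scenario: an adept, state-backed actor covertly stealing IP."""
    return Node("Steal intellectual property", "AND", [
        Node("Gain access to engineering network", "OR", [
            Node("Phish an engineer for credentials"),
            Node("Exploit an unpatched vendor VPN appliance"),
            Node("Recruit a disgruntled insider")]),
        Node("Locate and copy design documents"),
        Node("Exfiltrate the data", "OR", [
            Node("Upload to personal cloud storage"),
            Node("Copy to removable media")])])

def apply_controls(tree: Node, mapping: dict[str, list[str]]) -> None:
    """Step five: map each security control back onto the attack-tree step it disrupts."""
    if tree.name in mapping:
        tree.controls.extend(mapping[tree.name])
    for c in tree.children:
        apply_controls(c, mapping)
```

Calling `open_paths()` before and after `apply_controls()` shows which attacker routes a given control set leaves open; the scenario is only fully disrupted once every alternative under each OR node, or at least one required step under the root AND, is covered.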