11.15.2018

Solving the InfoSec Risk Equation

Last updated:
9.16.2020

Daniel Deter is the Manager of Information Security at Green House Data. Follow him on LinkedIn.

With all the talk about cloud security threats, it’s important to remember that no matter where your data and applications reside, you should consider your data insecure.

Fundamentally, security isn’t a hyper-complex enterprise; it’s not, as they say, rocket science. It often feels that way because the discipline is so broad in scope, encompassing both disparate technologies and governance frameworks. But the vast majority of risk can be mitigated by adhering to basic foundational security.

More to know: A review of breaches outlined within the Verizon 2017 Data Breach Investigations Report (DBIR) against the Center for Internet Security (CIS) top 20 critical security controls found that:

That basic foundational security can be expressed in one essential formula, which separates what is under your control as an IT security professional from what is outside your purview. The equation is as follows:

Assets + Threats + Vulnerabilities = Risk

If you have a data center, plus a hurricane, plus your data center is built below sea level, you have the risk of flood.

If you have protected health information (PHI/ePHI), plus hackers, plus immature security implementations, you have a risk of data spill or compromise.

Risk management is analogous to a big balloon that is being slowly filled up by three hoses. Once the balloon gets big enough, it will hit a thumbtack on the ceiling and *POP* — you’ve been breached. Your job, regardless of whether you’re C-level or a call center representative, is to manage the three hoses (i.e., assets, threats, and vulnerabilities) as much as you can.

What Can You Remove from the Risk Equation?

We can’t manage away the assets. You need your assets. They’re not only a part of your business, they are your business. We can’t get rid of the threats; they exist outside of our direct control (i.e., we can’t get rid of the hurricane, we can’t get rid of attackers). What we can manage is the vulnerability of our assets to those threats. When we talk about threats, we should segue into a dialog about vulnerabilities and how we can manage them.

How do you manage vulnerabilities? The top ones represent basic attack vectors. When we look at where major data breaches are occurring, it’s not with complicated Mission Impossible types of attacks. They stem from failures to adhere to basic security principles: prompt updating and patching in response to zero-day vulnerabilities; routine updates and patching; adequate identity and access management and password protocols; and, of critical importance, security awareness training.

More to know: Your personnel are your most vulnerable asset. According to the Verizon 2018 DBIR, on average, 4% of the targets in any given phishing campaign will click on it. And incredibly, the more phishing emails someone has clicked, the more likely they are to do so again.

Remotely hosted IT systems (e.g., the cloud) do come with their own set of risks. You should know which aspects of security you are responsible for and which belong to the cloud provider. The essential basics of information security risk management remain the same, though.

You can manage some aspects of risk from the rest of the equation. For example, asset management comes down to an inventory of what’s in your environment: knowing the software and hardware in use and where it is physically. Identity and access management comes down to knowing who has access to what and making sure that you adhere to the least privilege principle. The same goes for things like security awareness training, which makes sure your personnel are aware of risks and how they should respond to them.

But you can never shut off the hoses filling the risk balloon entirely. The easiest and most important category to focus on is vulnerabilities. Layering security throughout your environment by using monitoring, antivirus/antimalware tools, and patch compliance will help minimize vulnerabilities and the risk of data exposure.
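The inventory, least-privilege and patch-compliance checks described in the two paragraphs above are mechanical enough to script. The following is an added example, not code from the original post or from Green House Data: it keeps a small asset inventory (name, owner, location, installed software, granted rights), compares installed versions against a patch baseline, and flags principals holding rights beyond what their role needs. The inventory, the baseline versions and the role model are all constructed sample data, not real systems or advisories.

```python
"""Added example: asset inventory plus the two vulnerability checks the post
names (patch compliance and least privilege). All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Asset:
    """One inventory record: what it is, who owns it, where it lives, what runs on it."""
    name: str
    owner: str
    location: str
    software: Dict[str, str]                                   # package -> installed version
    rights: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> granted rights


# Constructed patch baseline: the minimum version treated as 'patched'.
# Placeholder numbers for illustration only, not taken from any advisory.
BASELINE: Dict[str, str] = {"openssl": "3.0.13", "nginx": "1.24.0", "sshd": "9.6"}

# Constructed least-privilege model: the rights each role actually needs.
NEEDED: Dict[str, Set[str]] = {
    "webapp": {"read:config"},
    "backup": {"read:data"},
    "ops": {"read:config", "restart:service"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.13' into (3, 0, 13) so versions compare numerically.
    Comparing the raw strings would wrongly rank '3.0.9' above '3.0.13'."""
    return tuple(int(part) for part in v.split("."))


def unpatched(asset: Asset, baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Packages installed below the baseline, as (package, installed, required)."""
    findings = []
    for pkg, installed in asset.software.items():
        required = baseline.get(pkg)
        if required and parse_version(installed) < parse_version(required):
            findings.append((pkg, installed, required))
    return findings


def excess_rights(asset: Asset, needed: Dict[str, Set[str]] = NEEDED) -> Dict[str, List[str]]:
    """Rights a principal holds beyond what its role needs (least-privilege gaps).
    A principal absent from the role model is treated as needing nothing."""
    gaps = {}
    for principal, granted in asset.rights.items():
        extra = granted - needed.get(principal, set())
        if extra:
            gaps[principal] = sorted(extra)
    return gaps


def vulnerability_report(inventory: List[Asset]) -> Dict[str, dict]:
    """Per asset, the two manageable vulnerability classes: missing patches and excess rights."""
    return {
        asset.name: {"unpatched": unpatched(asset), "excess_rights": excess_rights(asset)}
        for asset in inventory
    }


# Constructed sample inventory (hypothetical hosts, owners and locations).
INVENTORY: List[Asset] = [
    Asset("web-01", "ops@example.test", "rack 4 / DC-A",
          {"openssl": "3.0.9", "nginx": "1.24.0"},
          {"webapp": {"read:config", "write:data"},
           "ops": {"read:config", "restart:service"}}),
    Asset("db-01", "dba@example.test", "rack 5 / DC-A",
          {"openssl": "3.0.13", "sshd": "9.3"},
          {"backup": {"read:data"}}),
]

if __name__ == "__main__":
    for name, findings in vulnerability_report(INVENTORY).items():
        print(name, findings)
```

Run as a script it prints one line per asset; web-01 shows an out-of-date openssl and a webapp principal with a write right it does not need, while db-01 only shows an old sshd. The inventory record is the piece that makes the rest possible: you cannot patch or de-privilege a host you do not know you own.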
