Posts

Security Risk Assessment in The Internet of Things

Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the internet which “talk” to each other. This means that if your washing machine is connected to the Internet and reports its health information to the company’s cloud server, it qualifies as an IoT device. So, simply put, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together. The IoT is one of the most talked-about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential danger in case of exploitation. On identification of these risks, they are prioritized and countermeasures are adopte

Risk Analysis Approaches

Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – how much would you like your company’s risk to cost – $10,000, $20,000 or $50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of a color, a heat map or numbers. The two approaches to risk analysis are Quantitative and Qualitative. Let’s understand them. Quanti–tative Approach: this break will help you remember that this approach is related to numbers; “Quanti” refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify, or measure, the value of the risk in dollar terms. Let’s understand this through a simple example – There is a buildi

Risk Assessment Methodology

Having understood Risk Management and Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies for carrying out risk assessments. Each of them has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As security professionals, it is important for us to know the best approach for our organization and its needs. The first one is considered a U.S. federal government standard, NIST SP 800-30. It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation
The NIST risk management methodology is mainly focused on: a)

SSCP Video Course Domain : Risk Identification, Monitoring, and Analysis (Part 4)

SSCP Video Course Domain : Risk Identification, Monitoring, and Analysis (Part 3)

SSCP Video Course Domain : Risk Identification, Monitoring, and Analysis (Part 2)

SSCP Video Course - Risk Identification, Monitoring, and Analysis (Part 1)

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact if a threat agent exploits a vulnerability, in order to suggest security controls. There are many Risk Assessment methodologies available, such as NIST SP 800, FRAP, OCTAVE, Delphi etc., to assess the level of risk. In simple terms, risk assessment involves identifying weaknesses, threats and the potential danger in case of exploitation, and on this basis recommending certain countermeasures. Sounds simple? It is practically the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this simple, straightforward process so difficult to execute. You are a security professional and the CEO calls you to do the security assessment of the site at New Delhi. If you start doing the risk assessment in this case, I assure you that you will end up pulling your hair out in the end.

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market, with a focus on applications, hacking, malware and nowadays data breaches. Although these items are important to consider, they are an extremely small part of the overall information security puzzle. Consider an organization that designs nuclear reactors and another that provides cloud backup solutions. Would risk management be the same for both organizations? The answer is NO, as most of you would agree. Each organization would be vulnerable to certain threats which may threaten its business model. Every business exists to make money, and security becomes an issue only when this bottom line is affected. Risk Management should always be done with the objective that threats which are identified do not a

Understanding Control Types & Functionality

A safeguard, a control or a countermeasure is implemented to reduce the risk an organization faces. Let’s understand it through some examples.
1. A company puts in an antivirus solution to reduce the potential danger from malware.
2. Citizens put in steel gates at the entry of the streets in their areas.
3. A leading e-commerce company deploys a backup solution.
4. A person deploys CCTV at his home.
5. Since the organization could build a perimeter wall, it deploys security guards to man the area around the building.
What do all of these examples have in common? In all of them, we can sense that a mechanism has been deployed to reduce the potential danger which an organization or an individual faces. This mechanism reduces the level of risk and is called a control. There are 3 types of control which can be deployed:
1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. Also, know