Organizations invest a lot of time and energy conducting risk assessments to ensure they’re adequately protecting their assets from attack. And while risk assessments are helpful for identifying how “at risk” an organization might be, it can be difficult for IT professionals to identify and address the specific threats and vulnerabilities behind that rating.

The Risk Assessment Framework is a Starting Point

Risk assessment frameworks have been developed in almost every industry to ensure organizations are adequately protecting the information of their customers, clients, patients, business partners, etc. These frameworks all follow the same basic process:

  • Step 1: Identify and document the scope and assets for the assessment.
  • Step 2: Consider the threats that could impact your assets.
  • Step 3: Identify potential vulnerabilities by defining what you are doing or not doing to mitigate the threats.
  • Step 4: Determine the likelihood that a threat (or threats) might exploit an identified vulnerability.
  • Step 5: Determine the impact of a successful threat event on the organization.
  • Step 6: Calculate the risk and potential impact of each threat.
  • Step 7: Document the results.

However, many organizations perform their risk assessments using a binary approach based on adherence to a best-practices controls framework. Common frameworks include HIPAA, NIST, ISO, COBIT, and PCI; they help to identify whether the organization is meeting best-practice guidelines.

The problem is that this checklist-based approach often leaves practitioners searching for information on how to address specific threats and vulnerabilities unique to their environment.

A Deeper Dive into Sources for Threat Data

Simply put, threats represent things that can go wrong. The thought of being able to anticipate everything that can go wrong is pretty daunting if you are starting from a blank sheet of paper. Thankfully, a number of authoritative sources have developed fairly comprehensive lists (taxonomies) of threats to get us started. Although a number of these lists are maintained, as a starting point, these two threat taxonomies are incredibly helpful:

  • The NIST SP 800-30 (Appendix E)—This special publication series represents a risk assessment methodology from the U.S. federal government and provides a detailed description of every potential threat an organization should consider.
  • ENISA’s Threat Taxonomy—This report summarizes the threat landscape seen in Europe in 2017, but it has global relevance and gives some clear insights into potential threats.

A Deeper Dive into Vulnerabilities

When it comes to identifying and addressing specific vulnerabilities, there are two things for organizations to keep in mind:

  • Evaluate your security program against a framework of best practices. To make sure you’re identifying all your potential vulnerabilities, it’s imperative that you tie the best practice controls back to the threat(s) that your framework is designed to mitigate. For example, if you are evaluating your risk for phishing attacks, you should examine your controls around user education, system hardening (i.e. configuration management), access control, and incident response among others.
  • Implement a vulnerability management program. Through regular technical scanning and penetration testing, a vulnerability management program allows you to identify the technical flaws in networks, operating systems, applications, and databases that may enable a threat. This is important, as these flaws often represent points of weakness (i.e. vulnerabilities) exploited by attackers.
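The seven-step process above and the advice to tie each control back to the threat it mitigates can be captured in a small risk register. The following Python is an added example, not code from this post or from the BALLAST product; the five-point qualitative scale is in the style of NIST SP 800-30, but the numeric mapping, the level thresholds, and the class and function names (`Control`, `ThreatScenario`, `rank_register`, `report`) are assumptions made for illustration, and the scenarios in `REGISTER` are constructed sample data.

```python
"""Minimal risk register: ties each threat scenario to the controls that should
mitigate it, treats a missing control as a vulnerability, and scores
likelihood x impact so results can be ranked and documented.

Added example. The qualitative scale follows the style of NIST SP 800-30, but
the numeric mapping and the level thresholds below are assumed values chosen
for illustration, not figures taken from the publication.
"""
from dataclasses import dataclass, field
from typing import List

# Qualitative scale mapped to numbers (assumed mapping).
SCALE = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    """A best-practice control and whether it is actually in place."""
    name: str
    implemented: bool


@dataclass
class ThreatScenario:
    """One threat acting on one asset (steps 1 and 2 of the framework)."""
    threat: str
    asset: str
    likelihood: str                       # key of SCALE (step 4)
    impact: str                           # key of SCALE (step 5)
    controls: List[Control] = field(default_factory=list)

    def vulnerabilities(self) -> List[str]:
        """Step 3: a vulnerability is a mitigating control that is not in place."""
        return [c.name for c in self.controls if not c.implemented]

    def score(self) -> int:
        """Step 6: risk = likelihood x impact on the assumed numeric scale."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def level(self) -> str:
        """Bucket the score into a reporting level (thresholds are assumed)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "moderate"
        return "low"


def rank_register(register: List[ThreatScenario]) -> List[ThreatScenario]:
    """Step 7: order scenarios so the highest risk is documented first."""
    return sorted(register, key=lambda s: s.score(), reverse=True)


def report(register: List[ThreatScenario]) -> List[str]:
    """One line per scenario: level, score, threat -> asset, and control gaps."""
    lines = []
    for s in rank_register(register):
        gaps = ", ".join(s.vulnerabilities()) or "none identified"
        lines.append(f"{s.level():8} {s.score():2}  {s.threat} -> {s.asset}; gaps: {gaps}")
    return lines


# Constructed sample register. The phishing scenario uses the four control
# areas named in the text: user education, configuration management
# (system hardening), access control, and incident response.
PHISHING = ThreatScenario(
    "phishing", "employee workstations", "high", "very high",
    [Control("user education", True),
     Control("configuration management", False),
     Control("access control", True),
     Control("incident response", False)],
)
LOST_LAPTOP = ThreatScenario(
    "lost or stolen laptop", "mobile endpoints", "moderate", "moderate",
    [Control("full-disk encryption", True), Control("remote wipe", True)],
)
POWER_LOSS = ThreatScenario(
    "facility power loss", "on-premises servers", "low", "low",
    [Control("UPS and generator", True)],
)
REGISTER = [POWER_LOSS, LOST_LAPTOP, PHISHING]

if __name__ == "__main__":
    for line in report(REGISTER):
        print(line)
```

Adding a scenario means naming the threat, the asset, the controls expected to mitigate it, and the two ratings; the register then shows, for each threat, which control gaps are the vulnerabilities to close first rather than only whether a checklist item was ticked.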

Take a Comprehensive Approach with BALLAST

If you’ve struggled to get the information you need for specific threats and vulnerabilities, you’re not alone. It’s a challenge we’ve heard from dozens of IT managers and cybersecurity practitioners. That’s why we designed BALLAST to help you go beyond the traditional risk assessment best practices. With BALLAST, you will be able to consider threats, vulnerabilities, likelihood, and impact. More importantly, you’ll know what action is needed to mitigate them.

To learn more about how BALLAST can help eliminate the confusion around threat and vulnerability sources, connect with our team today.

Mark Fulford

Mark Fulford, CISSP, CISA, ABCP, CRISC, is a Shareholder in the risk services division of LBMC, PC. With nearly 25 years of experience in information security audit and compliance, Mark understands how to translate technical jargon into actionable intelligence. With significant experience in healthcare, his expertise includes assisting companies with Sarbanes-Oxley, HIPAA & PCI, HITRUST compliance, as well as providing assurance to clients and their stakeholders through SOC 1 and 2 reporting engagements. More recently, his focus has been on helping organizations identify and manage information security risks through both guided and automated risk assessment techniques.