Cyber Security Risk Assessment


Introduction

This document functions as a tool to help you complete your credit union’s IT risk assessment. Beyond this introduction, it includes three major sections, each of which includes some guidance on the section, then asks a series of questions to help you complete the risk assessment.

What is a cyber security risk assessment?

The FFIEC says it’s an

… identification and valuation of assets and an analysis of those assets in relation to potential threats and vulnerabilities, resulting in a ranking of risks to mitigate. The resulting information should be used to develop strategies to mitigate those risks.

In short, it’s an evaluation of IT assets in relation to threats, and how the credit union prioritizes and manages the risk.

Brace yourself

Completing an information systems/technology risk assessment is not something one does before breakfast. It will take more work than anyone probably wants to dedicate to it, and will likely require involvement from several people, even at a small credit union.

There are three broad steps to completing the risk assessment:
1. Gather data
2. Analyze data
3. Prioritize and plan

Each of these steps has a section below, with a description of what you’ll be doing in that section, followed by questions to guide you through the process. You can create a new document to use as your assessment, or you can work right in this document, providing your answers right in line after the questions. There are a few tables built into the appendices, which you may also find useful when completing a few steps.

By way of further explanation, each step can be broken down in the following way:
1. Gather data
   a. What information do you have?
   b. What technology assets do you have? What are the systems?
   c. What are your oversight controls?
2. Analyze data
   a. Threats
   b. Vulnerabilities
   c. Control effectiveness
   d. Assign risk rating to information and systems
3. Prioritize
   a. Given the credit union’s data, threats, vulnerabilities, and controls, determine the credit union’s largest risks
   b. Develop a risk mitigation strategy

So, settle in, put on your thinking cap, and every now and then step away to take a deep breath and remind yourself that it doesn’t have to be completely done right now. Making progress is the important thing.

About the help provided in this document

To assist you in conducting this assessment, we’ve gone ahead and completed many sections of the assessment as if we were a small, one-location credit union. This includes several tables in different sections. You might find this sample language useful to either keep or modify. All such sample language is denoted as such. If you modify or keep the sample language, be sure to remove the notes that it’s sample language, and make sure it accurately describes your credit union.

Gather data

This, our first step, will consist of gathering information. You may be able to pull some of it out of your brain, but some of it will require gathering (or referencing) other documents. In some cases, you (or someone else) may need to create the documents if you want to do a very thorough risk assessment.

Note that it’s entirely plausible that the first time through this risk assessment, you will leave some items incomplete, with the intention of creating the reference documents later on. Which is fine. After all, something is better than nothing. So get done what you can now, and plan to complete the rest later on.

Here are the broad questions we’re going to address:
1. What information do you have?
2. What technology assets do you have? What are the systems? This will include hardware, software, and connections.
3. What are your oversight controls?

What information does your credit union have?

Answer this question with a basic narrative about the information you house at your credit union. Here’s an example:

At XYZ FCU, we retain information about our members, such as their personally identifying information, and information about their personal finances—such as account balances and history. We also keep information about their employment, wages, and credit scores and history. We also keep information about how they access their own information, such as with user names and passwords. This is highly sensitive data.

We also keep information about the credit union. This is broad, far-reaching information, and includes every aspect of our operations. It ranges from internal accounting and transaction information to policies and procedures to security details to general operational information. We also have information about our employees, including personal information, and our vendors, including security practices.

In order to provide more details, list all of the information that your credit union keeps. Below is a sample chart you can use to list your member, credit union, and vendor information.

Member information

What member information does your credit union have? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Member Information | Description | Sensitivity |
|---|---|---|
| Account information | Balances, history, transactions, numbers, meta information | 5 |
| Nonpublic personal information | Birth dates, SSNs, addresses, phone numbers, email addresses, employment data, pay/salary data | 5 |
| Credit history | Scores, history, details of credit reports | 5 |
| Loan | Opening dates, opening balances, payment due dates, payment history | 5 |
| Generated information | Internal risk score, online or mobile banking history, passwords | 4 |

Credit union information

What information about your credit union does your credit union have? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Credit Union Information | Description | Sensitivity |
|---|---|---|
| Accounting information | Internal account info, GLs, internal accounting practices, expenses, balance sheet, income statement, ALM, ALCO | 3 |
| Investment information | Balances, start date, end date, rate of return | 2 |
| Employee information | Pay, history, nonpublic personal, disciplinary, direct deposit | 5 |
| Network architecture | End-user devices, network devices, port settings, connection setup | 5 |
| System access control information | User names and passwords, privileges, activity logs | 5 |
| Practices | Procedures, policies, combinations, codes, strategy, facilities, training, internal security, robbery procedures, pricing methodology and history for rates and fees, marketing, collections | 4 |

Vendor

What information do you have about vendors? Once you have listed all types of applicable information, use the third column to classify the sensitivity of the data, on a scale of 1-5, with 1 being not sensitive at all, and 5 being of the highest degree of sensitivity.

| Vendor Information | Description | Sensitivity |
|---|---|---|
| Account information | Log-in information, account numbers, contacts on account | 5 |
| Security practices | Log-in information, event timing | 5 |
| Policies and practices | | 3 |

What connections does the credit union have?

Describe the network connections inside the credit union, as well as those to outside the credit union.

The credit union has multiple connections to outside the credit union. The primary connection is an Internet connection through Comcast Business Services. This connection is managed through a cable router that connects to a firewall that filters and directs all Internet traffic. Other external connections take place via this Internet connection: connection to our home banking provider, to our service bureau provider, to our credit report provider, to our backup service, and many more. All of these connections are encrypted. General connection to the Internet is encrypted only when websites (such as our corporate credit union and batch processing provider) or specific services encrypt data.

We also have external connections through phone lines. We have a T1 connection that connects to our PBX system, which directs and manages phone calls. In addition, we have a phone line dedicated to our security system, as well as company cell phones used by a few employees. We have one direct, dial-in connection to some archaic third-party provider.

Internally, all of our computers (desktop PCs, servers, etc.) are connected to each other via a local area network managed by a router. Most of the devices on this network are also connected to the Internet through the router and firewall.

List your connections. Connections can include physical connections, such as phone lines or Internet connections, and virtual connections through the Internet to business partners, such as always-on access to an external resource. Include VPNs, Telnet, etc.

In the first and second column, name and describe the connection.

In the third column, assess the importance of the connection based on the function of the connection, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one connection can be ranked 5.

| Connection | Description | Importance |
|---|---|---|
| Landline into office | Provided by: XXXXXX. This is a T1 with XXXXX lines and we have a PBX system administered by XXXXXX. | 4 |
| Internet into branch | Provided by Century Link. | 5 |
| Cell phone | Provided by Verizon. We have X employees with cell phones. | 4 |
| WiFi | A wireless router | 5 |
| Direct-connection to core processor | Through the Internet, to our data processor, which houses all of our data and storage. This connection is on constantly. | 5 |
| Direct dial connection to home banking | This connection comes IN to our server, through the Internet, from our home banking provider. | 5 |
| Mobile app connection | This comes into our server from our app provider, via the Internet. | 5 |
| Alarm system line | A phone line directly to the alarm company | 5 |
| Internal network connections | Each PC, server, and printer is connected to the network via a CAT 5 network cable. Also, all router devices are connected via a CAT 5 cable. | 5 |

In addition, it would be great to provide a network map detailing internal and external connectivity, and their interconnections. This chart should show routers, access points, firewalls, intrusion detection systems, servers, and backup systems.

What hardware does the credit union use?

List all of the hardware that comprises your system. Be as specific and comprehensive as possible. In the first and second column, name and describe the hardware. In the third column, assess the importance of the hardware based on the function of the hardware, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one piece of hardware can be ranked 5.

| Hardware | Description | Importance |
|---|---|---|
| Core processing system | Houses our core system, which has all of the member and credit union account information | 5 |
| Desktop PCs (7 of them) | One sitting at each employee’s desk, and several shared PCs in the teller line. | 5 |
| Receipt printers | One connected to each computer on the teller line, and each frontline employee’s computer | 3 |
| Check printer | One connected to all of the teller computers, another to the accounting office, and a third to the loan officers’ computers | 4 |
| General purpose printers | One connected to the teller line, another to the loan staff, and a third in the back-office. | 3 |
| Copier/scanner | Connected to the network directly. Not directly accessible by any single user from any computer. | 3 |
| Mobile phone | One for the president of the CU. | 3 |
| Laptop PC | The president’s primary PC and workstation. This is taken offsite every day. | 5 |
| PBX system server | The phone system that directs and manages calls. | 3 |
| Desk phones/landline phones | Connects to a switch | 4 |
| Phone switch/router | Logically, this sits between the PBX system server, and the phones. | 5 |
| Network switch/router | Logically, this sits right inside the firewall. It assigns IP addresses to all network devices, including servers, PCs, printers, etc. | 5 |
| Firewall | Receives the Internet connection from the Century Link router, and manages traffic in and out of the CU’s internal network. | 5 |
| Mail server | Manages email | 5 |
| File server | Manages files and network drives | 5 |
| Backup drive | Functions | 5 |
| Signage PC | Manages the outdoor signage. | 3 |
| Lobby display PC | Manages the images and video that splash across the display in the lobby. | 3 |
| ATM | | 5 |
| Alarm system | Connects | 5 |
| Internet Router | This connects directly to the Internet, and feeds the Internet into the firewall device. | 5 |
| Wireless router | Connects to the Network switch/router and provides wireless access to the Network | 5 |
| Video surveillance PC | A computer running the surveillance system | 5 |
| Surveillance cameras | Cameras recording activity around the credit union | 5 |

What software does the credit union use?

Make a list of all the software in use at your credit union, including operating systems and firmware of devices that don’t have operating systems. Include:
- Operating systems
- Core data processor
- Other mission critical software
- Office software
- Web browsers
- Databases and files that contain critical and/or confidential information
- Software inventories

In the first and second column, name and describe the software.

In the third column, assess the importance of the software based on its function, the criticality of the data it supports, and the sensitivity of the data it transmits. Rank the importance on a scale of 1-5, with 5 being the most important. More than one piece of software can be ranked 5.

| Software | Description | Classification |
|---|---|---|
| Core processing system | The primary database that manages member account information, accounting information, etc. | 5 |
| Core processing system OS: UNIX, Windows XX, or something like that | The operating system of the server that runs our core processor | 5 |
| Desktop PC OS | Windows XX | 5 |
| Laptop PC OS | Windows XX | 5 |
| Web browser: Firefox, Internet Explorer, Safari, or Chrome | Sits on each PC, including desktops, laptop, servers, signage and lobby display PCs | 5 |
| Microsoft Office Suite | Spreadsheet, word processing, and presentation software. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Adobe Acrobat Reader | Used for viewing documents. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Java Runtime Environment | A plug-in used for many programs and web applications. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Flash | A plug-in used for a lot of web sites. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 3 |
| Webex Client | For viewing webinars online. Sits on each PC, including desktops, laptop, signage and lobby display PCs | 2 |
| Image-editing software | | 2 |
| Network switch/router firmware | Used to run and configure the network switch/router | 5 |
| Firewall firmware | Software running and configuring the firewall. | 5 |
| Mail server OS: Windows XX | OS running the mail server | 5 |
| File server OS: Windows XX | OS running the file server | 5 |
| Backup software | Automatically runs a backup each day to a backup media/device | 5 |
| Signage PC OS: Windows XX | Runs the signage PC | 2 |
| Signage PC software | Software that runs the signage | 2 |
| Lobby display software | Runs the images and videos splashing across the lobby marketing display | 2 |
| Lobby display PC OS: Windows XX | Runs the lobby display PC | 2 |
| ATM software | Used to run and configure the ATM | 5 |
| Alarm system software | Used to configure the alarm system | 5 |
| Internet Router Software | The software that runs and configures the internet router. | 5 |
| Video surveillance software | Used to record and review video surveillance | 5 |

Where is the information kept?

Here is an example:

At XYZ FCU, we keep information in both physical and electronic formats. Our physical information is kept on papers, files, and books. These are stored in secured rooms, drawers, and cabinets.

We keep member transaction information in our core processing system’s database. Much of the credit union information is kept on a system of shared network drives, with access given to employees based on their job function and security clearance level. This electronic information is generally kept on network servers, but some job-specific information is kept on desktop PCs and backed-up to a cloud storage service. Each night, information is also backed up to servers at a remote, secure location.

How is access to information controlled?

Describe how information is accessed, stored, transmitted, protected, and eventually disposed of. Here is a basic example:

Information kept in a physical form (on paper) is always stored behind a locked door or drawer. Accessing it requires having the key to open the lock. Within the credit union, it is always hand-delivered, so that it is never out in the open, or placed in a sealed envelope. It is always shredded when we are done with the information.

Electronic information is accessed on computers. To access a computer, a user must authenticate using a username and password. Access to information is given as needed based on the access level assigned to the user. Within our internal network, data is not encrypted in transit, but when sent outside the network, data is encrypted. It is stored in an encrypted format. When storage devices have reached the end of their lives. Items such as flash drives and removable drives are only allowed to be used in rare circumstances by select employees. Only brand new devices can be connected to a computer; devices that have been previously connected to their computers cannot be connected to any credit union computers.

In addition, describe the oversight controls in place. For example, what policies and procedures do you have in place to manage your IT system? There’s no need to provide great detail here, but at least mention what policies and procedures you have, and describe them a little. Also include information about training and other cultural controls.

| Control | Description |
|---|---|
| Computer security and control | Outlines the general guidelines for running the IT program. |
| User access agreement | An agreement that each user must sign, outlining duties and responsibilities in relation to system access. |
| Security training | Mandatory annual training about social engineering, and computer, email, Internet, and other security |
| Patch Management Policy | Outlines proper ways to manage software patches |
| Firewall policy | Outlines proper way to configure the firewall |
| Computer software and hardware acquisition policy | Outlines the process for adding additional software or hardware to the system |
| Remote access policy | Outlines requirements for remotely accessing system resources |
| Cloud computing policy | Outlines requirements for utilizing cloud services |
| Security policy | Outlines general physical facility and physical information practices |
| Information security policy | The primary IT policy, outlining general practices and guidelines for maintaining a secure environment |
| Incident response policy | Practices for responding to an IT security incident |
| Intrusion detection system | Monitors for intrusion throughout the system continuously |
| IT Audit | Completed annually to ensure our IT program is working the way it should work |
| Personnel security policy | Policy outlining background checks and behavior monitoring |
| Vendor contracts | Specify security, service levels, and other requirements for partners |
| Cyber security insurance | Provides a benefit in the case of an incident, provided we are following our policies and procedures |

The credit union utilizes policies to set general practices in place. These policies control everything from firewall configuration to destruction of unneeded storage devices to user access and to password requirements to configuration of the network. The policies require controls such as training and evaluation of employees, an annual IT audit, vendor contract management, and more.

In addition, it would be great to provide detailed hardware and software configurations. For example, how are desktop PCs and servers configured? How are their user accounts set up, and their access to network drives?

Another useful document is a system architecture diagram. It should provide: service provider relationships, where and how data is passed between systems, and the relevant controls in place. This may be part of the network map provided under the “Connections” section, above.

Analysis

In this section of the risk assessment, we will analyze the information we have gathered. The goal is to determine what risk we have, where, and the adequacy of our controls in mitigating that risk. We will complete this in several steps:
1. Analyze the sensitivity of data and systems
2. Analyze threats, threat agents, and vulnerabilities
3. Analyze control effectiveness

Analyze the sensitivity of data and systems

Using the tables in the section above, you should have already evaluated the sensitivity and importance of data, connections, hardware, and software.

About threats and vulnerabilities

It’s time to analyze threats and vulnerabilities. The point is to determine which threats or vulnerabilities deserve priority attention relative to the value of the information or information systems being protected. Although threats and vulnerabilities need to be considered simultaneously, it is important to distinguish threats from vulnerabilities.

Threats are events that could cause harm to the confidentiality, integrity, or availability of information or information systems. They can be characterized as the potential for agents exploiting a vulnerability to cause harm through the unauthorized disclosure, misuse, alteration, or destruction of information or information systems. Threats can arise from a wide variety of sources, called threat agents.

Identify threats

In this section, we want to identify threats. In other sections, we will identify threats’ potential impact, and evaluate their probability of happening.

Below, a series of specific questions is designed to help you eat this elephant one bite at a time. Examples of how you might answer these questions are provided after each question, indented.

What are the threats to your data?

As you answer this question, do not think in terms of threat agents. We’ll get there. For now, simply think of “what could happen to our data?” If necessary, provide an explanation of the threat.

Our data could be:
- Copied without permission
- Disclosed to people who have no right to know it
- Deleted
- Corrupted en masse
- Held hostage
- Modified selectively: for example, small amounts—hardly noticeable—changed on many accounts. Or, one account modified. Or contact information on an account modified.

What are the threats to your connections?

Think in general terms about your connections. If necessary, provide an explanation of the threat.

Our connections could be:
- Shut down: for example, completely turned off. Perhaps physical wires could be cut.
- Overloaded. Perhaps too much traffic could be sent through a connection, so that nothing of importance could get through.
- “Eavesdropped” on. Someone might access, monitor, copy, or selectively modify traffic on a connection.
- Used for inappropriate purposes: authorized persons use the connection for inappropriate purposes.
- Piggybacked on: unauthorized persons use our connection for their own purposes.

What are the threats to your hardware?

Think in general terms about your hardware. If necessary, provide an explanation of the threat.

- Failure: hard drives, power supplies, system boards, memory, etc. could fail, thereby rendering the hardware useless.
- Theft: hardware might be stolen
- Modification: for example, a key-logger added to a device.
- Damage or destruction: someone might purposefully destroy or damage hardware.

What are the threats to your software?

Think in general terms about your software. If necessary, provide an explanation of the threat.

- Reconfiguration: software may be reconfigured in unauthorized ways so that it does things it is not meant to do, or so that it allows access in ways it should not
- Modification: modification changes what software does or how it works
- Deletion/uninstallation
- Installation: unauthorized software may be installed on hardware

Identify threat impact

Here, we want to identify what the impact could be if a threat were realized. This will likely be tedious. Hang in there. This table will be large.

To do this, take each of the threats identified in the previous section, and plug them into the table below. The table asks you to evaluate the potential impact in the following aspects:
- Data integrity, confidentiality, and availability of information;
- Costs associated with finding, fixing, repairing, and restoring a system;
- Lost productivity;
- Financial losses; and
- Other issues affecting the institution’s operations, and reputation.

If you wanted to get crazy, you could consider each type of data, connection, hardware, and software in conjunction with each of the threats. That’s really, probably what would happen in an ideal world. Maybe the second or third or fourth time you do this risk assessment, you should do that. However, to simplify this effort, the first time you do this risk assessment, consider all of your data, connections, hardware, and software as a whole, as if all of them were of the utmost sensitivity and importance.

In each square of the grid, assign a number value for the potential impact, with 1 being low and 5 being high. Then, provide an explanation where it makes sense.

The grid has five columns per threat: impact on data integrity, confidentiality, and availability of information; costs associated with finding, fixing, repairing, and restoring a system; impact on productivity; financial losses; and other issues affecting operations and reputation. The sample grid, one threat at a time:

Data: copied without permission
- Data integrity, confidentiality, and availability: 1
- Costs of finding, fixing, repairing, and restoring: 1. This would cost, just not for the reasons listed in the column header.
- Productivity: 3. This could impact management’s productivity as it copes with the potential problems that arise from someone getting our data.
- Financial losses: 4. The copying of data, itself, is not the problem. The problem is what is then done with that data, and correcting it. There would be significant costs both in staff time and financial resources in correcting the problems.
- Operations and reputation: 5. If our data were copied by an unauthorized party, they could use that data for any number of purposes that would damage our operations and cause us to spend significant resources correcting the problem. Of particular concern: the reputation hit that our credit union would take.

Data: disclosed to people who have no right to know it
- Data integrity, confidentiality, and availability: 5. By definition, if the data were disclosed to unauthorized persons, it is no longer confidential.
- Costs of finding, fixing, repairing, and restoring: 1. This would cost, but not for the reasons listed above.
- Productivity: 3. This could impact management’s productivity as it copes with the potential problems that arise from someone getting our data.
- Financial losses: 4. The copying of data, itself, is not the problem. The problem is what is then done with that data, and correcting it. There would be significant costs both in staff time and financial resources in correcting the problems.
- Operations and reputation: 5. If our data were copied by an unauthorized party, they could use that data for any number of purposes that would damage our operations and cause us to spend significant resources correcting the problem. Of particular concern: the reputation hit that our credit union would take.

Data: deleted
- Data integrity, confidentiality, and availability: 5. If our data were deleted, it would not be accessible. We would need to restore it. If the backup were also deleted, this could be crippling, and perhaps destroy the credit union. Imagine: all of our members’ history, balances, etc.—gone.
- Costs of finding, fixing, repairing, and restoring: 3. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities, and potential increases in staff time to manually do some things.
- Productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending on the type of data deletion, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 3. With a backup working properly, financial losses will mostly take the shape of lost opportunities and staff time.
- Operations and reputation: 5. Again, depending on the data deleted, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits.

Data: corrupted en masse
- Data integrity, confidentiality, and availability: 5. This is the epitome of data not having integrity. At this point, we cannot rely on any of the data, and will need to restore a backup.
- Costs of finding, fixing, repairing, and restoring: 4. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities, and potential increases in staff time to manually do some things.
- Productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending on the type of data corruption, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 3. With a backup working properly, financial losses will mostly take the shape of lost opportunities and staff time.
- Operations and reputation: 5. Again, depending on the data corrupted, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits, especially if information about the threat went public.

Data: held hostage
- Data integrity, confidentiality, and availability: 5. Data being held has many potential problems. Suddenly its integrity, confidentiality, and availability are all called into question. Even if data remained available, what is the guarantee that it’s confidential and accurate?
- Costs of finding, fixing, repairing, and restoring: 4. Under normal circumstances, with a backup working properly, costs should be minimal to restore data. Until it is restored, however, our operations would be interrupted, which would mean lost opportunities, and potential increases in staff time to manually do some things.
- Productivity: 5. Significant hits in productivity across the credit union. Some activities would grind to a complete halt. Depending what is held for ransom, some activities might continue relatively unharmed. But if it is member data, impact is very high.
- Financial losses: 5. Financial loss could be very high if we pay a ransom for our data, and especially if we pay and then lose our data. The cost to regain it could be drastic, especially if our backup is not working.
- Operations and reputation: 5. Again, depending on the data held hostage, some areas will be drastically affected, while others not so much. Some operations could continue in a manual mode, but others would be completely shut down. Either way, our reputation would take big hits, especially if information about the threat went public.

Data: modified selectively
- Data integrity, confidentiality, and availability: 5. This is a particularly insidious threat, because it may go unnoticed for a long time, and would compromise integrity and confidentiality of all data.
- Costs of finding, fixing, repairing, and restoring: 5. This would require significant resources and effort.
- Productivity, financial losses, operations and reputation: not yet scored in the sample.

The remaining rows of the sample grid are left blank for you to complete:
- Connections: shut down
- Connections: overloaded
- Connections: eavesdropped on
- Connections: inappropriate use
- Connections: piggybacked on
- Hardware: failure
- Hardware: theft
- Hardware: modification
- Hardware: damage or destruction
- Software: reconfigured
- Software: modified
- Software: deleted/uninstalled
- Software: installation
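Because the grid is large and usually lives in a spreadsheet, a small script can rank the rows and flag the squares still left blank. The following is an added example, not part of the original guide: it reads a CSV export of the grid (the column names and the CSV layout are assumptions), rejects any score outside the 1-5 scale, ranks each threat by its worst aspect with the row total as tie-break, and reports which rows in each asset category still need work.

```python
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Short column names for the five impact aspects of the grid (assumed names).
ASPECTS = ("integrity", "costs", "productivity", "financial", "other")

# Constructed sample input: the six data rows scored in the sample grid above,
# plus the thirteen connection/hardware/software rows that were left blank,
# as they would look when exported from a spreadsheet.
GRID_CSV = """\
threat,integrity,costs,productivity,financial,other
Data: copied without permission,1,1,3,4,5
Data: disclosed to people who have no right to know it,5,1,3,4,5
Data: deleted,5,3,5,3,5
Data: corrupted en masse,5,4,5,3,5
Data: held hostage,5,4,5,5,5
Data: modified selectively,5,5,,,
Connections: shut down,,,,,
Connections: overloaded,,,,,
Connections: eavesdropped on,,,,,
Connections: inappropriate use,,,,,
Connections: piggybacked on,,,,,
Hardware: failure,,,,,
Hardware: theft,,,,,
Hardware: modification,,,,,
Hardware: damage or destruction,,,,,
Software: reconfigured,,,,,
Software: modified,,,,,
Software: deleted/uninstalled,,,,,
Software: installation,,,,,
"""


@dataclass(frozen=True)
class ThreatRow:
    """One grid row: the threat label and its five squares (None = blank)."""
    threat: str
    scores: Tuple[Optional[int], ...]

    @property
    def category(self) -> str:
        # "Data: held hostage" -> "Data"
        return self.threat.split(":", 1)[0].strip()

    @property
    def assessed(self) -> List[int]:
        return [s for s in self.scores if s is not None]

    @property
    def complete(self) -> bool:
        return len(self.assessed) == len(ASPECTS)


def parse_cell(raw: str) -> Optional[int]:
    """Blank square -> None; otherwise enforce the 1-5 scale the grid uses."""
    raw = raw.strip()
    if raw == "":
        return None
    value = int(raw)
    if not 1 <= value <= 5:
        raise ValueError(f"impact score outside the 1-5 scale: {value}")
    return value


def load_grid(text: str) -> List[ThreatRow]:
    rows = []
    for record in csv.DictReader(io.StringIO(text)):
        scores = tuple(parse_cell(record[a]) for a in ASPECTS)
        rows.append(ThreatRow(record["threat"].strip(), scores))
    return rows


def impact_score(row: ThreatRow) -> Tuple[int, int]:
    """Worst single aspect first, then the total of scored squares as tie-break."""
    scored = row.assessed
    return (max(scored), sum(scored)) if scored else (0, 0)


def rank_threats(rows: List[ThreatRow]) -> List[str]:
    """Threat labels from highest to lowest impact; unscored rows sink to the end."""
    return [r.threat for r in sorted(rows, key=impact_score, reverse=True)]


def unassessed(rows: List[ThreatRow]) -> List[str]:
    """Rows with at least one blank square, i.e. work left for the next pass."""
    return [r.threat for r in rows if not r.complete]


def gaps_by_category(rows: List[ThreatRow]) -> Dict[str, int]:
    """Count of incomplete rows per asset category (Data, Connections, ...)."""
    counts: Dict[str, int] = {}
    for r in rows:
        if not r.complete:
            counts[r.category] = counts.get(r.category, 0) + 1
    return counts


if __name__ == "__main__":
    grid = load_grid(GRID_CSV)
    for row in sorted(grid, key=impact_score, reverse=True):
        print(impact_score(row), row.threat)
    print("rows still to assess, by category:", gaps_by_category(grid))
```

The ranking treats the worst single square as decisive, which matches the first-pass advice above to treat everything as if it were of the utmost sensitivity; on a later pass you can replace `impact_score` with whatever weighting your credit union settles on.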

Threat agents

Threats can arise from a wide variety of sources, called threat agents. Traditionally, the agents have been categorized as internal or external. You’ll need to identify threat agents. Each one identified may have different capabilities and motivations, which may require the use of different risk mitigation and control techniques and the focus on different information elements or systems. Natural and man-made disasters should also be considered as agents.

List your threat agents and describe the threats they pose.
• Internal threat agents: all of our internal threat agents could cause security incidents on purpose or by accident. All internal threat agents have varying degrees of access to our data, systems, connections, and software. Internal threat agents are a common weak link across all industries. Any of the following internal threat agents may cause incidents due to malicious intent, incompetence, carelessness, or any number of reasons.
  o Employees
  o Volunteers
  o Third-party service providers: Our providers have different access than our employees—they may not (but some may) have access to our member data, but may have access to how our systems are set up, and some would even have the ability to change system settings. They may even make recommendations for changes to our settings, and due to a lack of expertise in technical matters, we may agree with the need for the change.
  o Former insiders: these people leave our organization with knowledge of our systems, practices, and policies. They may have information about how to access systems, or how to get around controls. If their user accounts are not removed, they may retain access into our systems. As with other internal threat agents, they may cause security incidents on purpose, or by accident.
• External threat agents: motives of external threat agents vary, as do capabilities. Their goals may also vary, from stealing information to modifying data, to just having fun. Some may want to cause destruction or disruption. All of these agents, however, could potentially realize any of the threats listed above. External threat agents include:
  o Criminals
  o Recreational hackers
  o Competitors
  o Terrorists
• Natural and man-made disasters: these agents include things like earthquakes, floods, terrorist attacks, man-made accidents (vehicle or airplane crashes), and more. Basically, anything that could cause widespread or local destruction.
These threat agents have significant potential to disrupt operations. They may destroy hardware and connections. They may cause significant distraction that would allow for more social engineering.

Identifying vulnerabilities Vulnerabilities can be characterized as weaknesses in a system, or control gaps that, if exploited by a threat agent, could result in the realization of a threat. In other words, threat agents exploit the vulnerability. The vulnerability is the means by which the threat agent accomplishes something.

The challenge in identifying vulnerabilities is that many of them are technical in nature, and very specific. There’s a super good chance that you, the person doing this assessment, aren’t a technical person and that you can’t identify the specific (and maybe even general) technical vulnerabilities. The good news is that you’ve just identified a vulnerability. It should be part of the risk assessment. The bad news is that this particular vulnerability often translates into intimidation and confusion, and could lead to a lack of action.

Don’t let that vulnerability stop you from proceeding. Do what you can. Seek input from others. And improve your assessment as you go along. In the end, as you complete this risk assessment multiple times, as your institution becomes more aware in more specific ways, you will be able to add more detail into the vulnerabilities.

Identify the vulnerabilities in your IT system. What parts of your system could be exploited? How might they be weak? Be as specific or general as you feel appropriate. Address all aspects of the system: hardware, software, controls, connections.

• We have connections to the outside world that could be exploited.
• Our data needs to be accessed by a wide range of people, and could be intercepted at any point.
• We have people involved in the system; they may not follow established procedures and processes for any number of reasons: deception, dishonesty, laziness, forgetfulness, incompetence, etc.
• We have hardware that exists in physical space. This hardware could be destroyed or compromised.
• We must have some ports on our firewall open so traffic can get through.
• We have very little technical knowledge on staff. This is a vulnerability because we rely on one person (or one outside group) for technical expertise. The work of that one person is not checked or verified by anyone inside our institution. We have no idea if they are doing what they're supposed to be doing.
• We have not catalogued or established requirements for all of our controls.
• We have policies and controls specified in place, but do not audit to make sure the policies are followed.
• Our policies tend to focus on controls for employee procedures, rather than technical configuration of equipment and software. So, our technical controls may not be as strong as they need to be.
• We do not audit our employees for compliance with security procedures, and we do not formally review their performance.
• We do not filter web content; employees can access any website and click on any link.
• We do not have virus protection on all our machines.
• Our email program does not scan attachments for malware.
• Any of our employees can install software on the workstation computers.
• We do not run continuous penetration detection.
• We do not monitor and log all activity on the servers and through connections.
• We have no way to audit our third-party service providers' security practices.
• Some of our contracts with third-party providers do not specify security service levels.
• We do not have redundancy built into our security devices (firewall).
• Our penetration testing is done only once a year, leaving us open to potential issues for long periods of time.

In addition, we have many of the usual expected vulnerabilities, which can reasonably be anticipated to arise in the future:
• Unpatched software,
• New and unique attack methodologies that bypass current controls,
• Employee and contractor failures to perform security duties satisfactorily,
• Personnel turnover resulting in less experienced and knowledgeable staff,
• New technology introduced with security flaws, and
• Failure to comply with policies and procedures.

Control effectiveness
It's time to identify controls that mitigate the impact or likelihood of each identified threat agent exploiting a specific vulnerability. Controls are generally categorized by timing (preventive, detective, or corrective) or nature (administrative, technical, or physical). We also need to measure their effectiveness and compliance with controls, which may be done via self-assessments, metrics, independent tests, etc.

What preventative controls are in place? Preventive controls act to limit the likelihood of a threat agent succeeding.

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
Firewall | Restricts and directs all traffic into the network from outside the network. Denies all unauthorized traffic. | Periodic penetration testing is completed. | High
Network intrusion prevention systems | Monitors the system for unauthorized access. Logs all activity. | |
Antivirus software | Ensures that malicious software is not installed on computers. | |
User access controls | Specifies which resources each user has the rights to access, during what hours. | |
Removal of default accounts | Default admin and guest accounts are removed. | |
Password controls | Specifies the length and complexity of passwords. | |

What detective controls are in place? Detective controls identify harmful actions as they occur.

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
Intrusion detection system | Monitors all network traffic to determine if it is normal or not. Non-normal activity is halted and reported immediately. | |
Access monitoring | Monitors all folders and logs all activity into folders, and notifies administrators of unusual activity. | |
Honeypot | Functions as a relatively target for hackers to hit, but serves no business purpose. This is the trap to catch hackers. | |

What corrective controls are in place? Corrective controls facilitate the termination of harmful actions, and reduce damage.

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
Fail safe policies | Requires that if resources fail, they fail to a safe and protected mode. | |
Workstation images/restoration | An image is made of each workstation once it is properly configured, so that if something goes wrong with the workstation, it can easily be restored to a clean state. | |
Backups | Backups of all critical data allow for restoration of key data. | |

What administrative controls are in place?

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
Contracts with providers | Contracts with providers specify duties of providers related to security, and allow for auditing and reporting of their security measures. | |
Training on security | Employees are trained annually on security practices. | |
End-user agreements | Employees are required to sign agreements on how they are allowed to use, and will use, credit union resources. | |

What technical controls are in place?

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
User permissions | | |
Port filtering | | |
DNS placement | | |
User account authentication | | |
Data encryption | | |

What physical controls are in place?

Control | Control description | How effectiveness of control is measured | Effectiveness level (high, moderate, low)
Locks on doors | Doors with servers and networking equipment behind them are always locked. Offices not being used have their doors closed and locked. | |
Cabinets for computers | All desktop computers are kept in locked cabinets at desks. | |

Probability of threat agents exploiting vulnerabilities to realize a threat, given controls in place
Using scenarios, analyze the probability of different threat agents causing damage. These scenarios should consider your credit union's:
• Business strategy,
• Quality of its control environment, and
• Its own experience, or the experience of other institutions and entities, with respect to information security failures.

You cannot possibly review all possible scenarios. Instead, select general scenarios, or those most likely to happen, and review them in the chart below. Start with 10 the first time. Edit them next time, and add others. In the probability, simply assign a value of probable, highly possible, possible, and unlikely, and then explain why that probability is assigned, especially considering all of the controls in place.

Threat agent | Vulnerability | Description | Probability
Employee | Falls victim to social engineering (spear phishing attack) | This could happen online, in email, over the phone, or in person. In this case, a person tricks an employee into disclosing information or otherwise bypassing controls. | Probable. Even given all of the controls in place, our employees are generally trusting and well-intentioned, and want to help people. Plus, training is not a guarantee of compliance with policies. Neither is evaluating people on following the policies and practices.
Employee | Exploits trust and purposefully ignores or violates procedures | An employee purposefully ignores or bypasses controls for whatever reason. | Highly possible. Despite all our controls, training, and hiring practices, someone may decide to be dishonest. This is common across all industries, no matter what controls are in place. Intimate knowledge of controls makes it possible to manipulate or circumvent them.
Third-party service provider | Fails to properly configure systems | The "computer guy" fails to follow some procedure, and leaves our system vulnerable. | Possible. We don't actually know how good the abilities of our network people are, because we don't evaluate and measure that. We also don't have anyone checking their work, to make sure it's accurate and according to procedures. This leaves us vulnerable. We basically rely on his competence, but have no way of verifying or checking that.
Third-party service provider | Exploits trust | The "computer guy" purposefully does something to allow himself or someone else access to sensitive information. | Possible. We do not have controls in place to double check that all the systems are configured and monitored and logged properly. This means that someone who knows what they're doing could conceivably set up the system for his benefit.
External malicious party (hacker) | Holds our data hostage | An outside party hacks into our system, accesses our data, and holds it hostage in exchange for ransom. They may or may not restore data once ransom is paid. | Possible. While we do penetration testing, and our system is fairly secure and doesn't change often (change could lead to holes), there are new exploits discovered all the time. We could fall victim to one of those.
Outside malicious party (hacker) | Penetrates our system via the Internet and accesses member information | While our system is relatively secure and tested annually, it's still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor. | Probable. If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.
Outside malicious party (hacker) | Penetrates our system and modifies critical data | While our system is relatively secure and tested annually, it's still possible that there could be an exploit or new hack that would penetrate our system. Or, during a system modification, something could be left open, thus giving access to a bad actor. | Highly possible. If someone is determined to get into our system, they will probably find a way, even if it includes a combination of social engineering and technical penetration.
Hacker | Takes advantage of unpatched software | | Highly possible
Terrorist attack | Disrupts communication lines | | Possible
Earthquake | Damage to connection or hardware | | Highly possible

Prioritize and plan Here is the culmination of all our effort. Here we identify where our largest risks are, and how we will take steps to mitigate those risks. Most of the hard work is done. So go get a drink and relax while you finish this bad boy up.

In the table below, list your risks and assign them a risk rating of "High," "Medium," or "Low". In the third column, indicate steps to take to mitigate those risks.

Risk | Risk Rating | Mitigation plans
Third party vendor makes a mistake or purposefully causes harm | High | We will plan for an audit of our IT security system, which we will not inform our network guy about beforehand. We will hold this each year.
Employee falls victim to social engineering | High | Add quarterly security training for all employees, as well as testing to ensure they comply with appropriate rules, then incorporate training and testing into performance evaluations.
Our system is hacked and someone gets inside our secure perimeter | High | Implement intrusion detection systems with failsafe controls; implement a honeypot to catch bad actors.
