TOPIC: Cybersecurity

Back to Basics: Understanding Risk Concepts

People often make judgements and decisions about risk. Modern technology environments are complex and pervasive – nearly everything we do at work relies on at least some piece of technology. Making sense of it all can seem daunting, especially from a risk management perspective. It can be beneficial to review some of the core concepts and terminology of risk management to maintain clarity. 
So, let’s review some terminology:
Asset: An asset is anything used in an environment that should be protected. This can really be anything of enough value that it warrants at least some level of protection. Hardware, software, networking equipment, customer data, internal data, facilities, personnel, business processes, vendor relationships – the list can be endless, and each organization is unique in at least some aspects. Which assets in your organization have the most value to the organization? The highest-value assets need to be identified and focused on first. This can lead to a broader asset management conversation – for now, asset management is basically knowing and understanding what assets you have, and documentation supporting that knowledge and understanding.
Vulnerability: No asset is 100% perfect. Those imperfections are vulnerabilities. All assets can have vulnerabilities. Again, the range of vulnerabilities is extensive and broad. Vulnerabilities range from software issues that need to be patched, to broken business processes that need to be amended, to team members using unsafe security practices. 
Threat: A threat exploits a vulnerability in an asset. Threats can be intentional or accidental, and they can be man-made or natural. A malicious actor writing malware to exploit a software vulnerability is an example of an intentional threat. Hard drive failure in a PC is an example of an accidental threat. A hurricane that would knock out power to an organization is an example of a natural threat.
Risk: The concept of risk ties the above factors together. Risk is the likelihood of harm to an organization due to a threat exploiting a vulnerability of an asset. Risk to an asset can be expressed like this: Risk = Threat x Vulnerability
OK – so, how does this overall risk concept work in practice? How is this used to reduce risk? The answer is controls.
Controls: Controls are anything used to reduce vulnerabilities and/or protect against threats. Controls can include technical actions, policies and procedures, additional training – you name it. Applying firmware updates to a firewall is an example of reducing vulnerabilities of that firewall. Restricting admin access to that firewall provides protection against the threat of unauthorized people accessing the firewall and making changes to it. Providing security training to staff members reduces the vulnerability of untrained users being susceptible to phishing attacks. Using strong email filtering services prevents (at least some) phishing emails from reaching user mailboxes. 
There are many models of risk assessments, ranging from simple qualitative analysis processes to highly detailed quantitative risk analysis tools. We are not going to delve deep into the various models here. Regardless of your current method of risk assessment, keep the following takeaways in mind:
  1. Know (and document) your assets. Whether you are using simple spreadsheets or automated systems management platforms, you need to know what assets you have first. You can’t assess vulnerabilities on an asset you don’t know about.
  2. Work to stay abreast of applicable vulnerabilities and threats. Regular internal and external vulnerability scans of your environment help clarify vulnerabilities specific to your environment. Many organizations, such as US-CERT and InfraGard (and potentially others specific to your industry), can provide alerts to ongoing vulnerabilities and threats. Vendors that support critical assets for you may also have similar services. Again, knowledge is power.
  3. Understand the controls you have in place, and also try to understand the “gaps” in your controls. In a perfect world, all risks are known and effectively controlled down to zero impact. Since that’s never the case, it is important that you understand the controls you have in place, and just as importantly, the controls that you don’t (or “can’t”) have in place. Regular monitoring and analysis of the effectiveness of the various controls helps you understand and reduce your risks.
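To tie the formula and the three takeaways together, here is an added example (not from the original article) of a small qualitative risk register: each asset carries a value, a threat and a vulnerability score on a hypothetical 1-5 scale, inherent risk is Threat x Vulnerability as above, residual risk is what remains after a control-effectiveness estimate, and the register ranks assets by value times residual risk while flagging control gaps. The asset names, scores and tolerance are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical qualitative risk register (constructed example). Scores use a
# 1-5 scale; inherent risk follows the page's Risk = Threat x Vulnerability.
@dataclass
class Asset:
    name: str
    value: int                     # 1-5: how much the organization depends on it
    threat: int                    # 1-5: likelihood that a threat acts on it
    vulnerability: int             # 1-5: severity of its known weaknesses
    control_effectiveness: float   # 0.0-1.0: how far existing controls reduce exposure

def inherent_risk(asset: Asset) -> int:
    """Risk before any controls are considered: Threat x Vulnerability."""
    return asset.threat * asset.vulnerability

def residual_risk(asset: Asset) -> float:
    """Risk that remains once the controls in place have done their work."""
    return inherent_risk(asset) * (1.0 - asset.control_effectiveness)

def risk_register(assets, tolerance: float = 5.0):
    """Build the register: highest (value x residual risk) first, and flag a
    control gap wherever residual risk still exceeds the tolerance."""
    rows = []
    for a in assets:
        res = residual_risk(a)
        rows.append({
            "asset": a.name,
            "inherent": inherent_risk(a),
            "residual": round(res, 2),
            "priority": round(a.value * res, 2),
            "control_gap": res > tolerance,
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)

# Constructed sample inventory echoing the article's own examples (a firewall,
# phishing-exposed staff, customer data) plus one low-value asset with no controls.
SAMPLE_ASSETS = [
    Asset("Perimeter firewall", value=5, threat=4, vulnerability=3, control_effectiveness=0.75),
    Asset("Customer database", value=5, threat=5, vulnerability=4, control_effectiveness=0.5),
    Asset("Staff mailboxes", value=3, threat=5, vulnerability=3, control_effectiveness=0.6),
    Asset("Lobby printer", value=1, threat=2, vulnerability=4, control_effectiveness=0.0),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        flag = "GAP" if row["control_gap"] else "ok"
        print(f"{row['asset']:<20} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>5} priority={row['priority']:>5} {flag}")
```

Note that the printer shows a control gap yet ranks last: the value weighting is what keeps attention on the high-value assets the article says to address first.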



Risk management is an ongoing process. To date, there’s no panacea that will take care of everything when it comes to risk – only continuous vigilance and dedication to your processes will be effective in reducing risk. The work is worth it. It’s like the adage says: an ounce of prevention is worth a pound of cure.

SolarWinds and the Big Hack

Well, hacking is certainly in the news this week! We initially resisted adding to the cacophony of news stories and email alerts flooding your inbox, primarily because with big stories like these the initial information is generally incomplete and often wrong. Now a few days have passed, and more is known, but we’d wager lots more is to be discovered. The CliffsNotes version (or TL;DR for the younger set) is that there appears to have been a nation state intrusion into several governmental agencies, as well as an industry leading cyber incident response company, FireEye. It is now believed that these intrusions were accomplished through a widely used network monitoring and management system, SolarWinds Orion, which had been tampered with in a “supply chain attack.”

What does this mean for you? If your institution uses SolarWinds Orion, please visit the SolarWinds site (https://www.solarwindsmsp.com/solarwinds-orion-security-advisory) for the latest. Additionally, the DHS released an Emergency Directive (https://cyber.dhs.gov/ed/21-01/) for government agencies that packs quite a punch.

If you don’t specifically use SolarWinds Orion, based on current information you are probably in the clear…but if you do use this product (or did at any point this year), start by assuming you may have a problem. Since Orion has deep access into your network and was likely configured with privileged accounts to monitor everything, any potential breach of this software could have serious consequences in your environment. We recommend that you engage a qualified technical Incident Response resource to help you determine whether your systems are affected, and what if any remediation is needed.

If you do not know who to contact for this type of expertise, consider starting with your cybersecurity insurance provider. They have required steps to follow in this type of potential issue, or at a minimum, often can provide a list of recommended vendors.