As countless recent press articles have illustrated, vulnerabilities are regularly discovered and exploited by skilled attackers, and the victims are not confined to any one industry sector. Attacks continue to become ever more prevalent and without proper preparation, including a threat and risk assessment, it is almost certain that similar attacks will compromise organisations again, into the foreseeable future.
So, what needs to be done?
It is important that organisations (particularly those that handle personally identifiable information or credit card and payment data) regularly monitor and test the security of their computing environment. A Threat and Risk Assessment (TRA) is conducted in order to achieve a number of outcomes:
- Identify and understand the scope and assets that are to be included within the Target of Evaluation (ToE), otherwise known as Target of Assessment (ToA). For example, a ToE might include all Internet-visible assets associated with a routable address range. Reconnaissance of the ToE in that example would likely identify assets including one or more firewalls, web servers, proxy servers, routers, etc. The first task of any TRA is to confirm with the customer the scope and assets of the proposed assessment.
- Identify and understand threats to the ToE. In general, a threat can be thought of as a potential attack; threats are posed by threat agents who in turn seek to misuse assets within the ToE. Threats might include, for example, the discovery of, and unauthorised access to, administrative interfaces associated with a CMS within the ToE.
- Identify and potentially exploit any vulnerabilities. Depending upon the agreed scope of the assessment, vulnerabilities could be found not just in technical systems (web applications, operating systems, firewall configurations, etc.) but also in personnel, physical and operational aspects of the ToE. That’s why it’s important to agree in writing upon the scope of the assessment. It’s also important to agree on the extent to which vulnerability exploitation will take place; in a non-production system, vulnerability exploitation is often acceptable, but the associated risk may be unacceptable in a production system.
- Complete the risk assessment. Most TRAs will result in a qualitative (rather than quantitative) measure of risk. The assessor will refer to standards such as AS ISO/IEC 27001:2015 and AS ISO/IEC 27002:2015 when analysing the level of risk associated with each threat.
- Provide recommendations based on the assessed level of risk. In summary, risks are either accepted, managed or transferred, although in some unusual cases a risk may be treated by a combination of these three. Risks that are acceptable may not be addressed (at least not as a priority) by the stakeholder, while risks that are to be transferred will be addressed by secondary or indirect means such as insurance or acceptance-of-liability agreements. Most of the recommendations in most reports, however, will focus on risks that can be managed, usually by reducing the likelihood that the associated threat can be realised, by reducing the consequences should the threat be realised, or both.
DotSec has nearly 15 years of threat and risk assessment experience, and has provided risk assessment, management and mitigation services for government, finance and banking, legal, investment, online-gaming, education, on-line payments and telco clients:
- PCI (Payment Card Industry) DSS (Data Security Standard) assessments. DotSec is a PCI QSA (Qualified Security Assessor) company. This means that DotSec is qualified to assess entities (including on-line merchants, payment processors and service providers) for compliance with the DSS.
- Independent Threat and Risk Assessments (TRAs). DotSec works with you to understand your business processes, identify your IT business assets, and assess and manage your risks. You can be certain of receiving a complete and concise report that includes unbiased post-assessment options, since our assessments are not clouded by any product-reseller obligations or software-vendor partnerships.
- DotSec security professionals have conducted a wide range of Threat and Risk Assessments (TRAs) and Security Audits for a range of organisations. TRAs are based on standards including AS/NZS ISO 31000:2009, AS ISO/IEC 27001:2015, the Australian Government’s Information Security Manual (ISM), and the Queensland Government’s IS18.
- DotSec conducts application security assessments for organisations in the government, banking and legal sectors. We have supported our clients as they approach their software vendors to address software vulnerabilities and improve secure-application development processes.
What’s the difference?
DotSec security professionals have the ability not just to assess secure services, but to design and implement them as well. With these skills, DotSec can produce assessments that cover all aspects of an organisation, from its policies and procedures to its core service implementations, and from its network infrastructure to its n-tier application design and implementation.