On February 11, 2020, Offensive Security introduced a major overhaul and update to their already fantastic course: Penetration Testing with Kali Linux. Those changes included updates to their lab environment. The study materials were substantially updated, with additional material including entire new sections on Bash Scripting, Active Directory Attacks, and PowerShell Empire. The training videos […]… Read More
Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.
Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited.
But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit.
“It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.”
Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.
Breen called attention to another critical vulnerability this month — CVE-2020-1660 — which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).
“They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”
CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.
Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited.
The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.
“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.”
Trend Micro’s ZDI Initiative pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 that was publicly disclosed by ZDI prior to today.
“It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.”
Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.
Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.
Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look.
That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.
As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
Today’s VERT Alert addresses Microsoft’s January 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-922 on Wednesday, January 13th. In-The-Wild & Disclosed CVEs CVE-2021-1647 A vulnerability in the Microsoft Malware Protection Engine (MMPE) is currently seeing active exploitation. Since the MMPE is updated regularly with malware definitions, […]… Read More
The post VERT Threat Alert: January 2021 Patch Tuesday Analysis appeared first on The State of Security.
Intel announced the 11th gen intel vPro mobile platform, 11th gen Core H-series mobile processors, new Pentium and Celeron processors, and previewed Rocket Lake-S and Alder Lake desktop processors.
11th Gen Intel vPro platform
Intel’s vPro platform has been updated to 11th generation. With it, commercial and enterprise users can now benefit from the more efficient 10nm SuperFin transistors and Intel’s Xe graphics. The 11th gen Core i5 and i7 vPro processors also natively support Wi-Fi 6/6E, as well as Thunderbolt 4.0. Intel says that the new vPro platform is 23 per cent faster in productivity than the competition in Office 365 and up to 50 per cent faster in video conferencing.
On the heel of its vPro platform, Intel also announced the Intel Evo vPro platform to push the industry towards sexier laptop designs for business. Similar to the consumer Evo verification, Intel has set criteria around responsiveness, wake times, and battery life to ensure user experience.
High-performance Tiger Lake-H (H35) processors
Tiger Lake mobile processors have been around for some time now, but Intel has been mum on the arrival of its H-series chips. Seeing its release at CES 2021 is a sight for sore eyes.
The new H-series lineup consists of the Core i5-11300H, Core i7-11370H, and the Core i7-11375H Special Edition. They retain the 4 cores of the power-effient Tiger Lake U processors but raise the thermal design power (TDP) to 35W. This increased TDP refers to the configurable TDP (cTDP) up, the highest base TDP the processor can run at with adequate cooling.
Perhaps even more significant is the jump in the minimum configurable TDP. For Tiger Lake-H, the cTDP-down, the lowest TDP the processor can be configured, has been increased to 28W. The new Tiger Lake-H’s cTDP-down matches the cTDP-up of the highest-end Tiger Lake processor in the mobile segment.
Raising the cTDP-down also raises the processor’s base frequency. Whereas the Core i7-1185G7 runs at 1.2GHz at its cTDP-down of 12W, the Core i7-11375H runs at 3GHz at 28W, which is the cTDP-up frequency of the Core i7-1185G7.
Looking at the three SKUs, the only difference between the Core i7-11375H Special Edition and the Core i7-11370H is that the former has a 200MHz higher boost clock. The Core i5-11300H has the same number of cores but lower frequencies, as well as 4MB less cache.
Because Tiger Lake-H’s cTPD-down has more than doubled, it needs more powerful cooling solutions. Since it needs more thermal pampering, Tiger Lake-H will be more at home in gaming systems that have better cooling than ultraportables.
Other than the tweaked power and thermal parameters, Tiger Lake-H looks identical to the high-end Tiger Lake U processors launched last year. In this launch, Intel could be trying to squeeze out more performance from its existing chips by tuning the power profiles until it could release the next product. Intel was not immediately available for comment.
And the next product is coming soon. The company also showcased an 8-core mobile processor that’s still in the works. Not much is known about this chip other than it can hit 5GHz across multiple cores.
Tiger Lake-H will come with DDR4 support, Wi-Fi 6 and 6E, PCIe Gen 4, and a resizable base address register (BAR) feature that will give CPU access to the entire GPU memory. AMD’s Smart Access Memory (SAM) is built on the same concept.
New Celeron and Pentium processors for education
Remote learning has exponentially driven up the demand for affordable mobile PCs. Intel suggests that 10 per cent of all PC purchased were for students. Targeting this sector, Intel launched the Pentium Silver N6000, Celeron N6211, Celeron N5100, and Celeron N4500 series processors built on the 10nm node. Intel claims that these new processors deliver up to 35 per cent overall application performance and 78 per cent better graphics performance gen-on-gen.
Core i9-11900K to lead Rocket Lake-S lineup, Alder Lake-S powered on
Intel also announced that Rocket Lake-S, the 11th generation desktop processors, will arrive in Q1 2021. The lineup will be led by the Core i9-11900K that features 8-cores and 16 threads. Rocket Lake’s Cypress Cove core architecture is a backport of Ice Lake’s 10nm Sunny Cove core architecture onto Intel’s 14nm node. It is not based on Tiger Lake’s Willow Cove core.
With the backport, Intel hopes to at least bring the architectural benefit of Sunny Cove to its 14nm node. According to the company, Rocket Lake-S achieves 19 per cent instruction per cycle (IPC) improvement over Comet Lake-S. Several slides also show that the Core i9-11900K can hit a max single-core frequency of 5.3GHz on a single core and 4.8GHz on all cores.
The Core i9-11900K is expected to carry to 20 CPU PCIe 4.0 lanes, four more than what Comet Lake processors offer and a generation newer. It will support up to DDR4-3200 memory. Intel will release a new 500 series chipset with Rocket Lake-S, but the processor will be backward compatible with motherboards using Intel’s 400 series chipsets.
Looking towards the future, Intel’s 12th gen Alder Lake processors are set to arrive in the second half of 2021. In addition to its enhanced 10nm SuperFin transistor, Alder Lake’s will see a new design by combining performance cores and efficiency cores into a single product. This approach is reminiscent of the long-standing strategy adopted by smartphone processors.
The post CES 2021: Intel’s new vPro platform, Tiger Lake-H, new chips for education, and Rocket Lake-S first appeared on IT World Canada.
New research into the malware that set the stage for the megabreach at IT vendor SolarWinds shows the perpetrators spent months inside the company’s software development labs honing their attack before inserting malicious code into updates that SolarWinds then shipped to thousands of customers. More worrisome, the research suggests the insidious methods used by the intruders to subvert the company’s software development pipeline could be repurposed against many other major software providers.
In a blog post published Jan. 11, SolarWinds said the attackers first compromised its development environment on Sept. 4, 2019. Soon after, the attackers began testing code designed to surreptitiously inject backdoors into Orion, a suite of tools used by many Fortune 500 firms and a broad swath of the federal government to manage their internal networks.
According to SolarWinds and a technical analysis from CrowdStrike, the intruders were trying to work out whether their “Sunspot” malware — designed specifically for use in undermining SolarWinds’ software development process — could successfully insert their malicious “Sunburst” backdoor into Orion products without tripping any alarms or alerting Orion developers.
In October 2019, SolarWinds pushed an update to their Orion customers that contained the modified test code. By February 2020, the intruders had used Sunspot to inject the Sunburst backdoor into the Orion source code, which was then digitally signed by the company and propagated to customers via SolarWinds’ software update process.
Crowdstrike said Sunspot was written to be able to detect when it was installed on a SolarWinds developer system, and to lie in wait until specific Orion source code files were accessed by developers. This allowed the intruders to “replace source code files during the build process, before compilation,” Crowdstrike wrote.
The attackers also included safeguards to prevent the backdoor code lines from appearing in Orion software build logs, and checks to ensure that such tampering wouldn’t cause build errors.
“The design of SUNSPOT suggests [the malware] developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” CrowdStrike wrote.
A third malware strain — dubbed “Teardrop” by FireEye, the company that first disclosed the SolarWinds attack in December — was installed via the backdoored Orion updates on networks that the SolarWinds attackers wanted to plunder more deeply.
So far, the Teardrop malware has been found on several government networks, including the Commerce, Energy and Treasury departments, the Department of Justice and the Administrative Office of the U.S. Courts.
SolarWinds emphasized that while the Sunspot code was specifically designed to compromise the integrity of its software development process, that same process is likely common across the software industry.
“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” said SolarWinds CEO Sudhakar Ramakrishna. “The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents.”
A seasoned executive with extensive knowledge in health technology, TELUS Health’s director of business development and healthcare transformation, Kathryn Seeley answered a few of our questions.The post TELUS Health: Accelerating digital health growth and adoption in response to COVID-19 first appeared on IT World Canada.
If you???re looking to start or optimize an AppSec program in 2021, the Forrester WaveTM report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence.
Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results.
To help development teams and security and risk professionals identify the industry???s foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, ???For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice.???
The Forrester report specifically mentions, ???Veracode has invested in the developer experience.??? Veracode???s SAST offering is fully cloud-based and offers three different levels of scans that aid developers:
- IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials.
- Pipeline Scan happens in the build phase. It directly embeds into teams??? CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, ???is the code my team is writing secure????
- Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, ???are my organization's applications secure????
Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills.
We believe prioritization is another important strength for Veracode. As the Forrester report states, ?????ｦVeracode???s graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market.??? In addition, the report states, ???References complimented Veracode's premium support,??? and Veracode is highly rated by customers for remediation guidance. As one customer stated, ???the relationship [with Veracode] really stands out.???
Download The Forrester WaveTM: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode???s position as a Leader.
Navdeep Bains, Minister of Innovation, Science and Industry says he does not intend to run in the next federal election for family reasons. A cabinet reshuffle was called by Trudeau this morning, who named a new foreign minister and shuffled other top players in his cabinet. Francois-Philippe Champagne will leave the foreign ministry to take…The post Bains exits as Canadian innovation minister first appeared on IT World Canada.
Administrators with network equipment from manufacturer Ubiquiti are being urged to change their passwords and enable two-factor authentication after the company acknowledged a hack at a third-party may endanger access.The post Network equipment maker Ubiquity urges admins to change passwords after third-party hack first appeared on IT World Canada.
The huge theft of data from the controversial — and now almost homeless — social media app Parler was accomplished in part through a common web development mistake, according to one expert.
“Essentially the Parler [software] engineers made a mistake in that they allowed an endpoint [a web address] to exist that people could sequentially query,” says Matt Warner, CTO and co-founder of Blumira, an Ann Arbor, Mich.-based a cloud-based threat detection provider. “And if you can stand up enough people looking at different blocks of numbers you can essentially scrape nearly unlimited amounts of data through that endpoint.”
In short, the URLs Parler developers created included sequential numbers, like “ID=12345.” Knowledgeable people could guess the next numbered page was 12346 and would get a hit if access wasn’t protected.
That’s all right if the page is public. If it’s not — for example, it’s a page only logged in bank customer “Jane” is only allowed to access — then once anyone is logged in they can see other pages/accounts just by changing the page number.
Software developers call this an insecure indirect object reference (IDOR), and for years it was one of the Open Web Application Security Project’s (OWASP) Top 10 vulnerabilities. To be exploited, OWASP says, an IDOR issue must be combined with an access control problem, which gives an attacker access to a web page. Warner suggested the researchers or activists might have gained that access after several providers like Twilio dropped Parler after last week’s mob attack on the U.S. Congress. That may have made it impacted email verification, making it easier for new users to subscribe, opening the door to the IDOR expoit.
The data scraping happened shortly after it was revealed that Parler would be de-listed by providers because people involved in last week’s mob attack on the U.S. Congress used it to communicate. Apple and Google dropped Parler from their app stores, and Amazon stopped allowing Parler to use its hosting facilities. Parler is now suing Amazon.
In what Warner calls “probably the most co-ordinated hactivism we’ve seen in a while,” some 15 people who were told of Parler’s vulnerabilities quickly copied apparently almost every users’ post and attachment. According to the news site Gizmodo, 56 terabytes of data has been captured.
A question of timing
One interesting question is whether the IDOR vulnerability was discovered after the incident in Washington, or if it’s been known for some time, according to Warner.
IDOR is “a really common risk” among developers who build their own websites and application programming interfaces (APIs), Warner said. “It used to be a lot more common five or 10 years ago when people were standing up early database-driven web sites. It’s not that common these days with the prevalence of UUIDs (universally unique identifier, sometimes called a globally unique identifier), which are long and complex [URL] IDs, but for whatever reason on this specific endpoint, which was associated with their mobile app, they weren’t doing that. And because of that it essentially exposed all of Parler’s attachments and metadata.”
It’s one of the reasons why application security and testing is essential, Warner said. Parler more than likely didn’t have their application tested from a web application point of view. And it’s one of those things that can cascade very quickly just because it indicates other areas of risk within the environment — if you’re missing checks in this area you’re probably missing other areas in the application.”
IDOR vulnerabilities can be avoided if website designers make sure authentication and authorization of URLs are included early in development, says Warner. Otherwise, “if you have a lot of complex code you have to figure out where to jam that authentication check.”
Another way is to make sure sequential IDs are not part of page numbering so people can’t guess brute force access to pages.The post Common development error likely led to huge Parler data theft, says expert first appeared on IT World Canada.
The Radicati Group has named Cisco a Top Player in the Endpoint Security – Market Quadrant 2020. Radicati recognizes endpoint security top players as “current market leaders with products that offer, both breadth and depth of functionality, as well as possess a solid vision for the future. Top Players shape the market with their technology and strategic vision.” We believe our leadership position in this report is validation of our robust, comprehensive and integrated approach and execution towards being our customers’ trusted endpoint security provider.
Cisco Secure Endpoint (formerly AMP for Endpoints) stands out from the competition for many reasons, and it all starts with our world-class threat intelligence organization, Talos. Talos constantly analyzes threat data and creates protections that Secure Endpoint uses to automatically protect organizations against known, unknown and emerging threats.
“That ability to push information automatically into Talos and then update the system automatically, saves us an enormous amount of time.”– Technical Director, read full review
We offer multifaceted prevention techniques as part of our Endpoint Platform Protection (EPP) capabilities, including machine learning, behavioral analysis, heuristics, sandboxing, and more, to prevent threats from entering the endpoint. We also offer unified user access and endpoint protection, allowing you to enforce multi-factor authentication and block the access of infected endpoints to sensitive information.
“It has decreased time to detection by 95%. A lot of the time, prior to having AMP…we weren’t aware of any type of malicious activity until it had an impact on the organization.” – Systems Architect, read full review
But we know that you can’t stop threats that you can’t see. So, Cisco Secure Endpoint goes beyond prevention by providing advanced Endpoint Detection and Response (EDR) capabilities to give you deep visibility into telemetry and potentially malicious file activity across your endpoint environment. This enables you to detect malicious activity fast and eliminate it before damage can be done.
“We had a 97% reduction in time to remediation, because it’s almost instantaneous. In the 18 months that we’ve had AMP, there has not been malicious activity on an endpoint that we weren’t able to resolve immediately.” – Systems Architect, read full review
Finally, we help you save time by enabling automation using our integrated architecture. Built-in to Cisco Secure Endpoint, the Cisco SecureX platform delivers threat response with automatic threat context enrichment and unified threat response capabilities across the entire security ecosystem, including Endpoints, Network, Email, DNS, and more to provide thorough network edge to endpoint visibility. Cisco Secure Endpoint works together with the rest of our integrated security portfolio so you can see more, detect faster and automatically block and respond to advanced threats.
“This solution interfaces with Talos Intelligence, Threat Grid, Threat Response, and SecureX. All of these things are integrating together, and a lot of stuff is now starting to happen automatically. So, I went from about 100 or so odd alerts a week to around five because everything is now happening on its own.” – Security Officer, read full review
Cisco Secure Endpoint has gained incredible momentum, including the introduction of our built-in SecureX platform, advanced EDR capabilities like live queries, cloud secure malware analytics, and human-driven threat hunting, continued enhancements to our prevention engines, and enhanced integration with third-party tools and our own growing security portfolio.
No other vendor can deliver both the strength of EPP and EDR and the breadth of integrated XDR capabilities from the edge to the endpoint that Cisco offers. We’re committed to continuing our momentum and helping our customers grow their businesses by protecting their environments from today’s threats.
CES 2021 is in session, Parler’s controversy continues as it goes from number 1 to where’d it go, and a new retail policy where you can just keep your return items.The post Hashtag Trending – CES 2021 news drops already; Parler woes; New return policy turns heads first appeared on IT World Canada.
COVID-19 is a stark reminder of longstanding inequities in our societies, and how policies need to pay specific...
The post You might get hacked before getting vaccinated appeared first on Quick Heal Blog | Latest computer security news, tips, and advice.
This is a clever side-channel attack:
The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP A700X chip, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. Once the measurement-taking is finished, the attacker seals the chip in a new casing and returns it to the victim.
Extracting and later resealing the chip takes about four hours. It takes another six hours to take measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours to clone a key for two accounts, and 22 hours for three accounts.
By observing the local electromagnetic radiations as the chip generates the digital signatures, the researchers exploit a side channel vulnerability in the NXP chip. The exploit allows an attacker to obtain the long-term elliptic curve digital signal algorithm private key designated for a given account. With the crypto key in hand, the attacker can then create her own key, which will work for each account she targeted.
The attack isn’t free, but it’s not expensive either:
A hacker would first have to steal a target’s account password and also gain covert possession of the physical key for as many as 10 hours. The cloning also requires up to $12,000 worth of equipment and custom software, plus an advanced background in electrical engineering and cryptography. That means the key cloning — were it ever to happen in the wild — would likely be done only by a nation-state pursuing its highest-value targets.
That last line about “nation-state pursuing its highest-value targets” is just not true. There are many other situations where this attack is feasible.
Note that the attack isn’t against the Google system specifically. It exploits a side-channel attack in the NXP chip. Which means that other systems are probably vulnerable:
While the researchers performed their attack on the Google Titan, they believe that other hardware that uses the A700X, or chips based on the A700X, may also be vulnerable. If true, that would include Yubico’s YubiKey NEO and several 2FA keys made by Feitian.
This is the second is a series of three articles sponsored by Ricoh looking at how real companies facing transformation evaluated their MSP options. The variety of services MSPs provide can range from the monitoring of IT networks to being responsible or all repairs, updates, and patches, as well as providing new software, hardware, infrastructure,…The post Security incident forces firm to consider its MSP options first appeared on IT World Canada.
ESET researchers uncover attacks targeting Colombian government institutions and private companies, especially from the energy and metallurgical industries
The post Operation Spalax: Targeted malware attacks in Colombia appeared first on WeLiveSecurity
Thanks to the tumultuous events of the past year, in 2021 IT professionals will face challenges in the workplace they’ve never seen before. There was no roadmap for taking much of the American workforce remote overnight, and none exists for a large-scale, staggered return to the hybrid environment of in-person and remote work that most organizations expect to make work in the months to come.
Cyber security risk assessments are essential for organisations to protect themselves from malicious attacks and data breaches.
After all, it’s only once you’re aware of the ways you’re vulnerable that you can put appropriate defences in place.
But what exactly does a risk assessment do? Essentially, it helps you answer these three questions:
- Under what scenarios is your organisation under threat?
- How damaging would each of these scenarios be?
- How likely is it that these scenarios will occur?
To complete a risk assessment, you must give each scenario that you identify a ‘risk score’ based on its potential damage and probability of occurring.
This can be calculated by assigning a number to progressively damaging/probable incidents. You should end up with a system for scoring risks that looks like this:
Very few organisations have the means to address every risk, so this system helps them dedicate appropriate time and money to the biggest priorities.
In the example above, organisations would almost certainly address any risk that scored 12 or more but accept risks that scored 3 or less.
Their decision-making for risks in between would be influenced by the nature and size of the organisation and their resources.
Risk appetites should be reviewed regularly and whenever there are changes to the organisation’s cyber security budget or resources.
If you have the means to address a risk, there is no reason to continue considering it ‘acceptable’.
However, if you find yourself struggling to resolve problems that are in your risk appetite, you should consider raising your threshold (or budget) to make sure the highest priorities are dealt with sufficiently.
Advice on how to conduct a risk assessment
Our ISO22301 BCMS Documentation Toolkit features a risk assessment template to help you evaluate your organisation’s level of security and measure your risk appetite. It also includes a Risk Register/Treatment Plan to help you manage risks after you’ve identified them.
The toolkit is designed to help you comply with ISO 22301, which sets out the requirements for a BCMS (business continuity management system).
You can learn more about ISO 22301 on our website or by reading our free green paper: Business Continuity Management – The nine-step approach.
You might also be interested in our risk assessment software vsRisk, which provides a simple and fast way to identify relevant threats, and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.
A version of this blog was originally published on 21 April 2018.