risk management


Now that you’ve identified what you have to protect, the next step is to figure out who you are protecting it from. This concept is much easier to understand. Almost all actors fall into two broad categories: internal and external actors.

Internal actors are employees, contractors, and third parties with access to your assets. Third parties could be employees of your cloud provider or the company that processes benefits and payroll.

Internal threats can result from actors inadvertently using their privilege improperly, such as creating a misconfiguration or clicking a link in a phishing email. Internal actors can also purposefully act maliciously and knowingly create threats in the environment, such as stealing data or installing malicious software.

  • Internal Actors
    • Employees
    • Contractors
    • Third Parties with access to assets
  • Internal Malicious Actors
    • Disgruntled Employees
    • Internal System Controlled by External Actor

Due to the inherent trust given to internal actors, the potential impact from these actors is higher than from external actors. While external actors make for better news stories and TV shows, it is imperative to review and mitigate threats from internal actors.

There are a number of different types of external actors, each with different motivations and goals.

  • External Malicious Actors
    • Hackers
    • Crackers
    • Hacktivists
    • Criminal Elements
    • Nation-States
    • Industrial Espionage

While the term Hacker has become synonymous with any individual with nefarious motives, the term is usually used for a curious, technically savvy individual who gains unauthorized privileges to a system without malicious intent.

On the other hand, Crackers are individuals with malicious intent who intentionally try to bypass security controls.

With the movement of activities online, normal protesters morphed into Hacktivists. Hacktivists target an organization with a political or social motive. While hackers or crackers choose targets of opportunity or with a financial motive, Hacktivists target a sector or organization for ideological reasons. Due to that ideological focus, it is possible that hacktivists will expend more time and effort on a target.

Criminal elements are attempting to monetize the assets of an organization. This is a fancy way of saying they will sell credit card numbers, personal information, or run bitcoin miners on computers. Ransomware, which encrypts user data and requires a ransom to access the encrypted files, is a common way to extort organizations for money.

Nation-States are highly funded and operate on extended time frames, usually measured in years. Nation-states are incredibly difficult to defend against due to the additional levels of expertise they can bring to bear. If you are in an industry commonly targeted by a nation-state (such as Defense or Aerospace), focusing on breach detection and having a close relationship with law enforcement is paramount.

Industrial espionage is a catch-all term for any of the above individuals focusing on stealing trade secrets or sensitive organization data. Nation-states may engage in industrial espionage to give their companies a competitive edge. Criminal elements may target an organization to sell any information obtained during a breach or sell information found during an untargeted breach. Hacktivists will expose data found to further their ideological cause.

Now that you’ve determined who are the most likely actors in your threat model and also determined which would cause the largest potential impact, you can create a list of threats to focus on.


A quick example would be a coal company operating a mine.


Asset              Actor                          Threat      Mitigation
-----------------  -----------------------------  ----------  -------------------------------
External Website   Hacktivists/Hackers/Crackers   Defacement  Quarterly Web Application Scans
Personnel HR Data  Employees/Third Party          Data Theft  Access Control Policies
Internal Network   Criminal Elements              Phishing    Phishing Awareness Training


Obviously, this list would be very long for any organization, but at some point, many of the mitigation elements will overlap. This means that in the previous example, the Access Control Policies that protect Personnel HR Data from Data Theft by employees also protect it if a criminal element gains unauthorized access to the network. The best mitigation items will protect multiple assets from a variety of actors and eliminate most risk.
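The overlap described above is easiest to see once the table is treated as data rather than prose. The following is an added example (not code from the post or from Secure Network Management) that loads a few constructed rows in the Asset/Actor/Threat/Mitigation layout, with a constructed 1-to-5 impact score per row, then ranks mitigations by how much impact they address and how many asset/actor pairs they cover, and lists what remains once a chosen set of mitigations is in place. The rows, scores, and function names are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One row of the asset / actor / threat / mitigation table."""
    asset: str
    actor: str
    threat: str
    mitigation: str
    impact: int  # constructed 1 (low) .. 5 (high) potential impact


# Constructed sample rows: the three from the coal-mine table plus extra rows that
# reuse the same mitigations, so the overlap the post describes becomes visible.
# Internal actors carry the higher impact scores, matching the post's reasoning
# about inherent trust.
THREAT_MODEL = [
    Threat("External Website", "Hacktivists", "Defacement", "Quarterly Web Application Scans", 2),
    Threat("External Website", "Crackers", "Defacement", "Quarterly Web Application Scans", 2),
    Threat("Personnel HR Data", "Employees", "Data Theft", "Access Control Policies", 5),
    Threat("Personnel HR Data", "Third Party", "Data Theft", "Access Control Policies", 5),
    Threat("Personnel HR Data", "Criminal Elements", "Data Theft", "Access Control Policies", 4),
    Threat("Internal Network", "Criminal Elements", "Phishing", "Phishing Awareness Training", 3),
    Threat("Internal Network", "Hacktivists", "Phishing", "Phishing Awareness Training", 3),
]


def coverage(model):
    """Map each mitigation to the set of (asset, actor) pairs it protects."""
    cov = defaultdict(set)
    for t in model:
        cov[t.mitigation].add((t.asset, t.actor))
    return dict(cov)


def rank_mitigations(model):
    """Order mitigations by total impact addressed, then by pairs covered.

    Returns a list of (mitigation, total_impact, pairs_covered) tuples, best first.
    """
    impact = defaultdict(int)
    for t in model:
        impact[t.mitigation] += t.impact
    pairs = coverage(model)
    ranked = [(m, impact[m], len(pairs[m])) for m in pairs]
    ranked.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return ranked


def residual_threats(model, implemented):
    """Rows whose mitigation is not yet in place, i.e. the remaining risk."""
    done = set(implemented)
    return [t for t in model if t.mitigation not in done]


if __name__ == "__main__":
    print("Mitigation ranking (impact addressed, asset/actor pairs covered):")
    for name, total, n_pairs in rank_mitigations(THREAT_MODEL):
        print(f"  {name:32} impact={total:2}  pairs={n_pairs}")
    left = residual_threats(THREAT_MODEL, ["Access Control Policies"])
    print(f"\nAfter Access Control Policies, {len(left)} rows remain:")
    for t in left:
        print(f"  {t.asset} / {t.actor} / {t.threat}")
```

Running the block ranks Access Control Policies first: it covers three asset/actor pairs and the highest-impact rows. In a real model the impact scores come from the asset review in the earlier post, not from a constant table.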

Where to Start

The simplest threat model is something (Asset) being manipulated by someone or something (Actor), resulting in a threat.


Figure: Threat Model Overview

This post deals with the first part of the equation.


Figure: Threat Model Asset

What are you protecting? Computer systems are relatively expensive to purchase. A server and attached disks that cost five thousand dollars to purchase new can easily store millions of dollars worth of data. Prior to engaging any company for a security assessment, it is imperative to understand exactly what needs to be protected and why.

Data and Data Flow

What is your company’s secret sauce? If you are protecting design documents for a widget, there is a chain of systems that all require protection. The storage system needs to be protected from unauthorized access. The end user system that is used to modify the documents requires that same level of protection. Also, the entire network that transmits the documents needs to be protected. This also needs to be done within a fixed budget and must not affect the ability of the company to make money. While Secure Network Management makes money securing networks, most companies do not.


Why would someone want to compromise a computer? Data is valuable, but computers and networks can also be monetized. Bitcoin mining reduces the computing power available for legitimate activities and increases electricity usage. Spam malware uses computing power, network bandwidth, and has the potential for a legitimate business to be blacklisted by SMTP servers.

Now What

Know what your network is. While this sounds easy enough, it is normally one of the limiting factors. That is easy, right? You use that one network for all your computers and servers. Done! Well…except each wireless access point uses its own network, and so does the LAN-to-LAN tunnel into the cloud provider’s network. And that one guy who brought a wireless router in from home so he could watch movies on his iPad during work…I wish I had made that last one up. Better update all the spreadsheets! Security assessments are garbage in/garbage out; the assessors will only test what is in the scope you provide or authorize. If you do not know, or don’t have the technical expertise to determine, all of the networks in use, any reputable security or IT support company can review the network fabric. This review should not be a long or costly engagement.

Most people underestimate the number of devices on their network by at least 30%. Everything with a network cable is a potential target. Server and computer counts are normally pretty accurate. Printers, scanners, and peripherals are normally underestimated, if included at all. Network devices, beyond the core switch and router, normally do not show up on device spreadsheets. Obtaining a fairly accurate count of devices using a simple network scanner is also easily performed by a competent systems administrator, security, or IT support company.
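The two paragraphs above describe the same gap from two sides: networks the spreadsheet does not know about, and devices on known networks that were never written down. The following added example (not code from the post or from Secure Network Management) reconciles a constructed inventory spreadsheet against a constructed list of discovered hosts, as a network scanner or DHCP lease table would report them. It reports devices that were found but never inventoried, inventoried devices that were not found, the undercount as a fraction of what is actually on the wire, and the distinct networks in use. The CSV columns, host names, addresses, and the /24 assumption for grouping are all illustrative assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory "spreadsheet": what the organisation believes it owns.
INVENTORY_CSV = """\
ip,hostname,type
10.0.1.1,core-router,network
10.0.1.10,fileserver01,server
10.0.1.11,dc01,server
10.0.1.12,oldbackup,server
10.0.1.20,ws-accounting,workstation
10.0.1.21,ws-reception,workstation
"""

# Constructed discovery results (ip, reported name), in the shape a simple
# network scanner or DHCP lease export would give a systems administrator.
DISCOVERED = [
    ("10.0.1.1", "core-router"),
    ("10.0.1.2", "access-switch-1"),    # network gear beyond the core switch
    ("10.0.1.10", "fileserver01"),
    ("10.0.1.11", "dc01"),
    ("10.0.1.20", "ws-accounting"),
    ("10.0.1.21", "ws-reception"),
    ("10.0.1.50", "HP-LaserJet"),       # printers rarely make the spreadsheet
    ("10.0.1.51", "scanner-frontdesk"),
    ("10.0.1.200", "TP-LINK-AP"),       # the router somebody brought from home
    ("10.0.2.5", "wap-warehouse"),      # a second network the spreadsheet omits
]


def load_inventory(csv_text):
    """Parse the inventory CSV into {ip: row}."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory, discovered):
    """Compare what was found on the network with what is written down.

    Returns a dict with:
      unknown    - discovered (ip, name) pairs absent from the inventory
      missing    - inventoried ips that were not seen (decommissioned or offline)
      undercount - fraction of discovered devices the inventory did not know about
    """
    inv_ips = set(inventory)
    seen_ips = {ip for ip, _ in discovered}
    unknown = sorted((ip, name) for ip, name in discovered if ip not in inv_ips)
    missing = sorted(inv_ips - seen_ips)
    undercount = len(unknown) / len(seen_ips) if seen_ips else 0.0
    return {"unknown": unknown, "missing": missing, "undercount": undercount}


def networks_in_use(discovered, prefix=24):
    """Distinct networks (assumed /24 here) that discovered devices sit on."""
    nets = {str(ipaddress.ip_interface(f"{ip}/{prefix}").network) for ip, _ in discovered}
    return sorted(nets)


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_CSV), DISCOVERED)
    print(f"Undercount: {result['undercount']:.0%} of devices on the wire were not inventoried")
    print("Found but not inventoried:")
    for ip, name in result["unknown"]:
        print(f"  {ip:12} {name}")
    print("Inventoried but not found:", ", ".join(result["missing"]) or "none")
    print("Networks in use:", ", ".join(networks_in_use(DISCOVERED)))
```

With the constructed data the inventory misses half of what is actually connected, and a second network shows up that the spreadsheet never mentioned; both are exactly the scoping gaps that cause an assessment to test less than what is really exposed.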

You are now a few days into getting an asset list in order. This is a solid investment with or without an assessment. You cannot protect what you don’t know about.

End of Step 1: What you know – The networks and devices in use and data that is stored, processed, and transmitted on the network.