Cyber threats and cyber risks

There are many sources of threats to a VMS, including business, technology, process and human attacks or failures. Threats take place over a lifecycle. The threat lifecycle, sometimes called the "cyber kill" or "cyber threat chain," was developed to describe the stages of advanced cyber threats.

Each stage in the threat lifecycle takes time. The amount of time for each stage is particular to the threat, or combination of threats, and its actors and targets.

The threat lifecycle is important for risk assessment because it shows where you can mitigate threats. The goal is to reduce the number of vulnerabilities, and to address them as early as possible. For example, discouraging an attacker who is probing a system for vulnerabilities can eliminate a threat.

Hardening puts in place actions that mitigate threats for each phase in the threat lifecycle. For example, during the reconnaissance phase an attacker scans to find open ports and determine the status of services that are related to the network and the VMS. To mitigate this, hardening guidance is to close unnecessary system ports in XProtect VMS and Windows configurations.

The risk and threat assessment process includes the following steps:

  • Identify information and security risks
  • Assess and prioritize risks
  • Implement policy, procedures, and technical solutions to mitigate these risks

The overall process of risk and threat assessment, and the implementation of security controls, is referred to as a risk management framework. This document refers to NIST security and privacy controls and other publications about risk management frameworks.

Cyber Risk Management Framework

The security and privacy controls in SP 800-53 Revision 5 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) are part of an overall risk management framework from NIST. The NIST document SP800-39 (https://csrc.nist.gov/publications/detail/sp/800-39/final) is a guide to applying a risk management framework. SP800-36 is a foundational document for the NIST Cybersecurity Framework, which is described in Cybersecurity Framework (https://www.nist.gov/cyberframework).

The figures here show:

  • An overview of the risk management process. It shows a high-level, overall approach.
  • Risk management at a business level, taking strategic and tactical considerations into account.
  • The lifecycle of a risk management framework, and the NIST documents that provides details for each of the steps in the lifecycle.

Security and privacy controls represent specific actions and recommendations to implement as part of a risk management process. It’s important that the process includes the assessment of the organization, the particular requirements of a given deployment, and the aggregation of these activities into a security plan. SP 800-18 Revision 1 (https://csrc.nist.gov/publications/detail/sp/800-18/rev-1/final) provides references for detailed security plans.

High-level view of risk management (SP 800-39, page 8 (https://csrc.nist.gov/publications/detail/sp/800-39/final))

The process is interactive, and responses and their outcomes are iterative. Security threats, risks, responses and results are dynamic and adapt, and as a result so must a security plan.

This diagram shows how a risk management framework considers IT systems, business processes, and the organization as a whole to find a balance for the security plan.

Balancing security and business goals (SP 800-39, page 9 (https://csrc.nist.gov/publications/detail/sp/800-39/final))

When hardening a system, you balance the impact on business productivity and usability for the sake of security, and vice versa, in the context of the services you deliver. Security guidance is not isolated from other business and IT activities.

For example, when a user enters their password incorrectly on three consecutive attempts, the password is blocked and they cannot access the system. The system is secure from brute-force attacks, but the unlucky user cannot use the device to do their work. A strong password policy that requires 30 character passwords, and changing passwords every 30 days is a best practice, but it’s also difficult to use.

Example of a risk management framework (SP 800-53 Rev 5, page 8 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final))

To document its risk management framework, NIST produced multiple special publications. It includes the following components:

  1. Categorization (identification of risk level)
  2. Selection of security and privacy controls
  3. Implementation
  4. Assessment of the effectiveness of security controls
  5. Creating an improved system security profile, and what’s called an Authority to Operate (ATO)
  6. Monitoring and evaluating through iterations

The risk management framework helps put a security plan and guidance in a security context.