What Threats Should Be Considered

One of the things that an assessor often runs across in an assessment is an inadequate risk assessment. It doesn't go far enough to address operational risk across the organization, and part of that comes from the fact that most of the entities we work with do not begin by considering threats across all potential threat sources. Luckily, we have an external source to work with. NIST Special Publication 800-30 offers us a table at the back, in Appendix D (Table D-2), which details examples of where threats can come from. This is a great place to start when considering threats within your own organization.

Some highlights of this include adversarial threats. These are the ones that are most commonly caught: individual threats from outsiders or from insiders within the organization. This is hackers or blackmailers. This is that internal person who's having a bad day and decides to delete the entire database. This is a privileged user who goes through and, like we saw in a recent event, turns off all of the traffic lights for a major city once they get fired. These are the things we know and that we deal with.

But what about your suppliers? What about your vendors? What about the third parties that provide key parts of your systems? And not just your information security systems, but the things that impact service delivery. Even your cleaning vendor may actually present a threat to your organization and should be addressed as a function of your risk assessment.

What about accidental threats? Things that happen just because people mess up and we're imperfect. If an administrator suddenly, accidentally, deleted your Active Directory (learn from my failures), that deletion wasn't on purpose, but how do we address the business disruption that is caused after the fact?

What about structural threats? The very way your company is built may represent key-man vulnerabilities, or key systems that, if they drop, go down, or are otherwise compromised, may leave you completely unable to deliver your good, service, or process.

What about environmental threats? Could you work in your office if the AC went out? That's a different answer depending on where you sit across the country. What about fire, flood, or civil unrest? We don't think about these things when we talk about information security, not often at first blush. But any threat to your organization's processes or to your ability to deliver your service should be considered. From the top to the bottom. From management, to administration, to the delivery person on the floor. From systems, to architecture, to just the environment in which you stand.