Security is evolving. That’s not news, but as it happens, not everyone can keep up with what it means. This is especially true for those who have embraced maturing their risk and security programs while still buying traditional assessments, which have become commoditized and are oftentimes not as valuable as they used to be. The definitions below are by no means final or even the most detailed, and they are an amalgamation of various sources. As we know, things can move in different directions quickly, but with that in mind, we’ve taken a little time to define a few terms that are growing in popularity.
- Risk: A risk is a chance of something bad happening. More technically, it’s the combination of the probability of an event (likelihood) and its consequence (or loss magnitude). The common equation is [Risk = Threat x Vulnerability x Impact – Controls], or some variation of that.
- Vulnerability: Any weakness that makes an information asset susceptible to exploitation by a threat. Also called a failing, a hole, or a problem area.
- Impact: The consequences of a risk, i.e., the disruption of a business process. This is usually a function of the timing and duration of a disruption, i.e., how severe, and for how long? And does it affect Confidentiality, Integrity and Availability (CIA)?
- Countermeasure: (also, Control or Safeguard) An action, process, device, or system that can prevent, or mitigate the effects of threats on a vulnerability. It’s something that diminishes the ability for a threat to act on a vulnerability.
- Threat: A potential cause of an unwanted impact to an asset, system or organization. (Technically, threat agents/actors and threat events are different things.) In security there is a focus on the adversary.
- Risk Management: The process of determining an acceptable level of perceived risk, assessing the current level of risk, taking steps to reduce risk to the acceptable level, and maintaining that level of risk.
- Security: The ability to protect information and organizational resources with respect to confidentiality, integrity, and availability.
- Privacy: Protection and proper (appropriate) use of anyone’s personal information that you hold. More formally, it is the proper collection (i.e., legitimate business need for the information), safeguarding, use, and ultimately destruction of personally identifiable information (PII).
- Maturity: The level of attainment of a final or desired state. Often this is measured by how well an organization can repeat and improve a formal process.
- Capability Maturity Model: A 1-5 ranking of increasingly organized, systematic and continuously improved processes, developed by the Software Engineering Institute.
- Resiliency: The ability to recover (quickly) from difficulties (breach, outage, etc.). It’s a trending term, as organizations cannot stop every attacker, so there is a need to detect and respond quickly.
- Loss Event Frequency: The number of times, within a given timeframe, that a loss event may occur. Also used for likelihood.
- (Probable) Loss Magnitude: The monetary impact of a loss event.
- Loss Threshold: The magnitude that must be exceeded for a certain reaction or result to occur. Practically, this would be used in a risk assessment to help determine acceptable risk.
- TCAP / Threat Capability: A risk variable that is intended to rank an adversary’s ability to successfully exploit an existing vulnerability, which then contributes to a breach event with associated losses.
- Adversarial Analysis: An investigation of the subset of threats that have a threat actor. Adversary analysis looks at the capability and motivation of an adversary, i.e., who could come after you, and what are their capabilities? This is about knowing your enemy.
- Adversary / Threat Agent Simulation: A simulated breach that compromises the confidentiality, availability and integrity of some asset. It emulates the tactics, techniques and procedures (TTPs) of a modern advanced adversary, i.e., this could be an advanced penetration test (internal, external, wireless, physical, etc.) or, more thoroughly, a red team exercise.
- Red Team: The opposing force in a simulated conflict. Within information security, a red team exercise is expanded penetration testing that better emulates real-world attacks. It typically integrates multiple testing strategies (including wireless attacks, physical attacks, spear-phishing of personnel, etc.) with more advanced tactics, techniques & procedures (TTPs), specialized malware, and the use of threat intelligence. Often there is a particular target or targets in mind.
- Blue Team: The defenders of the organization (against both real attackers and red teams).
- Purple Team: A purple team, as the name would suggest, is a hybrid cooperative combination of the red and blue teams working together to better evaluate and improve the adversarial detection and countermeasures for a better response. Assuming a breach, it demonstrates a variety of techniques, collaborating before, during, and after an incident to best help an organization detect, deflect, or deter an attack.
- Detection: The ability to identify an attack through multiple phases of a compromise. This is the foundation of any capability for reducing the damage inflicted during a breach. Detection systems include SIEMs, NAC rogue device detection, account change monitoring, suspicious command usage, user behavior analytics (UBA), etc.
- Deflection (also referred to as protection): The ability to build proactive measures that directly defend the network through preventative means. This would include Antivirus, Intrusion Detection/Prevention Systems, Network Access Controls, etc.
- Deterrence: To discourage an adversary from doing something. The implementation of patch management procedures and enforcement of complex password policies would be examples. This also includes creating paths of least resistance to bait an attacker into using a specific system or set of credentials in order to detect their activity. This is often done with Honeypots, HoneyTokens, and HoneyCreds.
- Attack Vector: The avenue or path that an attacker or threat may take.
- Attestation: To sign off on (attest to) the quality or accuracy of a report or statement. In PCI there is an Attestation of Compliance (AoC), which is a more formal, third-party validation that a Self-Assessment Questionnaire (SAQ) is compliant. Some companies prefer this to ensure they’ve done due diligence, and for marketing purposes.
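To show how Loss Event Frequency, (Probable) Loss Magnitude and Loss Threshold fit together in a risk assessment, here is an added example (not code from the original post or from TrustedSec). It assumes three-point (min / most likely / max) estimates for LEF and loss magnitude, a simplified annual loss of LEF x magnitude, and constructed, hypothetical figures; the `LossScenario`, `assess` and helper names are our own.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class LossScenario:
    """Three-point estimates for one loss scenario (constructed, hypothetical figures)."""
    lef_min: float    # Loss Event Frequency: events per year, low estimate
    lef_mode: float   # Loss Event Frequency: most likely estimate
    lef_max: float    # Loss Event Frequency: high estimate
    plm_min: float    # Probable Loss Magnitude per event (currency), low estimate
    plm_mode: float   # Probable Loss Magnitude per event, most likely estimate
    plm_max: float    # Probable Loss Magnitude per event, high estimate


def annual_loss_samples(scenario, n=10000, seed=1):
    """Simulate n years: annual loss = LEF x PLM, each drawn from a triangular
    distribution over its min / mode / max estimate (a deliberate simplification)."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        lef = rng.triangular(scenario.lef_min, scenario.lef_max, scenario.lef_mode)
        plm = rng.triangular(scenario.plm_min, scenario.plm_max, scenario.plm_mode)
        samples.append(lef * plm)
    return samples


def exceedance_probability(annual_losses, loss_threshold):
    """Fraction of simulated years whose loss exceeds the Loss Threshold."""
    over = sum(1 for loss in annual_losses if loss > loss_threshold)
    return over / len(annual_losses)


def percentile(values, p):
    """Nearest-rank percentile (p between 0 and 1) of a list of values."""
    ordered = sorted(values)
    index = max(0, min(len(ordered) - 1, math.ceil(p * len(ordered)) - 1))
    return ordered[index]


def assess(scenario, loss_threshold, n=10000, seed=1):
    """Summarize simulated exposure against the organization's Loss Threshold."""
    losses = annual_loss_samples(scenario, n, seed)
    return {
        "mean_annual_loss": sum(losses) / len(losses),
        "p90_annual_loss": percentile(losses, 0.9),
        "p_exceed_threshold": exceedance_probability(losses, loss_threshold),
    }


if __name__ == "__main__":
    # Constructed scenario: credential phishing leading to account takeover.
    scenario = LossScenario(lef_min=0.5, lef_mode=2, lef_max=6,
                            plm_min=10_000, plm_mode=40_000, plm_max=250_000)
    print(assess(scenario, loss_threshold=200_000))
```

A scenario whose probability of exceeding the threshold is above what management will accept is a candidate for additional countermeasures; re-running `assess` with revised LEF or magnitude estimates shows how much a control would need to move either variable.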
Looking for information on how the correct risk assessment can help your business or organization? Listen to our webinar “Ensuring Risk Assessments Have Business Value.”
Author: Stephen Marchewitz
Stephen has been in the security and risk industry for over 13 years and in IT for over 20 years. He has assisted companies in driving change to ensure clients are successful both in receiving value from products and services as well as managing the security and compliance risks of new projects and technologies. He’s served as an outsourced Chief Information Security Officer for a dozen different companies and consulted to some of the largest companies in the world. Prior to joining TrustedSec, Stephen was the Global Risk Practice Manager in the Digital Transformation Group at Cisco, President and Advisory Practice Lead for a leading information security firm for nine years, a Management Consultant with Ernst & Young, held Technology Management and sales positions with CA and Oracle, and developed new offerings in the insurance industry as an Underwriter and Program Director with Willis Coroon/Chubb in underwriting risk. He is dedicated to helping customers implement the right solutions and services that best meet their business needs, thus allowing them to achieve new levels of success.