ISO 27001 heavily uses risk assessments as part of the process of maintaining an Information Security Management System (ISMS). As part of the process, realistic threats to the company are listed, controls implemented, and effectiveness monitored. Below are some ideas for making risk assessments that work in everyday use, and larger ideas for company wide risk assessments.
Consider Other Industries Good Practises for Adoptable Ideas
When looking for good examples of risk assessment for ISO 27001 related processes, in order to improve your own process, consider non-IT organisations that use risk assessment. An example is the fire service. Upon attending the scene they don't stand around filling in a risk assessment before getting out the hoses, but when an incident commander arrives to assist the initial response, the incident commander takes a step back, collates information from what's happening and starts assessing the risks. The reason the fire service does this, is because they don't want firefighters becoming so focused on fighting the fire that they overlook an obvious danger, such as operating out of range of timely colleague support, or by walls in danger of collapse.
Core vocabulary for the fire service includes dynamic risk assessments (DA or DRA), and analytical risk assessment (ARA). Dynamic risk assessment , without getting too in depth, is essentially that in a time critical situation, if you are properly trained to access a type of incident, such as swift water rescue, you can decide on the spot using your training what risks to take to rescue a person in imminent danger. A good example of more strict analytical risk assessment can be seen from public exmaples of fire service documents; I've provided a small screenshot of one as fair use below:
So the above is a good example of a basic risk assessment for a new scenario that you can complete under pressure, whether it's coordinating fire crew teams or (with some slight alterations) as a busy project manager with a new IT project. The key points of the form are similar to all risk assessments: what hazards are there, what current controls do you have, what's the impact and likelihood and is the result higher than your acceptable risk appetite? If it is, what do you need to bring it back to an acceptable level? In short, keep the forms simple and avoid complexity where possible.
If it is not possible to reduce the risk to an acceptable level, it's time to take a decision: perhaps a fire officer might have to decide whether to commit two fire service staff to quickly drag a casualty out from a unstable structure that's potentially about to collapse further? In the IT world, is the business going to accept the higher risk of an immediate situation in order to be first to market with a product? If so, someone will own that risk.
Be More Adventurous with Considering Sources of Risk
At the more strategic level, companies sometimes don't think about what's a realistic threat from risk scenarios. Try and be broad minded. Try and think of new and inventive threats. Two good examples of sources not normally considered are nation state interference and terrorism.
More Likely: "Terrorism Related Activity" Less Likely: "Terrorist Attack"
Ask most companies if their risk assessment includes terrorism and they might talk about how they are considering putting in anti-ram bollards at the front of the reception building. Although possible, this isn't a realistic assessment of the threats from terrorism that an average company is likely to face (but might be useful if ram-raiding is a realistic threat in your industry or locale). Let’s break down what a terrorist group typically does:
- Recruitment: the group has to recruit others to its cause so that it has staff to perform the attack, spread propaganda, find financing and similar.
- Fund raising: the group has to raise funds, perhaps for travel, hardware and similar.
- Training: the personnel have to be trained.
- The actual attack.
The second bullet point, fund raising, is where the most likely contact will be with the average business (with some common sense assumptions). Terrorism funding in the past has typically revolved around fraud and blackmail/extortion.
It's well worth searching for and reading articles about historic arrests and reports about the fundraising and extortion activities involving terrorist groups. Well known examples include organisations threatening persons who originated from the troubled country, now living in Canada and Europe. This includes demanding that they transfer large sums from the victims businesses. Other detected activities included phishing campaigns to access bank accounts and fraudulent transfers through holding companies.
What does this mean? The most likely terrorism related activity you may see is blackmail of staff or fraudulent customer account activity. As such, if not already in place, consider strengthening controls to target that risk such as:
- Separation of duties, so that malicious activity by a staff member (such as when being blackmailed) would require approaching other staff for attempts to get staff to collude.
- Where you can't separate duties, log actions to locations the user can't affect, such that another team can monitor actions and detect unexpected behaviour.
- Enforced holidays, so that for some periods another person takes over duties, giving a chance to discover any irregularities that would otherwise not be noticed.
- Ensuring access rights reviews are flagging users with accidental accumulation of rights due to position changes.
- Building and improving detection methods for fraudulent activities on customer accounts.
- Ensuring systems use strong security, are fully patched, and that staff are trained to notice social engineering attempts and to report them.
What's Likely in Terms of Nation State Interference
Most companies just give up on this one and claim it's impossible (or the stuff of conspiracy theories) and therefore not worth considering. In addition a cynical person might state that a popular modern move is that when your company gets hacked you state that a nation state must have done it, which carried with it the idea that it was impossible to defend against and therefore no one in the company is guilty of negligence.
A major role of intelligence organisations is protecting the interests of their country. Whilst counter terrorism gains lots of press, a major portion of intelligence services work will always be political and industrial espionage, and there has been plenty of information released (leaked) over the past few years to give a realistic insight into how intelligence services are operating.
Why Would a Nation State be Interested in Us?
In a similar fashion to how nation states don't "hack everyone’s computer", nation states aren't going to "hack every company". It's prohibitively expensive and increases the risk of detection. The more companies are targeted, the greater the risk of any valuable not-yet-publicly-known exploits (zero days) used for the attack might be discovered and published, leading to the vulnerabilities being mitigated by vendors and political embarrassment . They might however take interest in you in specific circumstances (these suggestions are not exhaustive):
- If you are a communication service provider (such as email hosting, and instant messaging)
- If you provide internet search results
- If you provide internet connectivity or infrastructure
- If you create common software used by many others
- If you provide networked products to organisations
- If you provide networked products to domestic environments
- If you are a potential source of fraudulent income
- If you are a competitor to a domestic industry the government backs (an example being the allegations surrounding Airbus versus Boeing competitions )
If Your Company Provides Services to Users
With the exception of the last two entries, the target is third parties using your service. An important note is that political friendliness between companies is not relevant for the purposes of considering the above (governments are not a single person, and can be both friendly and malicious at the same time). An example if the US monitoring of UK mobile phones and landlines outside of the agreement under which the facility was provided to the US by the UK .
If you provide any form of service that centralises information about people, their communications or a service that links to their devices, then your service might be of interest to nation states, regardless of if your willingness to participate in that program. Whilst you may see your own government as benign (rightly or wrongly), the governments targeting your users may not be. Hence raise the bar to increase the expense any nation state would have to go, to attempt to monitor your users. Whilst nation states may have large resources, the hardening of the services you provide creates the need for them to have to deploy an expensive manual resource (such as a technician, or team of technicians, to research a user and break into their account) as opposed to the relatively cheap ability to monitor all your services users via automated means.
To expand on this, nation states have large but still not unlimited resources. A government employee devoted to watching each individual at all time just isn't sustainable. What is within the realms of possibility is to perform very basic monitoring of the major communications channels, such as with flags to denote potential targets of interest for manual review, and then closely monitor your biggest suspects.
An example would be keyword matching in phone text messages: not every text mentioning "bomb" in it will be of interest and there would be false positives, but it's enough so that the problem is no longer an impossible number of texts to be reviewed but more an interesting technical challenge to make the system more accurate such that the most suspicious texts matching specific selectors can be followed up with further review. An example is a case of UK person sending song lyrics which triggered an alert , which is a likely result of this. The monitoring would be phone-network wide as a fairly inexpensive facility, the alerted text would have matched an automated selector check, and would have gone for (more expensive) manual security analyst review. The police response was the labour intensive final step reserved for the most likely suspicious texts, with statements about the text message being sent to the wrong number likely being to reduce the damage of procedure exposure:
In a similar fashion, capturing all data traffic sent via major internet service providers in your country would be extremely expensive, but net flow monitoring of the same connections becomes just a reasonably large-budget project. A government don't need to hack each individuals computer – that would be time consuming (and hence expensive), and greatly increase the chances of detection – but you can flag potential targets using blanket monitoring so that a minor handful of targets then receive special (expensive but for a greatly reduced target set) treatment. So in short:
- Ensure communications protocols use strong encryption, implementing forward secrecy where possible.
- Ensure authentication mechanisms are strong.
- Penetration test your internet facing services and consider internal penetration tests (and ensure teams have time and resources to address the vulnerabilities found).
- Ensure passwords are stored hashed and salted, preferably using a hash that's designed for password storage. This way if an attacker obtains your password database, they can't easily obtain the account credentials and use them against other services.
- View the act of keeping stored user data as a risk, not solely as an asset.
If You Are Financial, or Involved in Large Contract Bidding
Consider if the organisation is providing a service or bidding for work that might attract nation state interference, such that inexpensive drag-net monitoring is overtaken by focused (more expensive) directed government attacks. If not already doing so, consider implementing or strengthening the following controls:
- Consider consciously shifting more business resources (financial and human) to security measures.
- Revisit threats that might have been deemed acceptable previously. For example the strength of protections of communications between datacentres, including private fibre optic lines .
- Consider in what country resources are hosted and what third party services are in use. These third parties will comply with legal orders in their country and they may not be permitted to tell you .
- Consider what access third party support companies have to your networks and how you can limit that access as much as possible .
- According to the risk level you face, add realistic threats which are now potentially likely; for instance the UK government takes the step of instructing staff to place phones in a soundproofed and metal box during meetings .
- If not already in place, ensure all laptops and removable drives are encrypted so that a snatch on a train or drive cloned in a hotel room will not yield information to an attacker. There are other attacks possible against encrypted devices however , so assess how exposed devices are and review laptop build and usage procedures based on the level of perceived risk.