To measure risk means to measure impact and likelihood (the threats you face):
(R = L * I) Risk = Likelihood * Impact
So what does that mean? Which threats apply to your environment, and what effect would each one have if it materialized? Answering those two questions gives you the true impact of a problem and tells you how much risk you really carry.
(Above image was copied from @ipfconline1 twitter images)
So let's assume these are the major threats and major concerns (from the image):
- Unauthorized Access 53%
- Hijacking Accounts 44%
- Insecure interfaces / APIs 39%
- External sharing of data
- Data Loss/leakage 49%
- Data Privacy 46%
- Confidentiality 42%
- Legal and regulatory compliance 39%
The threat (its likelihood) is one portion of risk; the impact is the other.
The idea is to look at all of the threats coming at you and decide where you should spend your time.
The problem with this methodology is that you need a decent understanding of both the impact and the likelihood of each threat, and some of these items also have to be taken in context.
If you have 100 computers all running Windows (a mix of 7, 8, 10 and Server versions), then a single Windows vulnerability such as MS17-010 is not equally dangerous on every one of them: machines that are already patched, or on which the vulnerable service cannot be reached, carry far less likelihood.
But what if a virus/trojan exploited it and infected 20 of those computers? Now the impact is much higher, so the risk to your organization from a relatively minor Microsoft vulnerability is higher too.
So one thing you will find is that even minor vulnerabilities can grow into major problems; what matters is the potential effect of an exploited vulnerability in your environment. Every month new patches are released, and at the same time criminal hackers are studying those patches to build exploits for the bugs they fix.
Unfortunately every vulnerability has an attack timeline: once a patch or advisory is public, the window before a working exploit is in the wild is limited, and any host still unpatched after that point stays exposed.
Here is the crux of the issue: what is the impact of each separate vulnerability to your environment? As criminals develop better attacks you have to keep the threats in mind and patch properly in order to defend your network.
By performing an audit of your environment and reviewing impact and likelihood for each threat, you should be able to evaluate your risk properly.
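To make the Likelihood * Impact arithmetic concrete across an inventory, here is an added example that is not code from the original post. It scores one vulnerability against a small constructed host list: likelihood per host depends on whether the host is affected, patched and reachable, impact is a criticality weight, and organizational risk is the sum over hosts. It also shows the "20 infected machines" effect from the text by recomputing risk once a wormable bug has a foothold, and it ranks hosts so you can see where patching time should go first. The host names, the vulnerability record, the affected-OS list and every scoring weight are assumptions chosen for illustration; replace them with your own audit data.

```python
"""Risk = Likelihood * Impact worked over a constructed host inventory.

Added example, not code from the original post. Hosts, the vulnerability
record and all weights below are made-up assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patched: bool       # has the fix for this vulnerability been applied?
    exposed: bool       # is the vulnerable service reachable from an untrusted network?
    criticality: int    # impact weight, 1 (lab box) .. 5 (domain controller)


@dataclass(frozen=True)
class Vulnerability:
    ident: str
    affected_os: frozenset   # OS names this bug applies to
    exploit_public: bool     # a working exploit is available to attackers
    wormable: bool           # one compromised host can attack the others itself


def likelihood_pct(host: Host, vuln: Vulnerability) -> int:
    """Likelihood (0..100) that `vuln` gets exploited on `host`.

    Assumed weights: a vulnerable but unreachable host starts at 30,
    network exposure adds 40, a public exploit adds 30, capped at 100.
    Patched or unaffected hosts have no likelihood at all.
    """
    if host.os not in vuln.affected_os or host.patched:
        return 0
    score = 30
    if host.exposed:
        score += 40
    if vuln.exploit_public:
        score += 30
    return min(score, 100)


def host_risk(host: Host, vuln: Vulnerability) -> int:
    """R = L * I for one host: likelihood percent times criticality."""
    return likelihood_pct(host, vuln) * host.criticality


def org_risk(hosts, vuln: Vulnerability) -> int:
    """The organization's risk from `vuln` is the sum over all its hosts."""
    return sum(host_risk(h, vuln) for h in hosts)


def rank_hosts(hosts, vuln: Vulnerability):
    """Hosts ordered by descending risk: where patching time should go first."""
    return sorted(hosts, key=lambda h: host_risk(h, vuln), reverse=True)


def patch_plan(hosts, vuln: Vulnerability, budget: int):
    """Choose the `budget` riskiest hosts to patch now.

    Returns (names to patch, organizational risk left after patching them).
    """
    chosen = [h for h in rank_hosts(hosts, vuln)[:budget] if host_risk(h, vuln) > 0]
    names = [h.name for h in chosen]
    after = [replace(h, patched=True) if h.name in names else h for h in hosts]
    return names, org_risk(after, vuln)


def org_risk_after_foothold(hosts, vuln: Vulnerability) -> int:
    """Risk once an attacker already controls one internal host.

    For a wormable bug every unpatched host is now reachable from the
    inside, so the 'not exposed' discount disappears: this is how a
    'minor' vulnerability on many machines turns into a major problem.
    """
    if not vuln.wormable:
        return org_risk(hosts, vuln)
    return org_risk([replace(h, exposed=True) for h in hosts], vuln)


# Constructed sample data (assumptions, not a real inventory).
SMB_BUG = Vulnerability(
    ident="MS17-010",
    affected_os=frozenset({"Windows 7", "Windows 8", "Windows 10",
                           "Windows Server 2008", "Windows Server 2012"}),
    exploit_public=True,
    wormable=True,
)

HOSTS = [
    Host("dc01", "Windows Server 2012", patched=False, exposed=False, criticality=5),
    Host("web01", "Windows Server 2008", patched=False, exposed=True, criticality=4),
    Host("ws-a", "Windows 7", patched=False, exposed=False, criticality=2),
    Host("ws-b", "Windows 10", patched=True, exposed=False, criticality=2),
    Host("ws-c", "Windows 8", patched=False, exposed=True, criticality=1),
    Host("lab01", "Ubuntu 16.04", patched=False, exposed=True, criticality=1),
]

if __name__ == "__main__":
    for h in rank_hosts(HOSTS, SMB_BUG):
        print(f"{h.name:6} L={likelihood_pct(h, SMB_BUG):3d}% "
              f"I={h.criticality} R={host_risk(h, SMB_BUG)}")
    print("org risk now:", org_risk(HOSTS, SMB_BUG))
    print("org risk once a worm has a foothold:", org_risk_after_foothold(HOSTS, SMB_BUG))
    print("patch first (budget 2):", patch_plan(HOSTS, SMB_BUG, budget=2))
```

Running it ranks the exposed web server ahead of the unexposed domain controller, shows the organizational score jumping once the bug is assumed to spread internally, and shows how much risk is removed by patching only the top two hosts. The scores are relative, not probabilities; what the exercise buys you is a defensible ordering of where to spend patching effort, which is the point of the R = L * I view.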
Contact Us to help you with this process.