The landscape of IT risk
Within Information Technology (IT) there was meant to be a common language, but that is far from being achieved. The language used by developers, service managers, Information Security and data centre experts remains different. Each uses its own terminology, and risk managers have their own version too. It is often noted that IT and the business see things from different perspectives, and this is exacerbated by the silos within IT itself.
Risk, as far as IT is concerned, has typically always been about dealing with threats and is invariably centred on technology. The first problem is that this approach lacks balance: often only the negative is highlighted without the positive being acknowledged. The impression may be that a situation in IT is in dire straits when in reality it is not. In most cases a SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis is used to achieve a balanced view, but this tends to be subjective.
The second problem is that the IT landscape is more than just technology; it is also about people and processes. Risk management needs to deal with the latter two as well as technology, otherwise only a selective view of the risks is presented.
In many organisations, Information Security tends to be an island. Attention is heavily focused on security breaches and crime. All security professionals preach the attributes of confidentiality, integrity and availability. However, most of the time is spent on confidentiality, which is about information and services being accessible only to those who are authorised. Very few actually address integrity (safeguarding the accuracy and completeness of information and services) or availability (authorised customers having access to information and services when required). Drawn as a matrix, the three attributes (confidentiality, integrity, availability) form one axis and the three parts of the landscape (people, processes, technology) the other:

Taken in context, the overall landscape is therefore nine blocks, much like a noughts and crosses grid. In the scenario above only one block (confidentiality of technology) is used, which means that 89% of the landscape is never addressed. Further, only half of that block might be covered, as only the negative is addressed and not the positive.
Each of these blocks should have identified threats. Optimally, these threats can be verified against a knowledge base, which provides a source of information and ensures that threats unknown to the person doing the assessment are also taken into account.
The risk of a threat is the product of its impact and its probability. The impact is the consequence and the probability is the likelihood, or vulnerability. The resulting risk is analysed to determine its rating on a scale from low to high. A decision is then made on the risk, ranging from addressing it to ignoring it; all are valid decisions if they are made with knowledge. Often the risks are addressed with valid controls that are underpinned by suitable countermeasures.
The above methodology broadly describes a standardised approach to assessing risk within IT. This is crucial when assessing the consequences of a major incident. It can be used in the reporting and analysis component of the major incident process to provide a balanced risk assessment of the crisis that has occurred. The method leans heavily on CRAMM but has been simplified for rapid use. CRAMM (CCTA Risk Analysis and Management Method) is a risk management methodology that uses an automated tool based on qualitative risk assessment methodologies. It is applied by working through the stages of a CRAMM review: asset identification and valuation, threat and vulnerability assessment, and countermeasure recommendation. CRAMM is a comprehensive and flexible tool, especially for justifying prioritised countermeasures at a managerial level. However, it typically requires qualified and experienced practitioners, whereas the tool and method described here are much simpler.
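The following is an added illustration of the rapid method described above, written for this page and not the tool offered by DS or the CRAMM method itself. It lays out the nine blocks (confidentiality, integrity, availability against people, process, technology), records threats and, for balance, opportunities in each block, computes risk as impact times probability, maps the product onto a low/medium/high rating and reports how much of the landscape an assessment actually covers. The 1..5 scales, the rating thresholds and the sample registers are all assumptions constructed for the example.

```python
"""Rapid risk assessment over the nine-block IT landscape.
Added illustration; scales, thresholds and sample data are assumptions."""
from dataclasses import dataclass
from itertools import product

ATTRIBUTES = ("confidentiality", "integrity", "availability")
DOMAINS = ("people", "process", "technology")
BLOCKS = tuple(product(ATTRIBUTES, DOMAINS))  # the nine blocks of the grid


@dataclass(frozen=True)
class Entry:
    """One identified threat (negative) or opportunity (positive) in a block."""
    name: str
    impact: int        # consequence, 1 (negligible) .. 5 (severe); assumed scale
    probability: int   # likelihood/vulnerability, 1 (rare) .. 5 (almost certain)
    positive: bool = False

    def __post_init__(self):
        for value in (self.impact, self.probability):
            if not 1 <= value <= 5:
                raise ValueError("impact and probability must be in 1..5")

    @property
    def risk(self) -> int:
        # Risk is the product of impact and probability (1..25).
        return self.impact * self.probability


def rating(score: int) -> str:
    """Map a risk product onto the low..high scale (thresholds are assumptions)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register: dict) -> dict:
    """register maps (attribute, domain) -> list of Entry.
    Returns the worst rating per block plus coverage and balance metrics."""
    blocks = {}
    for block in BLOCKS:
        entries = register.get(block, [])
        threats = [e for e in entries if not e.positive]
        worst = max((t.risk for t in threats), default=0)
        blocks[block] = {
            "threats": len(threats),
            "opportunities": len(entries) - len(threats),
            "worst_risk": worst,
            "rating": rating(worst) if threats else "not assessed",
        }
    assessed = [b for b in BLOCKS if register.get(b)]
    # A block is balanced only when both the negative and the positive are recorded.
    balanced = [b for b in assessed
                if blocks[b]["threats"] and blocks[b]["opportunities"]]
    return {
        "blocks": blocks,
        "coverage_pct": round(100 * len(assessed) / len(BLOCKS)),
        "unaddressed_pct": round(100 * (len(BLOCKS) - len(assessed)) / len(BLOCKS)),
        "balanced_blocks": len(balanced),
    }


# Constructed sample: the narrow view the text criticises, where only the
# confidentiality of technology is assessed, and only its negative side.
NARROW = {
    ("confidentiality", "technology"): [Entry("unpatched perimeter device", 4, 4)],
}

# Constructed sample spanning several blocks, with opportunities recorded too.
BROAD = {
    ("confidentiality", "technology"): [Entry("unpatched perimeter device", 4, 4),
                                        Entry("MFA rollout completed", 3, 4, positive=True)],
    ("integrity", "process"): [Entry("no change approval for config edits", 3, 3)],
    ("availability", "people"): [Entry("single on-call engineer", 5, 2),
                                 Entry("cross-training plan funded", 2, 3, positive=True)],
}

if __name__ == "__main__":
    for label, reg in (("narrow", NARROW), ("broad", BROAD)):
        report = assess(reg)
        print(f"{label}: {report['coverage_pct']}% covered, "
              f"{report['unaddressed_pct']}% unaddressed, "
              f"{report['balanced_blocks']} balanced block(s)")
        for block, info in report["blocks"].items():
            if info["rating"] != "not assessed":
                print("  ", "/".join(block), info["rating"], info["worst_risk"])
```

Run against the narrow register the report shows one block assessed and 89% of the landscape unaddressed, which is the figure the text arrives at; the broad register shows why recording the positive side matters, since only blocks with both a threat and an opportunity count as balanced.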
A tool is available from ds.co.za under the Resources menu to perform a rapid risk assessment suitable for projects and major incidents within the IT landscape. Direct link here.  Furthermore, DS is able to assist in providing consulting and training with respect to the major incident process.

Popular posts from this blog

Using OPENDNS on a Mikrotik

At the office we use a Mikrotik which is connected via fibre to Cool Ideas. We use OpenDNS as an Information Security tool. It prevents ransomware and bots from becoming major incidents within the office.

The router is scheduled to do a daily update via script of the OpenDNS settings.  Below is the example:

# OpenDNS account credentials and the network label registered with OpenDNS
# (replace with your own; never leave real credentials in a shared script)
:local opendnsuser "user@domain.co.za";
:local opendnspass "itsprivate";
:local opendnshost "office";

:log info "OpenDNS Update";
:local url "https://updates.opendns.com/nic/update";
# \3F is the RouterOS hex escape for the "?" that begins the query string
/tool fetch url=($url . "\3Fhostname=$opendnshost") user=("$opendnsuser") password=("$opendnspass") mode=https dst-path=opendnsupdate.txt
# Read the server's response back from the saved file and record it in the log
:local opendnsresult [/file get opendnsupdate.txt contents];
:log info "OpenDNS: Host $opendnshost - $opendnsresult";

The Hours of WannaCry from the Cisco Umbrella Blog

In the span of just 10 days, two large-scale, wormable attacks grabbed international headlines. First, a phishing campaign posing as a Google Docs sharing request gained access to Google accounts then spread across its victim’s contacts, and now, a ransomware campaign with a bite, named WannaCry, autonomously infected vulnerable systems leveraging an exploit leaked on the internet. In the early minutes of the attack, we worked with our Talos counterparts to analyse the behaviour of WannaCry and protect our customers. We were also particularly proud to see that our Investigate product helped MalwareTech reduce WannaCry’s impact. In this post, we hope to give you a retrospective analysis of what we’ve observed during the first critical hours of the event. 
Read more here.

PUE: to compare is human – to improve is divine (part of the DS PUE series of articles)

Yes, I know – it’s an inadequate distortion of an old, clichéd proverb. Yet, I say this too often in client meetings and peer discussions, “Don’t compare the PUE (Power Usage Effectiveness) of your data centre to that of another because it’s a pointless exercise.” - Lee Smith. Read the article here about Power Usage Effectiveness (PUE) in data centres on our website.