Regardless of its size, every company relies on technology every day: email accounts, IP cameras, routers, computers… All of this makes work simpler and more agile. Still, technology is not always completely secure, and cybercriminals know this and take advantage of it.
With the advancement of technology, attack methods have evolved. Although there is no way to be 100% protected, we need to know the vulnerabilities of the technological devices, hardware, and software that we use and thus minimize the risks.
Know Your Assets and Their Threats
The first thing is to carry out an inventory of assets. To do this, we will look at the company’s main activity. Thus, we will be able to identify those systems or services that are critical; that is, those that, if they fail, paralyze our activity, such as email, CRM, some production or logistics processes, etc.
These will depend on the company, and we will also include outsourced assets. Regarding risk analysis, for each asset, we will calculate its replacement cost in the event of loss or failure. We will also identify interrelationships and dependencies between them; if one failed, how would it affect others?
To have an inventory adapted to cybersecurity, we will indicate the criticality, grouping by service, system, or type of information handled, or analyze how an asset failure affects the security parameters, that is, the integrity, availability, and confidentiality that we need for that service.
After creating this inventory of assets, it is necessary to determine who is responsible for each asset; that is, the person or group of people who will be in charge of applying security controls to it.
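The inventory described above can be kept as structured data so that the "if one failed, how would it affect others?" question is answered mechanically. The following Python sketch is an added example, not part of the original article; the asset names, owners, costs and the L/M/H scale for confidentiality, integrity and availability are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    owner: str             # person or group applying the security controls
    critical: bool         # True if its failure paralyzes the activity
    replacement_cost: int  # cost of replacing it after loss or failure
    cia: str               # needed confidentiality/integrity/availability, L/M/H each (assumed scale)
    depends_on: list = field(default_factory=list)
    outsourced: bool = False

# Constructed sample inventory; names, owners and costs are illustrative.
INVENTORY = [
    Asset("router", "IT", False, 400, "LMH"),
    Asset("db-server", "IT", False, 3000, "HHH", ["router"]),
    Asset("email", "IT", True, 1200, "HMH", ["router"], outsourced=True),
    Asset("crm", "Sales", True, 5000, "HHM", ["router", "db-server"]),
    Asset("ip-camera", "", False, 150, "MLL", ["router"]),
]

def affected_by(inventory, failed):
    """Names of every asset that depends, directly or transitively, on `failed`."""
    dependents = {}
    for asset in inventory:
        for dep in asset.depends_on:
            dependents.setdefault(dep, []).append(asset.name)
    seen, stack = set(), [failed]
    while stack:  # `seen` also guards against circular dependencies
        for name in dependents.get(stack.pop(), []):
            if name not in seen:
                seen.add(name)
                stack.append(name)
    return seen

def failure_report(inventory, failed):
    """What a failure of `failed` costs and which critical services stop."""
    by_name = {a.name: a for a in inventory}
    down = affected_by(inventory, failed) | {failed}
    return {"owner": by_name[failed].owner,
            "replacement_cost": by_name[failed].replacement_cost,
            "critical_down": sorted(n for n in down if by_name[n].critical)}

def inventory_gaps(inventory):
    """Entries that cannot be acted on: no owner, or a dependency not inventoried."""
    names = {a.name for a in inventory}
    gaps = [f"{a.name}: no owner" for a in inventory if not a.owner]
    gaps += [f"{a.name}: unknown dependency {d}"
             for a in inventory for d in a.depends_on if d not in names]
    return gaps
```

In this sample the router is not marked critical itself, yet its failure takes down both critical services, which is the kind of dependency the inventory is meant to expose.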
But What Are Vulnerabilities?
Vulnerabilities are weaknesses in our assets that will allow threats to become incidents. If vulnerabilities exist, the potential damage of threats to assets increases. Technological assets are not exempt from having vulnerabilities, that is, failures by design or in their deployment or use.
In design vulnerabilities, those that come with the product or service, it is up to the manufacturer or developer to release the patch, so we will watch for these corrections in the technical support services or security alerts of the manufacturer or distributor so that, as soon as the patch comes out, we can install it.
The vulnerabilities that have to do with the deployment and configuration are those that would not occur or would be mitigated by following good practices; for example, creating a DMZ to isolate services that need to be accessible from the internet or setting up Wi-Fi security.
The vulnerabilities that have to do with the use of hardware and software are mitigated with policies that define the correct use of equipment and programs, for example, a password policy, use of external devices, cloud services, mobility, etc.
It is essential to know the vulnerabilities of our assets. To do this, we can search for the ones published by manufacturer and product on this INCIBE-CERT page or go to the pages of international reference organizations, such as the NVD.
Once we know the vulnerabilities that exist, we will have to set a plan to correct them in critical assets, at least the most severe, which are the easiest for cybercriminals to exploit.
How Does This Affect Risk?
In security, it is impossible to protect everything against all threats; we have to strike a balance and know where to invest to achieve excellent protection, assessing risks and managing them. To achieve balance, we must prioritize, which is only possible by knowing the risk formula.
Impact or consequence: The value of our asset or what it would cost us to replace the damage caused by the threat if it were to materialize.
Risk: The probability of a security incident occurring. As the risk is nothing more than a probability, it can be measured. It is usually quantified with a number between 0 and 1 or a percentage.