So far in this book, you’ve learned what cybersecurity is, why black hats want to steal your data, how adversaries attack your systems in various ways, and what you can do to stop specific types of attacks. You should have a good idea of the threats you might face across various landscapes, such as your networks, social media, email, and more. However, as you’ve probably guessed by now, quality security can’t be reactive. If you wait for an attack to happen before trying to prevent it, you’ve already lost. It’s like playing a game of Whac-A-Mole: you might hit one mole, but unless you fix all the holes, another mole will pop up soon enough.

To have truly effective security, you need to build it from the ground up. That means starting with a plan that details how you’ll create, maintain, and update your security at the outset. In this chapter, you’ll learn how to create a security plan that is proactive, putting all the elements you’ve learned so far into action. At the end, you’ll create a custom plan to protect a house, school, business, or any other entity. Practicing how to create a security plan will help you connect everything you’ve learned about in this book. By the end of this chapter, you’ll be ready to start developing a security strategy as a major element of any undertaking at work or at home.

What’s the Worst That Could Happen?

When you’re beginning any sort of security plan or even just thinking about security in general, you should always start by envisioning the worst-case scenario. Indeed, security people are often characterized as pessimists because they’re constantly considering what could go wrong in any given situation, often to a degree that might seem unnecessary. But it’s this type of thinking that will help you understand where your system’s threats are and the risks it faces. You can only solve a problem once you identify what it involves. To start, you need to know the difference between a risk and a threat.

At first glance, risks and threats seem to have the same meaning in that they can both wreak havoc with your system or your organization. In theory, they both indicate ways your organization can be attacked or damaged. But in practice, risks and threats are distinct issues, and you must mitigate them in different ways.

Risks

A risk generally occurs because of something you do. You can think of a risk as the possibility that a dangerous event could happen as a result of a person or organization’s actions. For example, consider getting out of bed in the morning. There is a risk that you’ll twist your ankle and fall on the floor. There’s a risk you’ll step on a LEGO and hurt the bottom of your foot. There’s even a risk that a grizzly bear will jump out of your closet and attack you as soon you get up. Now, you might think, there is no way a grizzly bear will be in my closet. You might not even live near where grizzly bears are known to roam. But that doesn’t mean that it’s impossible. It just means it’s not very likely. In cybersecurity, there is no such thing as a risk-free action.

We calculate risk by multiplying the likelihood of an event by the impact of that event. Let’s return to the getting out of bed example. What’s the likelihood that you’ll step on a LEGO piece when you get out of bed? If you have young children, the likelihood increases. If they own LEGO sets or have friends who do, the likelihood increases even more. If they play with LEGO bricks in your bedroom, it increases even further. But what is the impact? A hurt foot, yes, but probably nothing more than some short-term pain. If you combine the likelihood with the impact, you might be looking at a moderate risk that you will step on a LEGO brick. This risk is high enough to make you check around your bed before you go to sleep but not enough to ban LEGO within 200 yards of your house.

It helps to use numbers when calculating risk to give you an idea of how some risks compare to others. Although there are formal ways to measure risk, such as by the amount of money a risk will cost if realized, you don’t have to use a standard. For example, you could choose a number between 1 and 5 to measure the likelihood and the impact. In the example of the grizzly bear in your closet, you might rate the likelihood as 1 because the possibility is extremely low. However, the impact of a grizzly bear attack would be severe, so you might rate the impact as 5. Multiplying these two ratings results in a total risk of 5.

Although a 5 rating might seem high, it can get a lot higher. Let’s look at the risk of stepping on a piece of LEGO. If you have a lot of LEGO bricks in your house, the likelihood of one being near your bed is probably a 3. But the impact is a bit lower than a grizzly bear attack; let’s say a 3 as well (I mean, it does really hurt to step on a LEGO piece). So the risk total is 9. That’s almost double the risk of the grizzly bear attack!

Table 10-1 provides a breakdown of these calculations.

After you rate each risk, you must then determine how you’ll handle that risk. When you discover a risk, you should always deal with it immediately. Take special note of a legal term called due diligence, which means to do what a prudent man would do. Essentially, if you know something is a risk, don’t ignore it, or you could be held legally responsible should the risk be realized.

That said, there are several ways you can deal with risk:

1. Avoid the risk Don’t do the act that causes the risk. If you don’t get out of bed, you won’t step on a piece of LEGO.
2. Transfer the risk Give ownership of the risk to another group or entity. Usually, this relates to insurance. For example, if there’s a chance your house might flood, you can transfer that risk by buying flood insurance. Then, if the risk is realized, the insurance company must handle it by paying for the damage.
3. Mitigate the risk Do something that reduces the impact or likelihood of the risk to an acceptable level. For example, if you look around your bed for loose LEGO bricks before you go to sleep or make a rule banning them from the bedroom, you’re mitigating the risk of stepping on them.
4. Accept the risk Accept that a bad event might happen. This is usually only done when either the impact or the likelihood of the risk is so low that it’s not worth the time to try and mitigate it. For example, the likelihood of a bear attack in my bedroom is so low, there’s no reason to take precautions against it.

Let’s consider these options in a cybersecurity context. For instance, think about the risk that one of your employees might click a link in a phishing email. This is a definite risk, given that nearly every business uses email in some manner. As you learned in Chapter 3, you can also regard this risk as having a high impact, especially if the victim downloads malware or provides the attacker with their credentials.

It’s probably unreasonable to avoid this risk, because eliminating email entirely isn’t a viable option for most businesses. You could transfer the risk somewhat by buying cybersecurity insurance, but this likely won’t cover the entire impact of the risk if realized. You can’t accept the risk either, because the impact of a realized event could be so devastating, it might shut down your business. In this case, the best option is to mitigate the risk by setting up spam filters and training your employees to recognize phishing attempts.

Often, managing risk isn’t this cut and dried; many factors go into deciding the likelihood, impact, and strategy for dealing with risks. However, even thinking about risk in simple terms, as they’re described here, can help you better understand the problems you might encounter.

Threats

A threat is a negative impact on a system, person, or organization. In other words, a threat is the impetus that causes bad events to happen. In the getting out of bed example, the threats are the factors that might cause you harm. In the LEGO and bear attack situations, the threat is obvious. But in the twisted ankle scenario, identifying the threat can be tricky, because it depends on what might cause you to twist your ankle. If it’s a misplaced shoe, that shoe is the threat. If it’s just your own clumsiness, well, then you’re the threat (or, at least, the part of your brain controlling your movement is).

Threats come in all shapes and sizes. They don’t necessarily have to be malicious or even conscious. For example, buildings are constantly faced with the threat that they might catch fire and burn down. But human or not, we call the agent that brings about the threat a threat actor. The distinction between threat and threat actor might seem silly to make, but it becomes important when you’re involved in threat management; managing a threat is much easier than managing a threat actor.

For example, say you’re managing the threat that your employees will click a phishing link. You might think that the threat actor is the attacker who sent the email, but that is only partially true. The employees are potential threat actors, too, because they’re the ones clicking the link to activate it. Because you can’t eliminate the threat actor (what’s a business without employees?), you need to reduce the threat through training and spam filters.

To better handle threats, it helps to categorize them. Doing so can give you a better idea of how to eliminate them from your environment. Table 10-2 shows a popular cybersecurity threat classification scheme known as STRIDE, which Microsoft created. The mnemonic represents six types of security threats: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privileges. Essentially, all cybersecurity attacks can be grouped into one of these threat categories. In fact, you’ll probably recognize most of these threats as various attacks from the earlier chapters in this book.

By classifying attacks into categories, you can get a general idea of how they work or at least what their goals might be. For example, if I told you about a new attack called Sparkle Kitten Bite, you’d have no idea what to do about it. But if I told you about a new elevation of privileges threat called Sparkle Kitten Bite, you’d at least understand that the attack was attempting to access accounts it wasn’t supposed to, most likely to execute commands in a privileged environment.

Controls

Categorizing threats and threat actors also helps you choose the best control, which attempts to either prevent or mitigate a threat. By now, you should have a good idea of the different types of controls used to stop various attacks. For example, you know that a DoS attack can be prevented by using redundant systems or by filtering the traffic before it gets to its target (as discussed in Chapter 6). Similarly, you know the best way to defeat a brute-force attack is to make a password so complex it would take too long for even a computer to guess it (as discussed in Chapters 5 and 9).

As with categories of threats, there are categories of controls that can help you decide which best fits your situation. For risk management, we generally categorize a control by how it attempts to protect a target from a threat. The five control categories are Administrative, Preventative, Detective, Compensating, and Corrective. Table 10-3 lists these categories as well as their purposes and examples of each.

Let’s consider how to deploy these controls in a real-world scenario. Preventative controls are self-explanatory. For example, a firewall prevents unwanted activity by blocking the connections its rules are set to deny. On the other hand, Detective controls usually provide a means to discover malicious activity after it has occurred, such as when you review login logs to determine whether an adversary broke into your server.

Compensating controls bulk up another control to make it more secure. Encryption is a great example of a Compensating control: if another control fails—for example, an authentication control used to protect a database—an attacker still won’t be able to read the data. Corrective controls fix a flaw found in another control. For instance, patching a system after discovering a critical flaw is a Corrective control.

Administrative controls provide guidance to an organization on how to implement security. A good example of an Administrative control is a procedure for setting up computers for new employees. If you document the steps involved, you’ll ensure that it’s done the same way every time and that the correct security configurations are always put in place. Administrative controls often dictate how other controls should be set up and maintained.

Understanding risk, threats, and controls helps you handle the problems you or your organization might confront, especially those that adversaries create. But knowledge of these aspects is only one part of the process. You must also make sure you’re doing your due diligence, which involves dealing with all threats and maintaining your controls. This is where a risk management program can be a major benefit.

Risk Management Programs

Managing risk can be complicated, because it requires juggling several aspects of cybersecurity at once. Not only do you have to address the threats, but you also have to maintain the control you’ve implemented. In addition, as a cybersecurity professional, you’ll be called on to answer questions about your organization’s security. You’ll have to explain to people with various levels of technical aptitude why certain risks need to be addressed and how the control you’ve chosen will address them. This requires having a full grasp of your organization’s security at all times. It’s no small task indeed.

A good risk management program can be a lifesaver. The purpose of a risk management program is to track your company’s risk, the threats related to it, and the controls you’re using to address it. Ideally, a risk management program will be flexible enough that you can continuously update it as changes happen within your environment. You should be able to add and remove controls as new risks emerge and resolved risks are no longer a concern. The program should also provide a template to use when you need to address the risk associated with one-time projects, such as major equipment upgrades or the opening of a new building.

To manage all of these activities, you need to use a special tool called a risk register, which is a system for documenting all the risks you’re currently tracking. Think of it as an assignment organizer, like you might have used in school. You can use it to track the risk, how you’re dealing with it, and the controls you’re using to address it. The program can also be an efficient way to track risks that you haven’t yet dealt with or controls that aren’t fully implemented.

A risk register can be a complex piece of software that provides detailed status information, but you can also use a simple spreadsheet as a risk register. In fact, it’s better to use a spreadsheet than nothing at all. Keep in mind that the point of risk management is to track how you’re managing risk, which, at the very least, is necessary to meet the due diligence requirements often mandated by law. Figure 10-1 shows an example of a spreadsheet created to track risk. Let’s discuss each section in more detail.

The first two columns track the organization’s risks and threats. Remember that risk occurs based on what we do, whereas threats are events that happen to us. In this example, because Sparkle Kitten Inc. uses email, it risks its email system being compromised. In particular, the concern is the threat of phishing attacks sent by black hats, as noted in the Threat column.

Risk registers don’t always track risks and threats, but doing so can help distinguish between the ways a risk can be realized. For example, loss of data from your servers is always a risk when you’re storing information. But notice that two different threats have been listed for this in the risk register, and they have two different outcomes based on their likelihood and impact.

The risk scores can help us determine which risks we need to address immediately and which we can move to the back burner. This risk register shows that loss of data from servers because of malware has the highest risk score. Therefore, we should address it first, because if that risk is realized, it’s likely to be the most detrimental. The next two columns detail how we’re addressing that risk and which control we used to address it. In the case of loss of data from servers due to malware, we mitigate the risk by using the control of anti-malware software, which we hope will detect and prevent the malware from destroying our backups.

The next three columns list the state of the control that we chose to address the risk. For example, you can see that the anti-malware software was implemented on 5/20/2020. The control owner, Cheryl, is in charge of maintaining and checking that control to make sure it still adequately meets our needs. These columns also indicate what we still have to do. Notice that, although we decided to transfer the risk of our kittens losing their fluffiness by purchasing kitten insurance, we’ve not yet implemented this control. It will be up to Ted to buy kitten insurance for the organization. Once he does so, he’ll update the register and include a new date to reflect when the insurance was put in place.

Even though this spreadsheet might be simple, it can help organize your company’s risks and threats, making them easier to address. At a glance, you can see the risks you’ve identified, the impact of the risks, and the state of the controls process. You can also identify who you need to talk to in order to get a status on a control. The best part is that you don’t need detailed technical knowledge to understand that your organization is safe.

Putting It All Together

Let’s combine everything you’ve learned in this book into a single example. Say you work as a security analyst for a medium-sized organization with 500 employees. Part of your daily job is to check for any alerts that come in either from employees or from your firewall and intrusion detection system.

One morning, you receive an email from a panicked employee saying they received a weird email and they clicked the link inside. Now they’re afraid it might have caused some issues on their computer. You check the email using some quick phishing analysis tools, such as VirusTotal and MX Toolbox, which you practiced using in Chapter 3. The email claims to be a password reset notice from Microsoft, but it comes from the email address M1cos0ft.com. Looking at the link, you realize that it’s possibly malicious. The employee said when they clicked the link, it asked them to download a password update tool that then ran on their computer. You realize this is likely malware and begin a virus scan on the system.

While you’re scanning the system, you check your firewall and IDS alerts to see whether they contain anything suspicious. Sure enough, you notice alerts about new, possibly malicious traffic coming from the employee’s computer. You aren’t sure what to do with this information, so you escalate the alerts to a senior security consultant on the team. They look at the alerts and realize it likely means the employee downloaded a trojan that is attempting to spread ransomware across the network. The senior security consultant quickly updates the IDS and firewall to block any attempts from the employee’s computer to make connections to other computers on the network. Meanwhile, your scan picks up a well-known malware kit. You’re able to isolate it and delete the infection, but you completely reset the employee’s computer just to be sure.

After the incident, you and your fellow security co-workers do a post-incident analysis to discuss what happened and how to prevent it in the future. The CISO leads this meeting. From the discussion, everyone realizes that the organization has a weak point: training employees on how to recognize phishing emails, which are a major threat, as evidenced by the ransomware attack. The CISO adds this to the company’s risk register and discusses how best to implement the control of training employees. Everyone agrees that a special phishing training platform is the best way to implement this control.

The CISO brings the new risk to the quarterly risk management meeting and discusses the idea of purchasing a phishing training platform for the organization. The head of HR agrees with the CISO’s idea, because the current training platform that HR uses doesn’t include information about phishing. The CFO also agrees because the cost is low but the benefit would be immense. It’s decided that the CISO will investigate various options and report back to the committee in a month with a recommendation. The CISO updates the risk register and assigns a security team member to help with this task.

Although this is a fictional scenario, it represents how security should function in an organization. In the scenario, it wasn’t enough to manage an employee’s call about a phishing email. The security analyst had to cross-reference different sources of information and request advice from other team members to see the whole picture. Also, the work didn’t stop once the incident was over. Just as important was the follow-up, which allowed the organization to recognize its failings in security and fix them. Using the expertise of the security team, the CISO successfully showed why it was important to work with senior leadership to purchase the special training platform. This is why a risk management plan is critical: it helps tie every aspect of security together. It shows the need for security and the solution in a simple, easy-to-manage format.

Exercise: Conducting a Risk Analysis

For this final exercise, choose a target and conduct a risk analysis against it. A risk analysis defines all the risks to a target and examines the risk management process for each of these. Your target can be your home, your school, your place of work, or any other location where you have a good idea of the cybersecurity threats or risks that exist. Once you’ve chosen your target, complete the following steps:

1. Identify all the assets you want to include in your analysis. For example, in your home, you might list any computers, network devices like routers, and smart devices like game consoles or TVs. List these devices in a spreadsheet or on a piece of paper.
2. Record all the ways you think those assets could be attacked or otherwise harmed. When doing this, remember to perform the sanity check of considering the likelihood of an attack. Yes, in the movies a rogue AI might take over your game console and try to kill you, but in real life, that’s probably not something to worry about.
3. Look at all the ways your assets can be attacked and group them using the STRIDE model. Identify what the attacks have in common. These are the threats to your target. For example, your TV and game console might be susceptible to DoS attacks.
4. Determine which of your groupings have the highest number of instances. The higher the number of instances, the higher the likelihood. Also, add a quick note on the potential impact. For example, if your game console is hit with a DoS attack, you won’t be able to play the new video game that’s just come out with your friends, which will be extremely disappointing, giving it a high impact.
5. Place the threats into a risk register, such as the one shown earlier in this chapter. Include what the risk is, the threat, and the risk score.
6. Look at which controls you have in place to deal with these attacks. For example, in the case of a DoS attack against your game console, you might research how much bandwidth you would need to handle that sort of attack, what sort of security your console has, or what protections your ISP has in place.
7. Complete the risk register with how you’re dealing with the risk and which controls you’re using to address the risk.

Now you have a completed risk register that gives you a good idea of the threats your target faces and what you can do to address them, if you haven’t already. Although it might not always be practical to mitigate the threats identified (it’s very hard to stop a DoS attack on your own), the risk register provides you with a way to practice your risk management scenario.

Farewell and Good Luck

Now you’re ready to start your journey into the world of cybersecurity. Whether you intend to join the ranks of cybersecurity professionals or just want to apply this new knowledge to your everyday life, you’ve acquired a strong foundation that you can use to explore the security topics that interest you.

Here are some final tips for your security journey:

• Think twice before you click. Even the best professionals get fooled when they’re in a rush. Cybersecurity is slow but steady.
• Make the time to take the proper steps. Cybersecurity work might sometimes seem like a task that should have been dealt with yesterday; nevertheless, take a breather to choose the best next step.
• Never take someone’s word for it if the situation doesn’t feel right to you. If you’re not sure a configuration is done right, don’t assume another person caught it.
• Always ask for help. Cybersecurity isn’t a vacuum, nor is it limited to your team.
• Keep reading and learning. Cybersecurity requires constant upkeep to remain one step ahead of black hats.
• Have fun! Cybersecurity is serious, but that doesn’t mean it has to be serious.