It Can’t Happen Here – or – Do You Have Threat Blind Spots?

It can't happen here
It can't happen here
I'm telling you, my dear
That it can't happen here
Because I been checkin' it out, baby
I checked it out a couple a times, hmmmmmmmm

Frank Zappa, "It Can't Happen Here" (lyrics via MetroLyrics)

At least Frank had an idea of the threat because he checked it out a couple of times. I am not sure that is the case with many small and medium size organizations when it comes to their operational or information security threats and risks.

There is much discussion around risks, but you can’t have risks without threats. My quick search on threat blind spots found the usual suspects: tools to find flaws in your current networks or applications. I want to focus on a more general view of threats, one that applies not only where you don’t have a fully functioning security operations center, but where you don’t even think of something as being a threat to your organization or business in the first place.

The first step is to understand the relationship between threats, vulnerabilities and risks.

  • Threat – any circumstance or event that has the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service. Other operational threats exist in the form of theft, destruction of property, and other non-system-related interruptions to normal business.
  • Vulnerability – a weakness in security procedures, system design, implementation, internal controls, etc., that could be exploited.
  • Risk –
    • Basic – the possibility of suffering harm or loss.
    • Expanded – the probability that a particular threat will exploit a particular vulnerability.
    • Risk and Risk Assessment are often used interchangeably. A quantitative risk assessment requires calculating two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur.
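
The relationship between threats, vulnerabilities and risk, written out as a small risk register, is an added example and not part of the original article. It scores each threat/vulnerability pair against an asset as R = p × L, ranks the results, and lists any inventoried asset for which no threat has been considered at all, which is what a threat blind spot looks like in the data: not a low risk figure, but no figure. The assets, threats, probabilities and loss amounts are constructed for illustration, and the R = p × L scoring with a 0..1 annual probability is an assumption of this example, not a formula the article prescribes.

```python
"""Worked example of the threat -> vulnerability -> risk relationship.

Assumptions (not from the article): risk is scored as R = p * L, where p is the
annual probability that a threat exploits a vulnerability (0..1) and L is the
loss magnitude in currency units. Every asset, threat and figure below is
constructed sample data for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str          # circumstance or event that could cause harm


@dataclass(frozen=True)
class Vulnerability:
    name: str          # weakness the threat could exploit


@dataclass
class RiskScenario:
    asset: str
    threat: Threat
    vulnerability: Vulnerability
    probability: float   # p: chance the threat exploits the vulnerability in a year
    loss: float          # L: magnitude of the loss if it does

    def risk(self) -> float:
        """R = p * L: the expanded definition, threat against vulnerability against loss."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        return self.probability * self.loss


def rank_risks(scenarios):
    """Return the scenarios ordered from highest to lowest R."""
    return sorted(scenarios, key=lambda s: s.risk(), reverse=True)


def threat_blind_spots(assets, scenarios):
    """Assets in the inventory for which no threat scenario was written at all.

    Such an asset has no risk figure, not because its risk is zero but because
    nobody has considered a threat to it. That absence is the blind spot.
    """
    covered = {s.asset for s in scenarios}
    return sorted(a for a in assets if a not in covered)


# Constructed sample inventory for a small business (illustrative values only).
ASSETS = ["customer database", "order workstation", "shop-floor PLC", "backup drive"]

SCENARIOS = [
    RiskScenario("customer database", Threat("ransomware"),
                 Vulnerability("unpatched file server"), probability=0.20, loss=80_000),
    RiskScenario("customer database", Threat("insider disclosure"),
                 Vulnerability("shared admin account"), probability=0.05, loss=150_000),
    RiskScenario("order workstation", Threat("theft"),
                 Vulnerability("unlocked office"), probability=0.10, loss=5_000),
    RiskScenario("backup drive", Threat("fire"),
                 Vulnerability("stored on site next to the servers"), probability=0.01, loss=200_000),
]


def risk_report(assets=ASSETS, scenarios=SCENARIOS):
    """Ranked (asset, threat, R) tuples plus the assets with no threat considered."""
    ranked = [(s.asset, s.threat.name, round(s.risk(), 2)) for s in rank_risks(scenarios)]
    return {"ranked": ranked, "blind_spots": threat_blind_spots(assets, scenarios)}


if __name__ == "__main__":
    report = risk_report()
    for asset, threat, r in report["ranked"]:
        print(f"{r:>10.2f}  {asset:<20} {threat}")
    print("no threats considered for:", ", ".join(report["blind_spots"]))
```

With the sample data the ransomware scenario against the customer database ranks first, while the shop-floor PLC shows up only in the blind-spot list: it is in the inventory, but no one has written down a threat to it, so it never enters the ranking at all.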

The second step is to investigate approaches to applying these concepts to your business.

There are many approaches that could be chosen but the one that stands out is OCTAVE Allegro. There are three OCTAVE approaches: OCTAVE, OCTAVE-S and OCTAVE Allegro.

  • OCTAVE – intended for large organizations that maintain their own computing infrastructures, have the ability to run vulnerability evaluation tools, and have the ability to interpret the results of vulnerability evaluations.
  • OCTAVE-S – intended for small manufacturing organizations of 100 employees or fewer. It is more structured and has security concepts built in, which allows less experienced practitioners to address a broad range of risks with which they may not be familiar.
  • OCTAVE Allegro – designed to allow broad assessment of an organization’s operational risk environment with the goal of producing more robust results without the need for extensive risk assessment knowledge. This approach focuses primarily on information assets.

From a small business perspective, OCTAVE Allegro will help identify those threat blind spots and once identified, the risks associated with those threats can be assessed and appropriately mitigated.

What to do next – contact me, of course. I have used the OCTAVE method in the past to develop a corporate-wide risk assessment and applied that assessment to over 300 applications, but that is not the focus of this article. Small organizations face many of the same problems as large ones, but without the internal infrastructure or experience to address today's quickly changing information technologies. You know a lot about making and selling your products. You understand your customers’ needs. But do you understand the technologies that have crept into your organization and their associated risks? OCTAVE Allegro can help you find those threat blind spots and understand the associated risks.

More information about OCTAVE Allegro can be found at https://www.cert.org/resilience/products-services/octave/