IT Security Risk

From Open Risk Manual

Definition

IT Security Risk is the Risk of unauthorised access to IT systems and data from within or outside the institution (e.g. cyber-attacks).

IT Security Risk is a subset of the more general IT Risk that encompasses various risk events associated with IT systems that do not have a material security profile.

A Cyber Incident is viewed as a series of events that adversely affects the information assets of an organization. The overall narrative of this type of Risk Event is captured as who, did what, to what (or whom), with what result.

IT Security Risk can be subdivided and categorized in various ways. Below are two indicative taxonomies:

The EBA taxonomy

The EBA taxonomy[1]includes three sub-categories of risks, with the primary dimension being the nature of the attack. This focuses primarily on the "what" question, e.g., whether physical or digital and whether internal or external to the organizations systems:

  • External (Cyber Attack and other External IT based attacks)
  • Internal (Inadequate Internal IT security) and
  • Physical (Inadequate Physical IT security)

The VERIS taxonomy

The VERIS taxonomy uses 7 primary categories of threat actions:

Correspondence between EBA and VERIS

  • The last two risk types (Error, Environment) fall outside the scope of the EBA IT Security Risk.
  • The Physical category has a direct (1-1) match
  • The first four VERIS types correspond to a combination of the EBA external / internal attack modes

Detailed EBA Risk Sub-types

Inadequate internal IT security

  • Gaining unauthorised access to critical IT systems from within the institution for different purposes (e.g. fraud, performing and hiding rogue trading activities, data theft, activism / sabotage) by a variety of techniques (e.g. abusing and/or escalating privileges, identity theft, social engineering, exploiting vulnerabilities in IT systems, deployment of malicious software).
  • Unauthorised IT manipulations due to inadequate IT access management procedures and practices.
  • Security threats due to lack of security awareness whereby employees do not understand, neglect or fail to adhere to IT security policies and procedures.
  • The unauthorised storage or transfer of confidential information outside the institution.

Examples

  • Installing key stroke loggers (key loggers) to steal user IDs and passwords to gain unauthorised access to confidential data and/or commit fraud.
  • Cracking/guessing weak passwords to gain illegitimate or elevated access rights.
  • System administrator uses operating systems or database utilities (for direct database modifications) to commit fraud.
  • Failure to disable or delete unnecessary accounts such as those of staff that changed functions and/or left the institution, including guests or suppliers who no longer need access, providing unauthorised access to IT systems
  • Granting excessive access rights and privileges, allowing unauthorised accesses and/or making it possible to hide rogue activities.
  • Employees that are deceived into providing assistance for an attack (i.e. social engineering).
  • Bad practices regarding credentials: sharing passwords, using ‘easy’ to guess passwords, using the same password for many different purposes, etc.
  • Storage of unencrypted confidential data on laptops and potable data storage solutions (e.g. USB keys) that can be lost or stolen.
  • Persons stealing or deliberately leaking or smuggling out confidential information to unauthorised persons or the public.

Inadequate Physical IT security

  • Misuse or theft of IT assets via physical access causing damage, loss of assets or data or to make other threats possible.
  • Deliberate or accidental damage to physical IT assets caused by terrorism, accidents or unfortunate/erroneous manipulations by staff of the institution and/or third parties (suppliers, repairman).
  • Insufficient physical protection against natural disasters resulting in partial or complete destruction of IT systems/datacentres by natural disasters.

Examples

  • Physically breaking into office buildings and/or data centres to steal IT equipment (e.g. computers, laptops, storage solutions) and/or to copy data by physically accessing IT systems
  • Physical terrorism (i.e. terrorist bombs) or sabotage of IT assets
  • Destruction of data centre caused by fire, water leakage or other factors.
  • Earthquakes, extreme heat, wind storms, heavy snowstorms, floods, fire, lightning.

Factors

  • an institution may be subject to IT security risks due to internet dependencies, high adoption of innovative IT solutions or other business distribution channels that may make it a more likely target for cyber-attacks. A measure of an institution's vulnerability is its attack surface, the set of attack vectors
  • an institution may be more exposed to IT security risks due to the complexity (e.g. as a result of mergers or acquisitions) or outdated nature of its IT systems
  • an institution that is implementing material changes to its IT systems and/or IT function (e.g. as a result of mergers, acquisitions, divestments or the replacement of its core IT systems)
  • the location of important IT operations/data centres (e.g. regions, countries) may expose the institution to natural disasters (e.g. flooding, earthquakes), political instability or labour conflicts and civil disturbances which can lead to a material increase of IT security risks

Controls

  • Clearly defined roles and responsibilities regarding:
    • the person(s) and/or committees that are responsible and/or accountable for the day to day IT security management and the elaboration of the overarching IT security policies, with attention for their needed independence;
    • the design, implementation, management and monitoring of IT security controls;
    • the protection of critical IT systems and services by adopting for example:
      • a vulnerability assessment process
      • software patch management
      • end point protection (e.g. malware virus),
      • Intrusion detection and prevention tools;
    • the monitoring, classification and handling of external or internal IT security incidents including
      • incident response and
      • the resumption and recovery of the IT systems and services;
    • regular and proactive threat assessments to maintain appropriate security controls.
  • an IT security policy that takes into consideration and, where appropriate, adheres to internationally recognised IT security standards and security principles, e.g.
    • the ‘principle of least privilege’ i.e. limiting access to the minimal level that will allow normal functioning for access right management and
    • the principle of “defence in depth” i.e. layered security mechanisms increase security of the system as a whole for designing a security architecture;
  • a process to identify IT systems, services and commensurate security requirements reflecting potential fraud risk and/or possible misuses and/or abuses of confidential data along with documented security expectations to be adhered to for these identified ICT systems, services and data, aligned with the institution’s risk tolerance and monitored for their correct implementation
  • a documented security incident management and escalation process, that provides guidance on the different incident management and escalation roles and responsibilities, the members of the crisis committee(s) and the chain of command in case of security emergencies;
  • user and administrative activity logging to enable effective monitoring and the timely detection and response to unauthorised activity; to assist in or to conduct forensic investigations of security incidents. The institution should have in place logging policies that define appropriate types of logs to be maintained and their retention period;
  • awareness and information campaigns or initiatives to inform all levels in the institution on the safe use and protection of the institution’s IT systems and the main IT security (and other) risks they should be aware of, in particular regarding the existing and evolving cyber threats (e.g. computer viruses, possible internal or external abuses or attacks, cyber-attacks) and their role in mitigating security breaches;
  • adequate physical security measures (e.g. CCTV, burglar alarm, security doors) to prevent unauthorised physical access to critical and sensitive IT systems (e.g. data centres);
  • measures to protect the IT systems from attacks from the Internet (i.e. cyber-attacks) or other external networks (e.g. traditional telecom connections or connections with trusted partners):
    • a process and solutions to maintain a complete and up to date inventory and overview of all the outward facing network connection points (e.g. websites, internet applications, WIFI, remote access) through which third parties could break into the internal IT systems.
    • closely managed and monitored security measures (e.g. firewalls, proxy servers, mail relays, antivirus and content scanners) to secure the incoming and outgoing network traffic (e.g. e-mail) and the outward facing network connections through which third parties could break into the internal IT systems;
    • processes and solutions to secure websites and applications that can be directly attacked from the internet and/or the outside, that can serve as an entry point into the internal IT systems. In general these include a combination of:
      • recognised secure development practices,
      • IT system hardening and vulnerability scanning practices
      • implementation of additional security solutions like for example application firewalls
      • intrusion detection (IDS) and/or intrusion prevention (IPS) systems;
    • periodic security penetration testing to assess the effectiveness of implemented cyber and internal IT security measures and processes. These tests should be performed by staff and/or external experts with the necessary expertise, with documented test results and conclusions reported to senior management and/or the management body. Where needed and applicable, the institution should learn from these tests where to further improve the security controls and processes and/or to obtain better assurance on their effectiveness.

References

  1. EBA, Final Guidelines on ICT Risk Assessment under SREP