5 Steps to Perform a Cyber Security Risk Assessment on Your Network

The first part of any cyber security audit is to assess risk. Risk is anything that could damage infrastructure, cost money from lost revenue, or threaten intellectual secrets. If you’re a small business owner and need to improvise, here are the steps to perform your own cursory review.


  1. Review Your Network Resources


Before you can start assessing risk, you need to review network resources. One mistake many business owners make is to audit only the resources they think could be a risk. Assess everything connected to your network; the bad guys certainly will!


For instance, printer memory can be used to store hidden malware, or the stored files scanned and printed by employees could be stolen by a clever hacker. Printers are normally considered benign resources, but they can be used in an attack.


Always document every resource even if you think it has no risk. Remember to include even the most innocent resources like printers, IoT devices, internal hubs and routers, and unused desktops.


  2. Identify Possible Threats


This part of the assessment should really be done by a professional, but it’s still possible to do a cursory review of your resources. For instance, you know that malware often infects individual desktops, so they pose a threat to your security.


The hard part with this step is properly identifying risk. Using the printer example, you might not realize that printer firmware must be upgraded to defend against attacks. In addition to being a possible source for document leaks, printers can also be used in DDoS attacks (http://www.securityweek.com/printer-vulnerabilities-expose-organizations-attacks). To understand resources that pose a risk, you need to understand cyber security.


If you have a limited understanding of cyber security, you can still do a high-level risk assessment. Just remember that even the simplest network component can still pose a threat if it has an IP address on the network, stores any sensitive data, and/or allows users to access it over the network.


  3. Rate Each Risk and Impact


Not every risk is a high priority. With this step, you rate each risk as low, medium or high. This helps to prioritize where you should focus most of your effort initially, and you work down your list to the medium and low-risk resources.


Perimeter routers are high risk unless patched with the latest firmware and properly configured. A router with outdated firmware would be a high-risk, high-impact resource that should be a priority.


Low-risk items are resources whose compromise would not have much impact. Documents containing information already available to the public might be low risk. A drive holding only such documents would be low risk and low impact if compromised, so you should rate it low on the priority list.


  4. Analyze Your Protection


Most organizations know cyber security is necessary, so you probably have some protection in place, such as firewalls and antivirus software installed on desktops. This step also takes a professional, because you might think you have protection in place, but I guarantee you that any competent hacker will get through. That is why PeopleSec guarantees our services.


Analyze any cyber security protection in place, because it reduces risk. This step might affect your priority because you could have a high-priority item that already has the best protection. This type of resource would then be a lower priority.


  5. Calculate Your Risk


Identify all resources an adversary could utilize. When you’re doing a cursory review to qualify risk, you won’t have a number to work with but rather an overall outlook on risk versus impact. Follow these steps, and you will have started a basic risk assessment.


After you finish these steps, you should have an overall outlook on what type of cyber security your business needs. A professional will still want to go through your resources and do their own risk assessment. Performing audits gives you a gauge of just how much of a target your network could be for an attacker.
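The five steps above can be kept as a simple risk register. The following is an added example written for this post, not a PeopleSec tool; the inventory entries, the 1-to-9 scoring scale and the protection credit are constructed assumptions that mirror the article's router, printer and public-document examples.

```python
"""Qualitative risk register following the five steps above.
Inventory rows and scoring weights are constructed sample values."""
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
PROTECTION_CREDIT = {"none": 0, "partial": 1, "strong": 2}


@dataclass
class Resource:
    name: str                 # step 1: every networked asset, even the "benign" ones
    threat: str               # step 2: the plausible threat identified for it
    risk: str                 # step 3: likelihood rating, low/medium/high
    impact: str               # step 3: impact rating, low/medium/high
    protection: str = "none"  # step 4: strength of existing controls


def score(r: Resource) -> int:
    """Step 5: combine risk and impact (1..9), then credit existing protection.
    A strong control lowers the score by 2, a partial one by 1, never below 1."""
    base = LEVELS[r.risk] * LEVELS[r.impact]
    return max(1, base - PROTECTION_CREDIT[r.protection])


def prioritize(inventory):
    """Highest score first; sorted() is stable, so ties keep inventory order."""
    return sorted(inventory, key=score, reverse=True)


# Constructed inventory mirroring the article's examples.
INVENTORY = [
    Resource("perimeter router", "outdated firmware exploited", "high", "high", "none"),
    Resource("file server (HR data)", "ransomware spread from a desktop", "high", "high", "strong"),
    Resource("office printer", "firmware flaw, stored scans, DDoS participant", "medium", "medium"),
    Resource("public-docs share", "exposure of already-public files", "low", "low", "partial"),
    Resource("employee desktops", "malware infection", "high", "medium", "partial"),
]

if __name__ == "__main__":
    for r in prioritize(INVENTORY):
        print(f"{score(r)}  {r.risk:>6}/{r.impact:<6} {r.protection:<7} {r.name}: {r.threat}")
```

The output is a worked-down priority list: the unpatched router stays on top, while the well-protected file server drops below what its raw rating would suggest, which is the adjustment step 4 describes.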


Information Security Awareness Tips from a Newborn

While the linked post may be stretching a correlation, the points are accurate and entertaining, and what Information Security-loving expert doesn't want to buy that onesie? With the top tip, "Putting in only 45 minutes a year is bad", PeopleSec is in full agreement. A single 45-minute training a year is not a good practice.

Phishing with emotion and stress results in bad choices

Recently on one of my personal sites, I received the below phishing attempt:


I see a ton of phishing examples as part of PeopleSec's Security Awareness Training and Education (SATE) program. It is not often that a phish in the wild catches my eye and looks like anything other than spam. This email is an excellent example. It causes stress, which triggers an emotional reaction, which in turn drives an emotional response.

"Emotions can cloud our judgment and influence our decisions when triggered by the [stressful] situation at hand," states the Harvard Business Review (https://hbr.org/2015/05/dont-let-emotions-screw-up-your-decisions).

Emotional responses are at the core of successful social engineering and phishing attacks. As an aside, the success of emotional responses is why we use so many of them in PeopleSec's SATE program.

In summary, it is hard to keep emotions in check, and they cloud your ability to think. So when you are stressed and emotional, Think Before You Click.


The secret sauce for IT to Manage Risk – You would never guess it!

Over the last thirty years, the prevailing belief has been that process, technology and technique manage risk. While it is true that processes and engineering and technology controls play a significant role in our risk strategy, it is ultimately people that manage risk. The dilemma is that people are very complicated; we don't always act logically, and we can't simply be poked once to produce the desired outcome. We have all sorts of quirks that persist in our heads and gut responses, and when presented with uncertainty these cause us to act or behave differently. Sometimes it is just raw emotion that drives our actions, choices, and responses. For example, road rage – compliant and safe on paper, but a major risk to others in the moment. If we do not factor people into our risk models, the result will be a process that is very ineffective.

So how do we get our people to manage risk more effectively?

Well, it all starts with first educating the individual and group to recognize and understand the risks that they come across – overcoming risk blindness. From here there is an opportunity to shape their attitude towards those risks, which in turn affects behavior; and behavior shapes the risk culture of the organization.

The industry that, in my opinion, best illustrates risk management through people is the one built around health and safety programs, for instance construction (mainly because failure there is quite tangible and visible). Companies with a strong risk posture operate with regular safety orientations, safety training, daily hazard assessments, incident reports, near miss reports, daily safety toolbox or team meetings, safety meetings, safety audits, etc. The purpose behind the frequency and repetitiveness of this process is to help the individual and group identify, assess, and manage the risks they see – or in other words, take ownership of the risks they encounter. The successful companies (which can be large or small) are those who strategically use the near miss reports, that is, reports of an incident that did not cause damage or injury but could have.

Individualized Reports

These reports tell a story and allow for a tailored discussion with individuals and groups to help reduce the frequency of near misses and overcome the flawed thought process leading into them. Now some companies in the construction industry will argue that they have all those meetings and forms and still have a weak risk posture. Well, the problem is that they are going through the motions of safety compliance but have failed to reach the individual.

Full disclosure: while I think this industry is a leader in risk management, it is also rife with bureaucracy. The system can get caught up in the process of compliance, creating a false sense of security and losing the spirit of the main objective – keeping people safe. Again, it is people that manage the risk and not the process.

The notion of people managing risk should not be a surprise in the IT world, as many technologists are employed just to manage the aftermath of end users, despite the technology solutions in play.

We need to do a better job of seeing and understanding where people are coming from: the psychology of human thinking and, more importantly, how bias plays a role in risk assessment. This will make our processes far more effective – and yes, keep our IT people sane.

Password security tips to keep you safe online

Do NOT use the same password for everything; this drastically reduces password security

It's a bad idea. If that password is disclosed, the "bad guy" would have the keys to all your information. Furthermore, if that password is used to access your email account, all your other account passwords may be reset using the "Forgot My Password" link. Not using the same password for everything is the first step in password security.

Make your password long

A password should be a minimum of eight characters long, and the longer the better. Passwords shorter than 8 characters are easy to crack.

We commonly hear two rules for secure passwords:

  • Avoid common words or proper names
  • Use both uppercase and lowercase letters, numbers, symbols, and spaces

But who can remember 8UI1%@.e8aww ?

Try using a password phrase, the more ridiculous the better! Something like "There are 5 kangaroos jumping on the moon." This phrase is 42 characters long, follows all the rules, is in plain English, and is very easy to remember. The odds of this password being cracked, even with a supercomputer, are astronomical. Make sure your password phrase is original and not a famous or familiar quote. Again, the more nonsensical and ridiculous the better!
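To make the length and originality rules concrete, here is an added example (not PeopleSec's code) that checks a candidate against the tips above and estimates exhaustive-search time. The word and quote lists are constructed stand-ins for real dictionaries, and the guess rate of 10^12 per second is an assumed figure for a fast offline cracking rig.

```python
"""Check a password against the tips above and estimate brute-force effort.
Word/quote lists are constructed stand-ins; the guess rate is an assumption."""
import string

COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon"}   # constructed
FAMOUS_QUOTES = {"to be or not to be", "may the force be with you"}    # constructed
MIN_LENGTH = 8
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation), "space": 1}


def char_classes(pw: str) -> dict:
    """Which of the five character classes from the tips the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
        "space": " " in pw,
    }


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must search, from the classes actually present."""
    return sum(CLASS_SIZES[k] for k, used in char_classes(pw).items() if used)


def brute_force_years(pw: str, guesses_per_second: float = 1e12) -> float:
    """Worst-case exhaustive search time. Dictionary attacks on quotes are far
    cheaper than this, which is why the originality rule matters."""
    seconds = charset_size(pw) ** len(pw) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def check(pw: str) -> list:
    """Return the tips the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(char_classes(pw).values()) < 3:
        problems.append("uses fewer than three character classes")
    core = pw.lower().strip(string.punctuation + string.digits + " ")
    if core in COMMON_WORDS:
        problems.append("is a common word")
    if core in FAMOUS_QUOTES:
        problems.append("is a famous quote")
    return problems


if __name__ == "__main__":
    for pw in ["password", "8UI1%@.e8aww", "There are 5 kangaroos jumping on the moon."]:
        print(f"{pw!r}: {check(pw) or 'OK'}, ~{brute_force_years(pw):.3g} years to brute force")
```

Run stand-alone it shows the 12-character random password taking on the order of ten thousand years to exhaust at that rate, while the 42-character phrase is out of reach by dozens of orders of magnitude, which is the "astronomical" claim in numbers.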

Use a password protected screen saver

Desktop and laptop computers should be "locked" any time you step away. A Windows system is "locked" by setting a password protected screen saver and then turning it on. To do this, right-click anywhere on your desktop and go to the option "Properties"; select the "Screen Saver" tab; and check the box "On resume, password protect".

Change your password on a schedule

Passwords are like food; they are better when fresh. The longer and more complex your password is, the harder it is to crack, and the less often you'll need to change it. A good standard is that if you use an 8-character password, you should change it about every six months. If you use a 9-character or longer password and follow the rules in Tip #2, it will stay fresh for a whole year. Can't remember the last time you changed your password? Then it's time to change it.

Bonus Tip: Think about using a password manager

Password managers, if used correctly, can simplify and secure your online presence with ease. One service I am a fan of is LastPass, though there are tons of other options available, both mobile and desktop based. A good password manager will remove the need both to create passwords and to remember them. In addition, a password manager like LastPass will hold all your passwords securely and protect them with a master password and two-factor authentication (be sure to enable two-factor). For this reason, if you are a person who has struggled with password security for a long time, I highly recommend installing a password manager.