Studying the risk management dimension of the RESILIA Foundation course will enable people to better understand what is a threat, a vulnerability and an asset in the context of cyber resilience and how they combine to create a risk to the business.
One way to understand the difference is to take an example closer to home: domestic security. For example, a threat is posed by a burglar wanting to break into your house, while a vulnerability is created by not locking your doors or windows, so making it easier for a criminal to gain access. There are many assets in your home and therefore the risk is that a burglar (threat) exploits the vulnerability (unlocked window) to break in and steal your car keys (the asset).
Translating that into a cyber security environment, there is a risk a hacker (threat) could access your customer database because a firewall is out of date (vulnerability) and steal usernames and passwords of your customers (asset).
In both cases the thief could then use the asset (car keys or username/password) to gain access to a more valuable asset: your car, in the case of the car keys, or potentially your customer’s bank account if they use the same username/password combination, which many people do.
Managing the range of risks associated with cyber security requires recognition and use of the types of controls available. ISO 27001 lists 114 controls in 14 groups. Before we look at the question, let’s look at four groups of controls:
- Logical access controls, e.g. requiring a username/password to access an IT system
- Supplier relationship controls, e.g. non-disclosure agreements
- Physical access control, e.g. a locked door that needs an electronic pass to open it
- Human resource controls, e.g. security clearance requirement for confidential work.
Now, here’s a question from the RESILIA Foundation exam that looks at threats and how to manage them:
Which threats are BEST managed with physical access control?
a) Hackers trying to access systems remotely
b) Suppliers leaking sensitive information
c) Hackers trying to enter secure buildings
d) Users leaking sensitive data through e-mail
The right answer is (c), but why?
Clearly, stopping a hacker from entering a building needs something physical to prevent access. But why might a hacker want to enter the building at all?
In some organizations there are computer systems that are so important – such as those in a nuclear power station – they are not connected to a network, so there’s no way they can be accessed remotely. While that makes the systems much more secure from remote access, it raises the question of how safe they are from physical access.
Not all locations have excellent physical access security when someone, legitimate or not, arrives at reception. This can raise the risk of allowing physical access to the wrong person. If a criminal were able to enter a building, that person could potentially discover the necessary information to gain logical access to an otherwise secure computer system – for example, via a password written down on a sticky note and attached to a computer by a user oblivious to the threat from an unauthorized “visitor”.
Creating outstanding cyber security needs imagination, which involves thinking through the various ways someone might gain access to your assets. Remember: when one route is secured, criminals will look for an alternative route to your precious assets.
See our RESILIA section for more information.
Read Matt Trigg's other RESILIA Foundation Examination Questions blogs
RESILIA™ exam questions: Part One
RESILIA™ exam questions: Part Three - Protective controls
Read Matt's previous AXELOS blog post, A culture of success: the thread that links PRINCE2 Agile, RESILIA and ITIL Practitioner.