Risk Assessments - A Cats Tale

Author: Sarah Knowles

Risk Assessments, Cat Flaps and Ransomware

One of the most common activities undertaken as a Security Consultant at Nexor is talking to clients about risk management and risk assessments.  There are many different methodologies that can be used to determine risk, but at the heart there are some key components, namely, the risk itself, vulnerabilities, threat actors and compensating controls.

However, many people are not familiar with these terms or the concept of risk assessments.  In fact, risk assessments are seen as difficult and cumbersome and just far too complicated.  Establishing who the threat actors are is too complex and just not understood.

But we actually do risk assessments all the time.  Take crossing the road for example - Is it safe; can I make it before that car reaches me?  That’s a risk assessment. I’d like to tell you a story which will hopefully help you with risk assessments in the future.

I live in my house with 2 cats.  Anyone who has cats knows that you are there to serve and be at their beck and call.  My cats like to go outside every now and then, and so that I don’t have to go into full Jeeves mode, I have fitted a cat flap.  How on earth does this help me with risk assessments I hear you ask?  Well read on…

Let’s think of my back door as the equivalent of your firewall which is the asset the risk assessment is being carried out against.  Prior to fitting the cat flap, the door was solid, with nothing able to get through.  Now I have the cat flap installed, this is like implementing some rules on the firewall; some traffic (cats) can now come through.

So now I have a way in through the door. This is the risk. There are a large number of cats in the neighbourhood, so the probability of one of them entering the house via the cat flap is high. If they were to come in, they could eat my cat’s food, maybe even attack my cats, and perhaps cause damage to the house. Therefore, the impact of what happens if this this risk were to occur is also high. Now in this example, I will calculate the risk rating of this event using a simple 5x5 grid.

 

 

A high impact with a high probability means this risk is rated Red. A red risk is bad. I don’t want red risks and so I need to look at some risk treatments, or a mitigating control to implement to reduce the risk. This is called risk treatment.

The chosen mitigation is the style of cat flap I have installed. It requires the authorised users (i.e., my cats) to have a magnet on their collar. If the cat flap detects the magnet, the cat can come in. No magnet – no entry. This simple mitigation means I have now changed the probability of an unauthorised entry to my house to Low. The impact remains the same as before; if entry is still gained by an intruder, the food may still be eaten, cats attacked and damage caused. However, by changing the probability to Low, I have reduced my risk rating to Amber. This is known as residual risk, which is basically the risk that remains once a mitigating control has been implemented. An amber risk may still be considered too high though, and so additional actions are required.

To expand our risk methodology though, we need to look at the threat actors in this situation. We obviously need to consider the external threats, i.e., the neighbourhood cats. Here is Frankie.

 

 

 Although Frankie thinks he lives at my house, he does not. Frankie will walk in through an open door and will attempt entry through the cat flap. Frankie is a hacker.

We also need to consider our internal users as threat actors. And this is something that should also be considered in business risk assessments. Internal users may cause damage to systems (accidentally or maliciously) thereby causing risk. Here are the internal users – Jack (top) and Jules.

 

 

You may need to consider more threat actors for your assessment, but for the purpose of this exercise, we just have the 2 sets.

Now as I mentioned, it is possible for internal users to inadvertently cause damage, thereby allowing an attack to take place.

Jack and Jules have a tendency to fight, and when they do, this generally involves chasing each other around the house until one decides to make a run for it outside via the cat flap.  Unfortunately, the exit process is done at such speed, the cat flap now does not operate correctly – i.e., it now has a vulnerability, whereby it no longer requires a magnet to gain entry.

Up until this point, our hacker – Frankie, has tried to gain access to the cat flap by seeing if it will open for him, i.e., he has carried out a port scan.  Prior to the cat flap breaking, he has not been able to gain entry as he does not have a magnet on his collar allowing him access (therefore my access control process is working as expected).  But now a vulnerability has been introduced, the next time he tries to gain entry, he will be able to get in the house.  Which he has now done.  So my perimeter defence has now been breached.

This is where a defence in depth approach can be deployed which will further reduce the residual risk.  Going back to our first stage risk assessment, one of the impacts considered was the external threat (Frankie the cat hacker) eating my cat’s food.  In addition to the magnetic cat flap, I have also installed cat feeders which only open when the appropriate microchipped cat is underneath the scanner.  Therefore, by implementing a second control, we can now reduce the impact to Medium, and our residual risk rating now becomes Green.  I’m now happy to accept a green risk in this scenario, although this may still mean that I have an extra cat wandering around the house from time to time!

Likening this example to the firewall, businesses certainly don’t want hackers gaining entry, therefore once a vulnerability has been discovered, it should be patched so that the perimeter defence is secure once again.  Or in my case, I have fitted a new cat flap.

So this is how cat flaps can help you with your risk assessments.

No cats were harmed in the writing of this article, and Frankie got some treats, mainly as bribery to get him out of the house again!  Was I the victim of a ransomware attack then?

How can Nexor help?

If you need assistance with your risk assessments, then Nexor’s experienced Security Consultants can help. Using our own developed methodology based on ISO 27005, we can identify your critical assets and the threat actors and determine the threat level to your business. Additionally, we can help train your staff to be able to carry out risk assessments.

Read more posts on

About the author

Sarah Knowles is a NCSC certified Security and information Risk Adviser, an ISC2 Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor and a Cyber Essentials and IASME Governance Assessor. She has a technical background primarily in Microsoft technologies and has provided security governance, compliance and risk management to both HMG and private sector clients.

Sarah Knowles on Linkedin

Read more posts by Sarah Knowles