Health data breaches continue to make the news. One example is the 2016 attack on Arizona-based Banner Health, which potentially affected 3.7 million patients. In that case the data may have been compromised after an employee accessed corporate data outside of normal job duties, without following existing rules.
Such cases show that attacks on company assets and critical information, often ending in major data breaches, are increasing and have become a dominant source of concern. No organization can remove all risk, but it can reassess its strategy towards risk and decide which risks it will accept in order to reduce its overall exposure.
One of the first steps a company should consider is a threat risk assessment, or better still a cybersecurity posture assessment, which gives an overview of the current security posture and recommendations on where to go next.
One of the main purposes of a Threat Risk Assessment (TRA) is to confirm that policy and appliance settings across the organization's infrastructure sit at an acceptable level of risk. An organization may also narrow the review to specific areas or issues.
To achieve this, a security consultant analyzes the initial risks and looks for controls that would reduce them while leaving the quality and functionality of the organization's services unchanged. Mitigation strategies are developed against industry norms as well as any specific standards the organization follows. Once the recommendations have been discussed and applied, the risks are scored again. In practice this eliminates nearly all of the 'very high' risks, together with the 'high' risks that can be addressed immediately; some 'high' risks remain because they stem from vulnerabilities that are difficult to change in the short term.
Consultants usually follow TRA-1, the Canadian 'Harmonized Threat and Risk Assessment Methodology' published jointly by the Communications Security Establishment and the RCMP. A TRA provides a systematic way of understanding risks from the perspective of the enterprise's interests and of seeing how a particular project affects those interests. The methodology also quantifies the risks so that enterprise resources can be directed at reducing the most serious ones to an acceptable level. No risk can ever be removed completely, but this systematic procedure helps an organization bring risk down to an appropriate level using the fewest resources necessary.
Asset value, threat level and control (vulnerability) rating are each scored from 1 to 5. Assigning those values is part of the 'art' of threat and risk assessment. Once the lists of assets, threats and vulnerabilities have been drawn up and scored, the TRA links a threat, a control gap and an asset together in a plausible risk scenario:
A threat (i) exploits a vulnerability or missing control (j), which affects an asset (k).
The three values are multiplied to give the 'risk score' for the scenario (i, j, k).
Risk scores fall into five bands: 1-4 (very low risk), 5-12 (low risk), 15-32 (medium risk), 36-75 (high risk) and 80-125 (very high risk). The gaps between bands (13-14, 33-35 and 76-79) are values that no product of three 1-to-5 scores can produce, so every possible score lands in exactly one band.
The healthcare industry is a good example because its sensitive patient information makes it a constant target. Consider a motivated attacker who steals a tablet in order to obtain a politician's health records for malicious purposes. The asset is patient data, with confidentiality impacted, scored 3.
The threat is rated by combining a low likelihood (2) with a mid-to-high severity (4), giving a threat score of 3. Because the patient data sits on an unencrypted device with no passcode, the control score is 5 (very poor safeguards; on this scale a higher control score means weaker protection).
Following the TRA calculation, the risk score is 3 x 5 x 3 = 45, which falls in the 'high' band and is worth mitigating. The practitioner would recommend controls that keep patient data from being stored locally on the device and that enforce a passcode to access it.
With those controls in place the control score (j) drops to 2 and the risk score becomes 3 x 2 x 3 = 18 (medium risk), which may be acceptable within the scope of the project. The residual risk, and who accepted it, should be recorded so that the decision remains visible.
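The scoring model above is small enough to put in a risk register script. The following Python is an added example, not code from the original post or from the TRA-1 methodology itself: it implements the page's scheme (three 1-to-5 scores, risk = threat x control x asset, five bands), re-scores a scenario after mitigation, and ranks a register against a risk appetite. The way likelihood and severity are combined into one threat score (a rounded mean, which reproduces the page's 2 and 4 giving 3) is an assumption, as are the two extra register entries, which are constructed for illustration.

```python
"""Risk register helper for the TRA-1 style scoring described above.

Added example, not code from the page or from TRA-1. Scores are integers 1..5,
risk = threat (i) * control (j) * asset (k), banded as the page describes.
"""
from dataclasses import dataclass, replace
from itertools import product

# Inclusive upper bound of each band, lowest to highest.
BANDS = [(4, "very low"), (12, "low"), (32, "medium"), (75, "high"), (125, "very high")]
BAND_ORDER = [label for _, label in BANDS]


def check_score(value, name):
    """Every input must be an integer from 1 to 5; reject anything else early."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def threat_level(likelihood, gravity):
    """Combine likelihood and gravity (each 1..5) into one threat score.

    Assumption: the page only shows likelihood 2 and gravity 4 giving 3, which a
    rounded mean reproduces (halves round up). TRA-1's own lookup table may differ.
    """
    return (check_score(likelihood, "likelihood") + check_score(gravity, "gravity") + 1) // 2


def risk_score(threat, control, asset):
    """Risk for scenario (i, j, k) = threat (i) * control (j) * asset (k)."""
    return check_score(threat, "threat") * check_score(control, "control") * check_score(asset, "asset")


def risk_band(score):
    """Map a risk score to its band label."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-125 range")


def reachable_scores():
    """Every product three 1..5 scores can produce; shows why the bands have gaps."""
    return sorted({t * c * a for t, c, a in product(range(1, 6), repeat=3)})


@dataclass(frozen=True)
class Scenario:
    threat: str          # (i) who or what acts
    vulnerability: str   # (j) the weak or missing control being exploited
    asset: str           # (k) what is affected
    threat_score: int
    control_score: int   # 1 = strong safeguards in place, 5 = very poor safeguards
    asset_score: int

    @property
    def score(self):
        return risk_score(self.threat_score, self.control_score, self.asset_score)

    @property
    def band(self):
        return risk_band(self.score)


def mitigate(scenario, new_control_score):
    """Re-score a scenario after a control is added; only (j) changes."""
    return replace(scenario, control_score=check_score(new_control_score, "control"))


def exceeds_appetite(scenario, appetite="medium"):
    """True when the scenario's band is above the highest band the organisation accepts."""
    return BAND_ORDER.index(scenario.band) > BAND_ORDER.index(appetite)


def rank(scenarios):
    """Highest risk first, so effort goes to the most serious scenarios."""
    return sorted(scenarios, key=lambda s: s.score, reverse=True)


# The page's tablet scenario plus two constructed entries to make a small register.
TABLET = Scenario("motivated thief after a politician's record",
                  "unencrypted tablet, no passcode", "patient data (confidentiality)",
                  threat_score=threat_level(2, 4), control_score=5, asset_score=3)
REGISTER = [
    TABLET,
    Scenario("opportunistic malware", "unpatched workstation", "scheduling system (availability)",
             threat_score=threat_level(4, 2), control_score=3, asset_score=2),
    Scenario("insider", "no access logging on EHR", "patient data (integrity)",
             threat_score=threat_level(2, 3), control_score=4, asset_score=4),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        action = "TREAT" if exceeds_appetite(s) else "accept"
        print(f"{s.score:3d} {s.band:9s} {action:6s} {s.threat} / {s.vulnerability} / {s.asset}")
    after = mitigate(TABLET, 2)
    print(f"tablet after mitigation: {after.score} ({after.band})")
```

Two details are worth keeping in mind when reusing this: the control score runs the opposite way from what many people expect (5 is the worst safeguard, not the best), which is why `check_score` is applied on every path, and `reachable_scores()` is a cheap way to confirm that a band table with gaps still classifies every score the model can produce.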
The effort required for a TRA can be estimated, but it depends strictly on the scope of the project; a typical engagement falls in the range of 160 to 250 hours.
In most cases, the first and the last phases of the engagement have a standard duration: one (1) day is required for the engagement initiation phase, and one (1) week for the final report definition and the presentation summary. The middle part of the project depends entirely on the scope and can be divided into two parts:
Final Note: As mentioned earlier, every Threat Risk Assessment’s scope is different. This information is for indication purposes only.