Threat Identification: In the Internet world, a threat could be a potential danger that may exploit a vulnerability to breach security and so cause harm to the organization. A threat will be “intentional” or “unconditional”, man made actions, or occurred through any internal events. A threat-source doesn’t show off a potential risk when there is no vulnerability that can be exercised from it. A vulnerability is a weakness that can be unintentionally triggered or intentionally exploited. We should conduct the Risk assessment to evaluate the relative likelihood of occurrence for each threat. We should carry out a more detailed risk assessment plan, and we evaluate each threat against the likelihood and actual impact of risks during each stage. Once you have identified the potential threats, the next step is to identify the corresponding weaknesses (vulnerabilities) in your organizational network, Internal/external systems, resources, and organizational policies the external/internal threats could exploit that. I recommend following up on the latest standard listing of threats and vulnerabilities. ISO27005 We can assess it through the concepts about the threat, threat consequences, the likelihood of nature, and the total impact and exposure of threat matrix. The functional goal of this step is to analyze the controls that have been implemented, or yet to be implemented, by the organization to minimize the probability of a threat’s exercising a system vulnerability. Control Analysis: The control methods of the technical and nontechnical can be classified into preventive or detective. Control Categories: The security requirements checklist can be used to validate security noncompliance as well as compliance. Therefore, it is essential to update such checklists to reflect changes in an organization’s control environment regularly. Control Analysis Technique: Threat-Source Identification: A threat-source is defined as any circumstance or event with the potential action to cause harm to an IT system. There are some common threat sources can be natural, human, or environmental. After performing a risk assessment, you may find a considerable number of ongoing threats and vulnerabilities that can affect your company. These may include intrusions, vandalism, theft, or other incidents and situations that may vary from business to business. THREAT CLASS DISCLOSURE ✔ INTERRUPTION ✔ MODIFICATION ✔ DESTRUCTION ✔ REMOVAL ✔ The distinct class of threat concepts, consequence, likely hood, total impact, and exposure are used to carry out the threat identification. Specific threat events such as hacker attempts, virus attacks, malware intruder attempts etc., fall into a particular threat class will be defined as per the matrix in the given below table. How to perform Threat identification? Threat identification Risk Rating templates : In this section, we project potential effects and the , with consideration of existing controls safeguards that could reduce the impact of the likelihood. Use a risk rating of Critical, High, Medium, Low, and insignificant to describe the magnitude of risk. likelihood of occurrence (I) Risk rating: (ii) Likelihood Rating: To develop an overall likelihood rating criterion, that shows the probability of a given vulnerability associated with multiple factors. Threat-source motivation and capability Nature of the vulnerability Existence and effectiveness of current controls. In the likelihood, we define a threat-source as High, Medium, Low as shown in Fig.2. (iii) Impact Rating: The next significant step in measuring the level of risk is to determine the adverse impact when a threat actor exercises a vulnerability.  In this approach, while analyzing the actual impact, to interview the system and information owners to analyze and rate further as shown in Fig.3. Describing threats in terms of who, how, and when. a) Establishing into which threat class a threat falls. b) Determining the threat likelihood. c) Determining the implications on the business operations should a threat achieve success. d) Assessing the impact of the results as less serious, serious, or exceptionally grave injury. e) Assigning an exposure rating to every threat, in terms of the relative severity to the organization. f) Prioritizing the impacts /likelihood pairs, according to the determined ratings. g) Risk Rating Factors: The we used to determine the premium. Ideally, we should use all as rating . factors risk factors factors Conclusion: We discussed the Risk assessment of the relative likelihood of occurrence for each threat. The organization should carry out a more detailed risk assessment plan, and we test each threat against the likelihood and actual impact of risks during each stage. Quote of the day: “A good beginning makes a good ending” You could say that your preparation beforehand will help you start well. If you rush any project at the start, most often the end will not be well. Starting right always ends well. Explanation: Thanks for reading! Have a pleasant day! Also published at https://medium.com/faun/how-to-identify-a-threat-how-to-perform-risk-exposure-matrix-and-threat-management-26908d2eb519

The Ultimate Strategy To Identify Threats In A Network And Perform Risk Exposure Matrix

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

5 Simple Ways To Get Rid Of High CPU Usage Troubles on Windows

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

Common Vulnerabilities and Exposures - Top Offenders in 2019

Docker Images: Kicking the Tires of Docker Scout

Prioritising Security Vulnerabilities with CVSS 3.1 [An Overview]

5 Simple Ways To Get Rid Of High CPU Usage Troubles on Windows

Time Bombs Inside Software: 0-Day Log4Shell is Just the Tip of The Iceberg

An Intro to Sitecore XP Deserialization RCE (CVE-2021–42237) in 2022

Common Vulnerabilities and Exposures - Top Offenders in 2019

Docker Images: Kicking the Tires of Docker Scout

Prioritising Security Vulnerabilities with CVSS 3.1 [An Overview]

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps