Assess risks to IT security.pptx

  1. ASSESS RISKS TO IT SECURITY PREPARED BY: ER. LOCHAN RAJ DAHAL
  2. What is Cyber Security? Cyber Security involves the practice of implementing multiple layers of security and protection against digital attacks across computers, devices, systems, and networks. Usually, organizations have a system and a framework in place for how they tackle attempted or successful cyberattacks. A good framework can help detect and identify threats, protect networks and systems, and recover in case any attack was successful.
  3. Scale of Cyber Security Threats
  • Cyber-defense tactics and cyber threats evolve in an attempt to outdo one another. As a result, malicious software and other threats keep appearing in new forms that constantly need to be defended against. Any individual or organization that uses any form of network is a potential target.
  • Three broad categories of cyber threat to be aware of:
  1. Cybercrime: committed by one or more individuals who target systems for financial gain or to cause disruption.
  2. Cyberterrorism: aims to undermine electronic systems in order to instill fear or panic.
  3. Cyberattacks: often politically motivated, aimed at collecting and/or distributing sensitive data.
  4. ASSESS RISKS TO IT SECURITY
  • The term "information security risk" refers to the potential damage that attacks against IT systems can cause. IT risk encompasses a wide range of potential events, including data breaches, regulatory enforcement actions, financial costs, reputational damage, and more.
  • Although "risk" is often conflated with "threat", the two are different. A threat is a specific source of danger (an attacker, a malware family, a careless insider). A vulnerability is a weakness that the threat can exploit. Risk combines the two: the likelihood that a threat exploits a vulnerability, weighed against the impact if it does. A risk may or may not materialize; a threat exists whether or not you happen to be exposed to it.
  • Worries about security risk can slow progress and keep companies from meeting their goals. On the other hand, by taking the time to understand the risks you face and the security measures best suited to them, a company can create a strategy that balances cybersecurity risk with opportunity, one that allows it to grow while safeguarding its sensitive information.
  5. What are some potential IT security risks?
  • Viruses and worms: malicious software programs (malware) aimed at destroying or disrupting an organization's systems, data and network.
  • Botnets
  • Drive-by download attacks
  • Phishing attacks
  • Distributed denial-of-service (DDoS) attacks
  • Ransomware
  • Exploit kits
  • Advanced persistent threat attacks
  6. Phishing
  • Phishing is a fraudulent attempt to obtain sensitive data such as credit card numbers, usernames and passwords by sending messages (usually email) that claim to come from a reputable source. It is one of the most common types of cyberattack. It is reduced, not eliminated, by educating users and by technical controls that screen malicious mail (spam and URL filtering, sender authentication such as SPF/DKIM/DMARC) together with multi-factor authentication, which limits what a stolen password is worth.
  7. Ransomware
  • Ransomware is malicious software designed to extort money. Attackers encrypt files or block access to systems until the victim pays the demanded ransom. Paying does not guarantee file recovery or system restoration, and many operators also steal data before encrypting it and threaten to publish it (double extortion), so tested offline backups remain the primary control.
  8. Malware
  • Malware is software designed to gain unauthorized access to systems or to cause damage. It includes viruses, worms, ransomware and spyware. Clicking on a malicious link or attachment installs the software and activates the malware. Once active, it can:
  • Stealthily acquire data and transmit it off the host (spyware)
  • Block users from accessing key files or network components (ransomware)
  • Make systems inoperable by disrupting individual components
  • Download and install further malicious software
  9. Social Engineering
  • Social engineering is a tactic for manipulating people into giving up confidential information, including bank details, passwords, or access to their computer, so that malicious software can be covertly installed to steal such information from the system.
  • Social engineering is often combined with other cyber threats to make it more likely that users click on malicious links, open attachments, or download malware.
  10. Advanced Persistent Threats (APTs)
  • An APT is an intrusion in which an unauthorized party gains access to a system or network and stays there undetected for a long time. APT operators generally avoid damaging the network or machines, because noise would expose them; their focus is long-term data theft or espionage. They are known for evading traditional signature-based security tools and have been behind a number of large, costly data breaches.
  11. SQL Injection
  • SQL injection occurs when untrusted input (for example, text typed into a website's search box) is concatenated into a SQL query, so that characters such as quotes change the structure of the query instead of being treated as data. The attacker can then read, modify or delete data the application never intended to expose, bypass logins, and on some database configurations run commands on the database host. The fix is parameterized queries (prepared statements); input filtering alone is not reliable.
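The search-box case above, as an added example that is not part of the slides: a constructed in-memory SQLite table, a query built by string formatting (the vulnerable form) beside the same query written with a parameter, and two classic payloads run against each. The table, product names and payload strings are made up for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the search box's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret_cost REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "router", 40.0), (2, "switch", 25.0), (3, "firewall", 300.0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # BAD: the search term is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest of the input is parsed as SQL.
    sql = f"SELECT id, name FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # GOOD: parameterised query. The value travels separately from the query
    # text, so it can only be compared against `name`, never parsed as SQL.
    return conn.execute(
        "SELECT id, name FROM products WHERE name = ?", (term,)
    ).fetchall()


# Classic tautology: the clause becomes  WHERE name = '' OR '1'='1'  and matches every row.
TAUTOLOGY = "' OR '1'='1"
# UNION-based extraction: pulls the secret_cost column into the "name" position;
# the trailing -- comments out the dangling quote that the template appends.
UNION_DUMP = "' UNION SELECT id, secret_cost FROM products --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", search_vulnerable(db, TAUTOLOGY))  # all 3 rows
    print("vulnerable, union dump:", search_vulnerable(db, UNION_DUMP))  # costs leak
    print("safe, tautology       :", search_safe(db, TAUTOLOGY))        # []
```

Against the parameterised query both payloads are just strings that no product is named, so nothing comes back; the point is that the query's structure is fixed before the input is ever seen.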
  12. Man in the Middle (MITM)
  • A man-in-the-middle attack occurs when an attacker inserts themselves between two communicating parties and relays, reads or alters the traffic while both sides believe they are talking directly to each other. Unsecured public Wi-Fi is a common setting: the attacker can run a rogue access point or spoof ARP or DNS replies so that the victim's traffic is routed through their machine. Malware on the endpoint is one way to reach the same position but is not required. Transport encryption with certificate validation (TLS/HTTPS, HSTS) is the main defense.
  13. Denial of Service (DoS)
  • A denial-of-service attack aims to make a machine or network unable to respond to legitimate requests, typically by flooding it with traffic or by triggering a crash or resource exhaustion with malformed input. When the flood comes from many compromised machines at once (a botnet) it is a distributed denial of service (DDoS), which is much harder to filter by source address.
  14. What are the security concerns?
  • Misconfiguration: at 77%, the most common concern reported, and for good reason.
  • Phishing
  • Poor passwords
  • Lost or stolen devices
  • Orphaned accounts
  • Prioritizing security weaknesses with penetration testing
  15. WHAT ARE THE STEPS FOR AN INFORMATION SECURITY RISK ASSESSMENT?
  • A successful cybersecurity strategy (one that can feed into larger enterprise risk management efforts) starts with a risk assessment. While every risk assessment differs according to individual needs, there are common elements that can serve as a framework.
  • Identify: start by identifying every security risk your company is currently facing or could reasonably face in the near future. Including future risks in this step is crucial, because IT risk changes frequently as new technologies develop.
  • Analyze: examine each risk and determine both its likelihood of occurring and its potential impact. Not every risk requires the same amount of attention; scoring likelihood against impact lets you prioritize the risks with the largest potential for harm.
  16. RISK ASSESSMENT
  • Prevent: once you understand the risks your company faces, develop controls and procedures that either minimize the damage or prevent it altogether. Your incident response strategy is also developed in this step. The four common types of risk response (discussed below) help you build a risk management program tailored to your company and its goals.
  • Document: clear documentation of your policies and risk mitigation efforts serves you well in the long term. A risk register listing each risk, its owner, its score and its controls keeps everyone on the same page and minimizes confusion and miscommunication. Documentation also lets you revisit your policies and revise them when change is needed.
  • Monitor and Reassess: your security risks change as business operations evolve, as new technologies emerge, and as attackers find new ways through IT defenses. Monitor the effectiveness of your security efforts, reassess your risks periodically (usually at least once a year), and adjust policies, procedures and controls as necessary.
  17. WHAT ARE THE FOUR TYPES OF RISK RESPONSE?
  • Deciding how to respond to each risk is an important element of the risk management process. There are four primary types of response; assess your information systems and each risk individually to determine which approach is most effective.
  • Accept: this response recognizes that a certain amount of risk is always present. Also known as risk retention, risk acceptance is the decision that the potential gain in a given scenario outweighs the chance of loss. Which risks are worth taking depends on your company's predetermined risk tolerance and appetite; it is up to your company to decide what constitutes an acceptable level of risk. In IT, some degree of risk acceptance is always present when adopting new technologies that can provide growth.
  • Share: another common strategy is to share risk with an outside contractor or partner. An example in IT risk management is using a cloud provider such as AWS or Microsoft Azure. These providers build data protection obligations into their agreements, and while such arrangements do not absolve you of responsibility (the provider secures the underlying platform; you remain responsible for how you configure and use it), they help you contain and correct the damage should a security incident occur.
  18. RISK RESPONSE
  • Transfer: risk transfer moves the financial responsibility for a risk onto an outside party, usually by purchasing insurance for the issue in question. Security threats such as malware or ransomware are frequently covered by cyber insurance. Cybersecurity insurance is still a developing market, and insurers increasingly require specific controls (MFA, backups, EDR) before they will underwrite, but it can be a useful investment depending on your circumstances and goals.
  • Avoid: risk avoidance is generally the safest of these strategies, but it can keep your company from progressing the way you want. Growing a business requires accepting some risk, and this is particularly true of IT risk. While it may seem wise to rely only on trusted technology, risk avoidance in the IT realm can quickly render your company obsolete.
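The Analyze, Prevent and Document steps from the assessment slides and the four responses above, as an added example that is not part of the slides: a small risk register that scores likelihood against impact, ranks the entries, and recommends a response. The scoring scale (1 to 5 for each factor), the decision rule in recommend_response, the appetite threshold and the sample risks are all assumptions made for this example; the rule adds "mitigate" (reducing the risk with controls, the Prevent step) as a fifth outcome alongside the four responses.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), from the Analyze step
    impact: int              # 1 (negligible) .. 5 (severe)
    owner: str               # who is accountable for the response (Document step)
    control: str = ""        # planned or existing mitigation
    insurable: bool = False  # could an insurer carry the residual loss? (Transfer)
    shared_with: str = ""    # provider or partner carrying part of it (Share)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        # Likelihood x impact is the usual qualitative score; 25 is the worst case.
        return self.likelihood * self.impact


def prioritise(register: list) -> list:
    """Highest score first; ties broken by impact so severe-but-rare risks are not buried."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def recommend_response(risk: Risk, appetite: int) -> str:
    """Assumed decision rule for this example, not a standard:
    within appetite -> accept; above it, offload where possible (transfer, then share);
    otherwise mitigate, unless the score is 20+ and nothing can offload it -> avoid."""
    if risk.score <= appetite:
        return "accept"
    if risk.insurable:
        return "transfer"
    if risk.shared_with:
        return "share"
    if risk.score >= 20:
        return "avoid"
    return "mitigate"


def build_register(risks: list, appetite: int) -> list:
    """Rows of the risk register, worst first: what the Document step would file."""
    return [
        {"risk": r.name, "score": r.score, "owner": r.owner,
         "response": recommend_response(r, appetite), "control": r.control}
        for r in prioritise(risks)
    ]


# Constructed sample risks, for illustration only.
SAMPLE = [
    Risk("Ransomware on file servers", 4, 5, "IT Ops", "offline backups, EDR", insurable=True),
    Risk("Phishing credential theft", 5, 3, "SecOps", "MFA, awareness training"),
    Risk("Cloud storage misconfiguration", 3, 4, "Cloud team", "CSPM scan", shared_with="AWS"),
    Risk("Legacy app with no vendor patches", 4, 5, "AppSec"),
    Risk("Laptop lost in transit", 2, 2, "IT Ops", "full-disk encryption"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, appetite=4):
        print(f"{row['score']:>2}  {row['response']:<9} {row['risk']:<36} owner={row['owner']}")
```

Two risks score 20 here, but they get different responses: the ransomware risk can be insured, the unpatched legacy application cannot be insured or shared and ends up as "avoid" (retire or isolate it). That is the point of assessing each risk individually rather than by score alone.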
  19. INFORMATION SECURITY RISK MANAGEMENT BEST PRACTICES
  • IT risk management goes beyond listing your risks. To provide the best possible protection against cyber threats you need to embed risk management into your company at every level.
  • Educate Your Staff: your staff are your first and best defense against breaches. Training them and informing them of your policies helps them recognize the warning signs of an attack and stop the damage before it starts. This kind of training also helps mitigate human error, prevent unauthorized access, and instill strong security hygiene throughout the organization.
  • Monitor Your Progress: maintaining strong security for your organization requires consistent attention. The documentation created during your risk assessment is instrumental in keeping your security policy up to date. The list of risks, more commonly known as a risk register, also helps with changes in staff and makes sure every risk remains correctly assigned and accounted for.
  • Embrace Change: successful risk management is flexible and changes over time as new threats emerge and old ones become irrelevant. Revisit and revise the policies surrounding your information assets at least annually, or whenever your company undergoes significant change. Adjusting the risk management program to such changes keeps your security controls effective against new developments in cybercrime.
  20. CYBER SECURITY TOOLS
  • Cyber security tools are the applications and solutions used to mitigate risks and safeguard sensitive information from cyber threats. Some widely used examples (mostly network and web testing tools):
  • Wireshark
  • Web security
  • Nmap
  • Metasploit
  • Ncat
  • Entersoft Insights
  • Aircrack-ng
  • Nikto
  21. WHAT IS SECURITY TESTING?
  • Security testing checks whether software is vulnerable to attack and tests the effect of malicious or unexpected inputs on its operation. It provides evidence that systems and information behave safely and reliably and that they reject unauthorized inputs.
  • Security testing is a type of non-functional testing. Functional testing focuses on whether the software's functions work properly ("what" the software does); non-functional testing focuses on whether the application is designed and configured correctly ("how" it does it).
  • Security testing is structured around several key elements:
  • Assets: things that need to be protected, such as software applications and computing infrastructure.
  • Threats and vulnerabilities: activities that can cause damage to an asset, and weaknesses in one or more assets that attackers can exploit. Vulnerabilities include unpatched operating systems or browsers, weak authentication, and the absence of basic security controls such as firewalls.
  • Risk: security testing evaluates the risk that specific threats or vulnerabilities will cause a negative impact to the business. Risk is evaluated from the severity of a threat or vulnerability together with the likelihood and impact of exploitation.
  • Remediation: security testing is not just a passive evaluation of assets. It provides actionable guidance for remediating the vulnerabilities discovered, and can verify that they were actually fixed.
  22. WHAT ARE THE DIFFERENT TYPES OF CYBERSECURITY TESTING?
  • The best way to use cybersecurity testing methods is to create a schedule for the various tests so that your security systems stay robust and up to date. Explore the different testing methods and processes to find out which your company would benefit from most.
  • 1. Cybersecurity Audit
  • A cybersecurity audit is designed to be a comprehensive overview of your network, looking for vulnerabilities and assessing whether your systems comply with the relevant regulations. Audits give companies a proactive approach to security design: once they know which gaps need filling, they can design their security setup with more intention.
  23. WHAT ARE THE DIFFERENT TYPES OF CYBERSECURITY TESTING?
  • Independent IT professionals usually conduct audits to eliminate any conflict of interest. Occasionally audits are handled internally, but this is rare. A range of standardized procedures is used in an audit to ensure that every area of a security system is assessed.
  • A complete audit covers substantial ground, and it usually starts with a review of the company's data security policies. During the review, the auditors consider how the policies support the confidentiality, integrity and availability of the company's data. Building a wide view of the security environment gives them a sense of what needs the most attention.
  24. 2. Penetration Testing
  • Often called pen testing, penetration testing is a form of ethical hacking. During a pen test, IT professionals intentionally launch an attack on a system to access or exploit applications, websites and networks. The main objective is to identify weaknesses in a security system; the specific goals depend on the area being tested. For networks, the aim is to tune firewall rules, close unused ports and eliminate any loopholes. For websites, testers look for and report notable vulnerabilities such as cross-site scripting and buffer overflows. There are several methods of penetration testing, and the one used depends on the organization's goals and security concerns:
  • Internal tests: performed from within the company's environment, simulating an attacker who has already breached the network perimeter or an authorized user abusing their access to private data.
  • External tests: performed against the network perimeter from an outside source, such as the internet.
  25. Penetration Testing (continued)
  • Blind tests: testers simulate the actions of a real attacker. They start with little or no information about the company's security infrastructure and attempt to breach the network perimeter, relying on publicly available (open-source) information to get in, which reveals how much private information is readily available to the public.
  • Double-blind tests: similar to a blind test, but staff in the company, including IT personnel, are unaware that the test is taking place. This tests the threat-detection processes and associated procedures to see how well they hold up against a real attacker.
  • Targeted tests: unlike blind tests, targeted tests require complete transparency. IT teams are involved in the process to address specific concerns about a network. These tests take less time to execute, but they may not provide a full picture of the company's security. Typically, businesses should perform penetration tests annually or after any major change to the network infrastructure.
  26. 3. Vulnerability Scan
  • A vulnerability scan is the process of identifying security weaknesses in systems and software with the goal of protecting an organization from breaches. It is often confused with penetration testing because the two have similar functions, but they are different.
  • While pen testing involves simulated attacks that can locate the root cause of gaps, vulnerability scanning is an automated test that simply identifies them. IT professionals use designated scanning software, which builds an inventory of all systems and the software on them and matches that inventory against a database of known vulnerabilities. At the end of the scan, the known vulnerabilities found are highlighted for the company to handle.
  27. 3. Vulnerability Scan (continued)
  • A scan can identify many kinds of vulnerability within a network. In 2020, the Cybersecurity and Infrastructure Security Agency (CISA) published a list of the most frequently encountered vulnerabilities, and the most common class was remote code execution (RCE), in which an attacker runs code of their choosing, often with system-level privileges, on a host that has the relevant weakness.
  • Other vulnerability classes include:
  • Arbitrary code execution: an attacker can run commands or code on the vulnerable device.
  • Arbitrary file read: an attacker can read the contents of any file on the file system (a related class, arbitrary file write, lets them overwrite files).
  • Path traversal: a vulnerability that lets attackers reach files outside the directory the application intended to expose, typically by passing "../" sequences in a file name.
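The core of a vulnerability scanner as the slides describe it (inventory matched against a database of known vulnerabilities), as an added example that is not part of the slides. The vulnerability records, identifiers, product names, the range grammar and the host inventory are all constructed for this example; a real scanner pulls its records from feeds such as NVD or OSV and fingerprints the installed software itself.

```python
import re

# Constructed vulnerability records. The identifiers and products are made up.
VULN_DB = [
    {"id": "EX-2024-0001", "product": "acme-httpd", "affected": ">=2.4.0,<2.4.51",
     "class": "remote code execution", "severity": 9.8},
    {"id": "EX-2024-0002", "product": "acme-httpd", "affected": "<2.3.0",
     "class": "path traversal", "severity": 7.5},
    {"id": "EX-2024-0003", "product": "tls-lib", "affected": ">=1.1.0,<=1.1.3",
     "class": "arbitrary file read", "severity": 6.5},
]

# Constructed inventory (host -> {product: version}), the output of the
# "build an inventory of all systems" stage.
INVENTORY = {
    "web01": {"acme-httpd": "2.4.49", "tls-lib": "1.1.3"},
    "web02": {"acme-httpd": "2.4.51", "tls-lib": "1.2.0"},
    "bastion": {"tls-lib": "1.0.9"},
}


def parse_version(v: str) -> tuple:
    """'2.4.49' -> (2, 4, 49). Assumption: plain dotted numeric versions.
    Letter suffixes such as '1.1.1k' are ignored here, which a real scanner must not do."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"unparseable version {v!r}")
    return parts


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def is_affected(version: str, affected_range: str) -> bool:
    """Range grammar assumed for this example: comma-separated constraints that must all hold."""
    v = parse_version(version)
    for constraint in affected_range.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def scan(inventory: dict, vuln_db: list) -> list:
    """Match every installed (product, version) against the database; worst first."""
    findings = []
    for host, packages in inventory.items():
        for product, version in packages.items():
            for entry in vuln_db:
                if entry["product"] == product and is_affected(version, entry["affected"]):
                    findings.append({
                        "host": host, "product": product, "version": version,
                        "id": entry["id"], "class": entry["class"],
                        "severity": entry["severity"],
                    })
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    for f in scan(INVENTORY, VULN_DB):
        print(f"{f['severity']:>4}  {f['host']:<8} {f['product']} {f['version']}  "
              f"{f['id']} ({f['class']})")
```

Note what the scan does and does not tell you: web01 is flagged because its version falls inside a published affected range, not because anyone confirmed the flaw is reachable there. That confirmation is the pen tester's job, which is the difference the slide draws between the two activities.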
  28. 4. Security (Configuration) Scan
  • A security or configuration scan searches for misconfigurations in a system. A misconfiguration is an incorrect or suboptimal setting of a system or system component that can lead to a vulnerability. Misconfigurations arise when security settings are left undefined or insecure defaults are left in place.
  • Attackers know that misconfigurations are easy to find, and an exploited misconfiguration frequently leads to high-volume data leakage that causes real harm to the business.
  • Common misconfigurations include:
  • Default account settings and credentials
  • Unencrypted files and storage
  • Unpatched systems
  • Outdated web applications
  • Insufficient or overly permissive firewall rules
  29. 4. Security (Configuration) Scan (continued)
  • These incorrect settings can be classified as vulnerabilities and may also surface in a vulnerability scan. Security scans, however, look only for misconfigurations, which makes them a more pointed test.
  • As more applications move to the cloud, misconfigurations are easy to overlook. Many stem from the cloud and hybrid environments created by the growth of remote workforces. Gartner has stated that through 2025, 99% of cloud security failures will be the customer's fault, which in practice means a customer-side misconfiguration rather than a flaw in the provider's platform.
  • That said, companies have complete visibility into their own configurations; it is a matter of paying attention to them. Among all the other IT demands they are easy to miss, even though they are usually easy to fix. This is why configuration scans belong in a company's cybersecurity framework.
  • Given how easily misconfigurations are overlooked, regular security scans give your team the foresight it needs to secure its network. Annual scans are a minimum; running them several times a year, or continuously against a baseline, helps the company keep up with configuration drift.
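A configuration scan in miniature, as an added example that is not part of the slides: an OpenSSH server configuration (sshd_config) checked against a hardening baseline. The directive names are real OpenSSH directives; the expected values in BASELINE are this example's assumptions rather than an official benchmark, and the two configurations are constructed. "Not set" is reported as a finding because a directive left undefined relies on whatever default the installed build compiled in, which is exactly the case the slide warns about.

```python
# Hardening baseline: directive -> (predicate on the value, human-readable expectation).
# Expected values are assumptions for this example; use your organisation's standard.
BASELINE = {
    "PermitRootLogin": (lambda v: v in {"no", "prohibit-password"}, "no or prohibit-password"),
    "PasswordAuthentication": (lambda v: v == "no", "no (use keys)"),
    "PermitEmptyPasswords": (lambda v: v == "no", "no"),
    "X11Forwarding": (lambda v: v == "no", "no"),
    "MaxAuthTries": (lambda v: v.isdigit() and int(v) <= 4, "<= 4"),
    "LogLevel": (lambda v: v in {"INFO", "VERBOSE"}, "INFO or VERBOSE"),
}


def parse_config(text: str) -> dict:
    """Directive -> value. Comments and blank lines are dropped and, as in sshd,
    the first occurrence of a directive wins. Keys are normalised to the baseline's
    spelling because sshd matches directive names case-insensitively."""
    canonical = {k.lower(): k for k in BASELINE}
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = canonical.get(parts[0].lower(), parts[0])
        settings.setdefault(key, parts[1].strip())
    return settings


def check_config(text: str, baseline: dict = BASELINE) -> list:
    """One finding per baseline directive that is missing or has a weak value."""
    settings = parse_config(text)
    findings = []
    for directive, (ok, expected) in baseline.items():
        value = settings.get(directive)
        if value is None:
            findings.append({"directive": directive, "value": None, "expected": expected,
                             "issue": "not set: relying on the compiled-in default"})
        elif not ok(value):
            findings.append({"directive": directive, "value": value, "expected": expected,
                             "issue": "weak value"})
    return findings


# Constructed configurations. WEAK allows password login as root, leaves other
# directives at their defaults and permits ten authentication attempts.
WEAK = """\
# sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for f in check_config(WEAK):
        print(f"{f['directive']:<24} {f['issue']} (got {f['value']!r}, expected {f['expected']})")
    print("hardened config findings:", check_config(HARDENED))
```

The same shape (parse the live configuration, compare each setting with a baseline, report misses and weak values) is what CSPM tools do for cloud resources and what CIS benchmark scanners do for operating systems; the baseline is the part that needs real care.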
  30. 5. Cybersecurity Risk Assessment
  • A cybersecurity risk assessment is a process that analyzes the security controls in an organization and the threats that could act against them. These assessments are comprehensive: they evaluate existing risks and create strategies for mitigating them.
  • The information assets exposed to risk include hardware, software, intellectual property, customer data and more. There are four essential steps:
  • Identify: identify all essential assets in the company's technology infrastructure. IT professionals determine the sensitive data associated with each asset and create a risk profile for it.
  31. 5. Cybersecurity Risk Assessment (continued)
  • Assess: IT team members evaluate the risk level of each item and determine how many resources the company needs to dedicate to mitigation. This step maps the relationship between vulnerabilities, assets and mitigations.
  • Mitigate: the risk assessment team creates a mitigation plan and puts security controls in place for all identified risks.
  • Prevent: the company's personnel keep mitigation going by implementing designated tools and processes to contain threats as they arise.
  • Mitigation and prevention are rolled out in priority order: some risks pose far more potential harm than others, which makes mitigating them first critical. As a general rule, companies should conduct risk assessments at least once a year, and also whenever the technology infrastructure changes, for example a cloud migration, new applications or a large expansion.
  32. 6. Posture Assessment
  • A posture assessment is the best initial test among the security testing methods because it can guide your whole approach to security. It measures your cybersecurity posture: how well your protocols and controls actually prevent cyber threats.
  • IT professionals perform posture assessments through a range of processes that examine internal and external factors. Unlike an audit or a pen test taken alone, a posture assessment is intended to produce concrete guidance for improving cybersecurity maturity, often with the goal of maximizing return on investment (ROI) for security spending.
  • The assessment can combine methods such as ethical hacking, security scanning and risk assessment to define the security posture and to:
  • Identify and assess the value of company data
  • Define threat exposure and risks
  • Evaluate whether appropriate security methods are in place
  • Recommend a concrete plan for strengthening defenses
  33. 6. Posture Assessment (continued)
  • Conducting a posture assessment is a wise move in a variety of circumstances: to optimize ROI, to start a new strategy, to prepare for organizational change, or to address known security gaps. While it need not be performed on a fixed schedule, it is a good option for companies of all sizes.
  34. 7. HOST-BASED ASSESSMENT
  • A host-based vulnerability assessment is an evaluation process that provides comprehensive insight into an organization's internal and external risk exposure and the impact it could have on the business. It performs an in-depth evaluation of individual systems and the networks they sit on to identify security weaknesses that need to be addressed.
  • The assessor examines each system from the perspective of a user who already has access to it from within the organization, typically with credentials or an agent on the host, so the assessment reveals the potential insider threat to systems and networks as well as weaknesses an external attacker could use once inside. It helps identify suspicious insider activity and detect intruders who have already infiltrated a system. In this way a host-based assessment adds a layer of protection against both internal misuse and external intruders who have compromised a host and are attempting to reach information.