Know your enemy

Major security incidents have featured prominently in the news recently. First there were the stolen diplomatic messages published on Wikileaks and then the Stuxnet worm, which was so specialized and complex that it could control a pump in a specific type of nuclear installation.

These incidents are signs of the growing level of risk to sensitive corporate data. If your information assets, such as project records, bids, financial reports, credit card transactions or customer records, reach the value that makes them worth stealing, it will only be a matter of time before somebody will try.

The motivation for these security assaults and leaks is not always monetary. For some perpetrators, it is idealistic and, for so-called script kiddies, it can be to impress their friends. The tools to de-face corporate Websites are freely available on the Internet.

Those inside the security industry believe that social networking Websites, such as Facebook, Twitter and MySpace, will soon become the most insidious places on the Internet, where users are most likely to face frequent cyber attacks and digital annoyances. Many organizations have become increasingly concerned about malicious attacks originating from social networking sites, as well as the risks of users revealing sensitive personal or corporate data online.

And risks don’t always arise from deliberate miscreants. We have seen other risks make the headlines, such as the flooding in Australia and demonstrations in Egypt. These low-probability but high-impact risks can cause widespread damage and threaten business continuity.

Raising the alarm
Most corporate security officers are well aware of the threats to their businesses. But it can be difficult to convince their bosses to create budget for something that is not generating revenue. Senior management is sometimes only interested in spending on security controls when the loss expectancy for a risk can be quantified in terms of hard dollars. Shareholders don’t like surprises and do not want to wake up to a foreseeable risk that was not mitigated.

If you also consider regulatory compliance, the weight of evidence suggests that security officers need a risk-management strategy based on a solid business case. Whether the answer is to improve existing security controls, implement new ones, transfer the risk to another entity or just accept the risk and do nothing, it is important to do a risk assessment.

Risk assessments are an important tool in identifying threats and vulnerabilities that may harm or disclose your valuable assets and lead to considerable operational risk. The security consultants at Orange Business have worked closely with customers in various industries building a wealth of experience in the latest threats and vulnerabilities.

Risk assessments
Orange consultants perform risk assessments with customers’ business managers who are able to qualify or, even better, quantify the business impact and associated loss expected if a certain risk occurs. This exercise helps to prioritize risks, create business cases and schedule risk mitigation programs.

The scope of a risk assessment can be purely technical, such as testing a customer’s Internet gateway or specific applications for vulnerabilities. Risk assessments can also be done from a business perspective, such as looking at the threats of exploiting weaknesses in internal policies or procedures that manage Web presence or company reputation.

Typically, a risk assessment starts with identifying the company’s most important assets and owners depending on the scope. An asset can be anything that has value to the organization and which therefore needs protection. An asset can be primary, such as company reputation, business processes or data in any physical format, or supporting, such as hardware, software, networks, personnel or anything on which the primary assets rely. In cooperation with the customer, these assets will be given a value in order to quantify their value. The next step is to identify the threats that these assets may face, taking into consideration probability, impact and risk acceptance criteria. After that, risks will be prioritized, qualified and/ or quantified. Based on an evaluation session with the customer, a business case and risk mitigation plan will be developed.

Orange Business has performed risk assessments with different scopes for many customers in the financial and manufacturing industries and European institutes. Orange consultants helped evaluate their current environment and provided input to help develop risk mitigation measures, business contingency plans and disaster recovery plans as part of their IT strategies.

The experience Orange gains in evaluating risk is collected in a knowledge base and is used as input for the risk assessments it conducts with customers. The Orange risk assessment methodology is based on best practices taken from the leading industry security standards, such as ISO 27005, and provided by the National Institute of Standards and Technology (NIST). These fit seamlessly into existing Information Security Management Systems (ISMS) and Quality Standards based on ISO 27001, ITIL, ISO 20K, COBIT or companies that are subject to the Sarbanes-Oxley Act.

Today, Orange employs about 650 consultants in 50 countries covering all regions and industry sectors, turning business trends, issues and strategies into communications solutions that deliver business value. Of these, 87 consultants are security specialists, holding a wide scope
of certifications, such as CISSP (Certified Information Systems Security Professional).
Marcel van Wort is a CISSP-ISSAP qualified Senior Security Consultant within Consulting & Solutions Integration, Orange Business.

Risk assessments from Orange Business

  • Vulnerability assessment: discovering and assessing IT and network assets and associated vulnerabilities or potential threats as well as classifying and prioritizing vulnerabilities and policy violations. Recommendations and remediation plan are also provided.
  • Maturity assessment: vendor-agnostic evaluation of the customer’s level of security. It focuses on the customer’s business needs and the risks associated with them, and measures how security is both understood by the various stakeholders and implemented throughout the organization.
  • Compliance assessment: a control function to determine if up-front agreed policies and procedures are implemented within an organization and operated effectively according to security standards.
  • Penetration testing: simulating malicious activities as if they are real network break-ins.

 This blog appeared first as an article in June's issue of Real Times.

Marcel van Wort

Marcel is the Managing Consultant specialized in Information Security and Green IT at Orange Business with more than three decades of experience in ICT. He is an active member of the Orange Green Act program committed to achieve Green IT, sustainability and CSR goals at Orange Business and help our customers with their digital sustainability transition. Marcel likes mountain biking and is on a mission to develop ways to use CO2-neutral bio-fuels in motorsports while racing the Dakar Rally 2023.