Fresh Thoughts #11: Risk Assessment Mistakes & Do You Need More Security?

    Newsletter
dropped ice cream

The Biggest Mistake I Made on My First Risk Assessment

The biggest mistake I made on my first risk assessment?

It was too detailed.

I documented every possible way to break into the system.

Now I:

  • Decide which information is sensitive - and matters
  • Start with the most sensitive data
  • List where it is stored and processed (minimise these)
  • List the ways to get to the sensitive data (minimise these)
  • Remove duplicate steps
  • Start with the path with the fewest steps
  • Group possible attacks into families
  • Mitigate the attacks at a group level
  • Repeat for the longer routes and reuse existing mitigations
  • Repeat for less sensitive data

highest risk first + reusing mitigations = efficient risk assessments

5 Questions To Know if You Need More Security

Think of your most sacred and sensitive data.

Think about where it's stored...

  1. Can a hacker get here?
  2. What would they need to do?
  3. How easy is it to do those things?
  4. What defences are you relying on? (Are they implemented?)
  5. How can you strengthen those defences?

A recent example: Customer data on an e-commerce site.

  • Can a hacker get here?
    • Yes.
  • What would they need to do?
    • get into the admin account
    • ...
  • How easy is it to do those things?
    • use leaked, stolen, reused passwords
    • guess the password based on the most common passwords
    • ...
  • What defences are you relying on?
    • people not losing or reusing passwords (not very robust...)
    • ...
  • How can you strengthen those defences?
    • strengthen account management and password security:
      • make passwords a part of your acceptable use policy
      • all team members have unique accounts
      • use separate accounts for admins functions and everyday work
      • use a password manager so your team doesn't need to remember passwords and can easily create unique ones
    • use 2FA, so even if the password is lost, there is an extra line of defence

Some easy, quick wins here. Time to strengthen your security.

April 19, 2022
2 Minutes Read

Fresh Thoughts to Your Inbox

Fresh perspectives on cybersecurity every Tuesday. Real stories, analytical insights, and a slash through buzzwords.

We'll never share your email.

Related Reads

radio antenna on a hill side picking up signals

Fresh Thoughts #8: Seeing Signals & Why Some Bugs are Unpatchable

Security awareness training teaches your team how to spot the signals used in scams. Once they see it...

Little girl looking through binoculars

Fresh Thoughts #1: Trouble Ahead for Cyber Essentials?

Are the new Cyber Essentials v3 cloud requirements possible for small & mid-sized businesses? Let's discuss.

burned out car in the desert

Fresh Thoughts #9: Keeping on Top of Common Threats & Wasted Training?

Why use security awareness training when 90% is forgotten within 1 week? Security awareness training is about creating triggers. To cause people to "feel something isn't quite right".

Freshsec Logo

Subscribe to Fresh Thoughts

Our weekly newsletter brings you cybersecurity stories and insights. The insights that help you cut through the bull.

We'll never share your email.

Resources

Fresh Security Support

Your Questions

Blog

Legal Bits

Your Privacy

Our Terms

Cookies

Fresh Sec Limited

Call: +44 (0)203 9255868