Enter the Matrix: Cyber Security Risk Assessments Demystified

by Tal Zamir on April 2, 2020

Cyber security professionals are, by definition, in the risk management business. Your job is all about making sure information systems and sensitive data are protected against cyber attacks. And now with COVID 19 pushing more workers — and work — online than ever before, getting a handle on your evolving risk couldn’t be more critical.

“Risk” can be defined in a number of ways. To make sure we’re all on the same page, let’s go with how the National Institute of Standards and Technology (NIST) defines it: “Risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur.”

How do you discover what your company’s level of risk really is? The best way is to conduct thorough risk assessments on a regular basis. They provide the foundational knowledge required to pinpoint your most important devices and data, identify threats, and eliminate and/or minimize the chances of malware and human error compromising your information assets.

Risk Assessment Tools

There’s no shortage of tools and matrices for helping CISOs and IT staff map risk levels. Some of the more popular ones include:

NIST’s Security and Privacy Controls for Information Systems and Organizations document and the NIST vulnerability database
20 Critical Security Controls for Effective Cyber Defense, jointly developed by the SANS Institute and the Center for Internet Security
MITRE ATT&CK, which lists attacks, techniques, and mitigations

These assessments include both qualitative information (i.e., deciding which data, if exposed, could have significant impacts on your business) and quantitative techniques (i.e., using probabilistic models to calculate risk levels). I can’t overstate the importance of quantitative data. Without it, subjectivity in the risk assessment process can weaken the credibility of, and cause senior management to question, your findings, thereby compromising risk management programs.

Sponsorships Available

Common Risk Management Guidance

A key part of all cyber security risk assessment programs is implementing security controls. Among the most critical controls mentioned by NIST and others are those that keep privileged / sensitive data and systems isolated. In NIST’s words, these include:

“Least privilege” – not mixing privileged and non-privileged accounts and information
“Provide separate processing domains to enable finer-grained allocation of user privileges”
“Security function isolation”
“Heterogeneity – employ virtualization techniques to support the deployment of a diversity of operating systems”
“Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.”
“Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information”
“Non-persistence”

Hysolate’s Security Controls

The Hysolate platform fulfills all of the above NIST guidelines to help organizations improve their security posture. It splits a single physical endpoint, which is the gateway cybercriminals use to access privileged information, into multiple isolated operating system environments. These OSes are built on top of a bare-metal hypervisor that sits below the physical device’s OS.

Hysolate uses a virtual air gap to separate the environments. This vGap provides all the security benefits of having separate physical devices for privileged and non-privileged work, without the hassles and costs inherent in users having to juggle multiple devices.

To mitigate risks, you dedicate one OS to privileged information that must be kept free of potential threats like malware, and make it fully locked down. The other OS is reserved for general day-to-daywork. It’s open to the internet and used for email and non-privileged information. If people try to use the wrong VM for a particular task, Hysolate automatically redirects them to the correct one.

Any cyber criminals that breach the general OS are completely contained within it. They cannot reach the privileged OS or even see that it exists. For added protection, configure that general OS to be non-persistent so that it’s wiped clean at specified intervals.