One of the problems for the CISO is that it is not easy to visualise where the attack vectors are likely to come from. This is hindered by the ‘silo’ nature of information systems and the need for specialist knowledge about context, configuration and usage settings.
Creating this taxonomy has allowed some of the key areas and groups for the technical management overview of enterprise systems protection to emerge. These areas have been labelled into the following categories:
- Asset Threats – Concerned with securing the physical contents of your estate, including devices and backups.
- Network Threats – The risks associated with getting information from A to B without any outside tampering.
- Social Engineering – The vulnerabilities that come with having people involved in Socio-Technical systems.
- Data Security – Stopping sensitive information and data from leaving the organisation.
- Software Threats – The vulnerabilities introduced as a result of using internally or externally produced software, or of software that is introduced maliciously.
- Access and Authorisation – The risks involved in the administration of systems and the granting of access to others to view and amend information.
The information provided here has been compiled from known security vulnerabilities taken from various web sources, the NCSC and partly from the ICO data Security trends data. Due to the nature of the changing security landscape this is not intended to be comprehensive, but identifying the vectors an aid for practitioners to communicate the risks to executives and implement protections that will cover future threats.
Knowing the likely vectors by which information systems risk is introduced into the organisation is the best way to begin a holistic strategy to mitigate Cyber risks. Ensuring that each of the potential vulnerability categories are covered from a management perspective allows these types of risks to be dovetailed with other risk strategies and plans produced for initiatives like compliance or business continuity without the need to re-invent the wheel from a security context.
It is also important to note that intruders will use these threat vectors as part of their business processes, and vigilance across several categories is necessary to prevent an attack. For example, an attacker may use social engineering to gain password details that are then utilised to access and exfiltrate information. see my post on modelling attack processes here .
Taking a category based approach to security can help to manage the complexity associated with reacting to the latest security vulnerabilities, whilst allowing the freedom to guide specialists in the areas that are vital to the organisation.