Conducting Better Risk Assessments
ENISA Works Toward a Comprehensive View of Risk
Dr. Louis Marinos of ENISA says its recently-published Threat Landscape report serves as a tool for helping organizations improve their risk assessments.
In the report, published by the European Network and Information Security Agency, drive-by exploits, worms/Trojans and code-injection attacks are the top cyberthreats to organizations globally.
"The rationale behind this report was to look at the most frequent threats," Marinos says in an interview with Information Security Media Group [transcript below]. "This is the first step towards risk assessment."
By identifying the most frequent threats to organizations and consolidating as much information as possible, Marinos says organizations can better understand the risks affecting them and develop a systematic approach to risk management and assessment. "[We want to] make risk assessments pre-cooked so that ... one day risk assessment activity is being done in a way which is more or less similar in many organizations," he explains.
For risk managers, revising assessments frequently needs to be a top priority. "This unfortunately does not systematically happen in organizations," Marinos says.
"I would recommend organizations to enforce or enhance risk assessment and risk management," he says. "Take it seriously and repeat it regularly in order to reflect changes in the threat landscape."
In an interview about the new threat landscape report, Marinos discusses:
- How top threats were selected;
- Key technology trends and their risks;
- How ENISA will help organizations respond to these threats in 2013.
Marinos is an expert in the areas of risk management and risk assessment. During his engagement within ENISA, he has been working in the areas of emerging risks, continuity risks and risk management approaches for SMEs. He has established an inventory of risk management and risk assessment methods and tools and has been managing numerous teams of international experts in the area of risk management.
TOM FIELD: To begin with, could you take just a minute to tell us a bit about yourself and your experience with ENISA, please?
LOUIS MARINOS: I've been with ENISA for about seven-and-a-half years now. My responsibility was and still is risk management. We started with some basic stuff, looking at existing methods, tools and so on. Then we looked at different practices. Later, we have been doing quite a lot in the area of emerging risks, by looking at emerging technological scenarios and trying to assess the risks. For almost one year now, I have been doing work in the area of threat analysis.
Threat Landscape Report
FIELD: This is a significant threat landscape report. Tell us a little bit about the genesis of the report and the target audience.
MARINOS: From the first days with ENISA when we looked at risk assessment, we found out that in order to evaluate risk, it's like an algorithm. In this algorithm you have parameters: an asset, which is a valuable item of your company; you have a vulnerability present, and massive potential vulnerability; and you have threats that try to abuse these vulnerabilities in order to get at the assets. And you have some probability of how likely it is that this threat might be realized.
We found out that in risk assessment, these parameters are not used by experts in the same way, so many times we try to find out what some standard ways are to perform risk assessments and how you can fix what an asset is, what the vulnerabilities are, what the threats are and so on.
Recently, through our committees, we have had many discussions and we felt it was a good idea to try to fix some of those parameters in the risk assessment algorithm I just mentioned, in order to enable people to make better risk assessments. The idea was to look at threats because, in many cases, we do not have the opportunity to look at particular assets of companies or to say something about their value and the impact: what happens if this asset is taken by an attacker? It's not possible to do it because we don't have the details of the company. So we try to find things. Vulnerability analysis is already a well-established service, if I may say so. Within the threat area, we have difficulty consolidating what's out there and ... making risk assessments pre-cooked so that we can achieve one day that the risk assessment activity is being done in a way which is more or less similar in many organizations.
In this respect, we decided last year to look at existing threats and make a neutral compilation of all the threat reports we found into one single comprehensive report.
Top Risks to Organizations
FIELD: Let's talk a bit about the report. What emerged as the top threats that are currently impacting organizations, and what is most at risk?
MARINOS: First of all, I have to say that we have prioritized these risks according to a statistical sample, meaning that the most frequent ones are higher. This doesn't mean that the most frequent ones generate the biggest impact or generate the biggest risk. This must be clear. Something which is down in our priority list - for example, targeted attacks - as we know from last year [they] might generate a huge impact, be in the media and so on. However, this does not happen so often. Drive-by exploits, which are the number-one threat we identified, are the ones that happen most often. That's why they're on the top of the list. Drive-by exploits, worms and Trojans are very high in the hierarchy; then code-injection attacks, exploit kits and botnets, if we just take the top five.
Now, who's most exposed to these threats depends. It's something that we cannot say definitively; it depends, as we said previously, according to the risk algorithm. It depends on the assets you have. It depends on the impact the loss of the asset might create. This is case-by-case, but a threat might affect and generate different risks, which we cannot assess by now because we just look at the threat alone.
Threats to Emerging Trends
FIELD: One of the other things that you look at in the report is some of the emerging trends that are tied to the risks, and you include mobile, social media, cloud and big data. Which specific threats do you see impacting these trends the most and why?
MARINOS: The rationale behind this report was to look, firstly as I said, at the most frequent threats. Then what we did was we projected these threats to different areas. This is indeed the first step toward risk assessment, but due to the fact that we're not owners of any assets, we just have made a reflection of this risk in different areas. That's how these emerging risks have been created.
As a matter of fact, we believe that the proliferation of mobile computing and mobile devices will be very important, especially because in our mobile devices different technologies converge, and this generates a very good substrate. But some of these assets are going to be attacked. Taking the assumption that mobile computing is already very popular, since many people are using it, and due to the fact that on these platforms different other services converge, like social networking and cloud computing in particular, and to some extent big data because, as we know, these small devices generate data, geolocation and so on, it seems to us that these platforms are very good candidates to be attacked, so many of the threats we have identified are going to eventually materialize on mobile devices.
FIELD: You've looked at the trends. You've looked at the threats. What's your sense of how organizations now are responding to these threats?
MARINOS: Our vision is that, as far as we have generated this material, people who perform risk assessments are going to take this information into account so that they might generate more accurate risk assessments. Now what we have is we came out with this list of threats, so we hope and wish that risk managers are going to use our material in order to make risk assessments closer to reality, if I may say so.
FIELD: As I review the report, I see these threats, in my eyes, are pretty common to organizations globally. Do you find that any of these are unique in any way to the European Union countries?
MARINOS: No. We don't think these are unique to the EU. Actually, in our work, we looked at many different reports which exist globally. However, as we also said, we discussed at the beginning of the document and almost at the end that we still need some more accurate information in order to make a better estimation of the threat potential. This kind of information will be a better geographical spread. Quite a few of the reports we looked at already have this information. However, it will be nice to have more information about the geographical distribution of these threats. This doesn't really exist and there are other things which are missing in order to complete the puzzle. For example, we don't have significant information about the threat agents, the adversaries. This is something which is missing and it's very necessary in order to better estimate what's the potential behind all the threats.
For example, it's a different thing if you experience a drive-by exploit which is performed by script kiddies, or there's something bigger behind that - for example, some professional organization, some competitors or what have you. This is a significant part which is still not that present in the field.
Advice to Mitigate Risks
FIELD: You spoke about how organizations should use this report, which is to inform their own risk assessments. What's your advice for how organizations should respond to the threats that you've identified?
MARINOS: Definitely one good thing is to perform a risk assessment, because ... some security measures or mitigation measures are not the result of a thorough risk assessment. And secondly, revise your assessments frequently - for example, once a year - in order to reflect the changes in the threat landscape. This unfortunately does not systematically happen in organizations, so I would recommend organizations to enforce or enhance the function of risk assessment and risk management. Take it seriously and repeat it regularly in order to reflect changes in the threat landscape.
FIELD: You spoke about your research for the year and how you're going to further develop your threat landscape reporting. What can you tell us about what ENISA's role will be in helping organizations respond to these threats in 2013?
MARINOS: ENISA's strategy for organizations is actually quite defined through the ENISA regulation. ENISA is primarily working for the European Commission and member states. ... First of all, our results are public. As we said before, we think this report can be used by any risk management [organization] globally. However, sometimes we service requests from member states and the commission to look more closely at a particular issue, [such as] smart-grid infrastructure or some specific case of cloud computing. Then, on a case-by-case basis, we look, according to the requests we receive, at the systems or services of member states. This is what we do specifically for our stakeholders. If I may say so, these are direct stakeholders. However, this report is a public good, so people globally could use it to enhance risk assessment quality.