Category Archives: News

Privacy in Practice: Securing Your Data in 2022 and Beyond

Read Time:6 Minute, 6 Second

Every year we can count on new technology to make our lives easier. Right? As beneficial and convenient as tech can be, it can also pose risks to our online safety and privacy—risks that we should be prepared to handle. Increasingly, we’re seeing governments around the world implementing stricter privacy laws. And even major players like Google are phasing out invasive tracking technology like cookies. However, when it comes to activities like banking, shopping, taxes, and more, the need for broader online privacy protection has never been greater. Let’s take a look at some prominent trends in the way we now live online and how we can protect our data.  

Web3

Crypto, the blockchain, NFTs, tokens – all of these terms are considered part of what’s being termed Web3. Whereas Web 2.0 described an internet made up of large corporations hosting content and consumers, Web3 is governed by the blockchain. What this means is that applications use a decentralized online ledger to document transactions of all sorts. The most famous example is bitcoin, a blockchain that acts as a digital currency. Another example would be NFTs, which are digital works of art. Web3 may be in its infancy, but it’s important to consider what this means for privacy and data protection. Blockchain affords users anonymity in regards to currencies like bitcoin. Of course that means bitcoin also has a reputation as the currency of choice for money-launderers and other shady enterprises. Still, that means it’s good for privacy, right? Well, maybe. The EU’s GDPR rights to erase or amend data are at odds with transactions on a blockchain, which are essentially unchangeable. So if you’re buying cryptocurrency, NFTs, or interacting with blockchains in other ways, just understand your personal information might be hidden, but the record of your transactions is totally visible. 

Tip: If you’re keeping cryptocurrencies in an online wallet, you’ll want to use an identity protection service to monitor those account credentials so you can be warned of breaches and leaks onto the dark web. 

 Education

Student privacy is a top concern as households turn to remote learning. In a rush to optimize remote learning experiences in the face of a rapidly evolving digital landscape, many educators and remote learners may not realize the hazards that put student privacy at risk. 

Since 2020, schools have adopted a range of technologies to optimize the digital classroom, including virtual learning platforms, holistic learning solutions, and even social media applications. However, many of these digital platforms are not designed for child usage, nor do they have privacy policies in place to ensure that the student data gathered is protected. Many learning platforms may even treat student data as consumer data, raising more red flags regarding student data privacy and compliance. Online learning has also garnered the attention of cybercriminals looking to exploit student data, resulting in online bullying, identity theft, and more. 

For educators and parents alike, knowledge is the greatest asset to mitigating the risks of remote learning. IT teams and educators must understand the implications of the student data they collect, govern access to it, and control its usage to comply with child privacy regulations. Parents can take proper precautions by discussing the importance of privacy with their children. Keeping learning platforms up to date and monitoring their children to prevent them from downloading suspicious apps or straying to unknown websites are all ways to ensure safer remote learning environments. 

Tip: Getting a VPN for the family to use is a great way to safeguard your privacy while your kids are learning online. 

Work

Remote work has become commonplace nowadays as more companies permit their employees to work from home long-term and, for some, permanently. In a recent Fenwick poll among HR, privacy, and security professionals across industries, approximately 90% of employees now handle intellectual property, confidential, and personal information in their homes. Endpoint security, or the protection of end-user devices such as our laptops and mobile devices, poses more of a concern as employees trade in office networks for their in-home Wi-Fi. If these devices and networks are unsecured or if the data is not encrypted, employees run the risk of exposing sensitive information to hackers. Those of us working from home can help ensure the safety of our company’s confidential information by boosting our awareness of security threats and prevention measures via company-mandated security training.  

Tip: McAfee’s Protection Score is a great way to understand how protected you are online and what you can do to stay more secure 

The Metaverse

This buzzy term is being used to describe Meta’s (previously Facebook) vision for a fully connected future. Right now it exists as an AR/VR space accessible through Meta’s own VR hardware, Oculus. However, the terminology has caught on as a catch-all for platforms that may contain work, business, gaming, entertainment, social interactions, and more in one easily navigable, immersive online setting. Web3 features, like blockchain, NFTs, and cryptocurrencies are being touted as integral parts of the metaverse. As exciting and futuristic as this is, there are major privacy questions that will have to be answered. This means that as customers you’ll want to think hard about what you choose to share through the metaverse and look into the privacy settings a platform offers you.  

Tip: Use comprehensive online protection. McAfee Total Protection secures all aspects of your life online. From identity to online connections to antivirus, a full security suite like Total Protection keeps you and your family safer on all the devices you use and places you go online. 

 Personal Finances

Some of the platforms I use the most allow me to keep track of and manage my finances. Whether it’s my mobile banking app or taking advantage of online tax filing, there is such a convenience in having the ability to pay bills, deposit checks, and more, all with the devices I use every day. But many of us may not realize just how much trust we put into these platforms to protect our online privacy, especially when we don’t have a clear picture of who exactly is on the other end of our online transactions. 

While recognizing the signs of online banking and tax-related fraud helps ease the burdens associated with these schemes, there are multiple steps users can take to prevent becoming a victim of these scams in the first place.  

Tip: Full-featured identity protection will protect you financially. Services like McAfee Identity Protection Service include credit checks, identity theft restoration, and even stolen fund restoration as benefits. 

Digital devices are part of how we live our lives every day, whether we’re taking conference calls on our laptops, tracking the latest mile on our smartwatches, or banking on the go. Although our everyday digital devices make our lives that much more convenient, securing them makes our lives that much safer by minimizing online threats to ourselves and those around us. Safeguarding the digital platforms we use for work, school, finances, you name it, is the first step to ensuring our private information remains just that—private. 

The post Privacy in Practice: Securing Your Data in 2022 and Beyond appeared first on McAfee Blog.

Read More

Orange County Launches Cybercrime Initiative

Read Time:1 Minute, 48 Second

Orange County Launches Cybercrime Initiative

Authorities in California’s Orange County have launched a new initiative to help the public identify and report cyber-threats.

SafeOC is a localized version of the national ‘If You See Something, Say Something’ anti-terrorism public awareness campaign that emphasizes the importance of reporting suspicious items and behaviors to law enforcement.

A website and a social media account have been created to support the campaign. The website provides examples of suspicious cyber-activity and online threats, including configuration changes to files, sharing of account access and changes in user permissions.

Through the website, users can report suspicious activity directly to the Orange County Intelligence Assessment Center (OCIAC)

“Cyber is by far the up-and-coming crime and risk domestically,” said Orange County sheriff Don Barnes. 

He added: “Crimes happening online are much more prevalent than they were just a decade ago and criminals are finding new ways to create new victims and ways to victimize people.” 

Cyber-investigator with the OCIAC, Lance Larson, said solving cybercrime cases is challenging as bad actors often operate from overseas, and encryption makes it difficult to “follow the money.” He added that early detection was crucial in the fight against cybercrime.

“It gives us that ability to go on and be able to start the disruption process of stopping the cyber-attack, potentially being able to freeze money as it’s moving through the financial system potentially trying to go overseas,” said Larson.

The SafeOC website also provides information about the dangers children face when gaming online such as cyber-bullying, malware, spying and data loss. Advice offered to parents includes ensuring webcams and microphones are defaulted to the ‘off’ setting and ensuring children don’t create usernames that reveal any personal information.

The site also warns parents about hidden fees in freemium games that provide some content for free but charge users to access the game’s full features and functions. 

“In 2018, these ‘free’ games generated $61bn in revenue,” states the site before warning users never to share their payment card details with a freemium game and to regularly check their credit card bills for unapproved purchases.

Read More

Fake Influencer Flags Hacking Tactics

Read Time:1 Minute, 51 Second

Fake Influencer Flags Hacking Tactics

A Swiss secure storage company has launched a creative cybersecurity awareness campaign to show how hackers gather personal data from social media.

The campaign by pCloud uses a fake influencer account on Instagram (@thealiceadams) to highlight how users unintentionally give away pieces of sensitive data through their bios and the content they post. 

“Through what we share online, the pictures we post and the locations we tag, hackers and criminals can guess your password in seconds, putting your identity and your bank accounts at risk of being stolen,” said a pCloud spokesperson.

In one post from the mock account, the influencer reveals her date of birth by sharing an image of birthday balloons that spell out her age. Other seemingly harmless posts give away information commonly used in passwords and security questions, including her pet’s name, where she went to school and her favorite movie.

Additional posts emphasize the importance of checking photographs for sensitive data before sharing them. Captured in an image of the influencer at her desk is a post-it note upon which a password has been written. Another shot of the influencer dining at a restaurant features her credit card, revealing her bank details. 

“You may be posting a picture of your birthday balloons, a heartwarming picture of your newborn baby or snapping that ‘picture perfect’ bar you spent the weekend at. But those seemingly harmless posts could actually be giving away security information that gives hackers access to all your accounts,” said pCloud.

Research performed by pCloud found that the most common themes for passwords that hackers are aware of include the last name followed by a number, date of birth, child or grandchild’s name and date of birth, pet name, place of birth and current place of residence. 

Other popular password choices are Qwerty (the first letters on a keyboard), favorite films, foods and nicknames. 

The company advised users to leave personal information out of their passwords and make their passwords long and nonsensical, making them more challenging for hackers to guess. It also recommended using different passwords for different accounts so that cracking one password won’t enable a hacker to access all accounts

Read More

Online Ad Association Fined for Privacy Violation

Read Time:1 Minute, 51 Second

Online Ad Association Fined for Privacy Violation

An association for online advertising companies has been fined hundreds of thousands of dollars for developing an ad-targeting tool that violated European Union data laws. 

The Belgian Data Protection Authority (BE DPA) said it was necessary to impose “harsh sanctions” on IAB Europe because the association’s Transparency and Consent Framework (TCF) “could, for a large group of citizens, lead to a loss of control over their personal data.”

The TCF tool allows online publishers and websites to obtain users’ consent to process their personal data for targeted advertising. It was designed to facilitate real-time bidding (RTB) – a means by which advertising inventory is bought and sold on a per-impression basis via instantaneous programmatic auction. 

In a statement released October 2020, IAB Europe said that the TCF is a voluntary standard whose purpose is to assist companies in the digital advertising ecosystem to comply with EU data protection law.

“It contains a minimal set of best practices seeking to ensure that when personal data is processed, users are provided with adequate transparency and choice,” said IAB Europe. 

“Its policies do not assist or seek to assist the processing of special categories of data. It does not intend to replace legal obligations nor enable practices prohibited under the law.”

The Belgian data watchdog imposed a fine of €250k ($282,690) on IAB Europe and ordered the advertising association to implement a “series of remedies” to ensure that it complied with the EU’s General Data Protection Regulation (GDPR).

“Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique transparency and consent (TC) string, which is linked to an identifiable user,” stated the BE DPA.

IAB Europe has been given six months to bring the framework into compliance with European law. 

David Stevens, a chairperson of the BE DPA, said: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online.”

Read More

Finding Vulnerabilities in Open Source Projects

Read Time:45 Second

The Open Source Security Foundation announced $10 million in funding from a pool of tech and financial companies, including $5 million from Microsoft and Google, to find vulnerabilities in open source projects:

The “Alpha” side will emphasize vulnerability testing by hand in the most popular open-source projects, developing close working relationships with a handful of the top 200 projects for testing each year. “Omega” will look more at the broader landscape of open source, running automated testing on the top 10,000.

This is an excellent idea. This code ends up in all sorts of critical applications.

Log4j would be a prototypical vulnerability that the Alpha team might look for ­– an unknown problem in a high-impact project that automated tools would not be able to pick up before a human discovered it. The goal is not to use the personnel engaged with Alpha to replicate dependency analysis, for example.

Read More

Tenable Launches Suite of New Product Features to Deliver Full Lifecycle Cloud-Native Security

Read Time:3 Minute, 0 Second

Our newest Tenable.cs product features are designed to enable organizations to stay agile while reducing risk.

A suite of upgrades to Tenable.cs, our cloud-native application protection platform, are designed to enable organizations to secure cloud resources, container images and cloud assets to provide end-to-end security from code to cloud to workload.

Even as organizations are adopting the cloud at exponential rates, they continue to face the challenges of protecting and securing resources and workloads in the public cloud. And, as the responsibilities of modern security teams continue to evolve and increase in complexity, the pressure to meet workload demands while minimizing security risks continues to mount. Implementing a new framework, one that allows organizations to remain agile while strengthening security is key. Enter Tenable.cs.

Tenable.cs delivers full lifecycle cloud-native security to address cyber risks from build to runtime. It enables organizations to programmatically detect and fix cloud infrastructure misconfigurations in the design, build and runtime phases of the Software Development Lifecycle (SDLC) to prevent unresolved insecure configuration or exploitable vulnerabilities from reaching production.

Tenable.cs secures infrastructure as code (IaC) before deployment, maintains a secure posture in runtime and controls drift by synchronizing configuration between runtime and IaC. It enables IaC to remain the single source of truth, eliminating the need for complex and manual processes.

Newest capabilities in Tenable.cs

Tenable.cs offers continuous visibility to assess cloud hosts and container images for vulnerabilities without the need to manage scan schedules, credentials, or agents. It provides Frictionless Assessment and Nessus Vulnerability Assessment for cloud workloads as well as Tenable.io container Security.

With Tenable.cs, all cloud assets —including ephemeral assets —- are continuously reassessed as new vulnerability detections are added and as new assets are deployed. This always-on approach allows organizations to spend more time focusing on the highest priority vulnerabilities and less time on managing scans and software.

Tenable.cs now also supports Tenable.ep

Tenable.cs further expands the scope of Tenable’s comprehensive cyber exposure management platform. Now, with the addition of Tenable.cs to Tenable.ep, organizations can determine the cyber risks of their cloud resources alongside other assets, such as IT assets, web apps, containers and operational technology (OT) devices.

With Tenable.cs, Tenable now delivers an integrated, end-to-end cloud security solution and a complete picture of cyber risks across the modern attack surface with unified visibility into code, configurations, assets and workloads.

Accessing the new features

Tenable.cs gives DevSecOps teams pragmatic, cloud native security solutions to continue the mission of helping organizations innovate in the cloud with confidence.

It is available as both a standalone solution and as a part of Tenable.ep. Additionally, Tenable has further expanded Tenable.ep, adding Tenable.ad for Active Directory environments to its platform’s single and flexible asset-based license for simple procurement and deployment. Tenable.ad will also continue to be sold as a separate solution and will be available Feb. 2

Schedule your free consultation and demo

If you’re not already a Tenable customer, please schedule a free consultation and demo to discuss how we can help you improve your security program and results.

For more information about Tenable.cs, visit tenable.com/products/tenable-cs or join us on March 2nd at 2:00 p.m. EST for a webinar on Introducing Tenable.cs: Cloud-Native Security From Code to Cloud.

Learn more

Visit the Tenable.cs product page
View the Tenable.cs press release
Attend the webinar, Introducing Tenable.cs: Cloud-Native Security From Code to Cloud

Read More

#Enigma2022: Pandemic Misinformation Reveals Challenges for Online Health Information

Read Time:3 Minute, 9 Second

#Enigma2022: Pandemic Misinformation Reveals Challenges for Online Health Information

The fact that misinformation is rampant online is not a new phenomenon. Perhaps less understood is the intersection between how often an individual sees a piece of misinformation and how likely they are to believe it.

In a session at the Enigma 2022 conference on February 1, Patrick Gage Kelley, trust and safety researcher at Google, outlined the results of a two-year study conducted by Google about online misinformation. The study was conducted throughout 2020 and 2021 and involved a series of regular surveys that included feedback from over 50,000 people from 16 countries worldwide.

Kelley explained that the researchers had two basic lines of questioning. The first focused on exposure. The researchers asked about a certain statement of information and whether the survey participant heard the information once, many times or not at all. The second line of questioning focussed on beliefs. Respondents could tell the researchers if they strongly believe a specific statement, if they kind of believe it or if they strongly don’t believe it.

Pandemic Conspiracy Misinformation and Beliefs

The Google-led research asked about a series of pandemic-specific conspiracies and found a shocking level of awareness and belief in them.

“We asked people if Bill Gates, George Soros or some other powerful person is behind COVID-19, and 16% globally had that belief,” Kelley said. “We asked people if injecting cleaning products or UV light into people is an effective treatment for COVID-19 – that had an 11% belief.”

Kelley noted that the research wasn’t conducted as just a single point-in-time study but conducted with researchers doing the survey and asking similar questions every few months.

“One of the effects that we find over and over again is that although the narratives move quickly, once these fringe beliefs take hold, they’re difficult to change,” he said.

The researchers also tested views about multiple conspiracies related to the COVID-19 vaccinations, including the falsehood that the COVID-19 vaccine has microchips and is used to track those who get vaccinated secretly. In 2020, 11% of global respondents believed that falsehood to be true, dropping to 10% in 2021.

Reasons for Optimism

While there is much to worry about in terms of online misinformation, there is also some cause for optimism, according to Kelley.

Kelley said that overall, there was a higher level of belief in several positive public health statements that the researchers tested than in the more clear-cut misinformation statements tested.

One such statement was that wearing a face-covering in public is an effective way for slowing the spread of COVID-19. 73% of people globally believed that statement in 2020. Another tested statement was that social distancing, by staying at least six feet from people not in your household, effectively slows the spread of COVID-19, which was believed by 70% of respondents globally. In 2021 however, the results dropped by 5% for face masks and 7% for social distancing.

“While this keeps both above the 60% belief range, it shows how much effort is required to maintain these extremely high levels of belief,” Kelley said. “We take this to show how important continued unified proactive health messaging is.”

Kelley concluded his presentation by noting that Google overall continues to see substantial populations in every country believing in various misinformation and low-quality information statements after widespread exposure to that information.

“People are going to believe a wide range of things and what we need to make sure is that we continue to get access to good information,” Kelley said. “There’s going to be misinformation, and one of the things we can do is measure and understand that so that we can best respond.”

Read More

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Read Time:2 Minute, 7 Second

Third of Employees Admit to Exfiltrating Data When Leaving Their Job

Nearly one-third (29%) of employees admitted taking data with them when they leave their job, according to new research from Tessian.

The findings follow the ‘great resignation’ of 2021, when workers quit their jobs in huge waves following the COVID-19 pandemic. Unsurprisingly, close to three-quarters (71%) of IT leaders believe this trend has increased security risks in their organizations.

In addition, nearly half (45%) of IT leaders said they had seen incidents of data exfiltration increase in the past year due to staff taking data with them when they left.

The survey of 2000 UK workers also looked at employees’ motives for taking such information. The most common reason was that the data would help them in their new job (58%). This was followed by the belief that the information belonged to them because they worked on the document (53%) and to share it with their new employer (44%).

The employees most likely to take data with them when leaving their job worked in marketing (63%), HR (37%) and IT (37%).

The research also found that 55% of workers are considering leaving their jobs in 2022, while two in five (39%) are currently working their notice or actively looking for a new job in the next six months, meaning organizations remain at high risk of data exfiltration.

Josh Yavor, chief information security officer at Tessian, commented: “It’s a rather common occurrence for employees in certain roles and teams to take data when they quit their job. While some people do take documents with malicious intent, many don’t even realize that what they are doing is wrong. Organizations have a duty to clearly communicate expectations regarding data ownership, and we need to recognize where there might be a breakdown in communication which has led to a cultural acceptance of employees taking documents when they leave.

“The great resignation, and the sharp increase in employee turnover, has exposed an opportunity for security and business leaders to consider a more effective way of addressing insider risk. It comes down to building better security cultures, gaining greater visibility into data loss threats and defining and communicating expectations around data sharing to employees – both company-wide and at departmental level. Being proactive in setting the right policies and expectations is a key step before investing in preventative controls.”

study last year found that over three-quarters (78%) of insider data breaches involved unintentional data exposure or loss rather than any malice.

Read More

The ultimate guide to Cyber risk management

Read Time:6 Minute, 17 Second

This blog was written by an independent guest blogger.

Ambitious information security experts serve as a critical part of cyber risk management.

The corporation is responsible for structuring IT and information security activities to protect its data resources, such as hardware, software, and procedures.

To stay competitive, enterprises must design and establish secure environments that retain confidentiality and privacy while also ensuring the integrity of corporate information. This can be achieved through the use of cyber risk management approaches.

This article explores the need for security and provides an overview of cyber risk assessment. We’ll discuss control categorization and approaches with an example.

Need for security

Organizations have long encountered various types of risk. Still, cyber risk has emerged as a critical component – evaluating risks to corporations, their information, and their financial results is a priority.

Malicious hackers are taking advantage of technological advancements and developments to hack and exploit the resources of businesses.

Cyber risk is the third critical corporate risk in 2021, as per the latest Allianz Risk Barometer.
Cybercrime costs approximately $600 billion per year, accounting for over 1% of global GDP, as per The Center for Strategic and International Studies (CSIS), and 300,562,519 people were affected by publicly disclosed security breaches the previous year, as per the Identity Theft Resource Center.

The following table shows some classifications that reflect realistic and prominent threats to a company’s personnel, data, and technology.

Each organization must prioritize the risks it confronts depending on the security scenario in which it works, its organizational risk approach, and the vulnerability levels at which its resources execute.

Cyber risk management

Risk management is the method of identifying vulnerabilities to a company’s data resources and architecture and implementing strategies to reduce that risk to tolerable levels.

The three primary steps of cyber risk management are:

Risk identification
Risk assessment
Risk control

Cyber risk assessment example

Let’s understand the stages of risk assessment with the help of an example.

For instance, your department head assigns you to perform risk management and shares the network architecture, employee lists, software list, etc., with you.

Risk identification

The first step of identification is to identify the assets, categorize, prioritize and store them in the inventory.

It is simple to identify numerous assets first by glancing at network architecture, but preserving them together in memory is difficult, so why not categorize the assets with the components of information security management.

Traditional Components

SecSDLC Components

Examples

People

Employees

Support Staff
Developers
Application Admin

 

Non-Employees

Stakeholders
Vendors
Operational users

Software, Hardware, Network

System Devices/Networking Components

Server
Firewall
IP
Utilities
Application Layer
Database
Routers

Procedure

Procedure

Network elements
Policies and Procedures
SLA
NDA
Reports

Data

Information

Data Owner
Size of Data
Backups
Who will manage the data?
Transmission
Processing

After identifying and categorizing assets, we need to create an inventory of all assets.

We must not prejudge the worth of every asset when compiling an inventory of data assets.
Whether automated or manual, the inventory approach needs significant planning.
It must also include the sensitivity and security level of each item in the inventory.

After inventory, we perform relative assessments to guarantee that we assign the most significant assets top priority. You can also ask several questions to allocate weight to assets for risk assessment. Questions, such as:

What resource is associated with the highest revenue margin?
Which of the assets is the costliest to replace or to safeguard?
Which asset’s removal or corruption might be the most distressing or expose you to the greatest risk?

After performing initial identification, we start an assessment of the risks affecting the company.

If you presume that every risk will indeed target every asset, the project scope suddenly grows so vast that planning becomes impossible.

We should assess each threat for its ability to put the company in jeopardy. This is threat assessment. Answering a few simple questions can help you start a threat assessment:

What threats pose the greatest hazard to a company’s assets?
How much will the attack cost if data recovery is required?
Which threats pose high risks to the data owned by a company?

Risk assessment

You may assess the comparative risk for each vulnerability now that you’ve identified the organization’s assets and threats. We refer to this as risk assessment. Now, identify the vulnerability associated with assets and threats.

Assets

Threats

Vulnerability

Server

Exploitation
System failure
Overheating in Room
Out of Electricity

Backdoors
Unauthorized Access
Open Ports
Old Cooling Devices (AC)

Websites

Malicious Payloads
DDOS
XSS

Policies & Procedures
Firewall
IDPS

Rogue Devices

Spoofing
MITM
Sniffing

Misconfiguration
Not updating devices

 

Each asset is given a risk level or grade during risk assessment. While this number has no exact value, it helps determine the relative risk associated with every sensitive asset.

There is also a basic formula we use to assess the risk.

Risk = likelihood of occurrence of vulnerability * value of the information asset – the percentage of risk mitigated by current controls + uncertainty of current knowledge of the vulnerability.

Let’s utilize this formula with an example.

We have an “asset A” with a value of 40 and one vulnerability with a probability of 1.0 with no security controls. Your facts are 80% credible*.

(If the reliability is 95%, the uncertainty is 5%.)

(40 × 1.0) – 0% + 5% = 45

So, the vulnerability of asset A ranks as 45.

You’ll most likely have listings of assets with information by the end of the risk assessment. The aim was to discover assets’ information with security flaws and create a compilation of them, graded from most vulnerable to least vulnerable.

You gathered and stored a plethora of facts about the assets, the risks they pose, and the risks they disclose while compiling this list and so on.

Risk control

After completing the risk identification, and risk assessment process, we end the risk management with risk control.

Risk control give us five strategies to deal with the risks, and they are:

Defend
Transfer
Mitigate
Accept
Terminate

Let’s see the below table to learn the control strategies in depth.

Risk Control Strategies

Definition

Examples

Defend

The defend strategy tries to eliminate the vulnerability from being exploited.

a cryptographic-based verification technique RADIUS

Transfer

Using the transfer control technique, we shift the risks to other resources, activities, or companies.

Rethink how services are working and offered.

 

Revising deployment models.

 

Rechecking outsources services.

Mitigate

With planning and response, the mitigation control technique seeks to lessen the effect of vulnerability exploitation.

Incident Response Plan (IR).

 

Disaster Recovery Plan (DRP).

 

Business Continuity Plan (BCP)

Accept

The accept control strategy is doing less to prevent a vulnerability from being exploited and accepting the result of such an attack.

Risk acceptance is related to the risk level and the threat value of the risk.

 

Is the risk risky enough to accept it and do nothing for a while?

Terminate

The company’s terminate control strategy encourages it to eliminate commercial operations that pose unmanageable risks.

 

Instead of applying risk controls, the organization terminates the activity/product, which brings risks.

Risk reporting

The very last step we have is risk reporting. It’s a crucial part of risk assessment. After performing the entire risk management process, you have to document it. Risk reports are a technique of informing those that need to know about the project and company’s risks.

Conclusion

In a nutshell, as you progress along the risk management process, you’ll have a greater understanding of your corporation’s architecture, your most important data, and how you can improve your management and security.

Read More