CySA+ domain #1: introduction to threat management
CompTIA’s Cybersecurity Analyst (CySA+) certification is a solid cybersecurity credential that can help boost your information security career. The question remains: what will you have to get through to earn it? Simply put, you will need to pass the CySA+ certification exam.
This exam comprises four domains of knowledge, and the first domain is Threat Management. This article provides an introductory review of what you will need to know to work through this domain. You will learn about some commonly used terms, risk assessments, identifying threats, identifying vulnerabilities, and determining likelihood, impact and risk.
Please bear in mind that this article will only detail an introductory view of threat management and you will need to look for subsequent articles to guide you through the rest of the domain.
Commonly used terms
To start this introduction, let’s look at some commonly used terms you will need to know. Most readers probably already know these definitions, so this section is mainly here for those who need a refresher.
- Vulnerability: A weakness in a system, application, device or process that might allow an attack to occur
- Threat: With regard to cybersecurity, a threat is an outside force that may exploit a vulnerability
- Risk: The combination of a threat and a corresponding vulnerability. In other words, risk is the intersection of threats and vulnerabilities
- Risk can also be expressed as an equation: Risk = Threat × Vulnerability
To take stock of the current risk landscape, organizations need to perform a risk assessment. Risk assessments play a pivotal role in real-world threat management and, as such, will be the lens that we view threat management through.
A foundation for risk assessment that is widely used throughout cybersecurity is established in the National Institute of Standards and Technology (NIST) SP 800-30. The process NIST suggests is to first identify threats and vulnerabilities and then use those findings to determine the organization’s level of risk. This publication recommends the following:
- Step 1 – Prepare for assessment
- Step 2 – Conduct assessment
  - Identify threat sources and events
  - Identify vulnerabilities and predisposing conditions
  - Determine likelihood of occurrence
  - Determine magnitude of impact
  - Determine risk
- Step 3 – Communicate results
- Step 4 – Maintain assessment
The first step in the risk assessment process for many organizations is to identify the threats. NIST has done some of the legwork in this regard by defining four distinct types of threats that an organization may face. These threat types are:
- Adversarial threats: Individuals, organizations or groups with the goal of deliberately undermining the information security of another organization. Examples of potential adversarial threats include trusted insiders, customers, competitors and suppliers, just to name a few. Capability, intent and likelihood of attack should be considered when facing adversarial threats
- Accidental threats: An individual, while performing work as part of their routine, mistakenly undermines the information security of an organization. These threats are mainly caused by insiders of the organization. When facing this type of threat, cybersecurity analysts consider the possible range of effects that the undermining action may cause within the organization
- Structural threats: IT resources fail due to exhaustion of resources, exceeding operational capability or simple old age. When facing structural threats, cybersecurity analysts consider the possible range of effects that the failure may cause the organization
- Environmental threats: These threats are either man-made or natural, but either way they are outside of organizational control. They include fires, earthquakes, tornados and so on. Cybersecurity analysts consider the possible range of effects that these threats may have on the organization
These different types of threats vary in their size and severity, and whether your organization will face these threats depends on different factors. Among these factors are the size of the organization, the nature of the business and many other organization-specific questions.
After the first step of identifying threats, organizations must turn their focus inward and identify the vulnerabilities that exist within the organization. This topic will be discussed in greater detail in a subsequent article I will publish, entitled CySA+ Domain: Vulnerability Management Process.
Determining likelihood, impact and risk
With both threats and vulnerabilities having been determined, cybersecurity analysts then create different combinations of threats and vulnerabilities that would undermine the confidentiality, integrity and availability of organization information and systems.
This is performed by creating a waffle chart that plots the likelihood that a risk will occur against the impact that the risk would have upon the organization. This is best displayed as a risk matrix with the vertical axis labeled likelihood, the horizontal axis labeled impact, and each axis using an incremented scale of low, medium and high.
This risk matrix gives cybersecurity analysts a good picture of what the organization’s risk landscape looks like, allowing them to make the right decisions for the organization’s specific situation.
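As an added example (not part of the original article), the following Python builds the 3x3 likelihood-versus-impact risk matrix described above from a list of threat/vulnerability pairings. The scenario entries, the NIST threat-type labels and the rule that maps a cell to low, medium or high are constructed for illustration; an organization would substitute its own scale.

```python
"""Qualitative risk matrix from threat/vulnerability pairings (SP 800-30 style)."""
from collections import defaultdict

LEVELS = ("low", "medium", "high")          # incremented scale used on both axes
SCORE = {"low": 1, "medium": 2, "high": 3}  # ordinal scores for the scale

# Constructed sample scenarios: (threat type, threat, vulnerability, likelihood, impact)
SCENARIOS = [
    ("adversarial",  "competitor espionage", "unpatched web server",     "high",   "high"),
    ("accidental",   "admin misconfiguration", "no change review",       "medium", "high"),
    ("structural",   "disk exhaustion on log host", "no capacity alerts", "medium", "medium"),
    ("environmental", "flood at primary site", "no offsite backups",     "low",    "high"),
    ("adversarial",  "phishing", "no MFA on email",                      "high",   "medium"),
]


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) cell to a risk rating.

    Constructed rule: combine ordinal scores and bucket the product.
    1-2 -> low, 3-4 -> medium, 6-9 -> high.
    """
    product = SCORE[likelihood] * SCORE[impact]
    if product <= 2:
        return "low"
    if product <= 4:
        return "medium"
    return "high"


def build_matrix(scenarios):
    """Return {(likelihood, impact): [scenario names]} for every cell in the 3x3 grid."""
    matrix = {(lk, im): [] for lk in LEVELS for im in LEVELS}
    for _ttype, threat, vuln, likelihood, impact in scenarios:
        matrix[(likelihood, impact)].append(f"{threat} / {vuln}")
    return matrix


def count_by_risk(scenarios):
    """Tally scenarios per risk rating, the summary an analyst would report (Step 3)."""
    counts = defaultdict(int)
    for _ttype, _threat, _vuln, likelihood, impact in scenarios:
        counts[risk_level(likelihood, impact)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Print the grid with likelihood on the vertical axis, impact on the horizontal
    grid = build_matrix(SCENARIOS)
    for lk in reversed(LEVELS):
        cells = [f"{len(grid[(lk, im)])} ({risk_level(lk, im)})" for im in LEVELS]
        print(f"likelihood={lk:<6} | " + " | ".join(cells))
    print("summary:", count_by_risk(SCENARIOS))
```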
Threat management is one of the four domains of knowledge on the CompTIA CySA+ certification exam. By using this article as a guide to the introductory material of this domain, you will be in a solid position to earn a passing score on this part of the exam and move one step closer to adding this useful certification to your growing war chest of information security certifications.