Cyber Security & Information Assurance

Digital Risk Assessments

A digital risk assessment will provide a set of evidenced, validated risks to a given subject using a provided or assessed threat picture.

Problem Statement

With the rise of internet vigilantism, online trolling, conspiracy-fuelled auditors and investigative journalism, people in the public eye as spokespeople, industry experts or figureheads have become targets of online abuse and physical assault.

Organisations and their associated sites have also become the targets of amateur investigation or attack for the same reasons. Being associated with a contentious issue has galvanised some people to demonstrate their opposition via online trolling, disinformation and physical attacks.

Project Objectives

Digital risk assessments aim to provide security specialists with both an evidenced set of risks derived from a given threat picture and a set of recommendations to improve the subject's security stance.

Approach

A digital risk assessment can be conducted against an individual, site or organisation. It is carried out from the attacker's point of view using only publicly available information. Starting with the minimum amount of information, usually just the subject's name or a location, an attack surface is built up from online sources to identify potential vulnerabilities.

Using official databases, social media, news, mapping and imagery sites, a digital profile of the subject is constructed. The extent of this attack surface can vary wildly from non-existent to substantial and site visits can be conducted to supplement the online collection and refine the attack surface.

The vulnerabilities are incorporated into attack trees to evidence a path from threat actor through to potential effect. This allows a refined approach to risk mitigation: cutting an attack tree at any single point along a path breaks that path and removes the risk, so controls can be focused where they are effective rather than applied everywhere.

The identified vulnerabilities can be validated by a ground visit to confirm that they exist as found online.

Outcomes

A digital risk assessment will provide a set of evidenced, validated risks to a given subject using a provided or assessed threat picture. It will produce evidenced attack trees, each leading to a risk. Breaking the attack trees by applying controls removes the risk and enhances the security of the subject.
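As an added illustration, not part of the original page or of the service it describes, the following Python models the attack trees referred to in the Approach and Outcomes sections: leaves are evidenced vulnerabilities, AND/OR gates combine them into paths from threat actor to effect, and a control that mitigates any leaf on a path cuts that path. The tree, vulnerability names and control names are constructed for the example and are not from any real assessment.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Union

@dataclass(frozen=True)
class Leaf:
    """A single evidenced vulnerability found during collection."""
    name: str

@dataclass(frozen=True)
class Gate:
    """AND: every child is needed; OR: any one child suffices."""
    op: str
    children: tuple

Node = Union[Leaf, Gate]

def attack_paths(node: Node) -> List[FrozenSet[str]]:
    """Enumerate the minimal sets of vulnerabilities that realise the node."""
    if isinstance(node, Leaf):
        return [frozenset([node.name])]
    if node.op == "OR":
        paths = [p for c in node.children for p in attack_paths(c)]
    elif node.op == "AND":
        paths = [frozenset()]
        for c in node.children:
            paths = [a | b for a in paths for b in attack_paths(c)]
    else:
        raise ValueError(f"unknown gate {node.op!r}")
    paths = list(dict.fromkeys(paths))           # drop exact duplicates
    return [p for p in paths if not any(q < p for q in paths)]  # keep minimal

def surviving_paths(node: Node, mitigated: Set[str]) -> List[FrozenSet[str]]:
    """Paths that remain once the given vulnerabilities are mitigated."""
    return [p for p in attack_paths(node) if not (p & mitigated)]

def smallest_control_set(node: Node, controls: Dict[str, Set[str]]) -> Optional[Set[str]]:
    """Brute-force the smallest set of controls that leaves no attack path (cuts every tree branch)."""
    names = list(controls)
    for r in range(len(names) + 1):
        for combo in itertools.combinations(names, r):
            mitigated = set().union(*(controls[c] for c in combo))
            if not surviving_paths(node, mitigated):
                return set(combo)
    return None

# Constructed sample tree for a site: two independent routes to the same effect.
TREE = Gate("OR", (
    Gate("AND", (Leaf("public_schedule"), Leaf("unmonitored_side_gate"))),
    Gate("AND", (Leaf("home_address_in_registry"), Leaf("no_visitor_screening"))),
))
# Constructed controls, each mapped to the vulnerability it mitigates.
CONTROLS = {
    "gate_cctv_and_lock": {"unmonitored_side_gate"},
    "registry_address_suppression": {"home_address_in_registry"},
    "reception_visitor_screening": {"no_visitor_screening"},
    "schedule_not_published": {"public_schedule"},
}
```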

The risk assessment can be delivered as a traditional report or as a slide pack; the latter is particularly useful when the subject is an organisation or site, whose facets are more interconnected than an individual's.