Ask HN: Should a risk assessment list all dependent tools?
The Crowdstrike incident highlights the need for IT analysts to effectively communicate third-party service risks to leadership, advocating for structured risk assessments to inform decision-making on risk management strategies.
The recent Crowdstrike incident has raised concerns about how IT analysts communicate the risks associated with third-party services to leadership. In environments like AWS, where regional failures can occur, organizations face a choice between accepting the risk or implementing multi-regional deployments to mitigate it. A structured approach, such as a risk assessment matrix, could be beneficial. This matrix would categorize Software as a Service (SaaS) tools based on whether their associated risks can be eliminated, mitigated, or transferred. Additionally, it would be important to evaluate the potential impact of accepting these risks. By clearly outlining these factors, IT analysts can provide leadership with a comprehensive understanding of the risks involved, enabling informed decision-making regarding third-party service usage and risk management strategies.
Related
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and privat
The Wiz Research Team identified vulnerabilities in SAP AI Core, enabling unauthorized access to customer data. Reported issues included network bypass, AWS token leaks, and exposure of sensitive information. SAP addressed and resolved all vulnerabilities.
It's not just CrowdStrike – the cyber sector is vulnerable
A faulty update from CrowdStrike's Falcon Sensor caused a global outage, impacting various industries. Stock market reacted negatively. Incident raises concerns about cybersecurity reliance, industry concentration, and the need for resilient tech infrastructure.
Microsoft: Helping our customers through the CrowdStrike outage
CrowdStrike released a global software update causing IT disruptions. Microsoft collaborated to aid affected users, deploying engineers and sharing remediation instructions. Industry collaboration is crucial for resolving rare incidents effectively.
CrowdStrike fail and next global IT meltdown
A global IT outage caused by a CrowdStrike software bug prompts concerns over centralized security. Recovery may take days, highlighting the importance of incremental updates and cybersecurity investments to prevent future incidents.
Lessons from CrowdStrike's Buggy Update
Recent events underscored the importance of robust release processes in the software industry. A buggy update to CrowdStrike's Falcon security software caused system crashes, emphasizing the need for comprehensive testing, integrity verification, staged rollouts, and transparent communication. Justin Cappos highlighted the necessity of software supply chain validation mechanisms like in-toto for enhanced security.
2 comments- Brand impact of risk: how will marketing and sales be affected?
- Business impact of risk: how much business will be lost? How much productivity will be lost? Will business transactions be lost?
- Customer impact of risk: will sensitive customer data be leaked? Will customer data be lost?
- Time to recover? How long would it take to get operations back to normal?
- How likely are people to die or be severely injured?
- Are your customers businesses instead of people? What are your SLAs?
Taken together, this informs you the severity of the risk.
Then there's the mitigation for each risk:
- Data backups & a data backup strategy
- Alternate hosting
- Alternate networking
- Secure communications and secure storage
- Alternate power sources
Your mitigation depends on the severity of the risk.
In your case, if your deployed solution is dependent on multiple SaaS providers, then a mitigation plan for your solution is comprised of the mitigation plan for all your SaaS providers. If you're not accounting for your 3rd party dependencies, then you're not properly presenting the risk. It's perfectly fine to have different mitigation plans for different components. If there's a SaaS component you're using and its failure means your application loses a capability that your business determines as having minor impacts and the customer could go without that capability for a couple days, then maybe your mitigation for that SaaS component is to do nothing. Another 3rd party component in that same application may need alternate hosting and data replication as its mitigation plan because its critical to the application and the application is critical to the business. Not even all the 3rd party components comprising your application may have the same mitigation strategy!
Related
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and privat
The Wiz Research Team identified vulnerabilities in SAP AI Core, enabling unauthorized access to customer data. Reported issues included network bypass, AWS token leaks, and exposure of sensitive information. SAP addressed and resolved all vulnerabilities.
It's not just CrowdStrike – the cyber sector is vulnerable
A faulty update from CrowdStrike's Falcon Sensor caused a global outage, impacting various industries. Stock market reacted negatively. Incident raises concerns about cybersecurity reliance, industry concentration, and the need for resilient tech infrastructure.
Microsoft: Helping our customers through the CrowdStrike outage
CrowdStrike released a global software update causing IT disruptions. Microsoft collaborated to aid affected users, deploying engineers and sharing remediation instructions. Industry collaboration is crucial for resolving rare incidents effectively.
CrowdStrike fail and next global IT meltdown
A global IT outage caused by a CrowdStrike software bug prompts concerns over centralized security. Recovery may take days, highlighting the importance of incremental updates and cybersecurity investments to prevent future incidents.
Lessons from CrowdStrike's Buggy Update
Recent events underscored the importance of robust release processes in the software industry. A buggy update to CrowdStrike's Falcon security software caused system crashes, emphasizing the need for comprehensive testing, integrity verification, staged rollouts, and transparent communication. Justin Cappos highlighted the necessity of software supply chain validation mechanisms like in-toto for enhanced security.