I’m curious about how folks here think about and understand cyber risk.
At the risk of being facetious, I’d suggest most people don’t really understand “cyber risk.”
Part of the problem is we carry over a lot of physical/real world concepts and some of the techniques used for risk quantification are basically the same as using a Magic 8-ball.
There are a few aspects to risk management, one of which is risk assessment, where you need to identify critical assets, threats, all sorts of vulnerabilities present in the system, and the potential impact in case of issues/incidents.
All of these are rather aspects the defenders would deal with. I understand a lot of the folks here are pen-testers/red-teamers, i.e. attackers, and they might not care too much.
I am DFIR rather than Pentest/Red-Team, but I think it's an interesting question.
However, identifying critical target systems, networks, and data can also be of great value from the offensive point of view. And my question is about this; i.e. to what extent is identifying the criticality of assets (that are essential to a given business) an important consideration in carrying out pen-testing? And how is it approached, if it's an important consideration?
So, first - pentesting aside, identifying assets and assigning a criticality to them is pretty much foundational to any security posture. The fact it is often either totally overlooked or badly done is an indictment on how IT and Security teams operate. The tendency is to rush to exciting stuff without building a foundation.
If I am engaged by a client to scope a pentest, I'd use this data as the baseline. If I have knowledge about what systems are business-critical, what systems contain sensitive data, etc., then I can build a sensible scope for the test which results in a valid test without creating additional business risk.
If I don't have the data, then it's either a YOLO pentest that will get pulled after the first hour when something which turns out to be critical fails, or one so narrowly scoped it has zero real-world application. (And I've been in multinationals where both have happened on a regular basis.)
IMHO: This is foundational security but it isn’t sexy-tech-ninja security. It is often overlooked by people with awesome technical skills because it really is tedious. Sadly the risk people (especially ones from accounting/legal backgrounds) tend to overlook the technical requirements of criticality.
tl;dr: It matters but very rarely gets done well.
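As an added illustration of the scoping approach the reply above describes (this is example code written for this page, not anything posted by the participants), the snippet below takes a small constructed asset inventory with criticality and data-sensitivity ratings, scores each asset, and sorts it into a test tier: full testing for low-stakes systems, restricted testing (inside an approved change window, no disruptive techniques) for business-critical or sensitive ones, and passive review only for critical systems that have no change window at all, so the test does not become the "pulled after the first hour" scenario. The asset names, the 1-5 scales, the likelihood weights and the tier rules are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed scales (assumptions for this example): 1 = low ... 5 = business-critical
# for criticality, 1 = public ... 5 = regulated personal/financial data for sensitivity.


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int                      # how much the business depends on it staying up
    sensitivity: int                      # how damaging disclosure of its data would be
    exposure: str                         # "internet" or "internal"
    change_window: Optional[str] = None   # approved window for disruptive testing, if any

    def __post_init__(self) -> None:
        # Reject inventory entries that were never properly rated; a scope built on
        # guessed criticality is exactly the problem the thread complains about.
        for field_name in ("criticality", "sensitivity"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")
        if self.exposure not in ("internet", "internal"):
            raise ValueError(f"unknown exposure {self.exposure!r}")


# Hypothetical likelihood weights: internet-facing assets get probed more often.
LIKELIHOOD = {"internet": 3, "internal": 2}

# What each tier permits (illustrative rules, not a standard).
TIER_RULES = {
    "full": "Any technique within the rules of engagement; no time restriction.",
    "restricted": "Test only inside the approved change window; no DoS, brute force "
                  "or destructive exploitation; stop at proof of access.",
    "passive": "Credentialed config review and vulnerability enumeration only; "
               "no exploitation until a change window is agreed.",
}


def impact(asset: Asset) -> int:
    """Impact is driven by whichever hurts more: outage or disclosure."""
    return max(asset.criticality, asset.sensitivity)


def risk_score(asset: Asset) -> int:
    """Simple likelihood x impact score used only to order assets within a tier."""
    return impact(asset) * LIKELIHOOD[asset.exposure]


def scope_tier(asset: Asset) -> str:
    """Decide how intrusively an asset may be tested, based on the inventory data."""
    if asset.criticality >= 5 and asset.change_window is None:
        return "passive"          # business-critical and no safe time to break it
    if asset.criticality >= 4 or asset.sensitivity >= 4:
        return "restricted"       # important enough to need guard rails
    return "full"


def build_scope(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group asset names by tier, highest risk score first within each tier."""
    scope: Dict[str, List[str]] = {"full": [], "restricted": [], "passive": []}
    for asset in sorted(assets, key=lambda a: (-risk_score(a), a.name)):
        scope[scope_tier(asset)].append(asset.name)
    return scope


# Constructed sample inventory (hypothetical system names).
SAMPLE_ASSETS = [
    Asset("payments-db", criticality=5, sensitivity=5, exposure="internal"),
    Asset("erp-app", criticality=5, sensitivity=4, exposure="internal",
          change_window="Sat 02:00-06:00"),
    Asset("corp-website", criticality=3, sensitivity=1, exposure="internet"),
    Asset("hr-portal", criticality=3, sensitivity=5, exposure="internet"),
    Asset("dev-wiki", criticality=1, sensitivity=2, exposure="internal"),
    Asset("vpn-gateway", criticality=4, sensitivity=2, exposure="internet",
          change_window="Sun 01:00-05:00"),
]


if __name__ == "__main__":
    for tier, names in build_scope(SAMPLE_ASSETS).items():
        print(f"[{tier}] {TIER_RULES[tier]}")
        for name in names:
            print(f"    {name}")
```

The point of the example is that the tiering is mechanical once the inventory exists; all the judgement lives in the criticality and sensitivity ratings, which is why the reply calls that data the baseline for scoping.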