Excerpt from Network Security Auditing

Chapter 1: The Principles of Auditing

Page 3 of 5

Step 1. Characterize the system: Understand the business processes and interdependency of the systems under review. Where does it fit into the organization and how is it used? What are the software and hardware versions deployed? How is it configured?

Step 2. Identify threats: Identify the threats to confidentiality, integrity, and availability. Extortion, corporate espionage, data theft, and disasters are all examples of potential threats.

Step 3. Identify vulnerabilities: Catalog the services and protocols used to generate a list of potential attack vectors. Software, hardware, and configuration can all have potential vulnerabilities. Automated software tools help, but experience and knowledge find the ones that scanning tools miss.

Step 4. Analyze controls: Identify whether or not the controls in place are sufficient when compared to the risks a successful compromise would have to the business. Each of the primary control categories—administrative, technical, and physical—must successfully address prevention, detection, correction, and recovery for the threats and vulnerabilities identified. This analysis finds which controls are missing or inadequate.

Step 5. Determine the likelihood of an event: Utilize the quantitative or qualitative approach to rank the likelihood of an event happening. The next section addresses a number of methods for doing this.

Step 6. Analyze the impact of an event: Attempt to put a monetary value on the impact a potential event can have on the company as a whole. Management understands the severity much better and is in a better position to allocate resources if it has an idea of how much money the event could cost the company.

Step 7. Determine risks: The values identified in the previous steps are compiled to provide a snapshot of the risks the business faces. This step provides the prioritized list of security issues that need to be addressed.

Step 8. Recommend controls: A key part of an auditor’s role is to recommend controls to reduce risk. These recommendations help the organization under audit better protect its assets.

Step 9. Document results: Documenting the results of the risk assessment helps to show due care and due diligence. This step is also where the results of the process are presented to management.

Risk, as it relates to information security, can be defined quite simply as the probability or likelihood that a threat will exploit a vulnerability and cause damages. Although this definition might sound simple, there is some work that needs to be done to figure out the values you need to build your equations. There are two main approaches to risk analysis; one is quantitative and the other is qualitative.

The quantitative approach uses formulas to equate the frequency of a risk to a monetary value. These formulas themselves are not particularly complex, but the data used to feed the variables can be time-consuming and difficult to compile. Most of the data that exists is historical, and the rate of change that is seen in technology makes it difficult to maintain accurate values. In security, you don’t have actuarial tables that give the average number of incidents per type of company or industry—similar to what is seen with insurance claim data—because most organizations simply do not track security incidents accurately or consistently. The most widely used source for this type of data is generally the yearly FBI/Computer Security Institute report on cyber crime. This report provides the number of reported incidents in various categories, such as data theft or security breaches; however, you are on your own to figure out what these events cost, as it is different per company and employee. You might have a worm infect a laptop, causing a user to be unable to work for a day. Calculating the technician time in reloading the machine might give you two hours at $60 per hour, or $120 for that incident. What is often underreported is the total cost in productivity and lost data. You have the technician’s time accounted for, but what about the individual who can’t do his job because of the downed laptop? What about the lost report that took two weeks to complete and now must be rewritten because key files were corrupted? It’s more difficult to quantify those types of losses. Still, many organizations have standardized on quantitative methods for risk analysis. Auditors must be aware of how these formulas work. Here are a few classic examples:

  • Single Loss Expectancy (SLE) = Asset Value x Exposure Factor: SLE is a formula that determines the expected cost of loss to an asset based on the exposure to the event that the asset incurs. The exposure factor represents how much damage there is as a percentage of loss to the asset. The percentage of loss ranges from 0 (no damage) to 100 percent (total loss). Unless there is complete destruction of the asset, the exposure factor is less than 100 percent. If a web server database worth $100,000 is corrupted during an attack, and the backup is able to recover only 70 percent of the data, then the exposure factor would be 30 percent. A $100,000 asset x 30 percent (EF) = $30,000 loss.
  • Annual Loss Expectancy (ALE) = Single Loss Expectancy x Annual Rate of Occurrence: The ALE calculation uses the output of the SLE formula and multiplies it by the expected number of occurrences of the event in a single year. If the web server is hit by an attack twice a year, then ARO would be 2. If you have never been hit but estimate that you will experience an attack sometime in 10 years, then ARO would be 0.1. After you determine the ARO, you can then multiply it by the SLE to determine the ALE: $30,000 (SLE) x 2 (ARO) = $60,000 (ALE).

  • Countermeasure Value = ALE Before – ALE After – Annual Countermeasure Cost: To determine how much you should spend on countermeasures to reduce the risk to assets, you can use the data generated by the previous functions to build a cost-benefit analysis to help justify the purchase of a new countermeasure. During the post-incident analysis, it was determined that the attack could have been prevented through a combination of an IPS and better backup software for recovery. The total cost of the new countermeasures is $10,000. If you have $60,000 (ALE before) – $20,000 (ALE after, reflecting the savings from the new countermeasure) – a $10,000 countermeasure cost, then you have added $30,000 of “value” to the organization by purchasing the countermeasure. This enables you to determine that purchasing this countermeasure is a good use of your security investment and saves the company $30,000.
  • Return on Security Investment (ROSI) = ((ALE x Percent of risk mitigated) – Countermeasure cost) / Countermeasure cost: The ROSI calculation is used to determine a return on investment value for a security countermeasure. You take the ALE, multiply it by the percentage improvement in effectiveness of the new countermeasure, and then subtract the cost of the countermeasure. Then you divide the total by the cost of the countermeasure to determine the rate of return. To arrive at a risk mitigation percentage, you should test the equipment in a lab or rely on a neutral testing organization to determine an appropriate effectiveness rate. Continuing with the DoS example, your $60,000 (ALE) x 80 percent (increase in risk mitigation based on testing) – $20,000 (cost of the countermeasure) gives you $28,000, which is how much you should save from the increased effectiveness of the countermeasure. If you divide $28,000 by $20,000 (the cost of the countermeasure), you can hope to realize a return on security investment of 140 percent. Not a bad deal!
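The four formulas above, worked through with the chapter's own figures, as an added Python example (not code from the book). The range checks on EF, ARO and cost, and the `Candidate` ranking helper, are my additions.

```python
"""Quantitative risk formulas from this chapter: SLE, ALE, countermeasure value and ROSI."""
from dataclasses import dataclass

def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor; EF is a fraction, 0.0 (no damage) to 1.0 (total loss)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def ale(single_loss: float, annual_rate: float) -> float:
    """Annual Loss Expectancy = SLE x ARO; ARO may be fractional (0.1 means once in ten years)."""
    if annual_rate < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return single_loss * annual_rate

def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Countermeasure Value = ALE before - ALE after - annual countermeasure cost (negative: not worth buying)."""
    return ale_before - ale_after - annual_cost

def rosi(ale_before: float, risk_mitigated: float, cost: float) -> float:
    """ROSI = ((ALE x fraction of risk mitigated) - cost) / cost, returned as a fraction (1.4 means 140 percent)."""
    if cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    if not 0.0 <= risk_mitigated <= 1.0:
        raise ValueError("risk mitigated must be between 0 and 1")
    return (ale_before * risk_mitigated - cost) / cost

@dataclass
class Candidate:
    """A countermeasure under consideration: annual cost and the effectiveness fraction measured in lab testing."""
    name: str
    cost: float
    risk_mitigated: float

def rank_by_rosi(ale_before: float, candidates: list) -> list:
    """Order candidates by ROSI, best first; a negative ROSI costs more per year than the risk it removes."""
    return sorted(candidates, key=lambda c: rosi(ale_before, c.risk_mitigated, c.cost), reverse=True)

def chapter_example() -> tuple:
    """The chapter's numbers: a $100,000 database, 30 percent EF, hit twice a year, $10,000/$20,000 countermeasures."""
    single = sle(100_000, 0.30)                           # $30,000 per incident
    annual = ale(single, 2)                               # $60,000 per year
    value = countermeasure_value(annual, 20_000, 10_000)  # $30,000 of value added
    ret = rosi(annual, 0.80, 20_000)                      # 1.4, i.e. a 140 percent return
    return single, annual, value, ret
```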

Although none of the quantification techniques described are 100 percent accurate, there is still value in having a consistent and replicable way to determine how an organization invests in security. These are simple examples that require research and time to increase accuracy. Because a large number of companies don’t have the time or inclination to do this level of number crunching, the qualitative methods for determining risk have become increasingly popular.

Qualitative risk analysis is less concerned with the numbers, and more interested in finding which assets are exposed to the greatest level of risk. The power of the qualitative approach is that it can provide a measurement tool that anyone can understand without majoring in statistical analysis. The results are actionable, and the rating system can be anything that the organization is comfortable with, such as high, medium, and low. The variables threat, vulnerability, and exposure are similar to the quantitative approach, but the ways in which we arrive at the values are quite different. The qualitative approach uses the following simple formula:

Risk = Threat x Vulnerability x Impact of Exposure

Assets are what you must try to protect, and those assets can be a database, business process, network access, or anything else that is an important part of how you do business. The easiest way to identify threats is to use the CIA triad of Confidentiality, Integrity, and Availability. These three areas represent the primary aspects that businesses attempt to protect, so if you measure your assets against CIA, you can determine potential threats to that asset. Confidentiality is keeping data private and out of unauthorized hands. Integrity is about ensuring that unauthorized parties do not tamper with data. Availability is concerned with keeping the service or system up and running.

After you determine your potential threats, you need to classify them based on the likelihood of an event happening. There are always potential threats out there, but some of them are just not practical. That’s where the vulnerability aspect of the formula comes into play. A threat with no vulnerability is still a threat, but there is no risk to the asset, because if any one of the variables is zero, then risk is zero. Risk depends on the presence of both a threat and a vulnerability. Take, for example, the threat of a teardrop attack. The teardrop attack took advantage of a vulnerability in the IP stack where a maliciously crafted fragmented packet with overlapping offsets could cause a kernel panic or blue screen of death. In 1997 this was a real risk because the vulnerability was present in a large majority of Windows and Unix-derived IP stacks, and the threat of someone using this attack was great due to easily accessible exploit code. Unless you are running very old devices or devices that aren’t patched, this is not something you would be concerned with today. The risk of this attack to modern operating systems is virtually nonexistent.

The last variable in the simplified risk equation looks at the impact to the organization if the threat is successful. If the threat is stealing customer credit card information, you can feel confident that the threat level is high because there is significant evidence that there are plenty of individuals with the skills, resources, and inclination to engage in this type of crime. If a company houses its customers’ credit card information in a database that is connected to an Internet-accessible web server, then the potential for a vulnerability that could be exploited is also high. The impact of this event could be high, too, because customers do not forgive a company that experiences a breach like this. Based on this simple scenario, you can determine that the risk is high to this asset and it would be wise to focus your efforts on protecting the asset by providing controls and countermeasures that can reduce the risk of a compromise happening.
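The qualitative formula applied per CIA area, as an added Python example that is not from the book. The numeric ratings, the high/medium/low thresholds and the sample inventory are assumptions; the card-database and teardrop cases mirror the chapter's two scenarios.

```python
"""Qualitative scoring: Risk = Threat x Vulnerability x Impact, with assets measured against the CIA triad."""
from dataclasses import dataclass

# Ratings the organization is comfortable with (assumed scale); "none" lets any factor zero out the product.
RATING = {"none": 0, "low": 1, "medium": 2, "high": 3}
CIA = ("confidentiality", "integrity", "availability")

@dataclass
class Asset:
    """An asset with (threat, vulnerability, impact) ratings for each CIA area it is exposed in."""
    name: str
    exposures: dict  # e.g. {"confidentiality": ("high", "high", "high")}

def risk_score(threat: str, vulnerability: str, impact: str) -> int:
    """Multiply the three ratings (0..27); a threat with no vulnerability, or no impact, yields zero risk."""
    for factor in (threat, vulnerability, impact):
        if factor not in RATING:
            raise ValueError(f"unknown rating {factor!r}")
    return RATING[threat] * RATING[vulnerability] * RATING[impact]

def rating_label(score: int) -> str:
    """Map the product back onto high/medium/low; the thresholds are an assumption, not from the chapter."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    return "medium" if score <= 12 else "high"

def assess(asset: Asset) -> dict:
    """Score each CIA area; the asset's overall risk is its worst area, since one exposed area is enough."""
    per_area = {area: risk_score(*asset.exposures[area]) for area in CIA if area in asset.exposures}
    if not per_area:
        raise ValueError(f"{asset.name}: no CIA exposures recorded")
    worst = max(per_area, key=per_area.get)
    return {"asset": asset.name, "areas": per_area, "worst": worst,
            "score": per_area[worst], "rating": rating_label(per_area[worst])}

def rank_assets(assets: list) -> list:
    """Prioritized list, highest risk first: the output an auditor hands to management."""
    return sorted((assess(a) for a in assets), key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (not from the chapter).
SAMPLE = [
    Asset("customer card database", {"confidentiality": ("high", "high", "high"),
                                     "integrity": ("medium", "medium", "high"),
                                     "availability": ("medium", "low", "medium")}),
    Asset("patched web server (teardrop)", {"availability": ("high", "none", "high")}),
    Asset("internal wiki", {"confidentiality": ("low", "medium", "low")}),
]
```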

The point of all of this is to make sure that the organization that is being audited has addressed these issues in a manner that reduces the total risk to the organization. Auditors need to understand how to perform risk analysis to determine whether or not the controls are in place and appropriately address the level of risk to the asset. The auditor’s role is also to provide recommendations for reducing risk, and that takes us to the next area of risk management: risk mitigation.

Risk Mitigation

After you have determined that there are legitimate risks to the company’s assets, the next step is to figure out how to address those risks. The goal of most risk-management programs is to prove that the organization has performed “due diligence” or “due care”. Due diligence and due care are legal terms that seek to determine whether a company or individual has been negligent in their duties. In the case of information security, organizations need to act (and document those actions) in a manner that secures business assets to a level that is prudent and reasonable given their value and risk. This prudent man rule is another aspect of law that comes up often when discussing risk mitigation. Directors and managers might be held personally liable for negligence of duty if it is proven that they did not provide the necessary environment to protect the assets they have been charged with securing.

  It is important to involve legal counsel to ensure compliance with local and federal law. I am not a lawyer (I don’t even know any good lawyer jokes), and this book isn’t a substitute for good legal advice.

Mitigating risk is not simply about buying a product or writing a policy. Purchasing technology can be a component of addressing risk, but there are a number of options available. The following list details the choices a company must make when managing risk.

  • Accept the risk: A company can choose to accept a risk for many reasons. If the probability of a threat successfully exploiting a system is unlikely or the cost to protect the system is so high that it would be cheaper to recover the system in house, then an organization might choose to accept this risk as part of doing business. The danger here is in underestimating the total cost of an exploit and not fully realizing the impact of the event to the business or customers.
  • Avoid the risk: Sometimes in business, the reward is just not worth the risk. Companies might choose to not conduct business in a way that opens them up to risk. If you have a retail establishment and store credit card information on your Point of Sale (POS) systems as part of your processing of daily transactions, you run the risk of credit card information being stolen because you have this data scattered across all of your POS systems in all of your stores. You can avoid this risk by not storing the data on the POS system and simply running your credit card transaction through a headquarters-based clearinghouse with much higher levels of security.
  • Transfer or share the risk: The simplest mechanism for transferring risk is to purchase an insurance policy. Other ways include outsourcing the risky service to a third party and building in strict service-level agreements (SLA) and contracts so that they are responsible for securing the data. Of course, regardless of who is “responsible” for an incident, there is still the damage to reputation that can occur with a data breach.
  • Reduce or mitigate the risk: Implementing controls and countermeasures is how you reduce or mitigate risk. You can avoid the risks on the Internet by simply unplugging external connections, but you lose all of the benefits that a global marketplace gives you. Purchasing countermeasures and implementing controls is a much less drastic response to protecting your systems.
  • Ignore the risk: This is the most dangerous of all options, because it can have dire consequences to shareholders and the organization as a whole. Ignoring risks does not make them go away and could cost your company everything in the end.