Chapter 4 – Information Security Risk
4.1 Rating with Incomplete Information 4.2 Gut Feeling and Mental Arithmetic 4.3 Real-World Calculation 4.4 Personal Security Posture 4.5 Just Because It Might Be Bad, Is It? 4.6 The Components of Risk
4.6.1 Threat 4.6.2 Exposure 4.6.3 Vulnerability 4.6.4 Impact
4.7 Business Impact 4.7.1 Data Sensitivity Scales
4.8 Risk Audiences 4.8.1 The Risk Owner 4.8.2 Desired Security Posture
4.9 Summary
4.1 Rating with Incomplete Information
• It would be extraordinarily helpful if the standard insurance risk equation could be calculated for information security risks.
Probability * Annualized Loss = Risk
• However, this equation requires data that simply are not available in sufficient quantities for a statistical analysis comparable to actuarial data that are used by insurance companies to calculate risk. In order to calculate probability, one must have enough statistical data on mathematically comparable events. Unfortunately, generally speaking, few security incidents in the computer realm are particularly mathematically similar. Given multivariate, multidimensional events generated by adaptive human agents, perhaps it wouldn’t be too far a stretch to claim that no two events are precisely the same?
• Given the absence of actuarial data, what can a poor security architect do?
4.2 Gut Feeling and Mental Arithmetic
• Experienced security architects do these “back of the napkin” calculations fairly rapidly. They’ve seen dozens, perhaps hundreds, of systems. Having rated risk for hundreds or perhaps many more attack vectors, they get very comfortable delivering risk pronouncements consistently. With experience comes a gut feeling, perhaps an intuitive grasp, of the organization’s risk posture. Intimacy with the infrastructure and security capabilities allows the assessor to understand the relative risk of any particular vulnerability or attack vector. This is especially true if the vulnerability and attack vector are well understood by the assessor. But what if one hasn’t seen hundreds of systems? What does one do when just starting out?
4.3 Real-World Calculation
• For the purposes of architecture assessment for security, risk may be thought of as:
Credible Attack Vector * Impact = Risk Rating
Where: Credible Attack Vector (CAV) = 0 < CAV > 1 Impact = An ordinal that lies within a predetermined range such
that 0 < Impact > Predetermined limit (Example: 0 < Impact > 500)
4.4 Personal Security Posture
• Personal risk predilection will have to be factored out of any risk calculations performed for an organization’s systems. The analyst is not trying to make the system under analysis safe enough for him or herself. She is trying to provide sufficient security to enable the mission of the organization. “Know thyself” is an important maxim with which to begin.
4.5 Just Because It Might Be Bad, Is It?
• Given certain types of attacks, there is absolute certainty in the world of computer security: Unprotected Internet addressable systems will be attacked. The uncertainty lies in the frequency of successful attacks versus “noise,” uncertainty in whether the attacks will be sophisticated or not, how sophisticated, and which threat agents may get to the unprotected system first. Further, defenders won’t necessarily know the objectives of the attackers. Uncertainty lies not within a probability of the event, but rather in the details of the event, the specificity of the event.
4.5 Just Because It Might Be Bad, Is It? – Cont.
• We are interested in preventing “credible attack vectors” from success, whatever the goals of the attackers may be. We are constraining our definition of risk to: • Human threat agents • Attacks aimed at computer systems • Attack methods meant to abuse or misuse a system
4.6 The Components of Risk
• There is a collection of conditions that each must be true in order for there to be any significant computer security risk. If any one of the conditions is not true, that is, the condition doesn’t exist or has been interrupted, then that single missing condition can negate the ability of an attack to succeed.
To illustrate how network defenders can act on their knowledge of their adversaries’ tactics, the paper lays out the multiple steps an attacker must proceed through to plan and execute an attack. These steps are the “kill chain.” While the attacker must complete all of these steps to execute a successful attack, the defender only has to stop the attacker from completing any one of these steps to thwart the attack.
4.6.1 Threat
• The term “threat” is scattered about in the literature and in parlance among practitioners. In some methodologies, threat is used to mean some type of attack methodology, such as spoofing or brute force password cracking. Under certain circumstances, it may make sense to conflate all of the components of threat into an attack methodology. This approach presumes two things: • All attack methodologies can be considered equal. • There are sufficient resources to guard against every attack methodology.
4.6.1 Threat – Cont.
• In order to understand how relevant any particular threat agent is to a particular attack surface, impact or loss to the organization, and the level of protection required to dissuade that particular type of attacker. • Threat agent • Threat goals • Threat capabilities • Threat work factor • Threat risk tolerance Table 4.1 summarizes the attributes that can be associated
with cyber criminals.
4.6.2 Exposure
• In organizations that don’t employ any separation of duties between roles, administrative staff may have the run of backend servers, databases, and even applications. In situations like this, the system administrators can cause catastrophic damage.
• Even in mature and well-run shops, administrative staff will have significant power to do damage. The excepted protections against misuse of this power are:
• Strict separation of duties • Independent monitoring of the administrative activities to identify abuse of administrative access • Restriction of outbound capabilities at the time when and on the network where administrative
duties are being carried out • Restriction of inbound vectors of attack to administrative staff when they are carrying out
their duties