Strategic Security: Risk Assessment

McDonald's founder Ray Kroc once said, "If you're not a risk taker, you should get the hell out of business." Today, technology provides golden opportunities that would amaze yesterday's entrepreneurs. The flip side is that companies willing to take the leaps necessary to thrive in a competitive global economy expose themselves to hazards unheard of even 10 years ago. To survive, enterprises must continually use risk-assessment methods. Otherwise, they could unwillingly follow the second half of Kroc's advice.

Specifically, IT professionals can't limit their risk assessment to IT networks and computers. Physical security must be considered, as well as employees: People aren't just a company's most valuable asset, they're also the easiest to compromise. Risk-assessment practices must be codified within your organization through policies, standards and guidelines.

A Neverending Process

Risk assessment, which we define as the process of identifying factors that can negatively influence operations and an executive's ability to make informed choices, has been around for years as a means of gauging the status of a company's assets versus potential risks. Like most activities in business, it focuses primarily on the bottom line. An infosec professional's role in risk assessment is to determine the cost to the organization if particular vulnerabilities are exploited.The risk-assessment process can be anything from a quick walk-through and analysis of known hazards--in the case of a small business--to a lengthy process involving multiple teams and consultants. But one thing is always true: Risk assessment must be revisited at least twice a year to ensure that new dangers are not overlooked and old risks are managed effectively. Additionally, security policies must be reviewed and updated continually to account for changes in business methods and processes.

The first step is to know your organization's view of, and tolerance for, risk. In addition, note that requirements to manage, mitigate and eliminate risk no longer depend only on your company's tolerance level. Uncle Sam has gotten into the act, and risk assessment is intertwined with an ever-growing set of regulations that mandate or "strongly recommended" specific risk-management methods. Make the regulations that apply to your company part of your vocabulary, if they aren't already.

Are you in a business that escapes most regulatory oversight? Undertake risk assessment anyway. All too often, IT pros who should know better function in an "It won't happen to us" mindset. When "it" does happen, we're caught off guard. There's a reason police officers take target practice, even though they may never draw their weapons. Wait until a crisis hits to plan, and your ability to react effectively will be impaired. Look at the daily news reports about organizations experiencing loss due to attacks against systems with known vulnerabilities--even a half-hearted risk-management effort would have caught these basic vulnerabilities.Risk assessment comprises asset identification and evaluation, threat and vulnerability identification, control identification, determination of the likelihood of a threat, impact on the CIA (confidentiality, integrity and availability) of an asset, risk determination, control recommendation, and documentation and policy (see illustration at right). These steps may be consolidated or compressed, as long as they're all present.

Identify Your Assets

No auto insurance company will issue a quote unless it knows the type of car to be covered and who will be driving. It's the same story in organizational risk assessment. Business units must be forthcoming as to their assets, replacement costs associated with those assets and users. IT's job is to evaluate this information for potential loss.

The task of asset identification and evaluation, as with most processes, starts with a comprehensive information-gathering process. Consider forming a multidiscipline risk-assessment team involving a cross section of your organization. Our experience shows that this team approach is most effective. And, you'll see ongoing benefits from cross-departmental IT-to-business relationships.Assets are what make your business successful and functional--not only hardware and software items that have property tags on them, but also hard-copy reports, data within a database, even critical employees who can make or break an organization if they are lost due to competition, retirement or even the flu. Is the most important asset in your internal intranet the $20,000 firewall, or the data that's sitting on a $2,000, four-year-old box that's serving as a data repository? It's not easy to put a value on data that may have taken years to acquire. Is it worth thousands, even millions of dollars? Business units are the best source for up-to-date figures.

After you've documented your organization's assets, start again, because you probably missed something. Did you count client and CRM data, marketing figures and intellectual property?

Threat Sources

Once you have a feel for the organization's assets, compile a list of IT threats and sources that could exploit your system vulnerabilities. In addition to including outside attacks, consider insider theft, system failure and even environmental hazards.

Also consider possible threat motivations. Will it be script kiddies having fun, organized criminals seeking identity information, a disgruntled employee with a vendetta, or industrial espionage, in which a rival organization is looking to gain a financial or competitive advantage?Not all threats pose the same risk factor; the severity of a risk can be mitigated based on need, cost and even the expendability of departmental assets. Typically, an external Web site is invaluable for a marketing department in terms of loss of service. However, other departments may not depend on their sites for sales, so reduced connectivity may not represent lost business or revenue. On the same note, sites that could provide access to financial information or controversial data are tempting targets, requiring additional controls.

In addition to calling on team personnel who understand the systems and data, use sources of threat data, such as national estimates for government sources, CERT (Computer Emergency Response Team) reports and even media reports that highlight trends in information security.

Next, identify vulnerabilities with regard to both systems and processes. You likely have tools on hand to assist, including desktop-management applications and third-party assessment tools--risk calculators, vulnerability scanners and guides, and checklists, such as Security Configuration Checklists from the NIST (National Institute of Standards and Technology), and Security Technical Implementation Guides from the Defense Information Systems Agency.

Remember that flaws can lie in internal processes used to manage data and information. Consider the source of the threat along with the potential target to ensure you keep your assessments in context. A common process vulnerability we see almost daily happens when employees print sensitive data, review it and then drop it in a trash can or recycling bin. It's at the expense of your security if waste paper is simply handed over to local recyclers without shredding. And dumpster diving remains a popular low-tech exploitation method.

Also remember to contact the sysadmins who monitor and manage your corporate firewalls and routers and ensure that these systems are in a deny-all, permit-some mode, allowing only approved ports access. When dealing with corporation-wide systems, it's always better to have a standard baseline build that has removed all unnecessary software. Recent malware attacks have shown a need to have rebuilds streamlined in the event you need to update multiple infected machines fast.Set security standards for those who travel or telecommute and require access to your intranet. Even remote offices should be closely monitored; many of the cases of corporate theft, remote offices are the best targets given that they have access to corporate networks but remain out of IT's direct control.

Finally, determine whether you need outside assistance with vulnerability-scanning tools, even penetration testing. Both have proven useful but they come at a cost in money and time. See "Is Penetration Testing a Good Idea?" at for more guidance.

Vulnerabilities are tamed with controls, which come in two flavors: technical and nontechnical. Technical controls include firewalls and automated password protection. Nontechnical controls include security training, separation of duties and even policy implementation.

When analyzing controls, the method of employment indicates whether they're preventive or detective. Preventive methods are those used to keep people from violating policy--visible access control, use of encryption or secure servers and authentication--whereas detective controls produce some kind of record of possible violation and include audit trails, event logs, intrusion- detection systems and even integrity tools used to confirm alteration of data.

Likelihood of a Threat

Asking the question "Will it really happen to us?" is the next step in the risk-assessment process. This exercise lets you assign probabilities to weigh the likelihood that vulnerabilities will be exploited and cause harm. In days past, where risk elimination was the method of operation, this step wasn't necessary. But in today's age of quickly changing technology, the best we can do is to try to manage the risks we ID.

NIST's Risk Management Guide for Information Technology Systems (PDF) recommends a three-tiered table for assigning likelihood measures that a vulnerability will be exploited. Analyze factors such as your organizational objectives and the products, sales, marketing or research you do. Then determine what the nature of an attack would be, along with the motivation behind the attack.

After you've analyzed your vulnerabilities and the threat environment, consider controls and how effective they'll be at fending off an incident. Keep your organizational practices in mind. What's worse, a severe vulnerability that can't be accessed remotely or two less-critical holes that can be exploited from the outside? Do you have employees who work at home on unsecured WLANs? Always consider the implications that your network and architecture have on your threats and vulnerabilities.

For each threat, play the pessimist and assume the worst has happened. How bad could it be? What business areas will be affected? What could it cost your organization? Although cost is valuable to determine loss, you must also consider major security goals in this analysis. You may be able to work with existing documentation, such as impact analysis reports and other cost-benefit studies, to estimate loss.

Although many things in the risk arena have changed over the years, qualitative and quantitative analysis remain the two primary means of assessing risk; the method you use will depend on the type of assets you're analyzing. We typically refer to risk in terms of annual loss expectancy, so the typical method of risk analysis remains quantitative evaluation, which assigns loss values in dollar amounts.In terms of the firewall and server mentioned previously, we can assign an initial cost to these assets, as well as any ongoing costs they require. Additionally, we evaluate any replacement costs for the hardware, standard software suites and initial installation in today's figures to determine replacement costs. It's hard to put a monetary value on intangibles, such as how much a network breach would cost your company in terms of loss of credibility or confidence. In these cases, you can list the impact as high, medium or low.

Make Risk a Part of Policy

To avoid losing any of the knowledge you've gained during your initial risk assessment, and to ensure that risk assessment remains an ongoing part of your organizational activities, take the time to fully update your existing risk-analysis policy or create a new set of documents. This policy will serve as the formal statement by the organizational management team dictating how risk-assessment activities will continue, by forming basic rules for ongoing initiatives. You still have a risk-assessment team in place, so use them to define and outline the policy, standards, guidelines and procedures that will be needed to continue these efforts.

And to guarantee that your hard work doesn't end up on a bookshelf gathering dust, develop a plan to properly train employees in their roles and responsibilities. Finally, ensure that your policy and risk-assessment activities are assigned in a maintenance program so that they will be followed, updated and modified where needed.Given the fast pace of change in the IT industry and the workplace in general, the threats you address today may be gone or replaced tomorrow, so be diligent about identifying new threats on a continuing basis. As Dan Quayle said, "If we don't succeed, we run the risk of failure."

Chad Korosec is a senior information security engineer/scientist with Mitre Corp. (His affiliation with Mitre is provided for identification purposes only and does not imply Mitre's support for the viewpoints expressed in this article.) Write to him at [email protected].

So, Can I Buy My Way Out of This?

Accomplishing ERM, or enterprise risk management, involves elements of business intelligence, regulatory compliance, data warehousing and integration, message-oriented middleware, and business process management tools.

For an overview see "Enterprise Risk Management: Illuminate the Unknown". We review BI tools at "One Suite To Serve Them All", and our Compliance Pipeline covers issues of interest to those trying to dodge regulators. Our evaluation of BPM suites is here.0