Welcome to our fourth article in the Information Security Series, on Risk Management. After an “Introduction to Information Security”, we covered the concepts of Confidentiality, Integrity, and Availability (the CIA Triad) and the relation between Subjects and Objects, and we learnt that security can be thought of as a continuous, endless cycle (the Security Wheel).
We then talked about the AAA Security Framework and its main building blocks, Authentication, Authorization and Accounting, and two practical implementations of AAA: the RADIUS protocol and the TACACS+ protocol.
We also discussed the Multi-layered Defense (Defense in Depth) concept, which implements multiple layers (lines) of defense to protect the organization’s data and assets.
Then we talked about legal responsibility in case of a security breach, data disclosure, data loss, or unauthorized tampering with data.
We learnt that providing evidence that the organization has followed suitable, proper, and reasonable Due Care and Due Diligence practices helps reduce legal responsibility and avoid possible penalties.
Now, we are about to start tackling another important foundational concept: the Risk Management.
What is Risk?
Risk can be defined as the possibility that something will occur to cause damage, destruction, disclosure, tampering, or loss of the organization’s data and/or assets, either maliciously or unintentionally.
What is Risk Management?
In very simple words: managing risk means mitigating risk to reduce it to a level that is acceptable to the organization’s management, at an acceptable and affordable cost.
So, the Risk Management process requires:
- Studying all possible factors that may pose a risk to the organization’s data and assets.
- Identifying possible solutions:
- How effective is each solution?
- What is the cost of implementing each solution?
- Defining the level of risk that the organization’s management could accept.
- Deciding whether or not it is feasible to implement a solution at a certain cost to reduce or eliminate the risk to the asset.
Before diving deeply into the details of the Risk Management process, there are several terms that we need to understand.
For an organization, an asset is anything that should be maintained and protected. Assets include (but are not limited to):
- Client desktop computers.
- Network shared folders.
- Word and PDF Documents.
- Paper Documents.
- Excel Sheets.
- Software Applications.
A threat is any possible incident that may lead to undesirable result(s) for the organization’s asset(s), or for the organization itself.
The threat could be an action whose occurrence, or inaction whose absence, will cause damage, destruction, disclosure, tampering, loss of, or denying access to data and/or assets.
In terms of volume and effect, threats can be:
- Minor, with easy-to-contain impacts or no impact at all.
- Severe, with serious impact(s).
In terms of intent, threats can be:
- Intentional, or
- Unintentional.
In terms of their source, threats can be:
- Man-made: either malicious (on purpose) or unintentional (by carelessness).
- Natural: like floods, earthquakes, tornadoes, and volcanoes.
A threat agent is a party that intentionally exploits a weakness (vulnerability) to form a threat. A threat agent could be an external hacker or an insider.
A vulnerability is a weakness that, if exploited, may lead to a threat to an organization’s asset.
A vulnerability could be an absence or lack of protection of an asset, facility, building, server, or data. For example, a computer, server, or file share that can be accessed with no authentication is a vulnerability.
A restricted area in a building with little or no video surveillance is a vulnerability.
A weak or easy-to-guess password is a vulnerability. A poorly written software program or script with bugs that may cause the system to crash or reboot is a vulnerability.
Insufficient input validation in a webpage that may lead to a SQL injection attack is a vulnerability.
A building entrance with inadequate security guards and access control is a vulnerability. A careless employee in a critical job is a serious vulnerability.
The examples are so many that they are practically uncountable!
The Risk is the probability or potential that a threat would exploit a vulnerability to cause harm to an asset. Risk is said to be the threat multiplied by the vulnerability:
Risk = Threat x Vulnerability
From this definition we understand that the risk equation depends on two factors, threat and vulnerability:
- The more severe the vulnerability is, the higher the risk will be.
- The bigger the chance that a threat will occur, the higher the risk will be.
- Removing (eliminating) the vulnerability (i.e. vulnerability = 0) will reduce risk to zero.
- Reducing the vulnerability to minimum will reduce the risk to a minor level.
- Preventing a threat agent or threat event from exploiting a vulnerability will reduce the risk.
Any action that reduces or completely eliminates a vulnerability or protects assets against various threats is called a Security Control, Countermeasure, or Safeguard.
Note: The three terms Security Control, Safeguard, and Countermeasure all have the same meaning and can be used interchangeably.
There are many possible security controls. They include (but are not limited to):
- Hardening your server and stopping insecure services.
- Installing a security patch.
- Installing motion detectors in restricted areas.
- Access control machines at building entrances.
- Creating and maintaining a Security Policy.
- Installing a Firewall to protect the internal network from outside threats.
- Employing Security Guards, or contracting with a security services company.
- Preparing and following a Backup Policy.
- Having a DR (Disaster Recovery) site.
- Security Awareness Training for staff.
- Using Strong Encryption Algorithms.
- Installing an Intrusion Prevention System (IPS).
- Installing Antivirus software on servers, desktops, and laptops, and keeping the virus definitions up to date.
- Video Surveillance Systems.
- Job rotation and mandatory vacations.
- Enforcing a strong Password Policy.
- Using one-time passwords (OTP).
- Implementing High Availability.
- Enforcing strict Change Management process.
- Collecting logs and audit trails and sending them to a centralized log server.
- Guard Dogs.
- Background checks for candidates for open job vacancies.
- Separation of Duties.
- Signing strict Service Level Agreements (SLAs) and Non-disclosure Agreements (NDAs) with third parties.
The malicious action in which a threat agent exploits a vulnerability to cause damage, destruction, loss of, or denial of access to an asset is called an attack.
The Risk Management Project
Risk Management is not a simple one-shot task; it is a big project.
The sponsor of the Risk Management project is the organization’s top management. As part of proving due care and due diligence, and their commitment to achieving information security, the top management supports the risk analysis and risk assessment efforts. Top management’s responsibilities include:
- The scope of work for the risk management project.
- The purpose of the project.
- The team in charge of the project.
- The acceptable level of residual risk.
- When they receive the output from the risk analysis/assessment team, with its recommendations, they make the final decision for each case on whether a certain risk can be accepted or not.
Preparing Lists of Assets, Threats & Vulnerabilities
An organization should prepare and keep updated several lists:
- Asset List: a list of all assets owned by the organization that should be kept protected.
- Threat List: the list of all possible threats that may target the organization’s assets, causing any form of undesirable impact.
- Vulnerabilities List: the list of identified weaknesses in the existing assets/environment.
To help prepare complete and accurate lists, a team of members from different divisions with various technical and/or business backgrounds should be formed and assigned the task of preparing them.
After preparing the required lists, each threat on a specific asset should be studied in detail, and the associated risk should be evaluated (risk assessment).
Risk assessment can be Quantitative, Qualitative, or a hybrid of both.
Quantitative Risk Assessment
In this approach, the output comes in the form of numbers. It should contain exact figures for:
- Asset values (AV).
- Amount of probable loss.
- Cost of purchasing / implementing the necessary security control.
- Percentage of efficiency of a security control.
The Quantitative risk assessment process consists of the following steps:
- Preparing an asset list or inventory, with monetary value of each asset.
- Studying the possible threats on each asset.
- Calculating the probability of occurrence of each threat.
- Calculating the amount of loss resulting from each threat.
- Studying the available security controls to mitigate each threat, and the effect of each control if applied.
- Finally, coming out with the cost/benefit analysis for each security control for each threat on each asset.
- For each threat on each asset, coming out with a recommendation on how to handle such a threat.
For Quantitative risk assessment, we need to understand and then calculate some components:
Exposure Factor (EF): the percentage of an asset’s value lost due to a specific threat.
Single Loss Expectancy (SLE): the amount of loss (in USD, Euros, etc.) due to a single occurrence of a specific threat on a certain asset.
SLE = AV x EF
Annual Rate of Occurrence (ARO): how many times a specific threat may occur per year.
Annual Loss Expectancy (ALE): the total amount of loss per year due to all occurrences of a specific threat on a certain asset.
ALE = SLE x ARO
Now, the above calculations should be repeated assuming a certain security control was implemented to mitigate that threat.
The Exposure Factor EF may decrease after implementing the security control, or remain the same as it was before implementing the security control.
Implementing a countermeasure aims also to reduce the possibility of threat occurrence, and hence the frequency of its occurrence. As a result, the ARO should decrease.
The ideal case is that the countermeasure will prevent the threat completely (ARO = 0).
But this is just theoretical. Practical experience tells us that no countermeasure can prevent a threat 100%. There will always be a probability that the threat will succeed in defeating the safeguard and cause some damage.
So, in most cases the ARO will decrease, but not to zero.
Consequently, the ALE will decrease.
The cost of implementing the security control is also needed. That cost should never exceed the value of the asset to be protected.
It would not be reasonable to buy a 30-dollar lock to protect something that is worth 15 dollars!
Now, the final and most important value to calculate: the Cost/Benefit Analysis.
Cost/Benefit Analysis = ALE (before Safeguard) – ALE (after Safeguard) – Annual Cost of Safeguard
If the Cost/Benefit Analysis evaluates to a positive value, then it would be feasible to implement this security control to mitigate that threat on a certain asset. If negative, it will not be feasible.
This analysis should be repeated for each proposed security control mitigating a specific threat on a certain asset. The one with the greatest positive Cost/Benefit value is the best choice for the organization.
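As an added worked example (not part of the article), the quantitative calculations above in Python: SLE, ALE, the Cost/Benefit value of each candidate safeguard, and the selection rule the text describes, including the two feasibility checks (a negative value is not feasible, and the safeguard cost must not exceed the asset value). The asset, threat, and safeguard figures are constructed for illustration, not real data.

```python
from dataclasses import dataclass


@dataclass
class Safeguard:
    name: str
    annual_cost: float  # annual cost of the safeguard
    ef_after: float     # Exposure Factor once the safeguard is in place
    aro_after: float    # Annual Rate of Occurrence once the safeguard is in place


def sle(av: float, ef: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF."""
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annual Loss Expectancy: ALE = SLE x ARO."""
    return sle(av, ef) * aro


def cost_benefit(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Cost/Benefit = ALE(before safeguard) - ALE(after) - annual cost of safeguard."""
    return ale(av, ef, aro) - ale(av, sg.ef_after, sg.aro_after) - sg.annual_cost


def rank_safeguards(av: float, ef: float, aro: float, candidates: list) -> list:
    """Feasible safeguards for one threat on one asset, best first; a safeguard is
    dropped if it costs more than the asset or its Cost/Benefit value is not positive."""
    scored = []
    for sg in candidates:
        if sg.annual_cost > av:  # never pay more than the asset is worth
            continue
        value = cost_benefit(av, ef, aro, sg)
        if value > 0:
            scored.append((sg.name, round(value, 2)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample figures: a file server worth 100,000 USD facing a ransomware
# threat that wipes 40% of its value (EF) about once every two years (ARO = 0.5),
# so ALE before any safeguard is 20,000 USD per year.
AV, EF, ARO = 100_000.0, 0.40, 0.5
CANDIDATES = [
    Safeguard("Offline backups", annual_cost=4_000, ef_after=0.10, aro_after=0.5),
    Safeguard("EDR and patching", annual_cost=9_000, ef_after=0.40, aro_after=0.1),
    Safeguard("Oversized appliance", annual_cost=150_000, ef_after=0.0, aro_after=0.0),
    Safeguard("Posters only", annual_cost=500, ef_after=0.40, aro_after=0.5),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(AV, EF, ARO, CANDIDATES):
        print(f"{name}: Cost/Benefit = {value:,.2f} USD per year")
```

With these figures, offline backups (11,000 USD per year) rank above EDR and patching (7,000 USD); the appliance is rejected for costing more than the asset, and the posters for a negative value.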
In this article, we started talking about Risk Management. In the next article, we will work through a practical example of Quantitative Risk Analysis, and we will also discuss the second method of risk analysis: Qualitative Risk Analysis.