Explain Risk-Related Concepts
- Control types
- False positives
- Importance of policies in reducing risk
- Risk calculation
- Quantitative versus qualitative
- Risk-avoidance, transference, acceptance, mitigation, deterrence
- Risks associated to cloud computing and virtualization
Risk Responses
Risk management deals with the alignment of five potential responses with an identified risk:
- Acceptance: Recognizing a risk, identifying it, and then accepting that it is sufficiently unlikely or of such limited impact that corrective controls are not warranted. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.
- Avoidance: Elimination of the vulnerability that gives rise to a particular risk so that it is avoided altogether. This is the most effective solution, but often not possible due to organizational requirements. Eliminating email to avoid the risk of email-borne viruses is an effective solution but not likely to be a realistic approach in the modern enterprise.
- Mitigation/Deterrence: Risk mitigation involves the reduction in likelihood or impact of a risk’s exposure. Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated. Most risk management decisions focus on mitigation and deterrence, balancing costs and resources against the level of risk and mitigation that will result.
- Transference: A risk or the effect of its exposure may be transferred by moving to hosted providers who assume the responsibility for recovery and restoration or by acquiring insurance to cover the costs emerging from equipment theft or data exposure.
Types of Controls
You can apply three general types of controls to mitigate risks, typically by layering defensive controls to protect data with multiple control types when possible. This technique is called a layered defensive strategy or “defense in depth.”
The three types of controls include the following:
- Management: Management or administrative controls include business and organizational processes and procedures, such as security policies and procedures, personnel background checks, security awareness training, and formal change-management procedures.
- Technical: Technical controls include logical access control systems, security systems, encryption, and data classification solutions.
- Operational: Operational controls include organizational culture as well as physical controls that form the outer line of defense against direct access to data, such as protection of backup media; securing output and mobile file storage devices; and facility design details including layout, doors, guards, locks, and surveillance systems.
Identifying Vulnerabilities
Many risks to enterprise networks relate to vulnerabilities present in system and service configurations and to network and user logon weaknesses. For the exam, you should be familiar with some of the more common tools used to conduct vulnerability assessments, including the following:
- Port scanners: This software utility scans a single machine or a range of IP addresses, checking for a response on service ports. A response on port 80, for example, might reveal the operation of an HTTP host. Port scanners are useful in creating an inventory of services hosted on networked systems. When applied to test ports on a single system, this is termed a port scan, whereas a scan across multiple hosts is referred to as a port sweep.
- Vulnerability scanners: This software utility scans a range of IP addresses, testing for the presence of known vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of vulnerability.
- Protocol analyzers: This software utility is used on a hub, a switch supervisory port, or in line with network connectivity to enable the analysis of network communications. Individual protocols, specific endpoints, or sequential access attempts can be identified using this utility, which is often referred to as a packet sniffer.
- Network mappers: Another software utility used to conduct network assessments over a range of IP addresses, the network mapper compiles a listing of all systems, devices, and network hardware present within a network segment. This information can be used to identify simple points of failure, to conduct a network inventory, and to create graphical details suitable for reporting on network configurations.
- Password crackers: This software utility allows direct testing of user logon password strength by conducting a brute-force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Password crackers should provide only the relative strength of a password, rather than the password itself, to avoid weakening logon responsibility under evidentiary discovery actions.
Identifying Risk
Risk is the possibility of loss or danger. Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level. Risk analysis helps align security objectives with business objectives. Here, we deal with how to calculate risk and return on investment. Risk comes in a variety of forms. Risk analysis identifies risks, estimates the effect of potential threats, and identifies ways to reduce the risk without the cost of the prevention outweighing the risk.
Measuring Risk
The annual cost of prevention against threats is compared to the expected cost of loss—a cost/benefit comparison. To calculate costs and return on investment, you must first identify your assets, the threats to your network, your vulnerabilities, and what risks result. For example, a virus is a threat; the vulnerability would be not having antivirus software; and the resulting risk would be the effects of a virus infection. All risks have loss potential. Because security resources will always be limited in some manner, it is important to determine what resources are present that may need securing. Then, you need to determine the threat level of exposure that each resource creates and plan your network defenses accordingly.
Asset Identification
Before you can determine which resources are most in need of protection, it is important to properly document all available resources. A resource can refer to a physical item (such as a server or piece of networking equipment), a logical object (such as a website or financial report), or even a business procedure (such as a distribution strategy or marketing scheme). Sales demographics, trade secrets, customer data, and even payroll information could be considered sensitive resources within an organization. When evaluating assets, consider the following factors:
- The original cost
- The replacement cost
- Its worth to the competition
- Its value to the organization
- Maintenance costs
- The amount it generates in profit
After you have identified and valued assets, an appropriate dollar amount can be spent to help protect those assets from loss.
The Risk and Threat Assessment
After assets have been identified, you must determine the assets’ order of importance and which assets pose significant security risks. During the process of risk assessment, it is necessary to review many areas, such as the following:
- Methods of access
- Authentication schemes
- Audit policies
- Hiring and release procedures
- Isolated and non-redundant systems and services that may provide a single point of failure or avenue of compromise
- Data or services requiring special backup or automatic failover support
Risk assessment should include planning against both external and internal threats. An insider familiar with an organization’s procedures can pose a very dangerous risk to network security.
During a risk assessment, it is important to identify potential threats and document standard response policies for each. Threats may include the following:
- Direct access attempts
- Automated cracking agents
- Viral agents, including worms and Trojan horses
- Released or dissatisfied employees
- Denial-of-service (DoS) attacks or overloaded capacity on critical services
- Hardware or software failure, including facility-related issues such as power or plumbing failures
Likelihood
When examining threat assessment, you have to consider the likelihood that the threats you’ve identified might actually occur. To gauge the probability of an event occurring as accurately as possible, you can use a combination of estimation and historical data. Most risk analyses use a fiscal year to set a time limit of probability and confine proposed expenditures, budget, and depreciation.
The National Institute of Standards and Technology (NIST) 800.30 document suggests measuring likelihood as High, Medium, or Low based on the motivation and capability of the threat source, the nature of the vulnerability, and the existence and effectiveness of current controls to mitigate the threat. Often the three values are translated into numerical equivalents for use in quantitative analytical processes: High (1.0), Medium (0.5), Low (0.1).
Responses must be coupled to the likelihood determined in the risk analysis, such as identifying the need to put corrective measures in place as soon as possible for all High-level threats, whereas Medium-level threats might only require an action plan for implementation as soon as is reasonable, and Low-level threats might be dealt with as possible or simply accepted.
Calculating Risk
To calculate risk, use this formula:
Risk = Threat × Vulnerability
To help you understand this, let’s look at an example using DoS attacks. Firewall logs indicate that the organization was hit hard one time per month by a DoS attack in each of the past six months. You can use this historical data to estimate that it’s likely you will be hit 12 times per year. This information helps you calculate the single loss expectancy (SLE) and the annual loss expectancy (ALE).
SLE equals asset value multiplied by the threat exposure factor or probability. The formula looks like this:
Asset value × Probability = SLE
The exposure factor or probability is the percentage of loss that a realized threat could have on a certain asset. In the DoS example, let’s say that if a DoS were successful, 25% of business would be lost. The daily sales from the website are $100,000, so the SLE would be $25,000 (SLE = $100,000 × .25). The possibility of certain threats is greater than that of others. Historical data presents the best method of estimating these possibilities.
After you calculate the SLE, you can calculate the ALE. This gives you the probability of an event happening over a single year’s time. This is done by calculating the product of the SLE and the value of the asset. ALE equals the SLE times the ARO (annualized rate of occurrence):
SLE × ARO = ALE
The ARO is the estimated possibility of a specific threat taking place in a one-year time frame. When the probability that a DoS attack will occur is 50%, the ARO is 0.5. Going back to the example, if the SLE is estimated at $25,000 and the ARO is .5, our ALE is 12,500. ($25,000 × .5 = $12,500). Spending more than $12,500 might not be prudent because the cost would outweigh the risk.
Calculating Reduced Risk on Investment
Return on investment is the ratio of money realized or unrealized on an investment relative to the amount of money invested. Because there are so many vulnerabilities to consider and so many different technologies available, calculating the ROI for security spending can prove difficult. The formulas present too many unknowns. Many organizations don’t know how many actual security incidents have occurred, nor have they tracked the cost associated with them.
One method that might be helpful in this area is called reduced risk on investment (RROI). This method enables you to rank security investments based on the amount of risk they reduce. Risk is calculated by multiplying potential loss by the probability of an incident happening and dividing the result by the total expense:
RROI = Potential loss × (Probability without expense – Probability with expense) / Total expense
By using this formula, you can base alternative security investments on their projected business value.
Another approach is to look at security as loss prevention. It can be equated to loss prevention in that attacks can be prevented. ROI is calculated using the following formula:
ROI = Loss prevented – Cost of solution
If the result of this formula is a negative number, you spent more than the loss prevented.
Qualitative versus Quantitative Measures
Quantitative measures allow for the clearest measure of relative risk and expected return on investment or risk reduction on investment. Not all risk can be measured quantitatively, though, requiring qualitative risk assessment strategies. The culture of an organization greatly affects whether its risk assessments can be performed via quantitative (numerical) or qualitative (subjective/relative) measures.
Qualitative risk assessment can involve brainstorming, focus groups, surveys, and other similar processes to determine asset worth and valuation to the organization. Uncertainty is also estimated, allowing for a relative projection of qualitative risk for each threat based on its position in a risk matrix plotting the Probability (Low to High) and Impact (Low to High) of each. It is possible to assign numerical values to each state (Very Low = 1, Low = 2, Moderate = 3, and so on) so that a quasi-quantitative analysis can be performed, but because the categories are subjectively assigned, the result remains a qualitative measure.
Quantitative measures tend to be more difficult for management to understand, require very intensive labor to gather all related measurements, and are more time consuming to determine. Qualitative measures tend to be less precise, more subjective, and difficult to assign direct costs for measuring ROI/RROI.
Risk Reduction Policies
To ensure that proper risk management and incident response planning is coordinated, updated, communicated, and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users through regular security-awareness training. Policies of which the users have no knowledge are rarely effective, and those that lack management support can prove to be unenforceable.
A number of policies support risk-management practices within the enterprise, including the following:
- Privacy
- Acceptable use
- Storage and retention
- Secure disposal
- Account provisioning
- Least privilege
- Separation of duties
- Mandatory vacations
- Job rotation
Privacy
Privacy-sensitive information is referred to as personally identifiable information (PII). This is any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. Examples of PII are name, address, phone number, fax number, email address, financial profiles, Social Security number, and credit card information. For many organizations, privacy policies are mandatory, have detailed requirements, and carry significant legal penalties (for example, entities covered under the Health Insurance Privacy and Portability Act).
To be considered PII, information must be specifically associated with an individual person. Information provided either anonymously or not associated with its owner before collection is not considered PII. Unique information, such as a personal profile, unique identifier, biometric information, and IP address that is associated with PII, can also be considered PII.
The California Online Privacy Protection Act of 2003 (OPPA), which became effective on July 1, 2004, requires owners of commercial websites or online services to post a privacy policy. OPPA requires that each operator of a commercial website conspicuously post a privacy policy on its website. The privacy policy itself must contain the following features:
- A list of the categories of PII the operator collects
- A list of the categories of third parties with whom the operator might share such PII
- A description of the process by which the consumer can review and request changes to his or her PII collected by the operator
- A description of the process by which the operator notifies consumers of material changes to the operator’s privacy policy
- The effective date of the privacy policy
Other federal and state laws might apply to PII. In addition, other countries have laws as to what information can be collected and stored by organizations. As with most of the information in this chapter, it is imperative that you know the regulations that govern the digital terrain in which your organization operates. The organization then has an obligation to put proper policies and procedures in place.
Acceptable Use
An organization’s acceptable use policy must provide details that specify what users may do with their network access. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. It is important to provide users the least possible access rights while allowing them to fulfill legitimate actions.
An acceptable use policy should contain these main components:
- Clear, specific language
- Detailed standards of behavior
- Detailed enforcement guidelines and standards
- Outline of acceptable and not acceptable uses
- Consent forms
- Privacy statement
- Disclaimer of liability
The organization should be sure the acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk to the company by employee misuse of resources. Upon logon, show a statement to the effect that network access is granted under certain conditions and that all activities may be monitored. This way you can be sure that any legal ramifications are covered.
Storage and Retention
Retention and storage documentation should outline the standards for storing each classification level of data. Take, for example, the military levels of data classification used in their mandatory access control strategy (MAC). Here, documentation would include directions and requirements for handling and storing the following types of data:
- Unclassified
- Sensitive
- Confidential
- Secret
- Top secret
Policies for data should include how to classify, handle, store, and destroy it. The important point to remember here is to document your security objectives. Then, change and adjust that policy when and as needed. There might be a reason to make new classifications as business goals change, but make sure this gets into your documentation. This is an ongoing, ever-changing process.
Log files, physical records, security evaluations, and other operational documentation should be managed within an organization’s retention and disposal policies. These should include specifications for access authorization, term of retention, and requirements for disposal. Depending on the relative level of data sensitivity, retention and disposal requirements can become extensive and detailed.
The organization should have a legal hold policy in place, have an understanding of statutory and regulatory document retention requirements, understand the varying statutes of limitations, and maintain a records-retention and destruction schedule.
Secure Disposal
ISO 17799, particularly sections 7 and 8, has established standards for dealing with the proper disposal of obsolete hardware. Standards dictate that equipment owned or used by the organization should be disposed of only in accordance with approved procedures, including independent verification that the relevant security risks have been mitigated. This policy addresses issues that you should consider when disposing of old computer hardware, for recycle, disposal, donation, or resale.
The most prominent example of a security risk involved is that the hard disk inside the computer has not been completely or properly wiped. There are some concerns about data erasure sufficiency in new solid-state drives (SSDs) that might require organizations to totally destroy drivers rather than simply erasing them for normal disposal channels.
When implementing a policy on the secure disposal of outdated equipment, you need to consider a wide range of scenarios, such as the following:
- Breaches of health and safety requirements.
- Inadequate disposal planning results in severe business loss.
- Remnants of legacy data from old systems might still be accessible.
- Disposal of old equipment that is necessary to read archived data.
- Theft of equipment in use during clean-up of unwanted equipment.
Besides properly disposing of old hardware, removable media disposal is just as important. There is a proper way to handle removable media when either the data should be overwritten or is no longer useful or pertinent to the organization.
The following methods are acceptable to use for some forms of media sanitation:
- Declassification: A formal process of assessing the risk involved in discarding particular information.
- Sanitization: The process of removing the contents from the media as fully as possible, making it extremely difficult to restore.
- Degaussing: This method uses an electrical device to reduce the magnetic flux density of the storage media to zero.
- Overwriting: This method is applicable to magnetic storage devices.
- Destruction: The process of physically destroying the media and the information stored on it. For flash drives and other solid-state non-ferric removable storage, this might prove to be the only solution acceptable under certain controls and legal mandates.
Data Labeling, Handling, and Disposal
An organization’s information sensitivity policy defines requirements for the classification and security of data and hardware resources based on their relative level of sensitivity. Some resources, such as hard drives, might require very extensive preparations before they can be discarded. Data labeling and cataloguing of information stored on each storage device, tape, or removable storage system becomes critical to identifying valuable and sensitive information requiring special handling.
Organizational data assets might also fall under legal discovery mandates, so a careful accounting is vital to ensure that data can be located if requested and is protected against destruction or recycling if it must be provided at a later time. Proper labeling also ensures that data storage media can be properly processed for reuse or disposal, where special requirements for sensitive data might require outright destruction of the storage device and logging of its destruction in the inventory catalog.
Account Provisioning
Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies, especially privacy issues, legal issues, and HR enforcement language. Legal and HR review of policies is required in many, if not most, organizations.
Security planning must include procedures for the creation and authorization of accounts (provisioning) for newly hired personnel and the planned removal of privileges (de-provisioning) following employment termination. When termination involves power users with high-level access rights or knowledge of service administrator passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization.
The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies and the sanctions that might be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees should subscribe, particularly power users with broad administrative rights.
Least Privilege
Policies addressing access rights for user accounts must mandate that only the minimum permissions necessary to perform work should be assigned to a user. This protects against unauthorized internal review of information as well as protecting against inadvertently enacted viral agents running with elevated permissions.
Separation of Duties
Too much power can lead to corruption, whether it is in politics or network administration. Most governments and other organizations implement some type of a balance of power through a separation of duties. It is important to include a separation of duties when planning for security policy compliance. Without this separation, all areas of control and compliance may be left in the hands of a single individual. The idea of separation of duties hinges on the concept that multiple people conspiring to corrupt a system is less likely than a single person corrupting it. Often, you will find this in financial institutions, where to violate the security controls all the participants in the process have to agree to compromise the system.
Mandatory Vacations and Job Rotation
Users should be required to take mandatory vacations and rotate positions or functional duties as part of the organization’s security policy. These policies outline the manner in which a user is associated with necessary information and system resources and that access is rotated between individuals. There must be other employees who can do the job of each employee so that corruption does not occur, cross-checks can be validated, and the effect of personnel loss is minimized. It is imperative that all employees are adequately cross-trained and only have the level of access necessary to perform normal duties (least privilege).
Cram Quiz
Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
A risk has the following calculated values (SLE = $1,500, ARO = 5). What is the maximum amount that should be spent to fully mitigate the costs of this risk?
- A. $300
- B. $500
- C. $1,500
- D. $7,500
Regarding qualitative versus quantitative measures, which of the following statements is true?
- A. Quantitative measures evaluate risk based on a subjective assessment.
- B. Qualitative measures are less precise.
- C. Qualitative measures are easier to measure for ROI/RROI.
- D. Quantitative measures are always better than qualitative measures.
If a risk has the following measures (Asset value = $50, Probability = 10%, ARO = 100), and the mitigation costs $100 per year, what is the expected ROI?
- A. $400
- B. $500
- C. $600
- D. $700
- What is the likelihood of a risk requiring corrective actions planned for implementation in a reasonable period of time?
- A. Very High
- B. High
- C. Medium
- D. Low
Cram Quiz Answers
- D. The ALE = SLE ($1,500) × ARO (5) = $7,500. Spending more than $7,500 to mitigate the threat without other cause such as a regulatory or legal mandate would be without return. Answers A, B, and C present too low a figure and are all incorrect.
- B. Because qualitative measures are based on subjective values, they are less precise than quantitative measures. Answer A is incorrect because quantitative measures rely on numerical values rather than subjective ones. Answer C is incorrect because qualitative measures are harder to assign numerical values and so more difficult to determine ROI. Answer D is incorrect because each form of analysis has its own benefits and neither is always better in all situations than the other.
- A. The single loss expectancy (SLE) can be calculated as the product of the asset value ($50) times the probability of loss (.1) or SLE=$5/year. The annualized rate of occurrence (ARO) is 100 times per year, so the annualized loss expectancy (ALE) is SLE ($5) times the ARO (100) or ALE=$500/year. Because the cost of mitigation is $100 per year, the ROI is equal to the loss prevented (ALE = $500) less the cost of the solution ($100) or ROI = $400. Answers B, C, and D all present potential values higher than $400 and are incorrect.
- C. A Medium-level risk likelihood warrants implementation of controls as soon as is reasonable. Answer A is incorrect because variations between High and Very High are not based on recognized standards such as the NIST 800.30 and instead reflect categories assigned within an organization based on its own criteria. Answer B is incorrect because High-level threats should be corrected as soon as possible, whereas Low-level threats can be dealt with when time allows or be simply accepted, making answer D incorrect as well.