Security Risk Management and Ethics, Chapter 3: Security Risk Assessment
Mohammed Amin Almaiah, University of Jordan
Summary
This document is a chapter on security risk assessment. It covers topics like defining risk assessment, its importance, and different types of risk assessments. The chapter also discusses the critical components of a risk assessment, along with its goals, methods, and best practices. It explains quantitative and qualitative risk assessment methods.
Security Risk Management and Ethics
Chapter Three: Security Risk Assessment
Mohammed Amin Almaiah, Associate Professor, Department of Computer Science, University of Jordan

Chapter 3: Topics
This chapter covers the following topics and concepts:
- What risk assessment is
- What the critical components of a risk assessment are
- What types of risk assessments are available
- Which risk assessment challenges you should address
- What best practices for risk assessment are

Chapter 3: Goals
When you complete this chapter, you will be able to:
- Define risk assessment
- Describe the importance of risk assessment
- Explain when a risk assessment should be performed
- Explain the purpose of a risk assessment and a risk assessment scope
- Explain what is meant by identifying critical areas for a risk assessment
- Identify the main types of risk assessments
- Describe the elements of a quantitative risk assessment and a qualitative risk assessment
- Identify the differences between quantitative and qualitative risk assessments
- Identify the benefits and limitations of quantitative and qualitative risk assessments
- List the challenges with risk assessments

Risk Assessment
A risk assessment (RA), also referred to as "risk analysis," is a process used to identify and evaluate risks. Each risk is then rated by its importance or the severity of its impact, and the risks are prioritized on that basis. Risk assessments are a major part of an overall risk management program: they identify which risks matter most. A major difference between a risk assessment and a risk management program is that the risk assessment captures a moment in time, while a risk management program is a continuous process.

An RA is also used to identify which safeguards to implement. Safeguards are also known as controls. They are used to control or reduce risk.
A control may reduce a vulnerability, or it may reduce the impact of a threat. Either way, the risk is reduced. A risk assessment is performed to identify the most serious risks. Because it prioritizes the risks, you can mitigate the high-priority risks and accept the low-priority ones.

Importance of Risk Assessments
Risk assessments are an important part of the risk management process. Without an RA, it is difficult to determine which systems should be protected, and unclear how to protect them. An RA helps you identify the most important systems to protect and gives you insight into which controls will provide the most value.

An RA should be completed:
When evaluating risk—Risk assessments are part of the overall risk management process and are useful any time risk management is being used, especially when risks need to be prioritized.
When evaluating a control—You can use an RA to evaluate the usefulness of a control. Management cannot approve every control; they will approve some and not others. An RA helps management decide which controls to adopt.
Periodically after a control has been implemented—An RA is a point-in-time document, but risks do not stand still: attackers constantly upgrade their techniques and tactics. Schedule RAs on a regular basis after a control has been implemented to determine whether the control is still useful.

Purpose of a Risk Assessment
Risk assessments are important tools to assist management. They help management quantify risks, identify controls, and evaluate the effectiveness of those controls. Risk assessments tend to:
(1) Support decision making—The RA prioritizes risks, which helps decision makers determine which risks should be reduced. As a reminder, not all risks have to be reduced.
Risks can be avoided, transferred, mitigated, or accepted. High-priority risks should be mitigated; lower-priority risks may be accepted.
(2) Evaluate control effectiveness—You implement controls to reduce a risk. The RA gives insight into how effective specific controls will be against specific risks.

An RA involves many steps. It is not a task you can complete in a single sitting, a single day, or even a single week. When done properly, it involves the input of several key players. The steps involved in the RA are:

Risk Assessment Steps
(1) Identify threats and vulnerabilities—A risk exists where a threat can exploit a vulnerability. Each threat/vulnerability pair you identify is a risk to be assessed.
(2) Identify the likelihood that a risk will occur—This can be based on historical data or on expert opinion. For example, imagine a risk occurred an average of four times a year over the past three years. If no steps are taken to reduce the risk, it will probably occur about four times next year. If historical data is not available, experts can estimate the likelihood of the risk occurring.
(3) Identify asset values—The value of assets helps determine the impact of a risk. Assets can be hardware, software, or data; some risks affect all three.
(4) Determine the impact of a risk—This can also be based on historical data or opinion. Imagine a risk resulted in losses averaging $20,000 a year over the past three years. If no steps are taken to reduce the risk, it will probably cost about $20,000 next year. If historical data is not available, experts can estimate the impact of the risk occurring.
(5) Determine the usefulness of a safeguard or control—Safeguards or controls reduce either the likelihood of a risk or its impact. Some controls are more effective than others; the RA helps determine which ones to implement.
The RA identifies threats and vulnerabilities against the current system and assumes the current controls are working as expected. Another way of saying this is that an RA is performed at a moment in time, based on current conditions. This is unlike risk management as a whole, which is a continuous process; RAs are not continuous.

Critical Components of a Risk Assessment
There are several components to consider when tasking and performing an RA. Three critical steps should be completed early. They identify the major components of the RA and directly affect its success:
- Identify scope.
- Identify critical areas.
- Identify team.

Step One: Identify Scope
The scope identifies the boundary of the RA. Just as the scope of a risk management plan is defined to eliminate scope creep and keep the project on track, the scope of the RA keeps the RA on track.

For example, consider Figure 5-1 (not reproduced in this transcript). The figure shows a Web server configured in a network. The server hosts a Web site that is accessible from the Internet. Customers can access the Web site and make purchases. The Web server hosts the Web site application; however, all the data is hosted on the back-end database server.

You could set the scope to focus only on the Web server. Alternatively, the scope could include the Web server and the database server. It is also possible to include both of the firewalls that form the demilitarized zone (DMZ). Imagine that the Web server was attacked several times in the past year. Some of these attacks crashed the Web site or caused the Web server to fail, but existing controls protected the data on the database server: data was neither accessed inappropriately nor lost. In this example, you may choose not to include the database server. Alternatively, you could include the database server just to confirm that the existing controls will protect against current risks.
There is no right or wrong choice for what is included in the scope. Management can decide to include or exclude anything. The most important point is to make a choice.

Step Two: Identify Critical Areas
The RA also identifies critical areas that should be included. This helps the RA team focus only on what is important. For example, a scope could include a Web server, a database server, and a firewall. The RA could identify the following critical areas:
Web server—Address all elements of the Web server: the hardware, the operating system, and the Web site application. For hardware, focus on any single point of failure (SPOF), that is, any single piece of hardware whose failure can take down the Web site. For the operating system, consider a process that applies updates regularly. For the application, apply best practices to prevent attacks on the Web site, including buffer overflow and SQL injection attacks.
Database server—The database server hosts about 20 databases. Include in the RA only the databases the Web server accesses through the firewall. SQL injection attacks must be considered here, but the primary protection against them is implemented in the Web site application.
Internal firewall—The internal firewall controls all traffic to and from the internal network. You do not need to include all of that traffic in the RA; address only the rules affecting communication between the Web server and the database server.

When you identify critical areas, focus on the areas that matter most to the business. Profitability and survivability were mentioned previously in this chapter; keep these concepts in mind. Some data, such as financial data and customer data, is critical.
Other data, such as public data, does not need the same level of protection. Similarly, some servers or IT services are critical, while others are less so.

Step Three: Identify Team
Risk assessment team personnel should not be the same people who are responsible for correcting deficiencies. This avoids a conflict of interest. For example, imagine that an administrator is responsible for implementing controls on a Web server. His input may be slanted by his desire to implement the control. If disinterested parties provide the input, there is a better chance of getting accurate, objective data.

This is not to say that you should not get input from the responsible department. Its staff probably has excellent insight into the problems and how to fix them. However, when prioritizing risks and determining the usefulness of controls, input from the people who correct deficiencies should not be the deciding factor.

Types of Risk Assessments
When considering an RA, you first need to identify which method to use. The two primary methods used in the IT field are:
(1) Quantitative—An objective method that uses numbers such as actual dollar values. A quantitative RA requires a significant amount of data, and gathering it often takes time. Once the data is available, this type of RA becomes a simple math problem solved with standard formulas.
(2) Qualitative—A subjective method that uses relative values based on the opinions of experts. Experts provide their input on the probability and impact of each risk. A qualitative RA can be completed rather quickly.

Both methods have benefits and limitations, and one sometimes works better than the other in a given situation. When you are aware of the different options, it becomes easier to choose the right method for the right situation.

Quantitative Risk Assessments
A quantitative risk assessment uses numbers such as dollar values.
You gather data and then enter it into standard formulas. The results help you rank the risks, and you can also use them to judge the effectiveness of controls. Some of the key terms associated with quantitative risk assessments are:
Single loss expectancy (SLE)—The total loss expected from a single incident. An incident occurs when a threat exploits a vulnerability. The loss is expressed as a dollar value, such as $5,000, and includes the value of hardware, software, and data.
Annual rate of occurrence (ARO)—The number of times an incident is expected to occur in a year. If an incident occurred once a month in the past year, the ARO is 12. Assuming nothing changes, it is likely to occur 12 times next year.
Annual loss expectancy (ALE)—The expected loss for a year, calculated as ALE = SLE × ARO. Because SLE is given as a dollar value, ALE is also a dollar value. For example, if the SLE is $5,000 and the ARO is 12, the ALE is $5,000 × 12 = $60,000.
Safeguard value—The cost of a control. Controls are used to mitigate risk. For example, antivirus software could cost an average of $50 per computer. If you have 100 computers, the safeguard value is $5,000.

Benefits of Quantitative Risk Assessments
(1) One of the primary benefits of a quantitative RA is that it becomes a simple math problem. This is especially true if you use tools that automate the assessment. Applications are available that let you plug in values for SLE, ARO, and safeguard value; the application then calculates the results and provides a recommendation. Because the application performs the calculations, arithmetic errors are less likely, although the result is still only as accurate as the SLE and ARO values entered.
(2) Another big benefit of a quantitative RA is that it provides a cost-benefit analysis (CBA). When you have accurate values for the SLE, ARO, and safeguard value, you can also calculate the CBA.
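As an added worked example (not part of the chapter), the following Python script carries the SLE, ARO, ALE and safeguard-value terms through to a cost-benefit decision between candidate controls. The SLE of $5,000, the ARO of 12 and the antivirus cost of $50 for 100 computers are the chapter's own figures; the outage risk, the other two controls, their costs and their assumed effect on the ARO are constructed assumptions. The CBA formula used, ALE before the control minus ALE after it minus the control's annual cost, is the standard form and is stated here as an assumption, since the chapter refers to the CBA without restating the formula.

```python
"""Quantitative risk assessment: SLE, ARO, ALE, safeguard value and a
cost-benefit analysis (CBA) for candidate controls.
Added example; the figures below are constructed, not the chapter's data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single loss expectancy: dollars lost per incident
    aro: float   # annual rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy, the chapter's formula ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                 # safeguard value per year
    aro_after: float                   # expected ARO once the control is in place
    sle_after: Optional[float] = None  # expected SLE after the control, if it changes the impact


def safeguard_value(unit_cost: float, units: int) -> float:
    """Safeguard value of a per-seat control, e.g. antivirus at $50 x 100 computers."""
    return unit_cost * units


def ale_with_control(risk: Risk, control: Control) -> float:
    """ALE that remains after the control reduces the ARO and/or the SLE."""
    sle = risk.sle if control.sle_after is None else control.sle_after
    return sle * control.aro_after


def cost_benefit(risk: Risk, control: Control) -> float:
    """CBA = ALE before the control - ALE after it - annual cost of the control.
    Assumption: this is the standard CBA form; the chapter refers to the CBA
    without restating the formula here."""
    return risk.ale - ale_with_control(risk, control) - control.annual_cost


def prioritize(risks):
    """Risks ordered by ALE, largest expected annual loss first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def recommend(risk, controls):
    """Controls worth adopting for this risk: positive CBA only, best first."""
    scored = sorted(((cost_benefit(risk, c), c) for c in controls),
                    key=lambda t: t[0], reverse=True)
    return [c for cba, c in scored if cba > 0]


# Constructed sample data. SLE $5,000 and ARO 12 are the chapter's example values;
# the outage risk and the controls' costs and effects are assumptions.
MALWARE = Risk("Malware infection", sle=5_000, aro=12)   # ALE $60,000
OUTAGE = Risk("Web site outage", sle=8_000, aro=4)       # ALE $32,000
CONTROLS = [
    Control("Antivirus", annual_cost=safeguard_value(50, 100), aro_after=2),  # $5,000/yr
    Control("Application allowlisting", annual_cost=20_000, aro_after=1),
    Control("Outsourced 24x7 SOC", annual_cost=70_000, aro_after=0.5),
]

if __name__ == "__main__":
    for r in prioritize([OUTAGE, MALWARE]):
        print(f"{r.name}: ALE ${r.ale:,.0f}")
    for c in CONTROLS:
        print(f"  {c.name}: CBA ${cost_benefit(MALWARE, c):,.0f}")
    print("Recommended for malware:", [c.name for c in recommend(MALWARE, CONTROLS)])
```

Run it directly to print the risks ranked by ALE and the CBA of each control against the malware risk. A control with a negative CBA (here the outsourced SOC, which costs $70,000 a year to remove about $57,500 of expected loss) costs more than it saves and is dropped from the recommendation, which is exactly the management decision the chapter says a quantitative RA supports.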
The CBA calculation was covered in the previous section.
(3) Management is often familiar with quantitative assessment terminology. Because a quantitative assessment expresses losses in dollar terms, it is easy for management to grasp the details of the assessment and its recommendations.
(4) Last, the formulas use verifiable and objective measurements. If a Web site makes $2,000 in revenue an hour, it will lose that revenue if it is down for one hour. This is not a debatable opinion; it is a verifiable fact.

Qualitative Risk Assessments
A qualitative risk assessment does not assign dollar values. Instead, it determines the level of risk from the probability and impact of each risk, using values gathered from the opinions of experts. Probability and impact are defined as:
Probability—The likelihood that a threat will exploit a vulnerability; the risk occurs when it does. You can use a scale to define the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High, and you can then assign percentage values to these words. For example, you could assign 10 percent to a Low probability and 100 percent to a High probability.
Impact—The negative result if a risk occurs. Impact identifies the magnitude of a risk: the risk results in some type of loss, but instead of quantifying the loss as a dollar amount, an impact assessment uses words such as Low, Medium, or High. These are the same categories used for probability, but where a probability is expressed as a percentage, impact is expressed as a relative value. For example, Low could be 10, Medium 50, and High 100.
You can calculate the risk level with the following formula:
Risk level = Probability × Impact
Here the probability is a percentage applied to the impact value, so a 100 percent probability with an impact of 100 gives a risk level of 100, and a 10 percent probability with an impact of 100 gives a risk level of 10.

NOTE: An important point about the qualitative RA is that you must define the scale. There is no single standard. One company may use three values: Low, Medium, and High. Another may use five: Slight, Slightly Moderate, Moderate, Moderately Severe, and Severe. As long as you define the scale in the RA, any scale can be used. Tables 5-1 and 5-2 (probability and impact scales; not reproduced in this transcript) show one way you could define the scales in an RA. You would assign the values for each of these scales based on currently known threats and vulnerabilities, as well as current controls.

A qualitative analysis can be divided into two sections:
(1) The first section prioritizes the risks.
(2) The second section evaluates the effectiveness of controls.
It is possible to perform both sections at the same time.

(1) Prioritizing the Risk
The goal of this part of the RA is to identify which risks are most important. You do this by assigning probability and impact values to known risks. For example, suppose your company Web site sells company products. Due to some recent outages, you are trying to identify the most important risks to the Web site. Based on feedback from several experts, you have come up with a list, and you now want to prioritize these risks. The risk categories are:
DoS attack—Any denial of service (DoS) or distributed DoS (DDoS) attack that results in an outage.
Web defacing—Modification of the Web site by unauthorized parties.
Loss of data from unauthorized access—Any loss of confidentiality. This could be an attacker accessing customer data or any internal private data. It does not include the loss of public data that is freely available.
Loss of Web site data due to hardware failure—The loss of any Web site data. This can include any data used to show the Web pages to customers, as well as the Web site application used to retrieve the data and format it into Web pages.

Example of Prioritizing the Risk
The Web site is protected in a demilitarized zone (DMZ) and has antivirus (AV) software installed. You could distribute a survey (the survey form is not reproduced in this transcript) to key experts to determine the risks. You can conduct these surveys in several ways: via surveys that are filled out independently, by interviewing experts, or within a meeting but without discussion. Consider what can happen if there is discussion, for example if the boss says "Clearly, loss of data will have a high impact."

After you gather data from the experts, you compile and summarize it. If you assign numerical values to Low, Medium, and High, such as 10, 50, and 100, you can calculate the averages. Table 5-3 (not reproduced in this transcript) shows how the results could look: the average probabilities and impacts are summarized and entered into each box. For example, for the DoS attack the average probability was determined to be 100 and the impact was also determined to be 100, each calculated by averaging the inputs from the different experts. You determine the risk level by multiplying the probability by the impact.

You can present this data graphically in many ways; the risk matrix in Figure 5-2 (not reproduced here) shows one method.

At this point, it is clear that the highest risk is from a DoS attack, with a risk level of 100. The lowest risk level is 3, for the loss of data from unauthorized access. Loss of data sounds as if it would be very important. However, if existing controls and practices have removed most of the risk, the impact is reduced.
For example, all non-public data could already have been removed from the Web site. Someone may still try to break into the Web site to get data, but the impact is Low because the site holds only public data.

On the other hand, the risk of a DoS attack clearly rises to the top as the biggest risk. Given the current controls, the experts agree that the system will be attacked, and they also agree that when it is attacked the impact will be high. The list of risks from most important to least important is:
Priority 1—DoS attack, with a value of 100
Priority 2—Web defacing, with a value of 45
Priority 3—Loss of Web site data due to hardware failure, with a value of 27
Priority 4—Loss of data from unauthorized access, with a value of 3

(2) Evaluating the Effectiveness of Controls
At this point, you could determine which safeguards or controls to apply to the high-impact risks. A survey could help here as well (the control survey form is not reproduced in this transcript). Notice that "Loss of data from unauthorized access" is not included in the survey table. Because the experts agree that it does not present a significant risk, there is no need to mitigate it. Said another way, management in this case has decided to accept the risk.

Just as you can summarize the risks, you can summarize the effectiveness of the controls. Table 5-4 (not reproduced here) shows the presumed results of the survey. As in the other surveys, High has a value of 100, Medium a value of 50, and Low a value of 10.

RAID is an acronym for redundant array of independent disks, also called "redundant array of inexpensive disks." Different RAID configurations allow a system to continue to run even if a disk drive fails; more sophisticated RAID levels allow a system to operate even if more than one drive fails. RAID provides fault tolerance: a fault can occur and the disk subsystem can tolerate it.
It will continue to operate. "IDS" stands for intrusion detection system.

From Table 5-4 you can see that placing the server in the DMZ provides the best protection from a DoS attack, and an IDS also provides a high level of protection. The table helps match the best controls to the individual risks as follows:
DoS attack—Protect with DMZ and/or IDS.
Web defacing—Protect with DMZ.
Loss of Web site data due to hardware failure—Protect with RAID and a backup plan.

Benefits of Qualitative Assessment
A qualitative assessment has several primary benefits:
- It uses the opinions of the experts.
- It is easy to complete.
- It uses words that are easy to express and understand.

Data is gathered from the experts, the people who know the systems best. Their combined system knowledge and experience allows them to identify the source of problems quickly. As long as you have access to the experts, the RA is easy to complete. They do not even need to meet together: you can interview them separately, or give them surveys to complete at their own pace.

The qualitative risk assessment uses scales, which can easily be adapted to the culture of the organization. They allow individuals to understand what the values mean, expressed in words they use every day. This also makes it easier to involve people who are experts in their own field but not experts on security or computers.

Performing an Assessment with the Delphi Method
One commonly used way to perform a qualitative assessment is the Delphi Method. It can be used to gather data and help create or identify a consensus. A primary benefit of the Delphi Method is that it allows individuals to share their opinions freely, without pressure.
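The survey aggregation used in the "Prioritizing the Risk" and "Evaluating the Effectiveness of Controls" sections above, as an added example in Python (not the chapter's own material, and not the textbook's tables): it maps each expert's Low/Medium/High answers onto the defined scale, averages them per risk, computes the risk level as probability times impact, ranks the risks, drops any risk below an acceptance threshold from the control survey, and matches each remaining risk to the controls the experts rate effective. The expert responses and the two thresholds (ACCEPT_BELOW and MIN_EFFECTIVENESS) are constructed assumptions chosen to reproduce the chapter's ordering and control matches; the resulting levels (100, 50, 30, 2) therefore differ from Table 5-3's 100, 45, 27 and 3.

```python
"""Qualitative risk assessment: aggregate expert survey answers, rank the
risks, and match controls to the risks that are not accepted.
Added example; survey answers below are constructed, not the chapter's data."""

# The scale must be defined in the RA (chapter note); these are its example values.
SCALE = {"Low": 10, "Medium": 50, "High": 100}
ACCEPT_BELOW = 5         # assumption: a risk level under this is accepted, not mitigated
MIN_EFFECTIVENESS = 75   # assumption: experts must rate a control roughly "High" to recommend it


def score(word):
    """Numeric value of a survey answer; answers outside the defined scale are rejected."""
    if word not in SCALE:
        raise ValueError(f"{word!r} is not on the defined scale {list(SCALE)}")
    return SCALE[word]


def average(words):
    """Average the experts' answers on the numeric scale."""
    return sum(score(w) for w in words) / len(words)


def risk_level(probability, impact):
    """Risk level = Probability x Impact, with probability taken as a percentage."""
    return probability * impact / 100


def summarize(risk_survey):
    """Per risk: average probability, average impact and risk level (Table 5-3 style)."""
    summary = {}
    for risk, answers in risk_survey.items():
        prob = average([p for p, _ in answers])
        impact = average([i for _, i in answers])
        summary[risk] = {"probability": prob, "impact": impact, "level": risk_level(prob, impact)}
    return summary


def prioritize(summary):
    """Risks ordered from highest to lowest risk level."""
    return sorted(summary.items(), key=lambda kv: kv[1]["level"], reverse=True)


def recommend_controls(summary, control_survey):
    """For every risk that is not accepted, the controls rated effective, best first."""
    picks = {}
    for risk, stats in summary.items():
        if stats["level"] < ACCEPT_BELOW:
            continue  # accepted risk: it is left out of the control survey
        rated = [(average(words), ctl) for ctl, words in control_survey[risk].items()]
        rated.sort(key=lambda t: t[0], reverse=True)   # stable: ties keep survey order
        picks[risk] = [ctl for eff, ctl in rated if eff >= MIN_EFFECTIVENESS]
    return picks


# Constructed survey data: four experts, (probability, impact) per risk.
RISK_SURVEY = {
    "DoS attack": [("High", "High")] * 4,
    "Web defacing": [("Medium", "High")] * 4,
    "Loss of Web site data due to hardware failure":
        [("Medium", "High"), ("Medium", "High"), ("Low", "High"), ("Low", "High")],
    "Loss of data from unauthorized access":
        [("Medium", "Low"), ("Low", "Low"), ("Low", "Low"), ("Low", "Low")],
}

# Constructed control survey: how effective each expert rates a control against a risk.
CONTROL_SURVEY = {
    "DoS attack": {"DMZ": ["High"] * 4, "IDS": ["High", "High", "High", "Medium"],
                   "RAID": ["Low"] * 4, "Backup plan": ["Low"] * 4},
    "Web defacing": {"DMZ": ["High"] * 4, "IDS": ["Medium"] * 4,
                     "RAID": ["Low"] * 4, "Backup plan": ["Medium"] * 4},
    "Loss of Web site data due to hardware failure": {
        "DMZ": ["Low"] * 4, "IDS": ["Low"] * 4, "RAID": ["High"] * 4, "Backup plan": ["High"] * 4},
}

if __name__ == "__main__":
    summary = summarize(RISK_SURVEY)
    for rank, (risk, s) in enumerate(prioritize(summary), start=1):
        print(f"Priority {rank}: {risk} (probability {s['probability']:.0f}, "
              f"impact {s['impact']:.0f}, risk level {s['level']:.0f})")
    for risk, controls in recommend_controls(summary, CONTROL_SURVEY).items():
        print(f"{risk}: protect with {' and/or '.join(controls)}")
```

Two design points worth noting. An answer that is not on the defined scale raises an error instead of being silently scored, which enforces the chapter's note that the scale must be defined in the RA before any survey goes out. And the accepted risk is excluded from the control survey by threshold rather than by hand, so the decision to accept it is recorded in one place and is reproducible when the RA is repeated.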
Instead of all the participants talking through an issue in a meeting, responses are gathered independently. The Delphi Method can be accomplished in several ways. One way is to work through the following steps:
1. Identify a problem. This can be a single IT system or a group of servers. The problem should be within the knowledge of the experts you will add to the team. For example, the problem could be related to the Web site failures and stated as: Web Server1 has suffered four failures in the past year, resulting in losses.
2. Gather input from experts. Send the problem to the group of experts and ask them to respond. For the Web server failure, you could ask them to identify the primary risks. If you have an idea of the causes, you can then ask them to rate the probability and impact of each. Once you know the highest risks, you can repeat the process to identify the best solutions.
3. Collate the responses. The responses will take different forms in different phases: a list of risks, a prioritized list of risks, or a list of controls to mitigate the risks.
4. Share the results. This will also look different depending on the phase you are in. If you have just collated a list of risks, you can now ask the team to identify the probability and impact of each risk. When you start working on the controls, you can repeat the process: ask for a list of controls to mitigate the risk, then ask the team to rate the effectiveness of the different controls against specific risks.
5. Repeat as necessary. Repeat the process until all the data is gathered.

Sample Risk Assessment Report
A risk assessment ends with a report. Management can then use this report to decide which controls to implement.
The following topics are commonly included in a risk assessment report:
Introduction—Provides the purpose and scope of the risk assessment, including descriptions of the components, users, and locations of the system considered in the RA.
Risk assessment approach—Identifies the approach used to complete the RA, including how the data was collected and who was involved. If a qualitative approach was used, it describes the risk scale.
System characterization—Provides more detail on the system, such as the hardware, software, and network connections. It may include diagrams of the assessed system.
Threat statement—Lists potential threats, threat sources, and threat actions. For example, one threat may be an attacker launching a denial of service (DoS) attack on an Internet-facing server.
Risk assessment results—Results can be listed as vulnerability/threat pairs, each representing a risk. Each risk is described together with the existing security controls and the likelihood of the risk occurring with those controls in place. How the risks are described depends on the analysis used: a quantitative method uses terms such as SLE, ARO, and ALE, while a qualitative method identifies probability and impact on a defined scale. All of this data is supported with discussion of how each result was obtained.
Control recommendations—A list of recommended safeguards or controls, which can include comments on their effectiveness. A quantitative method is often accompanied by a CBA for each control; a qualitative method often ranks the effectiveness of each control.
Summary—One or more tables that summarize the results.
This format makes it easy for management to see the highest risks based on the risk rating, and to approve any of the recommendations.

Best Practices for Risk Assessment
The following list identifies several best practices for risk assessment approaches:
Start with clear goals and a defined scope—Ensure that you know what you want to achieve with the assessment. A risk assessment should include a scope statement, which keeps the assessment on track and prevents scope creep.
Ensure senior management support—Senior management needs to be committed to the RA. Without that support, the RA loses value: when RA teams realize the RA is not valued, they put less time and effort into it. An assessment without senior management support is almost doomed from the outset.
Build a strong RA team—The value of the RA depends on the competence and expertise of the team. Team members should have expertise in the system. For example, in a qualitative analysis, data gathered from personnel who are not experts is worth less than data from those who are. Team members should also understand the methodology used for the RA.
Repeat the RA regularly—Threats, risks, and vulnerabilities are constantly evolving, so an RA should be repeated on a regular basis. Some federal agencies require RAs to be repeated at least every three years. Many organizations create a risk assessment policy that identifies what the organization is expected to do on a recurring basis; it can also define generic goals for any risk assessment.
Define a methodology to use—If you consistently use the same methodology, people become better at it. For example, your company could decide to use qualitative risk assessments on a regular basis. If so, you should also define the scales to be used.
When assessments are done the same way, they are easier to accomplish and tend to produce higher-quality results.
Provide a report of clear risks and clear recommendations—Every risk assessment should end with a report that clearly states its findings. It is important that the risks are clearly defined, and even more important that the recommendations are clear. The whole purpose of the RA is ultimately to mitigate risks with recommended controls; if the recommendations are not clear, the report loses much of its value.

End