Presented at the 30th Annual Minnesota Government IT Symposium on December 7, 2011, this talk by Matthew J. Harmon of IT Risk LTD., LLC lays out a structured approach for organizations to identify, analyze, and manage IT risks. Harmon draws on industry standards and real-world examples to demonstrate how a disciplined risk assessment process can both prevent loss and add strategic value.
About the Presenter
Matthew J. Harmon, Owner & Security Researcher at IT Risk LTD., LLC. Certifications: GSEC, GCIH, CISSP, CISA, ISO 27001 Lead Auditor. Roles included ISO JTC 1 / SC 31 / US TAG 7 “Security” Chairman, ISO JTC 1 / SC27 “IT Security Techniques” Liaison, and SANS Mentor Instructor. Contact: matthew@itriskltd.com.
What Is an IT Risk Assessment?
Two definitions frame the discussion:
“An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of the occurrence of those events. The purpose of a risk assessment is to determine if countermeasures (controls) are adequate to reduce the probability of loss or the impact of loss to an acceptable level.” – Department of the Navy (OPNAVINST 5239.1A), 1980.
“Overall process of risk identification, risk analysis, risk evaluation.” – ISO Guide 73:2009.
What Does an IT Risk Assessment Accomplish?
IT Risk Assessments identify areas of potential loss and their impact on the organization’s mission. They put an organization’s IT infrastructure into context with the organization’s objectives. They give senior management crucial information including threats, vulnerabilities, and where controls are lacking. IT Risk Assessments help prevent loss, increase value, and increase organizational resiliency.
Terms and Definitions
Threat (or threat agent): Anything that is capable of acting against an asset in a manner that can result in harm (FAIR). The means through which the ability or intent of a threat agent to adversely affect an automated system, facility, or operation can be manifest (NIATEC). A threat agent has Capability, Intent, and History (OWASP).
Vulnerability: A weakness that could be exploited by a threat. The presence of a vulnerability does not in itself cause harm (NIATEC).
Impact: To have an effect upon the confidentiality, integrity, or availability of an asset.
Risk: A function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (NIST 800-30). Or as Harmon put it: “how long can you get away without patching before something bad happens.”
References: NIATEC (niatec.info), FAIR (fairwiki.riskmanagementinsight.com), OWASP (https://www.owasp.org/index.php/Category:Threat_Agent), FIPS 199 (2004, http://csrc.nist.gov/publications/fips), NIST SP 800-30 “Risk Management Guide for Information Technology Systems.”
Getting Into the Mindset
Risk assessments revolve around threats, vulnerabilities, likelihood, and controls. They should prevent loss and generate value. Risk assessments can be applied to anything and should be – every project, activity, product, and investment should have a risk assessment. It is a key component of decision making.
Popular Frameworks
- NIST 800-30: “Risk Management Guide for IT”
- ISO 27005: Security Techniques – Information Security Risk Management
- ISO 31010: Risk Management – Risk Assessment Techniques
- FAIR: “Factor Analysis of Information Risk”
- CERT at Carnegie Mellon University’s OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
Risk Assessment Process (Plan-Do-Check-Act)
Following ISO/IEC 27001 and Julia H. Allen’s Software Engineering Institute guidance (https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/deployment/574-BSI.html):
- Plan: Establish context, perform risk assessment, develop risk treatment plan, risk acceptance
- Do: Implement the risk treatment plan
- Check: Monitor and review risks
- Act: Maintain and improve
Risk Assessment Plan
- Identify critical assets and business processes
- Identify threat agents and attack surface
- Identify vulnerabilities and exposure
- Identify scenarios where critical assets are vulnerable to threat agents and what would be necessary to stop the attacks
- How likely are the identified scenarios? Does stopping the attack cost more than the loss it would prevent?
- Compare what is necessary to the current state
The risk management process follows ISO/IEC 27005 “Information Security Risk Management” and NIST SP 800-30’s Risk Assessment Activities framework, incorporating data criticality and data sensitivity as part of data classification.
The Value of a Risk Assessment
Your best assurance and confidence booster is to actually implement the controls you identified as necessary during the assessment. Confidence in risk assessments comes from the knowledge that your findings result in actions that help support the organizational mission.
Establishing Context
Define scope and boundaries. Understand the organizational mission and values. Assemble your team: Senior Management, Chief Information Officer (CIO), Information Systems Security Officer (ISSO), Business and Functional Managers, IT Security Practitioners, and System and Information Owners.
How to Identify and Characterize Assets
Critical assets are those things which support the core mission. Data assets include names, identifiers, location, demographic, medical, employment, education, criminal history, trade secrets, deliberative process, and intellectual property. Ask: what processes would stop without IT? (Look at Disaster Recovery efforts.) Where does IT support business? (Look at Sarbanes-Oxley IT processes, workflows, and procedures.)
Reference: Ortwin Renn, “A Model for an Analytic-Deliberative Process in Risk Management,” Center of Technology Assessment, Stuttgart, Germany, 1999 (http://pubs.acs.org/doi/abs/10.1021/es981283m).
Threat Identification
Build scenarios around who, what, where, why, when, and how. Intel’s Threat Agent (TARA) Library provides 22 attributes organized around:
- Intent: Non-hostile (reckless behavior, untrained employee) or hostile (competitor, government spy, disgruntled employee, activist, thief, vandal, vendor)
- Access: Internal or external
- Outcome: Theft, business advantage, damage, embarrassment, technical advantage, etc.
- Capability: Resources, experience, and more
Reference: Intel’s “Threat Agent Library” (http://www.intel.com/it/pdf/threat-agent-library.pdf).
Threat categories include physical damage, natural events, loss of essential services, compromise of information, and technical failure. Real-world examples matter: a server dropped while being moved, tornado damage, extended power outages.
Vulnerability Identification
Vulnerabilities are exposed areas with ineffective controls to prevent damage by a threat agent. Examples: software vulnerabilities left unpatched allow bypassing computer controls; security badges left on a restaurant table allow bypassing single-factor physical security controls; building a data center in a flood plain allows environmental conditions to impact availability.
Vulnerability scanning tools:
- Nessus (by Tenable) for operating system vulnerabilities – tenable.com/products/nessus
- Nipper (by Titania) for firewall rules – titania-security.com/nipperstudio
- Netsparker (by Mavituna Security) for web applications – mavitunasecurity.com/netsparker/
Vulnerability databases:
- National Vulnerability Database: nvd.nist.gov
- Open Source Vulnerability Database: osvdb.org
Disclaimer: Never run security tools on a production network without appropriate permission and training.
Penetration tests simulate real attacks and should use a standard such as the Penetration Testing Execution Standard (www.pentest-standard.org).
IT Audit evaluates the effectiveness and coverage of process, procedure, and standards such as FISMA, Payment Card Industry (PCI), and DPA (Data Protection Act). References: FISMA Controls (csrc.nist.gov/groups/SMA/fisma/).
Start with a known good configuration such as the United States Government Configuration Baseline (USGCB) and then add features. Reference: usgcb.nist.gov.
Identifying Impact
Direct Impacts:
- Replacement cost and operationalizing an asset
- Cost of suspended operations
- A security breach
Indirect Impacts:
- Reallotment of resources (opportunity cost)
- Potential misuse of information (data) obtained
- Violations of regulatory obligations
Impact Analysis
What is harmed or lost?
- Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
- Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity
- Availability: Ensuring timely and reliable access to and use of information
- Other losses: life, income, property
Reference: FIPS 199, 2004 (http://csrc.nist.gov/publications/fips).
Identifying Controls
Control groups include:
- People: Policies and procedures, training and awareness, physical security
- Technology: Firewalls, intrusion detection systems, configuration management
- Operations: Security policies, system certification and accreditation
Five major types of controls exist (a control may include multiple types):
| Type | Purpose | Example |
|---|---|---|
| Directive | Provides guidance | Policies and procedures, login banner warnings |
| Preventive | Discourage or pre-empt errors | Configuration management, encrypting data, backups |
| Detective | Uncover undesirable actions | Intrusion detection, reporting account lockouts |
| Compensating | Makes up for a missing control elsewhere | “Creative controls” |
| Corrective | Corrects problems after discovery | Training, restoring from backups, account lockouts |
References: Carolyn L. Lousteau and Mark E. Reid, The CPA Journal, 2006 (http://www.nysscpa.org/cpajournal/2003/0103/features/f013603.htm). David Hoelzer, SANS IT Audit Blog (http://it-audit.sans.org/blog/2009/09/15/fundamental-it-audit-controls/comment-page-1/).
The 20 Critical Security Controls
Industry and government experts identified 20 Critical Security Controls every organization should deploy, broken into four areas:
- Quick Wins: Fundamental aspects of information security
- Improved Visibility: Sub-controls focusing on improving monitoring
- Hardened Configuration / Hygiene: Reducing the attack surface
- Advanced: Further improving IT above and beyond
The first 15 controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Maintenance, Monitoring, and Analysis of Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on the Need to Know
- Continuous Vulnerability Assessment and Remediation
- Account Monitoring and Control
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Wireless Device Control
- Data Loss Prevention
All 20 map back to NIST 800-53 (FISMA). Reference: http://www.sans.org/critical-security-controls/guidelines.php.
Measuring Risk
The constants are threats, vulnerabilities, and controls. Two common formulas:
- Risk = Threat x Vulnerability x Cost (or Impact)
- Risk = Threat x Vulnerability x Data Classification
The field is still coming out of alchemy and into science. The formulas frequently described are not meant to be used literally but instead to describe multipliers. It is assumed that data classification has taken care of both the cost and impact values. Some industries – insurance, environmental, credit, and fraud – have a significantly more matured approach to risk management.
Quantitative Risk Analysis
Uses numerical values for both consequence and likelihood. Assumes everything can be measured. Risks are treated on the basis of their measured value, which gives a sound basis for decisions. Data points and historical data are limited but growing; historical breach data is not as extensive as that of finance, insurance, and fraud.
The core formula: ARO (Annualized Rate of Occurrence) x SLE (Single Loss Expectancy) = ALE (Annualized Loss Expectancy). The Society of Actuaries has many advanced formulas for calculating risk.
Don’t use numbers when assigning risk where you don’t have solid data. Use good sources such as DataLossDB.org, OpenSecurityFoundation.org, US-CERT.gov, Multi-State Information Sharing & Analysis Center (http://msisac.cisecurity.org/), and the Verizon Business Breach Investigations Report (http://www.verizonbusiness.com/go/2011dbir).
Reference: “How to Measure Anything: Finding the Value of Intangibles in Business” by Douglas W. Hubbard, ISBN 0470539399 (howtomeasureanything.com).
Qualitative Risk Analysis
Prioritization and ranking of risks based on qualifying attributes to describe magnitude: Low, Medium, High. Frequently, risks are treated because of the imperative to accomplish a mission. Factual data should be used where available. May build into a quantitative analysis where numerical data or resources are available.
Likelihood Scale
| Rating | Definition |
|---|---|
| Low | 0-24% chance of threat agent exploiting a given vulnerability in a year |
| Moderate | 25-74% chance of threat agent exploiting a given vulnerability in a year |
| High | 75-100% chance of threat agent exploiting a given vulnerability in a year |
Potential Impact Scale
| Rating | Definition | Effect |
|---|---|---|
| Low | Loss of C, I, or A could have a limited adverse effect on organizational operations, assets, or individuals | Causes degradation; effectiveness is noticeably reduced |
| Moderate | Loss of C, I, or A could have a serious adverse effect on organizational operations, assets, or individuals | Causes significant degradation; effectiveness is significantly reduced |
| High | Loss of C, I, or A could have a severe or catastrophic adverse effect on organizational operations, assets, or individuals | Causes severe degradation; effectiveness is severely reduced |
References: NIATEC (niatec.info), FIPS 199 (2004).
Risk Determination
Regardless of the formula, there are constants: threat agents and vulnerabilities exist, controls should be effective at preventing damage and losses.
| Likelihood \ Impact | Minimal | Moderate | Significant |
|---|---|---|---|
| Unlikely | Low | Low | Mod |
| Possible | Low | Mod | High |
| Likely | Mod | High | High |
Risk Treatment Plan
Engage senior management and align threats identified with strategic organization objectives. Focus efforts on the threats most likely and recommend controls to counteract those threats. Low complexity to remediate and large attack surface? Low hanging fruit – quick wins. High complexity to remediate and high asset value? Consider the motivated attackers. Some residual risk will always exist.
Making Strategic Decisions
- Accept the risk? Low value of asset, low probability of occurrence, low impact/damage prediction
- Mitigate the risk? Apply appropriate controls and fix the flaw
- Transfer the risk? Buy insurance or outsource – reduces impact
- Avoid the risk? Remove the risk or find alternatives
Making Tactical Decisions
If risk is accepted, increase directive and detective controls. When mitigating a risk with a preventive or corrective control, test the vulnerability before and after applying the control to ensure effectiveness. When transferring a risk, remember there is no complete transfer – outsourcing causes control to be limited to contractual agreements and enforcement can be challenging. Risk avoidance is frequently the best bet.
Risk Matrix Example
The presentation included a worked example: workstations not regularly patched and vulnerable to malicious software, with organized crime as the threat agent using malicious code to exfiltrate confidential data and spread through systems where users browse with local administrator rights. Impact rated High for confidentiality and integrity, Medium for availability. Likelihood rated High based on vulnerabilities exploited by malicious code (per ISC). Treatment: install anti-virus, patch systems, harden workstation configuration, and conduct training. Residual risk after treatment: Low.
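As an added, runnable illustration (not code from the presentation or from IT Risk LTD.), the Python below strings together the quantitative ALE formula from the Quantitative Risk Analysis section, the Likelihood and Potential Impact scales, the Risk Determination matrix, and the workstation-patching matrix example above. The mapping of Low/Moderate/High likelihood onto the matrix rows Unlikely/Possible/Likely, of Low/Moderate/High impact onto the columns Minimal/Moderate/Significant, the "worst of the three" rule for combining the C, I and A ratings, the assumed effect of treatment on likelihood and impact, and every dollar figure and probability are assumptions constructed for the example, not figures from the talk.

```python
"""Worked risk-rating pipeline: ALE, qualitative scales, risk matrix, residual risk.
Added example; the scale-to-matrix mappings and all figures are assumptions."""
from dataclasses import dataclass


# --- Quantitative: ARO x SLE = ALE -------------------------------------------
def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ARO = expected occurrences per year, SLE = loss per occurrence (dollars)."""
    if aro < 0 or sle < 0:
        raise ValueError("ARO and SLE must be non-negative")
    return aro * sle


def control_is_worthwhile(aro_before: float, aro_after: float,
                          sle: float, annual_control_cost: float) -> bool:
    """The plan's question: does stopping the attack cost more than the loss?
    A control pays for itself when the ALE it removes exceeds its annual cost."""
    reduction = (annualized_loss_expectancy(aro_before, sle)
                 - annualized_loss_expectancy(aro_after, sle))
    return reduction > annual_control_cost


# --- Qualitative: the talk's Likelihood Scale --------------------------------
def likelihood_rating(annual_probability: float) -> str:
    """0-24% Low, 25-74% Moderate, 75-100% High (chance per year)."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    pct = annual_probability * 100
    if pct < 25:
        return "Low"
    if pct < 75:
        return "Moderate"
    return "High"


# Ordering used to pick the worst of the C, I and A ratings ("Medium" and
# "Moderate" are treated as the same level; assumption for this example).
IMPACT_ORDER = {"Low": 0, "Medium": 1, "Moderate": 1, "High": 2}


def overall_impact(confidentiality: str, integrity: str, availability: str) -> str:
    """Assumed rule: overall impact is the highest of the three ratings."""
    worst = max((confidentiality, integrity, availability),
                key=lambda r: IMPACT_ORDER[r])
    return "Moderate" if worst == "Medium" else worst


# --- Risk Determination matrix (rows: likelihood, columns: impact) ------------
RISK_MATRIX = {
    "Unlikely": {"Minimal": "Low", "Moderate": "Low", "Significant": "Mod"},
    "Possible": {"Minimal": "Low", "Moderate": "Mod", "Significant": "High"},
    "Likely":   {"Minimal": "Mod", "Moderate": "High", "Significant": "High"},
}
# Assumed mapping of the scale labels onto the matrix labels.
LIKELIHOOD_TO_ROW = {"Low": "Unlikely", "Moderate": "Possible", "High": "Likely"}
IMPACT_TO_COLUMN = {"Low": "Minimal", "Moderate": "Moderate", "High": "Significant"}


def risk_level(likelihood: str, impact: str) -> str:
    return RISK_MATRIX[LIKELIHOOD_TO_ROW[likelihood]][IMPACT_TO_COLUMN[impact]]


@dataclass
class Scenario:
    name: str
    annual_probability: float  # chance the threat agent exploits the vulnerability this year
    c: str                     # confidentiality impact rating
    i: str                     # integrity impact rating
    a: str                     # availability impact rating


def assess(scenario: Scenario) -> dict:
    lik = likelihood_rating(scenario.annual_probability)
    imp = overall_impact(scenario.c, scenario.i, scenario.a)
    return {"likelihood": lik, "impact": imp, "risk": risk_level(lik, imp)}


def workstation_example() -> tuple:
    """The talk's scenario: unpatched workstations, users browsing as local admin,
    organized crime exfiltrating data with malicious code. Figures are constructed."""
    before = Scenario("unpatched workstations", 0.90, "High", "High", "Medium")
    inherent = assess(before)  # Likely x Significant -> High
    # Treatment: anti-virus, patching, USGCB hardening, training. Assumed effect:
    # likelihood falls to 10%/year and, with local admin rights removed, the
    # malware's reach (and so the impact) is reduced to Moderate across the board.
    after = Scenario(before.name, 0.10, "Moderate", "Moderate", "Low")
    residual = assess(after)   # Unlikely x Moderate -> Low
    return inherent, residual


def workstation_cost_benefit() -> tuple:
    """Constructed dollar figures: $200k per incident, $80k/year for the treatment."""
    sle, cost = 200_000.0, 80_000.0
    return (annualized_loss_expectancy(0.90, sle),
            annualized_loss_expectancy(0.10, sle),
            control_is_worthwhile(0.90, 0.10, sle, cost))


if __name__ == "__main__":
    inherent, residual = workstation_example()
    print("inherent:", inherent)
    print("residual:", residual)
    print("ALE before, ALE after, control worthwhile:", workstation_cost_benefit())
```

The quantitative half only earns its keep when the ARO and SLE rest on real data (the talk's DataLossDB, US-CERT and DBIR sources); with made-up inputs the qualitative half is the honest one, which is why `assess` returns the scale labels rather than a number.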
Plan of Action & Milestones Example
The risk matrix feeds into a concrete Plan of Action & Milestones (POA&M): license acquisition and deployment schedule, software inventory and patch identification, apply USGCB controls to template image (tweak as needed, test with business units, deploy), and admin training via SANS. Resources estimated at $50,000 licensing, 12 desktop staff weeks, 1000 hours for configuration, and 8 hours/week for 30 staff for 2 months of training.
Template: http://csrc.nist.gov/groups/SMA/fasp/documents/c&a/POAM_template_01052007.xls.
Key Takeaways
- Risk assessments are crucial to decision making
- Focus on threats and controls
- Use good data
- Regardless of how you measure it, risk assessments identify weaknesses that can impact organizational resiliency that should be acted on
Presenter Background
Matthew J. Harmon served as SANS Mentor Instructor for SEC 504 “Hacker Techniques, Exploits and Incident Handling” (GCIH), SEC 464 “Hacker Detection for Systems Administrators,” and SEC 401 “Security Essentials” (GSEC). He chaired ISO JTC 1 / SC 31 / US TAG 7 “Security for Item Identification” and served as ISO JTC 1 / SC27 “IT Security Techniques” Liaison from SC 31. He was a member of the ISO Technical Management Board Steering Committee for Privacy, an elected Board Member for the Whittier Alliance and Whittier Business Association, and author of “Plugging the Gaps in RFID Security” (ISO Focus+, April 2010). Certifications: GSEC, GCIH, CISSP, CISA, ISO 27001 Auditor.
Contact and Resources
IT Risk LTD., LLC – matthew@itriskltd.com
This presentation can be downloaded from https://github.com/itriskltd/ or http://itriskltd.com/MNGTS2011-ITRisk.pdf. Licensed under the Creative Commons Attribution-NonCommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/).