CHAPTER 6 Managing Risk
Network Security: A Beginner's Guide
Copyright 2001 The McGraw-Hill Companies, Inc.

Security is about managing risk. Without an understanding of the security risks to an organization's information assets, too many or not enough resources might be used, or they might be used in the wrong way. Risk management also provides a basis for valuing information assets. By identifying risk, you learn the value of particular types of information and the value of the systems that contain that information.

WHAT IS RISK?

Risk is the underlying concept that forms the basis for what we call "security." Risk is the potential for loss that requires protection. If there is no risk, there is no need for security. And yet risk is a concept that is barely understood by many who work in the security industry.

Risk is much better understood in the insurance industry. A person purchases insurance because a danger or peril is felt. The person may have a car accident that requires significant repair work. Insurance reduces the risk that the money for the repair may not be available. The insurance company sets the premiums for the person based on how much the car repair is likely to cost and the likelihood that the person will be in an accident.

If we look closely at this example, we see the two components of risk. First is the money needed for the repair. The insurance company needs to pay this amount if an accident occurs. This is the vulnerability of the insurance company. The second component is the likelihood that the person will get into an accident. This is the threat that will cause the vulnerability to be exploited (the payment of the cost of repair).

When risk is examined, we therefore must understand the vulnerabilities and the threats to an organization. Together, these two components form the basis for risk. Figure 6-1 shows the relationship between vulnerability and threat. As you can see from the figure, if there is no threat, there is no risk. Likewise, if there is no vulnerability, there is no risk.

Figure 6-1. The relationship between vulnerability and threat

Vulnerability

A vulnerability is a potential avenue of attack. Vulnerabilities may exist in computer systems and networks (allowing the system to be open to a technical attack) or in administrative procedures (allowing the environment to be open to a non-technical or social engineering attack). A vulnerability is characterized by the difficulty and the level of technical skill that is required to exploit it. The result of the exploitation should also be taken into account. For instance, a vulnerability that is easy to exploit (because a script exists to perform the attack) and that allows the attacker to gain complete control over a system is a high-value vulnerability. On the other hand, a vulnerability that would require the attacker to invest significant resources in equipment and people and would only allow the attacker to gain access to information that was not considered particularly sensitive would be considered a low-value vulnerability.

Vulnerabilities are not just related to computer systems and networks. Physical site security, employee issues, and the security of information in transit must all be examined.

Threat

A threat is an action or event that might violate the security of an information systems environment. There are three components of threat:

▼ Targets  The aspect of security that might be attacked.
■ Agents  The people or organizations originating the threat.
▲ Events  The type of action that poses the threat.

To completely understand the threats to an organization, all three components must be examined.

Targets

The targets of threat or attack are generally the security services that were defined in Chapter 3: confidentiality, integrity, availability, and accountability. These targets correspond to the actual reason or motivation behind the threat.

Confidentiality is targeted when the disclosure of information to unauthorized individuals or organizations is the motivation. In this case, the attacker wishes to know something that would normally be kept from him, such as classified government information. However, information that is normally kept private within commercial organizations, such as salary information or medical histories, can also be a target.

Integrity is the target when the threat wishes to change information. The attacker in this case is seeking to gain from modifying some information about him or another—for example, making a change to a bank account balance to increase the amount of money in the account. Others may choose to attack the transaction log and remove a transaction that would have lowered the balance. Another example might be the modification of some data in an important database to cast doubt on the correctness of the data overall. Companies that do DNA research might be targeted in such a manner.

Availability is targeted through the performance of a denial-of-service attack. Such attacks can target the availability of information, applications, systems, or infrastructure. Threats to availability can be short-term or long-term as well.

Accountability is rarely targeted as an end unto itself. When accountability is targeted by a threat, the purpose of such an attack is to prevent an organization from reconstructing past events. Accountability may be targeted as a prelude to an attack against another target, such as to prevent the identification of a database modification or to cast doubt on the security mechanisms actually in place within an organization.

A threat may have multiple targets. For example, accountability may be the initial target, to prevent a record of the attacker's actions from being kept, followed by an attack against the confidentiality of critical organizational data.

Agents

The agents of threat are the people who may wish to do harm to an organization. To be a credible part of a threat, an agent must have three characteristics:

▼ Access  The ability an agent has to get to the target.
■ Knowledge  The level and type of information an agent has about the target.
▲ Motivation  The reasons an agent might have for posing a threat to the target.

Access

An agent must have access to the system, network, facility, or information that is desired. This access may be direct (for example, the agent has an account on the system) or indirect (for example, the agent may be able to gain access to the facility through some other means). The access that an agent has directly affects the agent's ability to perform the action necessary to exploit a vulnerability and therefore be a threat.

A component of access is opportunity. Opportunity may exist in any facility or network just because an employee leaves a door propped open.

Knowledge

An agent must have some knowledge of the target. The knowledge that is useful for an agent includes

▼ User IDs
■ Passwords
■ Locations of files
■ Physical access procedures
■ Names of employees
■ Access phone numbers
■ Network addresses
▲ Security procedures

The more familiar an agent is with the target, the more likely it is that the agent will have knowledge of existing vulnerabilities. Agents that have detailed knowledge of existing vulnerabilities will likely also be able to acquire the knowledge necessary to exploit those vulnerabilities.

Motivation

An agent requires motivation to act against the target. Motivation is usually the key characteristic to consider regarding an agent, as it may also identify the primary target. Motivations to consider include

▼ Challenge  A desire to see if something is possible and to be able to brag about it.
■ Greed  A desire for gain. This may be a desire for money, goods, services, or information.
▲ Malicious Intent  A desire to do harm to an organization or individual.

Agents to Consider

A threat occurs when an agent with access and knowledge gains the motivation to take action. Based on the existence of all three factors, the following agents must be considered:

▼ Employees have the necessary access and knowledge to systems because of their jobs. The question with regard to employees is whether they have the motivation to do harm to the organization. This is not to say that all employees should be suspected of every event, but employees should not be discounted when conducting a risk analysis.
■ Ex-employees have the necessary knowledge of systems due to the jobs that they held. Depending on how well the organization removes access once an employee leaves, the ex-employee may still have access to systems. Motivation may exist depending upon the circumstances of the separation, for example, if the ex-employee bears a grudge against the organization.
■ Hackers are always assumed to have a motivation to do harm to an organization. The hacker may or may not have detailed knowledge of an organization's systems and networks. Access may be acquired if the appropriate vulnerabilities exist within the organization.
■ Commercial rivals should be assumed to have the motivation to learn confidential information about an organization. Commercial rivals may have a motivation to do harm to another organization depending on the circumstances of the rivalry. Such rival organizations should be assumed to have some knowledge about an organization since they are in the same industry. Knowledge of and access to specific systems may not be available but may be acquired if the appropriate vulnerabilities exist.
■ Terrorists are always assumed to have a motivation to do harm to an organization. Terrorists will generally target availability. Therefore, access to high-profile systems or sites can be assumed (the systems are likely on the Internet and the sites are likely open to some physical access). Specific motivation for targeting a particular organization is the important aspect of identifying terrorists as a probable threat to an organization.
■ Criminals are always assumed to have a motivation to do harm to an organization. More specifically, criminals tend to target items (both physical and virtual) of value. Access to items of value, such as portable computers, is a key aspect of identifying criminals as a probable threat to an organization.
■ The general public must always be considered as a possible source of threat. However, unless an organization has caused some general offense to civilization, motivation must be considered lacking. Likewise, access to and knowledge about the specifics of an organization are considered minimal.
■ Companies that supply services to an organization may have detailed knowledge of and access to the organization's systems. Business partners may have network connections. Consultants may have people on site performing development or administration functions. Motivation is generally lacking for one organization to attack another, but given the extensive access and knowledge that may be held by the suppliers of services, they must be considered a possible source of threat.
■ Customers of an organization may have access to the organization's systems and some knowledge of how the organization works. Motivation is generally lacking for one organization to attack another, but given the potential access that customers may have, they must be considered a possible source of threat.
■ Visitors have access to an organization by virtue of the fact that they are visiting the organization. This access may allow a visitor to gain information or admission to a system. Visitors must therefore be considered a possible source of threat.
▲ Disasters such as earthquakes, tornadoes, or floods do not require motivation or knowledge. Access is generally assumed. Disasters must always be considered possible sources of threat.

When considering these agents, you must make a rational decision as to whether each agent will have the necessary access to target an organization. Consider potential avenues of attack in light of the vulnerabilities previously identified.

Events

Events are the ways in which an agent of threat may cause harm to an organization. For example, a hacker may cause harm by maliciously altering an organization's Web site. Another way of looking at events is to consider what harm could possibly be done if the agent gained access. Events that should be considered include

▼ Misuse of authorized access to information, systems, or sites
■ Malicious alteration of information
■ Accidental alteration of information
■ Unauthorized access to information, systems, or sites
■ Malicious destruction of information, systems, or sites
■ Accidental destruction of information, systems, or sites
■ Malicious physical interference with systems or operations
■ Accidental physical interference with systems or operations
■ Natural physical events that may interfere with systems or operations
■ Introduction of malicious software (intentional or not) to systems
■ Disruption of internal or external communications
■ Passive eavesdropping on internal or external communications
▲ Theft of hardware

Threat + Vulnerability = Risk

Risk is the combination of threat and vulnerability. Threats without vulnerabilities pose no risk. Likewise, vulnerabilities without threats pose no risk. The measurement of risk is an attempt to identify the likelihood that a detrimental event will occur. Risk can be qualitatively defined in three levels:

▼ Low  The vulnerability poses a level of risk to the organization; however, it is unlikely to occur. Action to remove the vulnerability should be taken if possible, but the cost of this action should be weighed against the small reduction in risk.
■ Medium  The vulnerability poses a significant level of risk to the confidentiality, integrity, availability, and/or accountability of the organization's information, systems, or physical sites. There is a real possibility that this may occur. Action to remove the vulnerability is advisable.
▲ High  The vulnerability poses a real danger to the confidentiality, integrity, availability, and/or accountability of the organization's information, systems, or physical sites. Action should be taken immediately to remove this vulnerability.

When available, the ramifications of a successful exploitation of a vulnerability by a threat must be taken into account. If cost estimates are available, they should be applied to the risk level to better determine the feasibility of taking corrective action.

IDENTIFYING THE RISK TO AN ORGANIZATION

The identification of risk is straightforward. All you need to do is identify the vulnerabilities and the threats and you are done. How do these identified risks relate to the actual risk to an organization? The short answer is: not very well. The identification of risks to an organization must be tailored to the organization. Figure 6-2 shows the components of an organizational risk assessment. As you can see from the figure, I've added another component to the risk calculation—existing countermeasures.

Figure 6-2. Components of an organizational risk assessment
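As an added illustration that is not part of the book, the following Python sketch encodes the chapter's rules that a threat needs an agent with access, knowledge and motivation together, that risk needs both a threat and a vulnerability, and the chapter's high-value and low-value vulnerability anchors. The way the two components are combined into Low, Medium and High (direct access taken as "likely to occur"), the field names, and the sample agents and vulnerabilities are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Vulnerability:
    easy_to_exploit: bool      # e.g. a ready-made script performs the attack
    gives_full_control: bool   # exploitation yields complete control of a system
    data_sensitive: bool       # reachable information is considered sensitive

@dataclass
class Agent:
    access: bool                 # direct or indirect means of reaching the target
    knowledge: bool              # useful knowledge of the target
    motivation: bool             # challenge, greed or malicious intent
    direct_access: bool = False  # e.g. holds an account on the system

def is_credible_threat(agent: Agent) -> bool:
    return agent.access and agent.knowledge and agent.motivation  # chapter: all three needed

def vulnerability_value(v: Vulnerability) -> str:
    if v.easy_to_exploit and v.gives_full_control:
        return "High"    # chapter: easy to exploit and gives complete control
    if not (v.easy_to_exploit or v.gives_full_control or v.data_sensitive):
        return "Low"     # chapter: costly to exploit and only non-sensitive information
    return "Medium"      # assumption: anything in between

def risk_level(v: Vulnerability, agents: List[Agent]) -> Optional[str]:
    """Threat + vulnerability = risk; None means no credible threat, hence no risk."""
    threats = [a for a in agents if is_credible_threat(a)]
    if not threats:
        return None
    value = vulnerability_value(v)
    likely = any(a.direct_access for a in threats)  # assumption: direct access makes exploitation likely
    if (value, likely) == ("High", True):
        return "High"
    return "Low" if (value, likely) == ("Low", False) else "Medium"

def example_assessment() -> dict:
    # Constructed sample inputs following the chapter's agent descriptions.
    scripted = Vulnerability(easy_to_exploit=True, gives_full_control=True, data_sensitive=True)
    obscure = Vulnerability(easy_to_exploit=False, gives_full_control=False, data_sensitive=False)
    employee = Agent(access=True, knowledge=True, motivation=False, direct_access=True)
    ex_employee = Agent(access=True, knowledge=True, motivation=True, direct_access=True)
    hacker = Agent(access=True, knowledge=True, motivation=True)  # no account on the system
    public = Agent(access=False, knowledge=False, motivation=False)
    return {"scripted/unmotivated": risk_level(scripted, [employee, public]),
            "scripted/ex-employee": risk_level(scripted, [employee, ex_employee]),
            "obscure/hacker": risk_level(obscure, [hacker]),
            "obscure/ex-employee": risk_level(obscure, [ex_employee])}
```

The first case returns no risk at all: the employee has access and knowledge but no motivation, so no credible threat exists for an otherwise high-value vulnerability.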