■ Federal Emergency Management Agency www.fema.gov/index.shtm ■ Hazards Research Lab at University of South Carolina http://go2.cla.sc.edu/hazard/db_registration ■ Natural Disaster Hotspots: A Global Risk Analysis http://sedac.ciesin.columbia.edu/hazards/hotspots/synthesisreport.pdf ■ Natural Disaster Reference Database http://ndrd.gsfc.nasa.gov/ ■ National Geophysical Data Center Natural Hazards Data www.ngdc.noaa.gov/seg/hazard/hazards.shtml ■ Natural Hazards Center: All Hazards www.colorado.edu/hazards/resources/web/all.html#indices ■ National Oceanic and Atmospheric Administration Central Library www.lib.noaa.gov/ Qualitative Risk Assessment When you use relative concepts to determine risk exposure, you are using qualitative risk analysis. Relative classification systems compare one compo- nent to another, allowing you to rank a classification as high, medium, or low. It’s useful to rank risk exposures caused by vulnerabilities so you can more easily make decisions on what to do about them. You can use the same qualitative risk exposure matrix listed in Table 14.4. A more simplified version of that table is shown in Table 17.1. Once you have established what the vulnerabilities are, you need to determine their likeli- hood of being exploited, and the severity of the loss.You determine the risk exposure by multiplying the severity of the loss by the likelihood. As a reminder: Risk Exposure = Likelihood x Impact R ( E ) = P ( L ) x S ( L ) P ( L ) = Probability of loss (likelihood) S (L) = Severity of loss (impact) www.syngress.com 282 Chapter 17 • Performing a System Risk Assessment 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 282 Table 17.1 Qualitative Risk Exposure Determination Table Impact Values S (L) Likelihood P (L) Low Medium High High Low Medium High Medium Low Medium Medium Low Low Low Low (Table 17.1 is very similar to Table 3.6 in the NIST Special Publication 800- 30, Risk Management Guide for Information Technology Systems, July 2002.) Quantitative Risk Assessment Quantitative risk assessment associates loss with a financial value.The goal of understanding financial loss is to give you more information in making deci- sions about the procurement and implementation of safeguards. Quantitative risk assessment is essential if you want to perform cost benefit analysis to figure out if implementing a particular safeguard is financially worth the cost. If the anticipated annual loss is less than the annualized cost of the safeguard, then it is usually not worth it to implement the safeguard. I will use a natural disaster example to show you how to figure out finan- cial loss based on quantitative risk assessment methods. If you look at Figure 17.4, you will see that in Florida alone there are different probabilities throughout the state for hurricanes with wind speeds greater than 100 knots. To calculate the risk of a hurricane occurring in Miami, Florida, you need to understand the likelihood of one occurring each year. If a hurricane occurs once every 20 years (1 out of 20), then it has a 5 percent chance of occurring yearly since 1/20 = .05, which equals 5 percent. www.syngress.com Performing a System Risk Assessment • Chapter 17 283 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 283 Figure 17.4 Probabilities of Hurricanes in Florida Localities Source: U.S. Geological Survey The frequency of Florida hurricanes with wind speeds greater than or equal to 100 knots is mapped in terms of the probability of occurrence during a 20-year exposure window.These probabilistic estimates, based on 1006 years of observations, illustrate that hurricanes with 100 knot winds occur more frequently in southern Florida, and gradually decrease in fre- quency towards northern Florida. 1 The threat frequency (or likelihood) for natural disasters can be calculated by using an Annualized Rate of Occurrence (ARO).An ARO is a constant number that tells you how often a threat might occur each year. AROs can be broken down into subvalues known as Standard Annual Frequency Estimates (SAFE) and Local Annual Frequency Estimates (LAFE).The SAFE value is the number of times a specific threat is expected to occur annually in a large geographic region such as North America.The LAFE value is the number of times a specific threat can be expected to occur annually in a smaller, local geographic region such as Miami, Florida. For the purpose of C&A, it is more appropriate to use LAFE values. (If we were going to C&A all the systems in www.syngress.com 284 Chapter 17 • Performing a System Risk Assessment 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 284 North America in one C&A package, we might use SAFE values for that. Such a C&A package of course would be a Sisyphean exercise.) ARO values (SAFE and LAFE) typically are represented as rational num- bers, or as a decimal value as shown in Table 17.2. (A rational number is a number that can be expressed equivalently as a fraction.) Table 17.2 Threat Values for Annualized Rates of Occurrence ARO (LAFE) Values Expressed as Expressed as Expressed as a Frequency of a percent a decimal fraction Occurrence 1% .01 1/100 Once every 100 years 2% .02 1/50 Once every 50 years 5% .05 1/20 Once every 20 years 10% .10 1/10 Once every 10 years 20% .2 1/5 Once every 5 years 100% 1 1/1 Once a year 1000% 10 10/1 10 times a year 10,000% 20 20/1 20 times a year The reduction in value of an information system from one threat (or inci- dent) is referred to as a Single Loss Expectancy (SLE). If one of the systems in your hardware and software inventory is valued at $100,000, and a hurricane destroys 90 percent of it, the value of the system has been reduced by $90,000, which is the SLE. SLE = Original Total Cost – Remaining Value SLE $90,000 = $100,000 – $10,000 It is possible that instead of a hurricane, a hacker might destroy 90% of the system and the same SLE formula would apply. Once you know the SLE, you can determine an Annual Loss Expectancy (ALE). ALE is a risk exposure stan- dard that is computed by multiplying the probability of a loss from a threat (or incident) by the reduction in value of the information system. . www.syngress.com Performing a System Risk Assessment • Chapter 17 285 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 285 NOTE ALE is a metric that was developed by the National Bureau of Standards in 1979. In the mid-1980s, the National Bureau of Standards became part of the National Institute of Standards and Technology. ALE values are useful to perform cost benefit analysis so you can figure out if spending money on a particular safeguard is worth it or not. ALE values can be determined for any type of threat whether it is a threat launched by a cyber criminal, or a natural disaster.To determine the ALE for this same $100,000 system, use the formula: ALE = LAFE x SLE R (E) = P (L) x S (L) The LAFE value is the probability of potential loss, or P (L).The SLE, or the loss from a one-time occurrence of the incident, is the severity of the loss, S (L). If the system is located in Miami, Florida and hurricanes have a 5% chance of occurring yearly: ALE = .05 x $90,000 = $4,500 Every year, the one information system located in Miami, Florida is being exposed to an annual loss expectancy of $4,500 from hurricanes alone. If there are 1000 systems at this facility in Miami, all with the same ALE, that would come to a whopping cumulative ALE of $4,500,000. Even if moving the facility to a different location costs $1,000,000, in this case it would be worth it since the safeguard (e.g., the move) would be far less expensive than the Annual Loss Expectancy. An additional resource that explains quantitative risk assessment is an article titled “Security Scanning is not Risk Analysis” in the Intranet Journal (www.intranetjournal.com/articles/200207/se_07_14_02a.html). www.syngress.com 286 Chapter 17 • Performing a System Risk Assessment 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 286 Qualitative versus Quantitative Risk Assessment When you use ALE values to determine cost benefit analysis, you are per- forming quantitative risk analysis. When you use high, moderate, and low rankings that are relative to each other, you are performing qualitative risk analysis. Whether the threat is a hurricane or a hacker, you can use either method to determine risk exposure.There are advantages and disadvantages to both methods of determining risk. Whether you use qualitative or quantitative methods to determine your risk exposure, you should state in your System Risk Assessment which method- ology you are using and why.Your reasons for selecting one methodology over the other might be straightforward and simple. Perhaps you decided to use qualitative risk assessment because that’s what your agency requires.To use quantitative risk assessment effectively, you need to know the current dollar value of an asset. If your agency does not track that kind of information, quantitative risk assessment presents many challenges. If you are able to use quantitative risk assessment, it is an indispensable tool for determining whether an expensive safeguard is worth purchasing or not. Qualitative risk assessment has the following attributes: ■ A faster process ■ Emphasizes descriptions ■ Findings are simple and expressed in relative terms ■ Values are perceived values, not actual values ■ Requires less training Quantitative risk assessment has the following attributes: ■ Very time intensive ■ Yields results that are financial in nature ■ Used for cost benefit analysis ■ Good for justifying the procurement of safeguards ■ Requires tracking the financial value of assets www.syngress.com Performing a System Risk Assessment • Chapter 17 287 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 287 Today, most C&A packages use qualitative risk assessment methods simply because it’s usually faster to perform than quantitative methods. However, as C&A programs evolve over time, it is likely that quantitative methods will gain more traction.The more expensive the safeguards are that your agency is taking into consideration, the more valuable quantitative risk assessment can be. Present the Risks In order to make decisions on risks, you need to present the risks in an easy to follow table. For a qualitative risk assessment, create columns for the fol- lowing fields: ■ ID number ■ Vulnerability name ■ Description ■ Likelihood ■ Impact ■ Risk Exposure ■ Recommendation Some risk assessments also include columns for security control identifiers, policy and oversight citations, threat descriptions, CVE numbers (see http://cve.mitre.org), and other related information. Find out if your agency already has a template that they’d like you to use for your risk table. For a quantitative risk assessment, you should also create a column for ALE.Table 17.3 shows an example of an easy-to-follow format to present your risks. www.syngress.com 288 Chapter 17 • Performing a System Risk Assessment 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 288 Table 17.3 Risks to Systems and Recommendations Vulnerability Risk ID No. Name Description Likelihood Impact Exposure Recommendation 1 SSH Vuln on Due to a buffer Medium High Medium Mitigate the risk by erp02 host overflow vulnerabilities disabling SSH1. Since and design flaws in we now use SSH1, an attacker Connect:Direct for could gain root shell security file transfers, access to erp02 on nobody uses SSH1 the network 5. anymore anyway. 2 NetBIOS Vuln Due to a NetBIOS High High High Mitigate this risk by on account vulnerability, a brute advising users to change belonging to force attack enabled a passwords, and imple- James Smith, penetration tester to ment a password Martha Doyle, obtain logins and complexity requirement and Will Jones passwords for 3 that requires complex different users passwords with 10 char- acters, including 1 numeric and 1 upper- case letter. Implement password aging. Disable NetBIOS. www.syngress.com Performing a System Risk Assessment • Chapter 17 289 Continued 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 289 Table 17.3 continued Risks to Systems and Recommendations Vulnerability Risk ID No. Name Description Likelihood Impact Exposure Recommendation 3 Administration There is no database Medium Medium Medium Mitigate the risk by of User Provi- administrator’s guide. developing a database sioning If our database admin- administration guide Database istrator becomes ill that includes informa- or ends his tion on how to perform employment, it will all database administra- be difficult to tion functions. Include understand how to information on administer the database. database configuration in the guide. 4 No separation One of the users at Low Low Low Accept the risk. Office 2 of duties Office 2 has admin is a small office with access to all systems only 2 users. It doesn’t in Office 2. make sense to hire a systems administrator for 2 people. www.syngress.com 290 Chapter 17 • Performing a System Risk Assessment 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 290 Make Decisions Once you have gathered the pertinent facts about the risk exposure to your systems, you are armed with all the right information to formulate decisions. One of the objectives of the decisions that you make will be to balance the impact of threats with safeguards. Safeguards mitigate risk; however, there is a cost involved in applying safeguards.The cost of safeguards should not only include the up-front cost of procuring the safeguard, but also the yearly main- tenance costs of implementing it. For example, a set of firewalls may cost $30,000 to purchase and install, but it also requires the hiring of a full time firewall administrator. Be sure to consider these hourly costs in labor rates as well as in the cost of a product. Mitigating risks means reducing them to acceptable levels, which of course is different than mitigating risks at all costs. Most information tech- nology risks can be reduced. Sometimes a high risk item can be reduced by simply checking a box in a GUI to enable a particular security feature. Other times, reducing a risk can be complex, very involved, and very expensive. Since there is usually a price to pay for mitigating risks, the price is some- thing that perceptive IT managers will want to take into consideration. Sometimes that price might be only an hour of a systems administrator’s time. Other times it could be hundreds of hours of many systems administrators’ time, or it may mean purchasing an enterprise product that costs several mil- lion dollars. When it comes to reducing risks, one of the first questions your business owner and ISSO should be asking is,“What will it cost?” Consistent with the options in Chapter 14, your options are either to accept the risk, transfer the risk, or mitigate the risk. Generally speaking, high risk items that don’t cost much should always be mitigated. Moderate risk items that don’t cost much should also be mitigated. Low risk items may not be worth reducing at all, particularly if it costs a lot to do so. Checklist Upon completion of the System Risk Assessment, use the following checklist to make sure you haven’t forgotten anything: ■ Have you explained your risk assessment methodology? www.syngress.com Performing a System Risk Assessment • Chapter 17 291 409_Cert_Accred_17.qxd 11/3/06 2:58 PM Page 291 [...]... and Management John Wiley & Sons, January 2006 ISBN: 0 471 648329 Jones, Andy, and Debi Ashenden Risk Management for Computer Security Butterworth-Heinemann, March 15, 2005 ISBN: 075 0 677 953 Landoll, Douglas J., CRC The Security Risk Assessment Handbook December 12, 2005 ISBN: 0849329981 Long, Johnny and Chris Hurley, with Mark Wolfgang and Mike Petruzzi Penetration Tester’s Open Source Toolkit Rockland,... Management Roles and Responsibilities Role Responsibilities Configuration Manager Coordinator (CM Coordinator) Develops and maintain CM plans, policies, and procedures for operating systems and applications Oversees generation of functional and product baselines Coordinates release of product components (hardware, software, interfaces, and documentation) Maintains records, databases, and libraries (repositories)... systems settings, and application configurations, are known and tracked.The settings and configurations that are known and tracked should include the technical security controls.The Configuration Management Plan is a living document and should be updated through the life cycle of the systems that it references Some agencies may have one global Configuration Management Plan for the entire agency, and other agencies... release engineering activities Maintains source code and version control Assists in software integration and bug fixing Manages the software build process and controls the migration of software throughout the lifecycle Maintain records, databases, and software libraries (repositories) Notifies developers and testers of configuration management status and policies Coordinates project configuration control... Rockland, MA: Syngress Publishing, December 1, 2005 ISBN: 15 974 90210 Long, Johnny and Ed Skoudis Google Hacking for Penetration Testers Rockland, MA: Syngress Publishing, 2005 ISBN: 1931836361 www.syngress.com 293 409_Cert_Accred_ 17. qxd 294 11/3/06 2:58 PM Page 294 Chapter 17 • Performing a System Risk Assessment McCumber, John Assessing and Managing Security Risk in IT Systems Auerbach, June 15, 2004... draw the line in the sand on what to include and not include in your system description takes some thought and various decisions will need to be made Many of these decisions were likely made when you put together the Hardware and Software Inventory However, since you have not yet submitted your C&A package for review, you do have the liberty to go back and revise your Hardware and Software Inventory... to agency Table 18.2 Configuration Management Roles and Responsibilities Role Responsibilities Director of Configuration Management (Director of CM) Develops and maintain CM plans, policies, and procedures Works with CM Analysts and CM Coordinators to ensure that configuration duties are understood Presides over Change Control Board (CCB) activities and meetings Designates a scribe to take notes or minutes... Fuller, Greg Miles, Matthew Hoagberg,Travis Schack,Ted Dykstra, and Bryan Cunningham Network Security Evaluation Rockland, MA: Syngress Publishing, August 2005 ISBN: 15 974 90350 Notes 1 Natural Disasters—Forecasting Economic and Life Losses U.S Department of the Interior U.S Geological Survey (http://pubs.usgs.gov/fs/natural-disasters/figures/fig7.html) www.syngress.com 409_Cert_Accred_18.qxd 11/3/06 2:48... vulnerabilities and making intelligent decisions about them shows more savvy than claiming that there are none Don’t forget to take into consideration natural disasters—particularly if your agency has offices and systems in areas that have a history of weather-related disasters Additional Resources Books that may help improve your understanding of System Risk Assessment are listed here: Bidgoli, Hossein Handbook. .. organization understands how to handle change, and can track all changes to your system including the settings for security controls An effective Configuration Management Plan provides audit trails and traceability as to why change has occurred.The baselines stored in the configuration management system enable your organization to understand what the given configuration of your systems and major applications are . 15, 2005. ISBN: 075 0 677 953. Landoll, Douglas J., CRC. The Security Risk Assessment Handbook. December 12, 2005. ISBN: 0849329981. Long, Johnny and Chris Hurley, with Mark Wolfgang and Mike Petruzzi Hossein. Handbook of Information Security,Volume 3,Threats, Vulnerabilities, Prevention, Detection, and Management. John Wiley & Sons, January 2006. ISBN: 0 471 648329. Jones, Andy, and Debi. Chapter 17 285 409_Cert_Accred_ 17. qxd 11/3/06 2:58 PM Page 285 NOTE ALE is a metric that was developed by the National Bureau of Standards in 1 979 . In the mid-1980s, the National Bureau of Standards