
Activity 3: Risk Management

6.3 Security Transparency Framework Process

6.3.3 Activity 3: Risk Management

The risk management activity identifies and measures the risks to the assets and identifies the essential controls for mitigating those risks. The Security Analyst performs this activity. Based on the assets identified in the previous task, all threats that could negatively impact those assets are profiled in a register. Effective identification and control of threats, however, requires an understanding of threat sources and of adversary behaviour, capability and intent (Workman et al., 2008). Only with an understanding of the threat landscape does an organization know enough about the nature of the threats it faces to choose the control measures to implement; in other words, a holistic understanding of threats enables more effective prioritization of control actions and decision making. Categorization supports this by letting an organization build an expansive threat profile. For these reasons, the thesis defines two steps for risk management: (i) determination of the threat profile; and (ii) creation of a risk register.

6.3.3.1 Step 1: Determine Threats Profile

Determining the threat profile is vital because it allows the characteristics of each threat to be identified and understood. Because the cloud environment is dynamic, this requires a structured representation of threat information that is both expressive and comprehensive. The Security Analyst must use a sound approach that yields useful insight from the analysis of situational and contextual threats and that can be tailored to the organisation-specific threat landscape. One such approach is Microsoft's threat classification model STRIDE (Swiderski and Snyder, 2004) combined with the DREAD impact-rating model (Shostack, 2008).

STRIDE is an acronym formed from the first letters of Spoofing Identity, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege; it classifies known threats by the kind of attack they represent. DREAD stands for Damage potential, Reproducibility, Exploitability, Affected users and Discoverability; using the DREAD model, the impact rating for a given threat can be determined.

The Security Analyst should start from publicly available sources of threat information. We recommend the threat catalogues published by ENISA (ENISA, 2009) and the CSA (Top Threats Working Group, 2017), since both identify numerous cloud-specific threats. Using the STRIDE and DREAD models, the actors then follow the procedure below to create a comprehensive threat profile:

Identify Threats: the potential threats to assets that a threat agent may leverage to attack an asset. The Security Analyst must back up each entry with a solid foundation of information sources.

Categorize Threats: after threats and vulnerabilities have been identified, the STRIDE model is used to classify them according to the purposes of the attacks. Using this classification, the Security Analyst can determine the category of each threat, which in turn makes it possible to create an impact rating for it. STRIDE consists of the following categories:

o Spoofing (S): attackers masquerade as a legitimate user, system or application element.

o Tampering (T): attackers modify or tamper with assets in transit or at rest.

o Repudiation (R): attackers perform actions that cannot be traced.

o Information Disclosure (I): breach of, or unauthorized access to, a critical asset.

o Denial of Service (D): attackers disrupt or interrupt normal operations of the asset.

o Elevation of Privilege (E): attackers obtain access privileges to an asset without legitimate authority.

Target Asset: the target systems, including software, applications or configurations, that are targeted and subject to exploitation by a threat.

Determine the Severity of Threat: after threats are categorized according to STRIDE, they are rated using the DREAD model. DREAD provides a set of questions that feed a scoring scheme to quantify the severity presented by each threat. The questions are:

o Damage Potential (D): how extensive is the damage potential?

o Reproducibility (R): how easy is it for the threat to be repeated or to reoccur?

o Exploitability (E): how easy is it to launch the threat?

o Affected Users (A): what proportion of users would be affected?

o Discoverability (D): how easy is it to discover the threat?

The Security Analyst uses the above questions to rate the severity of each threat; the questions can be extended to meet an organization's needs. To apply the DREAD model, a rating table assigns the values 3, 2 and 1 to represent high, medium and low respectively. Table 6.7 shows the rating values the Security Analyst uses when determining the severity of threats. The five values (each between 1 and 3) are summed for each threat, so the result falls within the range 5 to 15. Threats with an overall rating of 12 to 15 are treated as 'High Severity', 8 to 11 as 'Medium Severity', and 5 to 7 as 'Low Severity'.

Table 6.7: Threat Severity

Rating | 3 (High) | 2 (Medium) | 1 (Low)
Damage Potential (D) | The threat agent can compromise the security of an asset | Exposure to a critical asset | Minor exposure to the critical asset
Reproducibility (R) | The threat can be reproduced at any time to compromise an asset | The threat can be reproduced, but only when the opportunity is presented to compromise an asset | The threat is very unlikely to be replicated
Exploitability (E) | A novice threat agent can easily compromise the asset within a short time | A skilled threat agent can compromise the asset and can easily repeat the steps | The attack requires a highly skilled threat agent with in-depth knowledge and resources
Affected Users (A) | All users within the organisation and other customers | Some users and customers | A tiny proportion of users, and it is unlikely customers will be affected
Discoverability (D) | Vulnerabilities in the asset are very noticeable and can be easily exploited | Weaknesses in the asset are rarely discovered | Vulnerabilities are hardly present and rarely discovered


Table 6.8: Threat Profile

Threat ID | Threat Name | Description | Threat Category (S T R I D E) | Target Assets | DREAD Rating (D R E A D) | Threat Severity

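The procedure above, from STRIDE categorization through DREAD scoring to the severity bands of Table 6.7, as an added worked example. This is example code written for this page, not tooling from the thesis; it assumes a threat record carrying the Table 6.8 columns, and the three sample threats are constructed for illustration rather than taken from the ENISA or CSA catalogues.

```python
"""Threat profile (Table 6.8 layout) built from STRIDE categories and DREAD ratings."""
from dataclasses import dataclass

# STRIDE letters in the column order of the threat profile table.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of Privilege",
}
# DREAD factors; each is rated 3 (High), 2 (Medium) or 1 (Low) as in Table 6.7.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")
VALID_RATINGS = (1, 2, 3)


def severity_band(total: int) -> str:
    """Map a summed DREAD score to the thesis' bands: 12-15 High, 8-11 Medium, 5-7 Low."""
    if total < 5 or total > 15:
        raise ValueError(f"DREAD total {total} is outside 5..15; every factor must be 1, 2 or 3")
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Threat:
    threat_id: str
    name: str
    description: str
    categories: frozenset      # subset of STRIDE keys, e.g. frozenset("SE")
    target_assets: tuple       # asset names from the asset identification step
    dread: dict                # factor name -> 1, 2 or 3

    def __post_init__(self):
        # Reject records that would silently distort the profile.
        unknown = set(self.categories) - STRIDE.keys()
        if unknown:
            raise ValueError(f"{self.threat_id}: unknown STRIDE letters {sorted(unknown)}")
        if not self.categories:
            raise ValueError(f"{self.threat_id}: at least one STRIDE category is required")
        if set(self.dread) != set(DREAD_FACTORS):
            raise ValueError(f"{self.threat_id}: DREAD needs exactly the factors {DREAD_FACTORS}")
        bad = {f: v for f, v in self.dread.items() if v not in VALID_RATINGS}
        if bad:
            raise ValueError(f"{self.threat_id}: ratings must be 1, 2 or 3, got {bad}")

    def dread_total(self) -> int:
        return sum(self.dread[f] for f in DREAD_FACTORS)

    def severity(self) -> str:
        return severity_band(self.dread_total())

    def profile_row(self) -> dict:
        """One row of the threat profile table; '-' marks a STRIDE column that does not apply."""
        return {
            "id": self.threat_id,
            "name": self.name,
            "stride": "".join(k if k in self.categories else "-" for k in STRIDE),
            "category": ", ".join(STRIDE[k] for k in STRIDE if k in self.categories),
            "assets": "; ".join(self.target_assets),
            "dread": "".join(str(self.dread[f]) for f in DREAD_FACTORS),
            "total": self.dread_total(),
            "severity": self.severity(),
        }


def build_profile(threats) -> list:
    """Threat profile ordered most severe first, so control effort goes to the top rows."""
    return sorted((t.profile_row() for t in threats), key=lambda r: r["total"], reverse=True)


def render(rows) -> str:
    lines = [f"{'ID':6}{'STRIDE':8}{'DREAD':7}{'Tot':5}{'Severity':9}Name [assets]"]
    for r in rows:
        lines.append(f"{r['id']:6}{r['stride']:8}{r['dread']:7}{r['total']:<5}"
                     f"{r['severity']:9}{r['name']} [{r['assets']}]")
    return "\n".join(lines)


# Constructed sample entries for illustration only; not taken from the ENISA or CSA catalogues.
SAMPLE_THREATS = [
    Threat("T-01", "Credential theft against tenant admin console",
           "Attacker reuses leaked credentials to log in as a tenant administrator.",
           frozenset("SE"), ("Tenant admin console", "Customer records"),
           {"damage": 3, "reproducibility": 3, "exploitability": 2, "affected_users": 3, "discoverability": 2}),
    Threat("T-02", "Unlogged deletion of audit trail entries",
           "A privileged user removes log records without the action being recorded.",
           frozenset("TR"), ("Audit log store",),
           {"damage": 2, "reproducibility": 2, "exploitability": 1, "affected_users": 2, "discoverability": 2}),
    Threat("T-03", "Volumetric flood against public API endpoint",
           "Traffic flood exhausts the API gateway so legitimate tenants cannot connect.",
           frozenset("D"), ("Public API gateway",),
           {"damage": 1, "reproducibility": 2, "exploitability": 1, "affected_users": 2, "discoverability": 1}),
]

if __name__ == "__main__":
    print(render(build_profile(SAMPLE_THREATS)))
```

The validation in `__post_init__` is the part worth keeping in any real register: a factor typed as 0 or 4, or a missing factor, would otherwise shift a threat across a severity band without anyone noticing.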

6.3.3.2 Step 2: Create a Risk Register

The output of threat profiling is a list of potential security threats and their impact on assets. The threat register helps the Security Analyst orchestrate the creation of a risk register and focus on the most potent threats. A risk register is an important document that provides a tentative record of potential risks in line with the threat profile, the assets and the security goals. It also enables the determination of how likely those risks are to occur, the severity of the risks, the steps to be taken for controlling or managing them, and so on (Höne and Eloff, 2002). Essentially, the Security Analyst defines an approach that makes it possible to identify and accurately estimate risks and to make an informed decision about risk control actions. This helps ensure that minor risks are not prioritized while more severe risks are overlooked.

To ensure consistency and relevance of risks and their impact, we recommend that the Security Analyst use the OWASP risk rating methodology (Open Web Application Security Project, 2014) for creating the risk register. The OWASP methodology is recommended because it estimates risks from both business-process and technical perspectives and is highly adaptable and applicable to organizations of all sizes. It comprises six simple phases covering the factors that make up the likelihood and impact of each risk, and the Security Analyst uses five of these phases to determine the severity of each risk. The phases for creating the risk register are provided as:
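A risk register built on the likelihood and impact estimation that the OWASP methodology supplies, as an added worked example (example code for this page, not the thesis' own tooling). The factor names, the 0 to 9 scoring, the LOW/MEDIUM/HIGH bands and the overall-severity matrix are those of the OWASP Risk Rating Methodology as published; they are assumed here because this excerpt does not reproduce them. The three sample risks, their scores, controls and the threat IDs they reference are constructed for illustration.

```python
"""Risk register ranked with the OWASP Risk Rating Methodology (likelihood x impact)."""
from dataclasses import dataclass

# Factor names and bands follow the published OWASP Risk Rating Methodology (assumed here,
# since the thesis excerpt does not list them). Each factor is scored 0..9 and the factors
# in each group are averaged.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                              # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",  # vulnerability
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",                  # technical impact
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage",                         # business impact
    "non_compliance", "privacy_violation",
)
# Overall severity matrix keyed by (likelihood level, impact level).
OVERALL = {
    ("LOW", "LOW"): "NOTE",       ("MEDIUM", "LOW"): "LOW",         ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",     ("MEDIUM", "MEDIUM"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",    ("MEDIUM", "HIGH"): "HIGH",       ("HIGH", "HIGH"): "CRITICAL",
}
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "NOTE": 4}


def average(scores: dict, factors: tuple) -> float:
    """Average of one factor group; rejects missing, extra or out-of-range factors."""
    if set(scores) != set(factors):
        raise ValueError(f"expected exactly the factors {factors}, got {sorted(scores)}")
    out_of_range = [f for f in factors if not 0 <= scores[f] <= 9]
    if out_of_range:
        raise ValueError(f"scores must be within 0..9: {out_of_range}")
    return sum(scores[f] for f in factors) / len(factors)


def level(avg: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if avg < 3:
        return "LOW"
    if avg < 6:
        return "MEDIUM"
    return "HIGH"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat_id: str       # cross-reference to the threat profile entry (hypothetical IDs below)
    asset: str
    security_goal: str
    likelihood: dict     # LIKELIHOOD_FACTORS -> 0..9
    impact: dict         # IMPACT_FACTORS -> 0..9
    control: str         # proposed control action

    def likelihood_level(self) -> str:
        return level(average(self.likelihood, LIKELIHOOD_FACTORS))

    def impact_level(self) -> str:
        return level(average(self.impact, IMPACT_FACTORS))

    def overall(self) -> str:
        return OVERALL[(self.likelihood_level(), self.impact_level())]

    def row(self) -> dict:
        return {"id": self.risk_id, "threat": self.threat_id, "asset": self.asset,
                "goal": self.security_goal, "likelihood": self.likelihood_level(),
                "impact": self.impact_level(), "overall": self.overall(), "control": self.control}


def build_register(risks) -> list:
    """Register rows, most severe first, so minor risks cannot crowd out severe ones."""
    return sorted((r.row() for r in risks), key=lambda row: (RANK[row["overall"]], row["id"]))


# Constructed sample risks for illustration only.
SAMPLE_RISKS = [
    Risk("R-01", "T-01", "Tenant admin console", "Confidentiality of customer records",
         {"skill_level": 3, "motive": 9, "opportunity": 7, "size": 9,
          "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8},
         {"loss_of_confidentiality": 7, "loss_of_integrity": 7, "loss_of_availability": 5,
          "loss_of_accountability": 7, "financial_damage": 7, "reputation_damage": 5,
          "non_compliance": 7, "privacy_violation": 7},
         "Enforce MFA on the console and rate-limit failed logins"),
    Risk("R-02", "T-02", "Audit log store", "Accountability of privileged actions",
         {"skill_level": 5, "motive": 4, "opportunity": 4, "size": 6,
          "ease_of_discovery": 3, "ease_of_exploit": 3, "awareness": 4, "intrusion_detection": 3},
         {"loss_of_confidentiality": 2, "loss_of_integrity": 5, "loss_of_availability": 1,
          "loss_of_accountability": 7, "financial_damage": 1, "reputation_damage": 1,
          "non_compliance": 2, "privacy_violation": 3},
         "Forward audit records to an append-only store outside administrator control"),
    Risk("R-03", "T-03", "Public API gateway", "Availability of the tenant API",
         {"skill_level": 9, "motive": 5, "opportunity": 9, "size": 9,
          "ease_of_discovery": 5, "ease_of_exploit": 7, "awareness": 9, "intrusion_detection": 3},
         {"loss_of_confidentiality": 0, "loss_of_integrity": 0, "loss_of_availability": 5,
          "loss_of_accountability": 0, "financial_damage": 3, "reputation_damage": 3,
          "non_compliance": 0, "privacy_violation": 0},
         "Place the gateway behind upstream traffic scrubbing and per-tenant rate limits"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['id']} {row['overall']:9} L={row['likelihood']:6} I={row['impact']:6} "
              f"{row['asset']} -> {row['control']}")
```

R-03 shows why likelihood and impact are kept separate rather than summed: a flood that is very likely but costs little availability ranks MEDIUM, below the credential-theft risk that is both likely and damaging, which is exactly the ordering the register is meant to make visible.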