Wayne Boone
MANAGING MORE COMPLEX RISKS
Part of the value in taking a formal and deterministic risk management approach lies in the ability it gives security practitioners to put forward consistent and understandable recommendations to senior decision-makers regarding the management of risk, regardless of how complex, complicated, integrated, new, or diverse that risk is. Often, it may be a simple case of reiterating the regulatory or policy requirements for complying with relevant and appropriate best practices. This compliance, however, should not be interpreted as leading to effective or appropriate security in the larger sense, since compliance with baselines is the lowest form of protection; there will typically be peculiar threats and vulnerabilities that are not addressed adequately by general baselines. These are identified and assessed in a threat risk assessment (TRA), so additional safeguards would be based on that same TRA. This is the essence of threat-risk-based security. Baselines may provide overprotection in some cases, but in many more cases provide underprotection.
It is in analyzing the delta between what the baseline provides and what the assets actually require, and in proposing risk-based safeguards to close it, that the AP&S practitioner provides the real value added to a protection posture.
Compliance with baselines as a risk management approach is safe and defensible for security managers (“I was just following policy”), but it does not provide the value added, or expected, by accountable senior management. It may demonstrate “institutional” due care for assets, but in most cases not appropriate due care given the diverse threats and vulnerabilities in many systems and enterprises. While the line manager may escape scrutiny with this argument, the senior managers will not.
Although a rules-based compliance approach to AP&S addresses known and set questions and then applies predictable, sound, proven generic controls to address known and generic (if not current or emerging) threats and vulnerabilities, in many contexts* this approach would itself constitute a vulnerability because it introduces a gap in analysis. It does not allow for the identification and analysis of new missions, assets, threats, or vulnerabilities that can lead to risks. And since compliance-based safeguards are typically open-source industry best practices, they will be well known to an adversary, who can study and analyze them to determine the best threat vectors (routes to the asset), strategies for vulnerability exploitation, and specific targets of an asset in terms of AIC (availability, integrity, and confidentiality), for example destruction of a production line, a denial of service attack on a SCADA system, corruption of data through masquerading, or theft of company secrets. It also allows an attacker to engineer his or her way through the existing baseline safeguards, bearing in mind that attacks need not always be technical: social engineering may have a greater potential for success if only baselines are employed. Security awareness programs mandated by baseline are typically not current and not taken seriously, nor is it assured that all employees participate, because without a threat-risk-based approach there will be little new or captivating threat or vulnerability information to pique their interest. If it is relatively certain that a company has not implemented threat-risk-based safeguards above baselines, then that company increases its susceptibility to attack, since it is seen as a weak link.
* This is perhaps most prevalent in NCIs, with multiple ownership, operational responsibilities, distances involved, and complexity of architectures.
Complex risks may be described as those that feature the following:
• Emerging technology as the attack vector or as the target.
• Multiple and diverse threat sources, for example a physical, social engineering, and concurrent cyber attack, or a distributed denial of service attack.
• Extreme motivation and disregard for collateral damage on behalf of the threat agent, for example a terrorist, criminal, the deranged, state- sponsored actors, or the excessively greedy. These risks could result in extensive property damage, contamination,
• Multiple and diverse assets targeted, perhaps concurrently.
• Multiple offices or production facilities targeted, perhaps concurrently.
Complex risks require complex analysis by well-trained and capable AP&S analysts, preferably those who have the trust and authority of their senior management to conduct extensive, often intrusive, and normally time-consuming analysis. Complex risk analysis also typically requires extensive coordination and liaison among stakeholders at all levels; this will require authority from senior management to “sidestep” routine (and bureaucratically inefficient) chains of command or reporting relationships. Trust by senior management in the technical, operational, and corporate capability of the risk analysts is essential for complex risks to be addressed adequately.
Both AP&S practitioners and line managers can collaborate and actually break the chain of events that lead up to complex risks.
Consider a basic cyber attack on a discrete (unconnected) computer network such as a traditional SCADA system. This attack may be broken down into a series of steps, much like the processes used by the organization’s own operations, and might include the following mental analysis on the part of the adversary:
• I must be able to identify where the system is housed and gain some level of access to it.
• I must determine if the assets that I want or those that I want to impact are actually there, and if the attack will meet my objectives.
• I must confirm the level of protection that is afforded those assets and if that level of protection changes with time or other factors.
• I must be able to pass through the perimeter controls, typically comprising a fence and a guard post, perhaps with some closed circuit video equipment.
• I must be able to get into the building, hopefully without alerting anyone.
• I must be able to get past the receptionist (perhaps using social engineering).
• I must be able to gain access to the restricted area in such a way that I remain undetected for 15 minutes, which I estimate is required to launch the attack.
• I must be able to turn on one of the workstations.
• I must be able to use my cracking tools on the workstation to escalate my privileges and gain access to the files that I want to steal or corrupt, or to the operating systems or applications that I want to infect or change.
• I must be able to locate the files.
• I must be able to copy the files without being detected, or at least with a 10-minute head start before a response is made, so that I can escape.
• I must be able to leave the restricted area with my USB key without being detained.
• I must be able to leave the facility.
• I must be able to transfer the files from the USB key onto my own computer.
• I must be able to break through any encryption placed on it.
• I must be able to exploit this information for my own purposes.
In thinking like an adversary and decomposing an attack into individual threat vectors, the AP&S risk analyst can isolate:
• The business processes that could be affected
• Intermediate or final assets targeted
• Types of complementary or contributing threats that could be brought to bear
• Different vulnerabilities that may be exploited in isolation, concurrently, or in succession to bring the attacker closer to the targeted assets
This case study is not intended to be an in-depth coverage of safeguards, but rather an illustration of how risk management processes can be effective if utilized by capable practitioners in a deterministic manner. From this decomposition there emerge several points along the threat vector where the attack can be disrupted. For example, the attacker may have to pass through physical access control points at various stages of a layered defense that would prevent him or her from ever reaching the computer terminal. Similarly, even if the adversary makes it to the terminal, the USB ports can be disabled as part of workstation hardening to prevent the use of removable media. The terminal might also be protected by technical controls such as strong identification and authentication procedures that do not allow a terminal to operate unless the username and a complex, routinely changed password are entered. There may be a program of random searches of persons leaving the area to prevent the unauthorized removal of media. And the list goes on. Once the analyst fully understands how the attack is likely to take place given the nature of the threat, the next step is reducing vulnerabilities through the manipulation of means, opportunity, and motive or intent for the threat agent to act. The organization may also seek to manipulate the adversary’s perception of the asset value through implementing stringent safeguards, for example requiring highly sensitive documents to be stored onsite only on hard media, copied to prevent destruction, and stored offsite in secure locations after being strongly encrypted and requiring special software to open. By manipulating the values of assets, threats, and vulnerabilities, risk analysts can either break the attack chain or reduce the impacts associated with an attack to acceptable levels.
This decomposition approach for complex risks also allows for a degree of efficiency to be realized. By comparing various threat models and vectors, analysts can identify overlaps that could allow the organization to apply a single safeguard that mitigates a number of different threat vectors. Some care must be taken to ensure that there is an appropriate balance of redundancy and resiliency (key elements in establishing layers of defense) in the security controls, on the one hand, and efficiency and minimization of inconvenience, on the other hand. In essence, the security practitioner must be able to work across the various communities in his or her organization to balance not only an appropriate number and type of controls but also an appropriate level of operational impact within the organization.
What is important is that doing nothing is not a preferred option when the mission is important and when valued assets are involved. Regardless of whether the threat is natural, deliberate, or accidental, action is preferred. This also applies to deterioration as a threat. Monitoring of deterioration of a facility or infrastructure and assessment of its extent drives one of three management decisions: do nothing, rehabilitate, or replace (Morcous, Lounis, and Mirza, 2003). Maintaining current inventories, infrastructure condition databases, and maintenance data, along with trained inspectors following inspection intervals consistent with projected deterioration rates, are essential to addressing deterioration. These can all be considered programmatic activities, and are indicative of the components of an effective risk management program.
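The decomposition of the SCADA attack above, and the search for overlaps among threat vectors just described, can both be made mechanical. The following is an added example, not code from the chapter or its author: it encodes the adversary’s step list as an ordered attack chain, maps each candidate safeguard to the steps it disrupts, and then computes how many chains a single safeguard breaks, the smallest sets of safeguards that break every chain, how far along a vector the adversary gets before being stopped, and which chains are left relying on too few independent layers. The step names, safeguard names, and the second (insider) chain are illustrative assumptions constructed for the example, not drawn from the text.

```python
"""Attack-chain decomposition and safeguard overlap analysis.

Added example, not code from the chapter. It models the discrete-SCADA
intrusion the text decomposes as an ordered chain of attacker steps, maps
candidate safeguards to the steps they disrupt, then finds which safeguards
break more than one vector (the efficiency the text describes) and which
vectors are left with too few independent layers (the resiliency check).
All step names, safeguard names, and the insider chain are constructed
for illustration.
"""
from itertools import combinations

# Attack vectors as ordered attacker steps. The outsider chain follows the
# text's list; the insider chain is constructed: an employee with legitimate
# restricted-area access, so the physical-entry steps simply do not appear.
CHAINS = {
    "outsider_usb_theft": [
        "locate_facility", "confirm_assets_present", "assess_protection",
        "pass_perimeter", "enter_building", "pass_reception",
        "enter_restricted_area", "power_on_workstation", "escalate_privileges",
        "locate_files", "exfiltrate_to_usb", "leave_restricted_area",
        "leave_facility", "decrypt_files",
    ],
    "insider_sabotage": [
        "escalate_privileges", "locate_files", "corrupt_files",
    ],
}

# Safeguard -> steps it disrupts. Constructed mapping mirroring the disruption
# points the text names (layered physical access control, USB port
# disablement, strong authentication, random searches, encryption at rest).
SAFEGUARDS = {
    "perimeter_fence_and_guard": {"pass_perimeter"},
    "visitor_escort_policy": {"pass_reception"},
    "restricted_area_badge_reader": {"enter_restricted_area"},
    "workstation_auth_and_least_privilege": {"power_on_workstation", "escalate_privileges"},
    "usb_ports_disabled": {"exfiltrate_to_usb"},
    "random_exit_searches": {"leave_restricted_area", "leave_facility"},
    "file_encryption_at_rest": {"decrypt_files"},
    "file_integrity_monitoring": {"corrupt_files"},
}


def layers(chain, applied):
    """Applied safeguards that each, on their own, disrupt some step of the chain.
    Each is an independent layer the attacker must defeat."""
    return [name for name in applied if any(step in SAFEGUARDS[name] for step in chain)]


def first_break_point(chain, applied):
    """Earliest step in the chain disrupted by an applied safeguard, or None.
    Shows how far along the vector the adversary gets before being stopped."""
    covered = set().union(*(SAFEGUARDS[name] for name in applied))
    return next((step for step in chain if step in covered), None)


def overlap(safeguard, chains=CHAINS):
    """Number of chains a single safeguard breaks: the overlap the text describes."""
    return sum(1 for chain in chains.values() if layers(chain, [safeguard]))


def minimal_covering_sets(chains=CHAINS, candidates=SAFEGUARDS):
    """All smallest combinations of candidate safeguards that break every chain.
    Exhaustive search is fine for a handful of safeguards."""
    names = sorted(candidates)
    for size in range(1, len(names) + 1):
        found = [list(combo) for combo in combinations(names, size)
                 if all(layers(chain, combo) for chain in chains.values())]
        if found:
            return found
    return []


def thin_chains(applied, min_layers, chains=CHAINS):
    """Names of chains defended by fewer than min_layers independent safeguards:
    the resiliency check that balances the efficiency of a covering set."""
    return [name for name, chain in chains.items()
            if len(layers(chain, applied)) < min_layers]


if __name__ == "__main__":
    for sg in SAFEGUARDS:
        print(f"{sg:40s} breaks {overlap(sg)} of {len(CHAINS)} chains")
    print("minimal covering sets:", minimal_covering_sets())
    print("outsider stopped at:",
          first_break_point(CHAINS["outsider_usb_theft"], list(SAFEGUARDS)))
    print("chains with fewer than 3 layers:", thin_chains(list(SAFEGUARDS), 3))
```

With these constructed inputs, the only single safeguard that breaks both vectors is the one covering privilege escalation, which is where the two chains overlap; that is the efficiency the text describes. The thin-chain check then shows the insider vector relying on only two independent layers even when every safeguard is applied, which is the kind of imbalance between efficiency and resiliency the practitioner must weigh before settling on a control set.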