Risk management is a systematic approach to determine appropriate corporate security measures. How to
address security, where to address security, and the type and strength of security controls requires considerable thought.
Before the proliferation of computer networks, confidential data was kept under lock and key, and people were trusted to keep confidential documents in a safe place. In extremely secure environments of the past, such as where classified work for the Department of Defense (DoD) was carried out, your briefcase, purse, and so on were inspected every night on the way out the door. You could not leave the building with any magnetic media or classified computer printouts (the printers attached to secured machines used specially colored paper).
In today's environments, all those physical security checks are made obsolete by the computer network. Why try to smuggle a magnetic tape out of the building when you can encrypt it
and send it out in e-mail? Computer networks have created an environment in which data can
be accessed, moved, or destroyed electronically if there are no electronic lock-and-key mechanisms in place to safeguard the corporation's secrets. New avenues of risk are created and must be managed.
Risk Assessment
Risk assessment is a combination of identifying critical assets, placing a value on the asset,
and determining the likelihood of security breaches. When the critical resources have been identified and the likelihood and costs associated with the compromise, destruction, or unavailability of these critical resources have been assessed, a decision can be made as to what level of risk is acceptable to the company. The result of the risk assessment is unique to the organization because it depends on the business needs, trustworthiness of its users, and the location of critical assets.
Identify Network Assets
It is impossible to know who might be an organization's potential enemy. A better approach is for the organization to know itself. Companies must understand what they want to protect, what access is needed to those assets, and how these considerations work together. Companies should be more concerned about their assets and their associated value than about an attacker's motivation.
The corporation must identify the things that require protection. Table 5-1 lists some possible network assets to take into consideration.
Table 5-1: Network Assets
Hardware Workstations, personal computers, printers, routers, switches, modems, terminal servers, and firewalls
Software Source programs, object programs, utilities, diagnostic programs, operating systems, and communication programs
Data Data stored online and archived offline, backups, audit logs, databases, and data in transit over communication media
People Users, administrators, and hardware maintainers
Documentation Software programs, internal hardware and software evaluations, systems, and local administrative procedures
The inventory of the corporation's assets should be conducted globally to ensure consistent handling and evaluation of corporate assets.
Value of Assets
Placing values on corporate assets can be a very subjective process. For intangible assets---usually some form of software, data, or documentation---it can be useful to represent the value in terms of importance or criticality. In this way, the relative loss of the asset becomes more important than placing a "correct" value on it. The value of tangible assets can be based on replacement value and, as in the case of
intangible assets, the immediate impact of the loss and the consequences of a loss.
The replacement value can encompass the monetary cost of purchasing security hardware (such as firewalls and encrypting devices) and software (such as one-time password generators and audit tools) and the cost of retraining security personnel. For data loss, the immediate impact caused by inaccessible or corrupt data may be a missed presentation deadline that consequently results in the account being lost. Estimating the worth of data can be difficult in some situations---especially when an established research environment has to evolve to meet changing business needs. Business needs may place a higher value on some data because of its potential patent royalty or other monetary gains. Classifying data according to varying levels of criticality can be a preliminary step in establishing its value. A simple rating system of
high, medium, and low can be the starting point for evaluating the relative criticality of data. The data can
take many forms, including the following:
Administrative data. Correspondence and such information as property records and personnel
information that is generally available to the public. ●
Financial data. Budgeting and expenditure information relating to corporate operations.
●
Client data. Information relating to the client that is of a personal nature, or information developed
as a result of tests, observations, or counseling. ●
Research data. Information resulting from, or used to support, any corporate research activity.
Proprietary data. Information that cannot be released to the public without the permission of the
owner. ●
Table 5-2 shows an example of how you can classify different types of data and apply a criticality rating.
Table 5-2: Data Classification
Type of Data Classification Criticality
Clinical trial result Research High
Market trends Research Low
Pending patents Proprietary High Corporate memos Administrative Low Employee locator file Administrative Low New product features Proprietary Medium
Trade secrets Proprietary High
Acquisition data Financial High
Employee salaries Financial Medium
Note Some data is more critical because of its time sensitivity. For example, impending patent data and
new product data are highly sensitive either until the patent is applied for, or until the product is announced.
When the assets have been identified and valued, it is time to start looking at the likelihood of security breaches.
Threats and Vulnerability
After you have identified the network assets, you have to determine the possible threats to the assets and the likelihood that the asset is vulnerable to a given threat. A threat can be any person, object, or event that, if realized, can potentially cause damage to the network or networked device. Threats can be
a calculation or the accidental deletion of a file).
A vulnerability is a weakness in a network that can be exploited by a threat. For example, unauthorized access (the threat) to the network can occur by an outsider guessing an obvious password. The
vulnerability exploited is the poor password choice made by a user. Reducing or eliminating the
vulnerable aspects of the network can reduce or eliminate the risk of threats to the network. For example, a tool that can help users choose robust passwords may reduce the chance that users will select poor passwords and, thus, reduce the threat of unauthorized network access.
The threats, as discussed in Chapter 4, "Threats in an Enterprise Network," are usually in the following forms:
Eavesdropping and information theft ●
Disabling access to network resources (DoS attacks) ●
Unauthorized access to resources ●
Data manipulation ●
If these threats are realized and networking devices or data is compromised, what are the immediate impacts and further consequences? Will it result in embarrassment or bankruptcy? The greater the possibility of bankruptcy, the more stringent the security measures should be.
Let's take a look at some corporate impacts and consequences in the event of data compromise, loss of data integrity, and unavailability of networked resources.
Data Compromise
Any information stored or transferred electronically can potentially be stolen. Data can be stolen if an intruder has unauthorized access to a system or can eavesdrop on confidential data exchanges.
Depending on the type of information disclosed, the results can range from inconsequential to
catastrophic. In financial institutions, monetary transactions can cause great loss to the institution itself or to customers who may represent loss of revenue if they take their business elsewhere.
You should create a priority list of the information that is most valuable to the corporation. Data
pertaining to customer accounts, personnel data, and data related to finances is almost always extremely sensitive and, therefore, valuable. The security policy should reflect where different classes of sensitive data are stored, how the data is stored, and who has access to the different classes of data.
Loss of Data Integrity
Loss of data integrity can be extremely costly to many corporations. Loss of integrity can result in
negative press and, therefore, loss of reputation---which translates into loss of customers and revenue. An obvious example is in the financial environment: A bank or other financial institution has a large
probability of bankruptcy if any account data were ever publicly known to be compromised. The public would be hard-pressed to place trust in that institution to reliably handle its financial business.
In addition to the losses incurred from a negative reputation, the costs are extremely high to investigate and restore the compromised data. The data has to be restored from a backup, if a backup exists, and an investigation must be performed to determine if, when, and how the data was compromised. The hours of work required to analyze and restore any compromised data can be quite numerous.
When determining possible security risks, the corporation should take into account all the ways that integrity can be compromised. Data integrity goes right to the heart of your operation:
How you perform backups ●
Where you store the backups ●
How you physically secure live data ●
Who has physical access to the media that contains your data ●
Insurance underwriters, for example, confirm that four out of five companies that lose files in a fire go out of business because they cannot recover from the loss. Because so many businesses are now running with all their "actual" data on magnetic media, imagine what someone could do to your business simply by noting that you don't make regular backups and that you leave your computers out in the open where he/she can crash your disks? The security policy should clearly state how to best preserve data integrity for its valuable assets.
Unavailability of Resources
When networked resources become unavailable, the resulting business losses can be catastrophic. In today's environment in which businesses rely more and more on business transactions over computer networks; if critical systems are inaccessible, losses can be tallied in the millions of dollars.
Businesses must estimate the costs of possible system downtime caused by equipment failure, acts of nature (such as flooding, fire, and lightning), or some DoS attack. Network resources can become unavailable because of system upgrades that introduced new software bugs, faulty configurations, or inadequate capacity planning. This area is closely coupled with system reliability and redundancy, which is why a security policy should be established while the network is being designed.
Evaluating Risk
For all possible threats, you must evaluate the risk. Many methodologies are available to measure risk. The common approaches are to define risk in quantitative terms, qualitative terms, or a combination of both. Quantitative risk evaluation uses empirical data and known probabilities and statistics. Qualitative risk analysis uses an intuitive assessment. Regardless
of the mechanism you use, the important aspect is that how you quantify the loss and the likelihood of the loss occurring should be consistent and meaningful to the people who make the decisions about how to guard against the risks.
Note Automatic risk analysis tools are available in many sophisticated spreadsheet software packages.
However, because of a lack of standards in how to perform risk analysis, the manner in which most losses and the likelihood of the losses are quantified and are represented should be clearly understood. If the methodology is fully understood and acceptable, an automatic risk analysis tool may be an adequate solution for evaluating risk.
Figure 5-1 shows a simple example of calculating risk by using the relative likelihood that the threat can occur and the value of the expected incurred loss.
Figure 5-1: A Simple Risk Calculation
A more specific example (taken from an existing LAN administration guide used at The National Institutes of Health) is given in Table 5-3. This table tries to determine: how critical security
considerations are for different LANs using a combination of network importance, the probability of a harmful occurrence, and the probability that a degradation of LAN performance will occur after the harmful occurrence is in effect.
Table 5-3: Relative Risk Calculation for LANs
LAN A1 I1 C1 NI2 PO3 PD4 RR5
Admin 2 3 1 6 Very Low 0.1 Low 0.3 3.8
Eng 2 3 2 8 Moderate 0.5 Moderate 0.5 2.0
Finance 2 3 3 18 Low 0.3 Low 0.3 8.8
1A = Availability, I = Integrity, and C = Confidentiality
2NI = Network Importance. NI is the value of A multiplied by the value of I multiplied by the value
of C.
3PO= Prevent an Occurence. PO is determined by considering the number of users, previous
accreditation, frequency of backups, and compliance with mandatory safeguards requirements.
4PD = Prevent Degradation. The capability to PD of A, I, and C for a LAN in the event of a harmful
occurrence is determined using the relative need to protect the LAN's availability, integrity, and confidentiality with regard to the sensitivity of data and the criticality of the data-processing capability.
5RR = Relative Risk. RR equals NI multiplied by (1-PO) multiplied by (1-PD).
Establishing network importance is significant to managers because doing so facilitates the allocation of resources (to implement additional security services) to protect the assets that are part of the LAN. In terms of potential vulnerability, the more important a network is to a corporation, the greater the percentage of available resources that should be devoted to its protection.
Network importance is a term used to describe the relative importance of a LAN with regard to other
RR = NI * [(1-PO) * (1-PD)]
In this expression, NI is network importance, (1-PO) is proportional to the probability of a harmful occurrence, and (1-PD) is proportional to the probability that a degradation in LAN performance will result after an occurrence has been initiated.
The importance of the RR calculation is that it provides management with the information required to rank the risk associated with the various corporate networks relative to one another. This ranking of network importance can facilitate the allocation of resources for the implementation of additional safeguards.
In Table 5-3, the left column identifies the evaluated LANs. The next three columns record the ratings for availability, integrity, and confidentiality. The NI column is completed by multiplying the values in the previous three columns. This number establishes the relative importance of each LAN based on the need to protect the LAN. The numbers recorded under both the PO and PD columns are determined using those qualitative ratings (very low, low, moderate, high, very high) and the following scale:
very low 0.1 low 0.3 moderate 0.5 high 0.7 very high 0.9
The RR column is calculated using the following equation: RR = NI * [(1-PO) * (1-PD)]
It should be noted that the magnitude of the difference in RR between the various LANs is not important. What is important is the relative value. The number reflected in the right column of Table 5-3 represents relative risk such that the higher the number, the greater the relative risk. Thus, the LAN with the highest number represents the greatest relative risk to the corporation.
For the LANs listed in Table 5-3, the financial LAN has the most risk and the engineering LAN has the least risk. Under normal circumstances, the higher the position of the LAN on the relative scale, the higher its priority should be for allocation of protection resources to implement additional safeguards. In some cases, however, resources are not available to implement all the needed upgrades. So, a balance must be achieved in which the resources available are applied to achieve the greatest risk reduction.
Risk Mitigation and the Cost of Security
When all the risks have been assessed, the corporation must determine how much risk it is willing to accept and to what degree the assets should be protected. Risk mitigation is the process of selecting appropriate controls to reduce risk to an acceptable level. The level of acceptable risk is determined by comparing the risk of security hole exposure to the cost of implementing and enforcing the security policy. If some threats are highly unlikely, it may not be worth the cost of creating a tight security policy to protect the assets. A good rule to follow is to assess the cost of certain losses and not to spend more to
protect something than it is actually worth.
To develop an acceptable security policy, you must consider a number of costs to ensure that the policy is enforceable. There are performance costs to be considered because both encryption and decryption take time and processing power. An offhand decision to encrypt all traffic may result in severely degraded performance everywhere; that policy may have to be reevaluated. There are also opportunity costs to be considered. What are the lost opportunities if your company moves more slowly than the competition because of hampered communication and the increased overhead that security
procedures---not to mention security audits---impose?
The costs of implementing and managing security procedures must be weighed against the cost of potential benefits. It must be understood that security measures do not make it impossible for an
unauthorized user to access information and perform unauthorized tasks to a network computer system; security measures can only make it harder for unauthorized access to occur. A very simplistic example is that of packet filters. Even if the corporation simply implemented packet filters to accept outside data traffic from specified networks, the intruder must first find out which IP network addresses were accepted before attempting to gain access to the internal corporate network through those addresses. Perhaps, this may not be very difficult, but it can be a deterrent to some random, bored intruders looking for something to do in their spare time.
A more sophisticated example is that of trying to crack encrypted traffic. Even a weak algorithm and a short key can stop some attackers from gaining access to valued information. A stronger algorithm and a longer key takes more sophisticated machines and more time to break. The point is to slow down the attack and increase the cost of the attack until it becomes too expensive to be worthwhile for the intruder. Need-to-Know Policy
Consider the costs associated with the need-to-know policy that are common in the military and defense industries. In these cases, you are given only the information required to accomplish your job. You don't get to see the "big picture" unless you are a project leader or a higher-level manager in the company working on the project in question.
Highly secret facts, issues, and details are compartmentalized so that the left hand literally doesn't know what the right hand is doing. Although this level of classification and compart-mentalization certainly increases security, it also results in some huge cost overruns on projects: Consider the situation in which one engineer finally sees his design mated with the results of another engineer, and they both realize that a little communication two years ago would have eliminated some obvious incompatibilities and resulted