101: Risk Management Basics – Risk Response Options

Risk management is the process of identifying, analyzing, prioritizing and responding to risks. There are five standard risk response options:

Avoidance

Risk may be avoided by eliminating the cause of the risk, such as eliminating business processes or shutting down systems that can’t be secured. Avoidance is used when organizations are unwilling to accept, transfer, mitigate, or deter the risk. While certainly the most effective way of reducing risk, it is not always practical.

Transference

The burden of risk (i.e., the loss) can be transferred to another entity. Most often, this is done by purchasing insurance, but outsourcing can also be a way of transferring risk. When outsourcing, it is important to remember that you can transfer the burden of risk, but not legal responsibility. Transference is sometimes referred to as risk sharing.

Examples of IT-Related Insurance:

  • Computer Crime – covers loss of property, including monetary and intellectual property incurred due to computer crime.
  • Software Design Errors and Omissions – professional liability coverage covering loss due to design errors.
  • Property – covers loss of property (i.e., buildings and contents, including computing equipment) due to theft, fire, or other covered events.

Acceptance

Prior to acceptance of the risk, the organization must acknowledge and understand the impact (i.e., consequences). This may be the appropriate response when the cost of mitigation is greater than the loss incurred. Each organization has a level of risk it is willing to accept, referred to as risk appetite or risk tolerance. It is important to note that some risks cannot be accepted due to law or regulation (e.g., HIPAA, GLBA, FISMA).

Risk response options other than avoidance usually result in some risk remaining. The organization is typically forced to accept this residual risk.

Mitigation

Risk mitigation involves applying controls that limits impact (consequences) or reduces likelihood. Examples include applying security patches and hotfixes and installing/updating anti-malware software. Risk analysis must be performed to ensure that the cost of the mitigation does not exceed the impact from loss.

Deterrence

Risk can be deterred by applying controls that discourage threats from occurring. Examples of controls include security policies and procedures, physical security controls and accountability controls such as individual user accounts and audit logs.

Both deterrent and mitigation techniques are needed to reduce overall risk.

101: Threat Assessment vs Vulnerability Assessment

Threat assessments and vulnerability assessments are both integral parts of the risk assessment process. Together, they are used to prioritize targets based on the greatest risk, so the organization will know where to focus its efforts with regard to security controls and risk mitigation.

Threat Assessments

A threat assessment consists of a threat definition and a subsequent analysis. Threat definition is basically a three-step process.

Step 1: Identify Adversaries

Adversaries are generally characterized into categories such as insiders, outsiders or outsiders with the assistance of insiders

Within each category, adversaries can be further broken down into classes such as terrorists, criminals, activists, and hackers (outsiders). If individual adversaries have been identified, these should be included as well.

Step 2: Characterize the Adversaries

Characterization involves identifying the motivations, goals, tactics and capabilities of adversaries. This information can be gathered from intelligence sources including past incidents, crime studies, government reports, and other published literature.

Step 3: Evaluate Targets from the Perspective of the Adversary

Targets, such as assets, are then evaluated from the perspective of the adversary in order to determine the likelihood and possible actions (e.g., theft, sabotage, collusion) that could be taken. After the threats are defined, they can then be analyzed in order to determine the likelihood and impact of adversary actions against particular targets.

Vulnerability Assessments

A vulnerability assessment uses information from the threat assessment, so it cannot be conducted until the threat assessment has been completed. A vulnerability assessment is also a three step process:

Step 1: Identify and evaluate the potential actions of an adversary against a target

Scenarios can be used in order to describe the potential actions that can be taken against a facility or individual targets within the facility, or assets can simply be listed and evaluated.

Step 2: Identify and evaluate the existing security measures

Each security control applied to a target should be identified and evaluated for effectiveness. This can be a daunting task for the first assessment.

Step 3: Identify and analyze the potential vulnerabilities discovered in steps 1 and 2

Worksheets play a major role in vulnerability assessments. Items on the worksheet are rated from Very Low (1) to Very High (5) in order to perform a more quantitative analysis on the data. Rated items include the severity of the consequences, the threat level, the attractiveness of the asset, and the severity of the vulnerability. New countermeasures can be recommended at this point, based on the vulnerabilities discovered in step 3.

101: Types of Security Controls

Risk can be mitigated or deterred by the application of security controls. Security controls can generally be categorized as technical, management or operational.

Technical Controls
Technical controls are designed to secure networks, IT systems and data. Examples include:

  • Security software
  • Logical security controls
  • System architecture
  • Perimeter controls
  • Security appliances

Management Controls
These are high-level guidelines, standards and policies that align with the organization’s goals and provide a framework for operational procedures.

Operational Controls
These documented processes and procedures are used to reduce vulnerabilities in business functions. They are based on management controls and designed using technical controls.

101: The Human Factor in Security

History teaches us that men and nations behave wisely once they have exhausted all other alternatives. – Abba Eban

Information security controls that rely on technology alone are doomed to fail.

A system could require 14-character complex passwords that change every 30 days with a 30 minute lockout after 3 failed attempts; however, the user who writes his or her password on a post-it note and sticks it to the bottom of the keyboard has just potentially compromised the system. Information security controls design must involve people (the human factor) as well as technology in order to be truly effective. No technological method can stop someone from writing a password on a post-it, but effective education and policy can. (Not to mention a less draconian password policy, but that is something for another post.)

Sometimes people will do truly foolish things out of ignorance or in an effort to be helpful, which is why social engineering is so effective.

The following case illustrates how simple it is for human nature to compromise security.

In 2006, Secure Network Technologies (SNT) did security testing on a credit union that included some social engineering aspects. They put a Trojan horse on 20 random vendor-branded USB drives (the kind you get as giveaways at trade shows). The Trojan was designed to collect login and password information and email that information back to SNT. They left these USB drives in both internal and external locations, including the parking lot. Employees were observed to pick up the drives, take them into the facility and plug them into their computers. SNT was able to use the information collected from the Trojan to compromise other systems. (Read the article at darkREADING.)

After more than 15 years in Information Technology, I can tell you that no one should be surprised that a scheme like this was successful. It doesn’t matter if people were collecting and looking at the drives because they were curious, thought they had gotten free stuff, or were trying to find out whose drive it was so that it could be returned. All those motives, both good and bad, led to compromised systems the moment the drives were plugged into work computers.

But what could the credit union have done to prevent this, you ask?

There are two basic ways to attempt to defeat this specific type of attack. The first method involves turning off the USB ports on the computer; however, this is not the ideal method as it would mean users might not be able to effectively use PDAs or other necessary equipment without administrator assistance. The second method is preferred and involves a combination of policy and education.

The credit union should have had a policy that no personal or unapproved devices (including usb drives, cds, floppy disks, iPods, etc.) should be connected to bank equipment. The policy would then be communicated to all employees, along with basic education on why the policy exists. In addition, there must be repercussions for any incidents that involve security breaches due to an employee not adhering to the policy.

101: Social Engineering

Social engineering can be described as psychological hacking, through which attackers can gain information or unauthorized access by manipulating people. For example:

  • Impersonation is widely used, either by phone or in person. The attacker could pretend to be a repairman to gain access to a facility or the attacker could pretend to be an employee that has forgotten his password and in order to get the IT Help Desk to reset the account to a password the attacker knows. It should be noted that not all social engineering is low-tech.
  • Social engineers make use of phishing emails and trojan horses in order to gain personal information and/or login credentials. The psychological part of these technological attacks involves getting people to install the software or follow the instructions in the email.

Social engineering works because human nature is predictable.

  • People want to be helpful, so they give out too much information.
  • People are lazy or busy, so they do not take the time to thoroughly verify identification.
  • People are focused on what they are doing, so they do not notice someone tailgating them into a building.
  • People are afraid of getting in trouble, so they give information they should not to someone who appears to be in charge.

Because social engineering uses highly-successful psychological techniques, it is difficult to guard against. The most successful security measures that a company can take are creating security policies that take social engineering into account and educating all employees about both the policies and social engineering.

Security policies need to be tailored towards the individual company; however, there are some basic universal countermeasures that can be adopted.

  1. Sensitive information must never be provided to anyone whose identity is not verified.
  2. Passwords or other credentials must never be reset/reissued unless the employee can prove his or her identity.
  3. Anti-malware software must be installed on all computers to help prevent technologically-based social engineering attacks.
  4. Incident management procedures must be clearly documented so that security personnel can react appropriately if there is a successful or unsuccessful attack.
  5. Policies must very clearly state that employees are never to give their credentials (e.g., password, smart card, ID badge) to anyone for any reason.

Once the policies are in place, employees must be educated about the policies and the reasons behind them. They must also have clear instructions for reporting suspicious behavior or events. This training should be conducted regularly, to help keep employees alert and up to date on new procedures.