Relational Security Assessment Model: Risks

The Relational Security Assessment Model is composed of several components. Every component is related to a series of other components that all work together to derive a level of risk and a degree of control. While the structure is universal, all components of this process can and should be modified to fit the specifics of the organization being assessed. The basic components of a Relational Security Risk Assessment are:

  • Risk levels

  • Risk factors

Risk Levels

A risk level is the degree of risk an object represents within an environment. A different set of risk levels could be defined for each organization performing an assessment. The goal of a risk level is to qualify and quantify, on an enterprise-wide scale, a weighted risk value for each object. Table 8.4 shows a common set of risk levels:

Table 8.4. Sample Risk Levels

Risk Level | Description
-----------|------------
None       | This object and its services are inconsequential to the environment. If the object was compromised or disabled without warning, there would be no noticeable effects.
Low        | This object plays some minor role within the environment. If the object was compromised or disabled without warning, there would be minimal effects to the organization.
Medium     | This object plays a significant role within the environment. If the object was compromised or disabled without warning, there would be noticeable effects on the organization.
High       | This object plays a very important role within the environment. If the object was compromised or disabled without warning, the effects would be quite harmful to the organization.
Extreme    | This object is essential to the continued operation of the organization. If the object was compromised or disabled without warning, there could be disastrous effects on the organization.

Important Tips for Defining Risk Levels

  • Risk levels should remain universal to the entire organization.

  • Risk levels should be quantified with some sample data, such as cost or recovery.

  • Only a handful of risk levels should be defined, ideally no more than six.

Within each organization, the interpretation of each level will be somewhat different. Therefore, it is useful to associate some form of real-world data to each risk level. For example, consider the data in Table 8.5.

Table 8.5. Sample Real-World Data for Risk Levels

Risk Level | Company X | Company Y
-----------|-----------|----------
Medium     | Cost up to $3,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 5-10 customers or a partnership | Cost up to $50,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 100-200 customers
Extreme    | Cost up to $10,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 30-50 customers or a partnership | Cost over $500,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 500-1,000 customers or several partnerships

Risk Factors

It would be a bad practice to simply take each risk level and assign it to a different object without any other consideration. During the audit process, it is necessary to talk to end-users, managers, and other employees, polling their insight into the risk of each object. This is similar to the qualitative process, only much simpler, more consistent, and more efficient.

Since risk levels require a high level of understanding, we cannot simply ask individuals, "Is this system high-, medium-, or low-risk?" Doing so would make our results greatly skewed by their opinions, rendering our assessment useless. As such, it is important to interview individuals using basic facts, rather than universal risk levels.

A risk factor is an individual detail about an object in relation to an organization. Each factor has a related risk level that correlates the specific detail to the more universal levels we just developed. Most objects will have several risk factors associated with them.

The goal of defining risk factors is to introduce a method by which we can derive the risk level of any given object through a series of simple facts, not opinions. Rather than asking an administrator to say, "Choose a level of risk for the object," we will present that individual with a group of factors to choose from. Based on the chosen factors, we will then derive the higher risk level.

Table 8.6 contains some example risk factors:

Table 8.6. Example Risk Factors

Example Risk Factor | Factor Value | Risk Level
--------------------|--------------|-----------
If this object was unavailable for a day, how much employee downtime could result? | 0-5 hours | None
 | 6-10 hours | Low
 | 11-20 hours | Medium
 | 21-35 hours | High
 | 36+ hours | Extreme
How many customers use the object in a day (if this object was unavailable for a day, how many customers could be affected)? | 0-10 | None
 | 11-30 | Low
 | 31-50 | Medium
 | 51-100 | High
 | 100+ | Extreme
Are there any legal, contractual, or social obligations to maintain high availability? | No | None
 | Yes | High

Of course, the more variations of risk factors we consider, the more accurate our assessment of the object will be. Organizations will need to determine their own risk factors as related to their defined levels of risk. Table 8.7 contains some other common types of risk factors to consider.

Table 8.7. Common Types of Risk Factors

Example Risk Factor Type | Considerations in Scoring
-------------------------|--------------------------
What would be the effect if the object were defaced or vandalized? | Take into consideration the effects of vandalism on the object's front end, if it has one. This is of great importance to any Web server visible to clients, partners, and employees.
What would be the effect if the object's data were erased, corrupted, or modified? | Think about the need, use, and general value of the data on the system. If all data was lost forever, would it have a severe impact on the organization?
What would be the effect if the object's data was stolen? | Consider the effect on the organization if this information was stolen. Does this device relate at all to sensitive financial records, strategic business information, employee records, or any other sensitive information? Are there any legal, contractual, or social obligations for protecting this data? Think of the effects if the data was stolen. Could the company be sued? Are you storing protected health information or customer credit cards on this system?
What is the position of this object within the environment? | Is this system accessible by more than one zone? If so, would it be possible for someone breaking into this system to use it to attack other systems in a more sensitive zone?

Tips for Creating Risk Factors

Here are some general tips for considering risk factors within your own environment:

  • Try to form each risk factor into a simple, non-subjective statement. Remove opinion from the process as much as possible.

  • Cover a good range of topics. Choose a wide variety of risk factors, covering the key events that could affect your environment.

  • Continually refer to the bigger picture. Put some thought into each risk factor and how it relates to the bigger picture. Make sure each risk factor corresponds to the appropriate risk level.

  • Be sure to compare different risk factors to each other. Since each risk factor correlates to a universal risk level, factors with similar levels should make sense. Is losing 40 employee hours (critical) really as important as affecting 60 customers (also critical)?

Deriving Risk Levels from Risk Factors

By using risk factors, it now becomes very easy to assign a consistent and objective risk value to anything within the organization (see Table 8.8). For any given object, begin by choosing all the risk factors that relate to it. Once all related risk factors have been determined, it is simply a matter of choosing the highest risk level of all the related factors. The factor with the highest level of risk represents the greatest level of risk that an object poses to the environment. A system that results in no hours of employee downtime (none) but affects 101 customers (critical) is a critical risk just the same as a router that causes 50 hours of downtime (critical) but affects only 5 customers (none).

Table 8.8. Determining Risk Level

Object | Risk Factor | Overall Risk to Organization
-------|-------------|-----------------------------
Server X | Would cause 10 hours of employee downtime (low) | Critical
 | Could affect 200 customers (critical) |
WAN Link Y | Would cause 30 hours of employee downtime (high) | High
 | Would not affect any customers (none) |
Application Z | Could cause 10 hours of employee downtime (low) | Medium
 | Could affect 40 customers (medium) |

Our Risk Assessment Thus Far

So far, we have performed the first steps of the Relational Security Risk Assessment. We have:

  1. Defined universal risk levels for the organization

  2. Defined risk factors, each relating to a risk level

  3. Assigned risk factors to objects we want to assess

  4. Determined the highest risk level assigned to an object

By performing these simple steps, we now have mechanisms by which to assess and compare the risks of individual objects, as shown in Table 8.9. Once the risk levels of our objects are defined, it becomes easier to recognize where risks exist and which objects may not be adequately protected. We can also start seeing correlations between different objects, helping to prioritize which objects are more important to secure first and which require more controls.

Table 8.9. Object-Weighted Risk Levels

Object     | Risk Level
-----------|-----------
Firewall A | Critical
Server X   | High
Server Y   | High
WAN Link X | High
Server Z   | Medium
WAN Link Z | Low

Deriving Relational Risks for Containers

During the audit process, it should become evident that not all objects have direct risks. For example, the risk of a room can only be assessed by looking at the objects that are within the room. Similarly, the risk of a router is completely dependent on the networks it is connecting. These objects are called container objects because their risks completely depend on the risks of the objects contained within them. Since we have already determined the risks of our servers, WANs, and the like, we can use this information to evaluate relational risks (see Table 8.10).

Table 8.10. Determining Container Risk Levels

Container Object | Objects Inside | Overall Risk to Organization
-----------------|----------------|-----------------------------
Server Room A | Server X (critical) | Critical
 | Server Z (low) |
 | Router Y (high) |
Router Y | WAN Link A (high) | High
 | WAN Link B (none) |
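The two derivation rules described above, the highest factor level for an object (Table 8.8) and the highest contained level for a container (Table 8.10), as an added Python example that is not from the book. The factor bands follow Table 8.6 and the three objects use the answers given in Table 8.8; WAN Link B's answers, Router Y's contents and Server Room A's contents are constructed for illustration, and since the table's "51-100" and "100+" customer bands overlap at 100, that boundary is read as High and 101+ as Extreme, matching the text's "101 customers" example.

```python
"""Derive object and container risk levels from risk factors (added example)."""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import IntEnum
from typing import Union


class RiskLevel(IntEnum):
    """Universal risk levels from Table 8.4, ordered so max() picks the highest."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    EXTREME = 4


@dataclass(frozen=True)
class RiskFactor:
    """A factual question about an object plus the bands that map its answer
    to a universal level: (inclusive upper bound, level) pairs in ascending
    order, the last bound being math.inf so every answer lands somewhere."""
    question: str
    bands: tuple[tuple[float, RiskLevel], ...]

    def level_for(self, answer: float) -> RiskLevel:
        for upper, level in self.bands:
            if answer <= upper:
                return level
        raise ValueError(f"no band covers {answer!r} for {self.question!r}")


# Table 8.6, first factor: employee downtime in hours if unavailable for a day.
DOWNTIME = RiskFactor(
    "If this object was unavailable for a day, how much employee downtime could result?",
    ((5, RiskLevel.NONE), (10, RiskLevel.LOW), (20, RiskLevel.MEDIUM),
     (35, RiskLevel.HIGH), (math.inf, RiskLevel.EXTREME)),
)
# Table 8.6, second factor: customers affected. 100 is read as High, 101+ as Extreme.
CUSTOMERS = RiskFactor(
    "How many customers use the object in a day?",
    ((10, RiskLevel.NONE), (30, RiskLevel.LOW), (50, RiskLevel.MEDIUM),
     (100, RiskLevel.HIGH), (math.inf, RiskLevel.EXTREME)),
)
# Table 8.6, third factor: a yes/no answer passed as a bool (False <= 0 -> None).
OBLIGATION = RiskFactor(
    "Are there any legal, contractual, or social obligations to maintain high availability?",
    ((0, RiskLevel.NONE), (math.inf, RiskLevel.HIGH)),
)


@dataclass
class AssessedObject:
    """A server, link or application with factual answers to risk factors."""
    name: str
    answers: tuple[tuple[RiskFactor, float], ...]

    def factor_levels(self) -> list[tuple[str, RiskLevel]]:
        return [(f.question, f.level_for(a)) for f, a in self.answers]

    def risk_level(self) -> RiskLevel:
        # Table 8.8 rule: the object's risk is the highest of its factor levels.
        return max((lvl for _, lvl in self.factor_levels()), default=RiskLevel.NONE)


@dataclass
class Container:
    """A room, router or other object whose risk comes only from what it holds."""
    name: str
    contents: tuple[Union[AssessedObject, Container], ...]

    def risk_level(self) -> RiskLevel:
        # Table 8.10 rule: the container's risk is the highest risk it contains;
        # a container inside a container (router in a room) is handled by recursion.
        return max((o.risk_level() for o in self.contents), default=RiskLevel.NONE)


def build_sample() -> dict[str, Union[AssessedObject, Container]]:
    """Objects with the answers from Table 8.8 plus constructed containers."""
    server_x = AssessedObject("Server X", ((DOWNTIME, 10), (CUSTOMERS, 200)))
    wan_link_y = AssessedObject("WAN Link Y", ((DOWNTIME, 30), (CUSTOMERS, 0)))
    app_z = AssessedObject("Application Z", ((DOWNTIME, 10), (CUSTOMERS, 40)))
    # Constructed: a link with no measurable impact, so the router's level
    # is driven by a single member.
    wan_link_b = AssessedObject(
        "WAN Link B", ((DOWNTIME, 0), (CUSTOMERS, 0), (OBLIGATION, False)))
    router_y = Container("Router Y", (wan_link_y, wan_link_b))           # constructed
    server_room_a = Container("Server Room A", (server_x, app_z, router_y))  # constructed
    objs = [server_x, wan_link_y, app_z, wan_link_b, router_y, server_room_a]
    return {o.name: o for o in objs}


def ranked(objects) -> list[tuple[str, RiskLevel]]:
    """Table 8.9 view: objects ordered from highest risk to lowest."""
    return sorted(((o.name, o.risk_level()) for o in objects),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, level in ranked(build_sample().values()):
        print(f"{name:<15} {level.name}")
```

Because each factor band is a plain number and the combination rule is max(), two assessors given the same facts will always reach the same level; disagreement can only arise over the facts themselves, which is the point of the approach described above.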

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day