Risk assessments are a long-standing tool used by risk professionals to identify what a company's risks are in a quantifiable manner. There are two types of risk assessments in popular use: qualitative and quantitative. A quantitative risk assessment uses or attempts to assign real costs to the implementation of risk aversion methods and to the costs of an incident, and then assigns a quantitative figure for the likelihood of the incident. This type of risk assessment is usually in-depth and takes a great deal of time to formulate and create. It's generally not for those without prior experience in the risk assessment field, as incorrect data or assumptions can skew the results in an unexpected way, reducing the effectiveness of the security program. The benefit of this type of risk assessment is that there are hard numbers associated with risks and countermeasures. It can provide solid ground for justifying expenditures in a way that management will understand immediately.
A qualitative risk assessment, on the other hand, involves subject matter experts to a greater degree, is more intuitive for the beginner, and is the predominant form of risk analysis in use today. A qualitative risk assessment involves first gathering subject matter experts in the processes within scope and then walking through possible risk scenarios. The team then determines the degree of impact of the scenario and the possible outcome based on the degree of sensitivity of the assets used in the scenario. For the purposes of this book, we will focus on the qualitative risk assessment, due to its ease of use and quick results. If you have a disaster recovery, business continuity, or risk aversion report already completed for your business unit, you can draw heavily from the facts and figures they will already have calculated. Most disaster recovery teams will have researched some of the issues you will need to cover, such as business downtime costs, remediation expenses, and so on.
In this chapter, we will be going over a very condensed version of what a true risk assessment is. Full-scale risk assessments often take a great deal of time and paperwork and have been the subject of entire books. You should reference some of the many risk assessment books available for further information on risk assessments.
The first step is to determine the scope of your risk assessment. Scope refers to what your risk assessment will cover; in other words, what it encompasses. It is not feasible in most corporate situations to make the scope of a risk assessment encompass the entire organization and all processes. This approach would require the cooperation of people and groups that you may not have authority over. For your first risk assessment, you should cover the most critical aspects of the business for which you have authority. As an example, Robert works for a large telecommunications company as a system administrator for the support center's Linux servers and desktops. He is trying to gain management support and money to implement a firewall solution between the support computers and the Internet. In this case, Robert might have a scope statement of
The scope of this risk assessment is the support group's Linux server and all network connections for the server.
This simplistic scope statement explains the scope of what Robert wants to cover, allowing him to expand his scope as he progresses in his security upgrades. A scope statement of
The scope of this risk assessment is all of the support group's information processing systems.
has significantly broadened his scope, as these systems include desktops, servers, personal digital assistants (PDAs), and such.
Make your scope realistic and flexible enough to allow for growth if needed. Many first-time risk assessment teams try to be overly aggressive in how big a scope they cover, only to realize halfway through the process that there is a need to scale it down.
The next step is to organize a team to determine the asset/information values (the cost of the equipment and information to be protected) and the possible scenarios that may affect the in-scope processes, computers, and so on. If possible, try to convince management that you should select the team or, at a minimum, have some say in who is allowed on the team. The team should consist of subject matter experts or process owners for the in-scope processes or areas, as these people will be able to offer the most likely scenarios. The subject matter experts or process owners will also be able to provide the best resolutions to the vulnerabilities and risks covered in your risk assessment. In our previous example of Robert, the system administrator for the support desk, we would probably want to form a team consisting of the support manager, Robert (representing the system administrators), a networking staff member, a corporate security staff member, and possibly a member of the support staff. This team needs to brainstorm the possible scenarios that could affect business processes from an information security standpoint.
This team should gather the possible issues and determine the following:
The impact of the threat (on a scale of 1 to 5, with 5 being the highest impact)
The probability of the threat (on a scale of 1 to 5, with 5 being the most likely)
The impact of the threat means what would happen if the threat occurred. This could be cost, loss of prestige, civil and criminal penalties, and so on. The probability of the threat is the chance that it would happen (use prior-year information if available). The numbers for the impact and probability should come from a group consensus, based on the best-guess perception of the group using the severity scale. The last step is to determine what countermeasures could effectively mitigate the risk and the costs of those countermeasures. A sample page of our condensed risk assessment, using Robert's situation as an example, would be as follows:
Threat An attack from the Internet through an unblocked/unpatched service.
Description The support Linux server is directly connected to the Internet to allow customers to view open support tickets. This computer also allows SFTP from the support desk for customer patches. The only protection from outside FTP attempts is the username/password authentication provided in Linux.
Impact An attacker could attempt a brute force attack or other attack on the system directly from the Internet. An attacker could then deface the web server application, remove customer files or tickets, or use the machine to attack other computers in the network. This could cost the company up to $15,000 per day in lost revenue, and $2,200 in lost staff hours in repairs for each day the machine is not functioning.
Existing Safeguards The machine requires username and password for access.
Probability Known attacks have occurred in the past year from a disgruntled former employee. On February 15, 2004, the web server was attacked and all customer files removed, costing one day of downtime.
Countermeasure A firewall allowing only web traffic (port 80) at a cost of $3,000 between the support server and the Internet connection.
Use the blank template in Figure 15-1 to create your cursory risk assessment threats.
Let's take the following scenario and fill out a sample worksheet. Tracy is leading a risk assessment team, which includes Karen from the systems administration team and Sally from the network operations group. The team has created the following scope statement for their risk assessment: This risk assessment will cover the asset tracking web server (linux1) and network connections for the web server. The linux1 server is the only asset-tracking repository for the business unit and is used by offsite technicians to determine the location and configuration of equipment that is the core of the business. Due to frequent field hardware configuration changes, the documents are updated often and contain crucial information for the business to run normally. The team makes a list of threats and determines the top three are unpatched software, power outages, and weak passwords. They decide to document unpatched software on the first risk worksheet because an incident based on unpatched software occurred in the last month and indirectly cost them many hours of downtime. Using this scenario, we will fill out the sample basic risk assessment worksheet shown in Figure 15-2.
After filling out a few of the risk assessment worksheets, go through them one more time with your risk assessment workgroup. This allows your group to ensure they didn't forget anything and to get a total view of the threats identified when compared to the other ones noted in the risk assessments. One common result of this exercise is that the perceived highest threats may not be the ones requiring instant resolution, because you may discover that other threats are far more important to mitigate.
As you populate your risk assessment with more threats, you should begin to prioritize the risks by adding the probability rating and the impact rating to get a total risk rating. This will allow you to focus on the most significant risks for presentation to management first. This has the side effect of enabling you to determine where your weaknesses are. The previous example listed the top three threats in the minds of the focus group as unpatched software, power outages, and weak passwords. The group created a sample risk assessment worksheet for each item and determined the rating for unpatched software as 7, power outages as 8, and weak passwords as 9. All the other threats except for denial of service fell below a rating of 5. With these ratings you can create a worksheet to show management what the experts think are the most significant risks to the organization. An example of this type of risk chart is shown in Table 15-1.
Table 15-1 Overall Risk Rating
Threat                Overall Risk Rating
Weak passwords        9
Power outages         8
Unpatched software    7
Denial of service     (rating not reproduced in the text)
These worksheets will help you determine what the real threats are and which should be resolved first. The group had initially thought that resolving unpatched software would be the first priority, but as they progressed, they determined that weak passwords should be addressed based on the risk rating. As you work with your group to determine the threats to your organization, you might see that some of the threats can be addressed by a single countermeasure. This helps put more credence behind your findings for some countermeasures and allows you to get management support for the issues that are most important. By prioritizing your risks based on the cumulative input from the risk assessment group, you can get surprising results. As noted previously, the risks you may have considered the most significant may have a lower risk rating than risks that were considered routine. The risk rating allows you to determine which are the most important and work on resolution of those risks first.
Throughout the majority of the chapter, the qualitative risk assessment has been the primary focus. To show real costs and return on investment using specific numbers (as opposed to educated estimates), we'll discuss a quantitative risk assessment example. As its name implies, the quantitative risk assessment is based on hard numbers, but it still relies on some qualitative methods. Like the qualitative assessment, you need to assign a value (Asset Value, or AV) to the asset or information (or the impact to the organization). You must consider, for example, the costs to recover from the incident or loss, maintenance costs, developmental costs, and revenue loss.
The next factor to consider is the Single Loss Expectancy (SLE), which is the impact of a single incident. Before determining the SLE, you need to determine the Exposure Factor (EF) of the incident. The EF is the expected percentage of the asset that would be lost in a given incident. For instance, if a fire were to occur in the primary server room, only 25 percent of the in-scope system would be destroyed (as it is unlikely the entire system would be destroyed, because of fire suppression systems). This would give you an exposure factor of 0.25. The asset value multiplied by the exposure factor results in the SLE:
AV × EF = SLE
If we had a network operations center that had an asset value of $960,000 (considering loss of revenue, replacement costs, personnel costs, etc.) with an exposure factor of 0.25 for a fire incident, we can now derive the SLE:
$960,000 × 0.25 = $240,000
The next step is to consider the Annualized Rate of Occurrence (ARO) or, more simply put, the expected regularity of incident occurrence. This can be represented by 0.0 for something that will never occur up to 365.0 for something that will occur every day. So, if we expected a fire every 25 years, we would have an ARO of 0.04. We can now determine our Annualized Loss Expectancy (ALE) using the following formula:
SLE × ARO = ALE
Continuing with our previous example, we have an SLE of $240,000 and an ARO of 0.04, so our ALE would be
$240,000 × 0.04 = $9,600
You could now put that information in a chart for management showing them the costs of security programs and procedures. To show a positive Return on Investment (ROI), compare the costs of the mitigation programs against the losses calculated in the quantitative risk assessment. We wouldn't spend $1,000,000 a year on fire suppression mechanisms when the ALE is $9,600 a year. When considering these types of risks, you must also consider non-monetary issues such as personnel safety and regulatory requirements; even where the ROI does not directly justify the cost of the mitigation mechanism, those other factors come into consideration as well.
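The following is an added example, not part of the chapter, that works through both calculations above: the qualitative total risk rating (probability + impact) used to order Tracy's linux1 threats, and the quantitative SLE/ALE chain for the network operations center fire, ending with a comparison against a countermeasure's yearly cost. The impact/probability split for the linux1 threats and the residual-ALE parameter are assumptions; the chapter gives only the totals and the fire figures.

```python
from dataclasses import dataclass


@dataclass
class QualitativeThreat:
    """One row of the qualitative worksheet; both ratings use the 1-5 scale."""
    name: str
    impact: int       # 5 = highest impact
    probability: int  # 5 = most likely

    def rating(self) -> int:
        """Total risk rating used for prioritization: probability + impact."""
        for value in (self.impact, self.probability):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: ratings must be on the 1-5 scale")
        return self.impact + self.probability


def prioritize(threats):
    """Highest total risk rating first: the order to present to management."""
    return sorted(threats, key=lambda t: t.rating(), reverse=True)


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, where EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO, where ARO runs from 0.0 (never) to 365.0 (daily)."""
    if not 0.0 <= aro <= 365.0:
        raise ValueError("ARO must be between 0.0 and 365.0")
    return sle * aro


def net_annual_benefit(ale, annual_countermeasure_cost, residual_ale=0.0):
    """Yearly loss avoided minus the countermeasure's yearly cost; positive means ROI.
    residual_ale (assumed here, not in the chapter) is the ALE left after mitigation."""
    return (ale - residual_ale) - annual_countermeasure_cost


# Constructed sample data: the chapter gives only the totals (7, 8, 9) for the
# linux1 threats, so the impact/probability split below is assumed.
LINUX1_THREATS = [
    QualitativeThreat("Unpatched software", impact=4, probability=3),  # total 7
    QualitativeThreat("Power outages", impact=3, probability=5),       # total 8
    QualitativeThreat("Weak passwords", impact=4, probability=5),      # total 9
]
# Fire in the network operations center, using the chapter's figures.
NOC_ASSET_VALUE, FIRE_EF, FIRE_ARO = 960_000, 0.25, 1 / 25

if __name__ == "__main__":
    for threat in prioritize(LINUX1_THREATS):
        print(f"{threat.rating()}  {threat.name}")
    sle = single_loss_expectancy(NOC_ASSET_VALUE, FIRE_EF)
    ale = annualized_loss_expectancy(sle, FIRE_ARO)
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}  "
          f"net benefit of $1,000,000/yr in suppression: ${net_annual_benefit(ale, 1_000_000):,.0f}")
```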
The sample risk assessment provides management with a clear-cut view of what risk they are facing in monetary terms, and how much it would cost to remove that risk. For the final report, create a short one-page summary of your findings in what is typically called an executive overview. This allows management to get a quick overview of your findings without having to dredge through the entire report. Make sure to emphasize your most important points and the most critical security issues, as this is your attention-getting page. The rest of the report is available for management review, but most managers will review the executive summary and trust the judgment of their staff on the needs, especially if you based your recommendations on hard facts. When management sees that the countermeasure costs less than the actual risk mitigated, the business need becomes evident. This allows you to request budget and management support in your effort to mitigate the risks you have shown to business goals. Executive summaries are by definition a very condensed version of the original report. Keep an executive summary to one page or, in extreme cases, no more than ten percent of the overall page count of the report being summarized. In your executive summary, you need to first identify the scope, what threats were identified, and the countermeasures that are recommended. You should not try to include every threat your team discovered. Limit yourself to the top five or the most urgent issues noted and how they can be mitigated. Using the previous example with Tracy's group, here is a representative executive summary with all the elements listed above.
The asset-tracking web server, also known as linux1, is the only asset-tracking repository for the business unit and is used by the offsite technicians to determine the location and configuration of equipment. Due to frequent field hardware configuration changes, the documents are updated often and contain crucial information for the business to run normally.
The subject matter experts involved in the operation of the web server formed a risk assessment group and determined the top three threats to the normal operation of this machine:
Weak passwords User passwords have been found to be deficient based on previous experience and the amount of compromised accounts based on poor password selection by users.
Power outages Power outages occur frequently at the data center, causing the system to shut down forcefully, sometimes causing data corruption.
Unpatched software Software is currently patched once per year, leaving the systems vulnerable to known software weaknesses for up to one year after release of a patch.
To mitigate the possibility of these threats affecting the normal business operations of the organization, the following countermeasures were determined to be the most cost effective while adequately reducing the exposure to the threat:
User education Security newsletters should be sent every month and immediately after significant events. If possible, users should also attend security awareness training quarterly, at which time password selection and strength will be emphasized.
Installation of uninterruptible power supplies (UPS) The installation of a UPS for the linux1 server will allow the system to shut down in a graceful manner, preventing data corruption.
Scheduled maintenance periods every quarter Scheduled downtime should be made available every quarter at a minimum to allow the system staff to patch vulnerable software. If business requirements allow, critical patches should be allowed more frequently.
The implementation of these countermeasures will alleviate the majority of problems currently encountered by the linux1 server, providing better availability to the end user.