You can go a long way with a smile. You can go a lot farther with a smile and a gun.
—Attributed to Al Capone
Risk and threat assessment is something humans are notoriously bad at. Examples abound: try asking 10 of your coworkers whether it’s more dangerous to fly or drive from Seattle to Denver and see how many of them correctly identify air travel as less risky. Then ask the same group whether the risk of dying in a commercial airline crash is greater or less than the risk of being struck by lightning. Sometimes our inability to properly assess risks is based on a lack of solid objective data about what the risks are, and sometimes the cause is an unwillingness to fully evaluate the threat and the corresponding risks.
This chapter helps you begin to understand the process of threat and risk assessment. This is normally the domain of skilled security practitioners, and you won’t necessarily be able to completely evaluate your messaging system risks when you’re done reading this book. However, you will be much better prepared to understand what risks you actually face (as opposed to the ones you think will give you trouble), and you’ll have a better understanding of how to go about mitigating them.
First, a brief vocabulary lesson. A threat is something bad that can happen. Common threats include virus attacks, internal or external network penetrations, theft of data, eavesdropping, and server failure. A risk is the product of two things: the likelihood that a particular threat will occur and the expected damage if it does. For example, my car might be stolen from the airport parking lot. That’s a threat. My personal risk is low, though, because my auto insurance will replace the car if it’s stolen; I’ve essentially transferred that risk to someone else. On the other hand, the risk that I’ll have to wash my car when I return home is high. The threat (mostly posed by bird droppings) is likely to occur (that is, birds are very likely to fly around and over the car), and the expected effect (that is, bird droppings on the sunroof) is predictable. Professional risk assessors also factor in the frequency of the threat; something that is guaranteed to happen every year and causes moderate damage might be a bigger risk than something that might only happen every 50 years but causes more damage. For a real-world perspective on risks and frequency, consider mudslides and earthquakes in California, hurricanes in the Carolinas or Florida, and tornadoes in Kansas and northern Alabama.
Although statistical risk assessment is a rigorous process that requires a disciplined approach, you can do your own risk assessments. For every risk you identify, you need to do one of four things:
Avoid the risk. This is the simplest (and often the least feasible) approach. If something seems risky, don’t do it. If you’re worried about e-mail-borne viruses, you can disconnect your servers from the Internet—a measure that would give you pretty good protection, if not good communications. If you’re concerned about hackers attacking your factory-floor control systems through your Internet connection, you might choose to isolate them on a self-contained internal network with no direct or indirect connectivity to other networks.
Mitigate the risk. You can do this by either reducing the associated loss or blocking the associated threat. Installing a good-quality antivirus product on your workstations and servers would mitigate the risk of a virus infection; using covered parking at the airport would mitigate the risk of a bird-dropping attack.
Transfer the risk to someone else. That’s what insurance does: you pay someone to assume the risk of loss for you. You generally can’t buy computer-security insurance, but you can use a variety of outsourced services that assume some degree of operational or security risk if you feel it worthwhile.
Accept the risk. Some risks are either so unlikely, or so hard to avoid, mitigate, or transfer, that you’re stuck with them. Most of us accept some risks by default. For example, we generally don’t insist on riding around in armored cars, even though that would drastically lessen the risk of bodily injury in a car crash; we might choose to mitigate the risk by choosing safer vehicles or by driving less, but ultimately most of us accept some degree of this particular risk. Once you’ve done everything you can to reduce, remove, or redirect the risk, you have to accept the degree of risk that’s left over. You must be very careful to ensure that you have explicitly identified the risks that you’re accepting as part of your messaging security environment.
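The chapter's definition of risk (likelihood times expected damage, weighted by frequency) and its four treatments can be worked through with numbers. The following Python is an added example, not code from the book; every dollar figure and frequency in it is a constructed illustration of the "every year, moderate damage" versus "every 50 years, more damage" comparison above.

```python
"""Constructed risk-register example (not from the book): risk as the chapter
defines it, likelihood x expected damage, and the four treatments compared."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    events_per_year: float  # expected frequency; 1/50 for a once-in-50-years event
    loss_per_event: float   # expected damage per occurrence, in dollars


def expected_annual_loss(t: Threat) -> float:
    """Risk = likelihood (here, expected events per year) x expected damage."""
    return t.events_per_year * t.loss_per_event


def rank_by_risk(threats: list[Threat]) -> list[str]:
    """Threat names ordered from highest to lowest expected annual loss."""
    return [t.name for t in sorted(threats, key=expected_annual_loss, reverse=True)]


def evaluate_treatment(t: Threat, annual_cost: float,
                       residual_events_per_year: float,
                       residual_loss_per_event: float) -> dict:
    """Weigh a treatment's yearly cost against the risk it removes.
    Mitigation lowers frequency and/or loss; transfer (insurance) keeps the
    frequency but shrinks the retained loss to the deductible; avoidance drives
    the residual frequency to zero; acceptance changes nothing. Whatever is
    left is the residual risk that must be explicitly recorded as accepted."""
    before = expected_annual_loss(t)
    after = expected_annual_loss(
        Threat(t.name, residual_events_per_year, residual_loss_per_event))
    return {
        "risk_removed": before - after,
        "net_benefit": (before - after) - annual_cost,  # < 0: costs more than it saves
        "residual_risk_accepted": after,
    }


# Constructed figures for the two cases the chapter contrasts.
FREQUENT_MODERATE = Threat("mail-borne virus outbreak", 2.0, 40_000)
RARE_SEVERE = Threat("server room flood", 1 / 50, 1_000_000)

if __name__ == "__main__":
    print(rank_by_risk([RARE_SEVERE, FREQUENT_MODERATE]))
    # Mitigation: antivirus at $15,000/year cuts outbreaks to 0.25/year, same loss.
    print(evaluate_treatment(FREQUENT_MODERATE, 15_000, 0.25, 40_000))
    # Transfer: flood insurance at $12,000/year with a $50,000 deductible.
    print(evaluate_treatment(RARE_SEVERE, 12_000, 1 / 50, 50_000))
```

With these figures the frequent, moderate threat ranks above the rare, severe one ($80,000 versus $20,000 a year), and both treatments pay for themselves while leaving a residual that has to be consciously accepted.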