 

Chapter 3. Risk Evaluation And Loss Analysis

At A Glance

This chapter covers security risk evaluation and loss analysis in a business context. We consider a range of security threats, their potential origin and action, and consider the severity of their effects on our day-to-day operations. We outline the cornerstones of a sound security policy and explain the basic principles of loss analysis, should a real security incident take place.

Technology Development: New Frontiers

All businesses, whether they are large or small, are operating in an increasingly global environment. Advances in communications and transportation networks in the last century have brought customers and markets closer together, and it is now possible, at relatively minimal cost, to ship products to buyers in all corners of the world. In this international context, executives and managers must consider the range of threats to their enterprises. Since the late 1990s, there has been an increase in violent attacks all over the world, including the World Trade Center attack in 2001. In response, there has been a heightened awareness of physical security needs – the need to police the space around buildings, to control access to buildings, to design sound policies for evacuation in the event of a disaster, and to develop stronger points of contact with the local and federal authorities.

On the technological front, there is a corresponding need to survey the threats to computing equipment (hardware), the applications and databases that reside on that equipment (software), and the networks that connect groups, both internally and with the outside world. In a business environment, raw data such as customer records or credit card information are valuable to competitors and computer criminals and require special attention. In addition, for more advanced enterprises, intellectual property, including scientific research or unique business processes, has high value and also requires special security measures. As the world becomes an increasingly competitive place, the theft of both raw data and intellectual property assets via computer is on the rise. A combination of preventive maintenance supported in attitude and investment by the executive team, employee training and vigilance, and clear communications throughout the organization will help reduce the threats of physical and cyber-security breaches.

Knowing Ourselves

Although there are common themes and procedures for securing buildings and computer systems, it is important to have a complete picture of what the organization is and what it does in order to develop an appropriate, cost-effective security plan. A company that handles hazardous waste or biological materials will require a different set of policies and procedures than one that produces electronic devices. As the management begins the process of identifying potential security risks, it will be helpful to answer the following five questions:

1. What is the main product or service offered by the organization? If there are multiple answers, try to prioritize the elements of each answer.

2. What are the main sources of revenue and growth for the organization?

3. How is the organization structured: what are the different departments and what are their main functions? How do these units operate, communicate, and fit together as a whole?

4. What information assets are the most critical to each department and what types of technology does the organization use to store and disseminate this information internally and externally (when applicable)?

5. Who are the customers, partners, and vendors for the organization and how do they interact?

The information needed to answer these questions will be found through conversations with employees (especially the IT staff), managers, and executives of the company. It will be useful to evaluate customer and supplier feedback on other issues as this may lead to revelations on security issues. Finally, the team gathering the information should be familiar with media reports about the company. Public perceptions may also be instructive, especially if the company is involved in a controversial industry, is located near a hot spot of activity, or has appeared in prominent publications on a regular basis.

Knowing the Enemy: Internal and External Threats

Once the company has assessed its structure and functions, it will be in a better position to develop a profile of its potential strengths and weaknesses in the area of security. Initially, it should focus on the general threats present to any organization. Once these threats are understood, an evaluation of the level of internal and external threats posed to its operations will be possible.

General threats to any company or formal organization include:

Physical threats:

• Disasters (fire, earthquake, major storms, flooding)

• Theft

• Vandalism

• Physical interference with or destruction of networks

• Corporate spying

Software threats:

• Penetration of firewalls

• Malicious code (viruses, Trojans, logic bombs, worms)

• Unauthorized dissemination or destruction of data

• Corporate spying via digital means

Of the threats that are posed by human actions, the company should assess both internal and external perpetrators. In some cases, internal security breaches may stem from human error: simple ignorance, inattention, or inadequate training on the part of employees. In other areas, especially corporate spying, social engineering may be used to gain access to facilities, confidential business data, or knowledgeable individuals within a firm. An appropriate set of policies established by the security department, in conjunction with the personnel department, may help to alleviate such threats; Security and Personnel may also work together on employee hiring and termination procedures. The motivations behind malicious computer activities are varied and deserve some explanation, though in some cases a clear motive is very hard to define. It is tempting, though misleading, to stereotype the types of people who hack computers. Nevertheless, some general comments can be made on the severity of the threat and the forms of damage that come from each type of attacker.

Casual, or “summertime,” hackers are employees of an organization with some familiarity with network protocols. They are typically not intent on damaging data or company property; they are merely curious and tempted by the challenge of attempting to access resources that they are not authorized to use. However, they may not fully understand the hacking tools they are using and may damage systems through improper use. Further, if they have downloaded tools from the Internet, those programs may themselves contain backdoors and Trojan horses for other attackers to use. This is a serious threat and is one reason why casual hacking should be forbidden in an enterprise.

Script kiddies are generally younger hackers (high school or college age) with reasonably good computer skills and too much time on their hands. On the whole, they are not focused on doing serious damage in the way that a targeting criminal is, but they are numerous and sometimes work in teams, posing a greater threat than they might as individuals. One of the tricky issues with script kiddies is that a successful hack, well publicized, will be a claim to fame; they are lured by the potential notoriety conferred by high-profile intrusions and pranks. Because they depend on well-known, publicly available attack tools, security software makers have developed fairly effective defenses against this form of hacking; well-maintained firewalls and signature-based Intrusion Detection Systems (IDSs) recognize the tools and techniques these attackers typically reuse.

Targeting criminals are focused, often skillful attackers with clear intent to steal information, to corrupt or destroy data, or to render systems useless for extended periods of time. Unlike casual hackers and script kiddies, targeting criminals generally have an incentive to hack systems. In some cases, they are looking for valuable information such as financial data (credit card numbers, bank account details) or personal data that may be manipulated or exploited in some way (identification numbers, academic records, customer files). This type of attacker is often well organized and will perform several intrusions to gather information prior to an actual attack. Fortunately, the targeting criminal is less prevalent than other types of attackers. However, he or she is more difficult to contain and is more likely to do serious damage once a penetration has occurred.

Employees and consultants may become deliberate or accidental security threats depending on the nature of their relationship with their managers and peers in the workplace. Due to their level of access inside the organization they are a serious concern from a security standpoint. Like the casual hacker, some may work from boredom or the attraction of a technical challenge. Some may be seeking information related to promotions, salaries of colleagues, or business data. Others may be disgruntled employees seeking to inflict pain on the organization by whatever means necessary, and others may be accidental threats, leaving systems unprotected through insufficient technical training or carelessness.

Each of these potential human threats to systems and information security poses a different level of danger and requires a different method of containment. Up-to-date firewalls and IDSs may be adequate to keep out casual attackers or script kiddies. Vigilant systems administrators and managers will be needed to detect and stop targeting criminals, and personnel policies and management attention will help in thwarting potential attackers inside the organization. However, no plan is completely foolproof, and it is important for the organization to study its history and trends with regard to security breaches; continued surveillance of the security landscape will make the tasks of detection and prevention easier. In addition, clearly articulated policies on what should happen during and after an attack will help cushion the impact of an intrusion and guide the personnel responsible for attending to the damage and filing the appropriate reports with internal and external authorities when necessary.

Practical Security Assessment: Risk Evaluation and Loss Analysis

As we have seen, security breaches may stem from internal or external attacks and result in unauthorized access to systems and data that may or may not be used for unethical or illegal purposes. The first steps in forming a security policy are taken when the organization conducts a security assessment covering its internal processes, objectives, and current vulnerabilities. Once these elements have been analyzed, a security policy and procedures plan may be developed.

This plan should include information on these key areas:

• Knowing when you are under attack - through the deployment of Intrusion Detection Systems (IDSs) and internal vigilance.

• Preparing for the worst-case scenario – think about spill over effects for each form of security breach.

• Developing a written policy for dealing with break-ins, and a plan for writing up security incidents; a written record will help analyze individual events and assist in preventing successful attacks in the future.

• Hiring an expert if you need one – this may be on an incident-related basis, or a regular consulting arrangement. Beware of hiring self-proclaimed hackers. Security outsourcing will be covered later in this section.52

• Providing the necessary training to technical staff and other employees – many security breaches are caused or aided by insufficient knowledge of proper procedures regarding security issues. Everyone in the company should know how to implement security related procedures.

• Designating a point of contact – this person should have expertise in the area of IT security and may answer directly to members of the management team.

52 This recommendation would be most applicable to medium sized, or large enterprises. It would also apply to companies that are heavily dependent on technology for their operations and/or focused on the high tech market. In the latter case, potential customers may form some opinions about the company based on its technical appearance and smoothness of operation.

• Understanding and prioritizing your goals – these will include some or all of the following:

o Protect customer information

o Contain the attack

o Notify senior management

o Document the event

o Take a snapshot of the system

o Contact a Computer Security Incident Response Team

o Identify the intruder

o Know who is responsible for what

o Know whom you can trust

If an incident does occur, you should reexamine your existing policies and procedures and tighten them up when logistically and financially possible. As with the organization evaluation, asking a series of questions will help to define the strengths and weaknesses in a security policy plan. A sample checklist focused on the ability to respond effectively to a break-in would include:

Incident procedures, recovery plans, and funding:

o Do incident response procedures exist?

o Are procedures understandable and up-to-date?

o Are disaster recovery plans in place?

o Has adequate funding been allotted for developing and maintaining incident responses to break-ins?

Procedures, security experts, and management:

o Do the procedures include instructions for contacting a security expert 24-hours-a-day, 7-days-a-week?

o If the security expert does not respond, does a procedure exist for escalating the problem to management?

o Do procedures include notifying the Chief Information Officer (when applicable) immediately when any break-in occurs, and again when the break-in is resolved?

o Is there a procedure for determining when to contact outside help, and whom to contact?

Procedures and Personnel:

o Have all key personnel been trained in using the procedures?

o Have key personnel actually attended all required training sessions?

o Have appropriate background checks been conducted on key personnel?

o Are communications between and among the system administration and security groups flowing smoothly?

Procedures and Technical Resources:

o Are system logs enabled?

o Are system logs periodically reviewed?

o Are the tools needed to detect an intrusion installed and operational?

o Can the detection software installed on your network detect unknown attacks, or only those matching known signatures?

o Can you detect and prevent attacks on both the network and the host, constituting a layered approach to detection?

o Are attacks easy to trace back on your network?

o Do all systems have adequate security controls as proven by formal audit results?

Steps in Risk Evaluation

The first step in improving the security of your system is to answer these basic questions:

• What am I trying to protect and how much is it worth to me?

• What do I need to protect against?

• How much time, effort, and money am I willing to expend to obtain adequate protection?

These questions form the basis of the process known as risk assessment. Risk assessment is a very important part of the computer security process. You cannot formulate protections if you do not know what you are protecting and what you are protecting those things against! After you know your risks, you can then plan the policies and techniques that you need to implement to reduce those risks.

For example, if there is a risk of a power failure and if availability of your equipment is important to you, you can reduce this risk by installing an uninterruptible power supply (UPS).

Risk assessment involves three key steps:

1. Identifying assets and their value

2. Identifying threats

3. Calculating risks

There are many ways to go about this process. One method with which we have had great success is a series of in-house workshops. Invite a broad cross-section of knowledgeable users, managers, and executives from throughout your organization. Over the course of a series of meetings, compose your lists of assets and threats. Not only does this process help to build a more complete set of lists, it also helps to increase awareness of security in everyone who attends.

A full actuarial approach is more complex than necessary for protecting a home computer system or a very small company. Likewise, the procedures that we present here are insufficient for a large company, a government agency, or a major university. In cases such as these, many organizations turn to outside consulting firms with expertise in risk assessment, some of which use specialized software to do assessments.

Identifying assets

Draw up a list of items you need to protect. This list should be based on your business plan and common sense. The process may require knowledge of applicable law, a complete understanding of your facilities, and knowledge of your insurance coverage. Items to protect include tangibles (disk drives, monitors, network cables, backup media, manuals) and intangibles (ability to continue processing, your customer list, public image, reputation in your industry, access to your computer, your system’s root password). The list should include everything that you consider of value. To determine if something is valuable, consider what the loss or damage of the item might be in terms of lost revenue, lost time, or the cost of repair or replacement.

Some of the items that should probably be in your asset list include:

Tangibles:

• Computers

• Proprietary data

• Backups and archives

• Manuals, guides, books

• Printouts

• Commercial software distribution media

• Communications equipment and wiring

• Personnel records

• Audit records

Intangibles:

• Safety and health of personnel

• Privacy of users

• Personnel passwords

• Public image and reputation

• Customer/client goodwill

• Processing availability

• Configuration information

You should take a larger view of these and related items rather than simply considering the computer aspects. If you are concerned about someone reading your internal financial reports, you should be concerned regardless of whether they read them from a discarded printout or snoop on your e-mail.

Identifying threats

The next step is to determine a list of threats to your assets. Some of these threats will be environmental, and include fire, earthquake, explosion, and flood. They should also include very rare but possible events such as building structural failure, or discovery of asbestos in your computer room that requires you to vacate the building for a prolonged time. Other threats come from personnel, and from outsiders. We list some examples here:

• Illness of key people

• Simultaneous illness of many personnel (e.g., flu epidemic)

• Loss (resignation/termination/death) of key personnel

• Loss of phone/network services

• Loss of utilities (phone, water, electricity) for a short time

• Loss of utilities (phone, water, electricity) for a prolonged time

• Lightning strike

• Flood

• Theft of disks or tapes

• Theft of key person’s laptop computer

• Theft of key person’s home computer

• Introduction of a virus

• Bankruptcy of a key vendor or service provider

• Hardware failure

• Bugs in software

• Subverted employees

• Subverted third-party personnel (e.g., vendor maintenance)

• Labor unrest

• Political terrorism

• Random “attackers” getting into your machines

• Users posting inflammatory or proprietary information on the Web

• Commercial (corporate) spies

Review Your Risks

Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically, at least once a year, and any time there is a major change in personnel, systems, or the operating environment.53 In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.

Loss Analysis

Determining the cost of losses can be very difficult. A simple cost calculation considers the cost of repairing or replacing a particular item. A more sophisticated cost calculation can consider the cost of having equipment out of service, the cost of added training, the cost of additional procedures resulting from a loss, the cost to a company’s reputation, and even the cost to a company’s clients. Generally speaking, including more factors in your cost calculation will increase your effort, but will also increase the accuracy of your calculations. For most purposes, you do not need to assign an exact value to each possible risk. Normally, assigning a cost range to each item is sufficient. Some items may actually fall into the category irreparable or irreplaceable; these could include loss of your entire accounts-due database, or the death of a key employee. You may want to assign these costs based on a finer scale of loss than simply “lost/not lost.” For instance, you might want to assign separate costs for each of the following categories:

• Non-availability over a short term (up to about a week)

• Non-availability over a medium term (one to two weeks)

• Non-availability over a long term (more than two weeks)

• Permanent loss or destruction

• Accidental partial loss or damage

• Deliberate partial loss or damage

• Unauthorized disclosure within the organization

• Unauthorized disclosure to some outsiders

• Unauthorized full disclosure to outsiders, competitors, and the press

• Replacement or recovery cost

The Probability of a Loss

After you have identified the threats, you need to estimate the likelihood of each occurring. These threats may be easiest to estimate on a year-by-year basis. Quantifying the threat of a risk is hard work. You can obtain some estimates from third parties, such as insurance companies. If the event happens on a regular basis, you can estimate it based on your records. Industry organizations may have collected statistics or published reports. You can also base your estimates on educated guesses extrapolated from past experience. For instance:

• Your power company (and your past experience) can provide an estimate of the likelihood that your building would suffer a power outage during the next year. Officials may also be able to quantify the risk of an outage lasting a few seconds vs. the risk of an outage lasting minutes or hours.

• Your personnel records can be used to estimate the probability of key computing employees quitting.

• Past experience and best guess can be used to estimate the probability of a serious bug being discovered in your software during the next year (100% for some software platforms).

53 Changes in personnel include many new hires or layoffs, or the layoff of someone involved in your organization’s security plan. Changes in systems include installing a number of new systems (the sensitivity of the number depends on the size of your organization; if you have 100 computers and add one securely, that does not require a risk assessment. However, if you have ten computers and add another ten, that expansion might merit a fresh look at your organization). Other relevant system changes would include establishing new internal or external networks, upgrading your systems, or altering your computing platform. Changes to the organization include rapid growth, linking to international suppliers or customers, and marketing campaigns that may make you a more visible presence (and a more visible target) in your locality and the world.

If you expect something to happen more than once per year, then record the number of times that you expect it to happen. Thus, you may expect a serious earthquake only once every 100 years (1% in your list), but you may expect three serious bugs in Microsoft’s Internet Information Server (IIS) to be discovered during the next month, which is 36 per year (3600%).

The Cost of Prevention

Finally, you need to calculate the cost of preventing each kind of loss. For instance, the cost to recover from a momentary power failure is probably only that of personnel “downtime” and the time necessary to reboot. However, the cost of prevention may be that of buying and installing a UPS system.

Costs need to be amortized over the expected lifetime of your approaches, as appropriate. Deriving these costs may reveal secondary costs and credits that should also be factored in. For instance, installing a better fire-suppression system may result in a yearly decrease in your fire insurance premiums and give you a tax benefit for capital depreciation. But spending money on a fire-suppression system means that the money is not available for other purposes, such as increased employee training or even investments.

Adding Up the Numbers

At the conclusion of this exercise, you should have a multidimensional table consisting of assets, risks, and possible losses. For each loss, you should know its probability, the predicted loss, and the amount of money required to defend against the loss. If you are very precise, you will also have a probability that your defense will prove inadequate. The process of determining if each defense should or should not be employed is now straightforward. You do this by multiplying each expected loss by the probability of its occurring as a result of each threat. Sort these in descending order, and compare each cost of occurrence to its cost of defense.

This comparison results in a prioritized list of things you should address. The list may be surprising. Your goal should be to avoid expensive, probable losses before worrying about less likely, low-damage threats. In many environments, fire and loss of key personnel are much more likely to occur, and are more damaging, than a break-in over the network. Surprisingly, however, it is break-ins that seem to occupy the attention and budget of most managers. This practice is simply not cost-effective, nor does it provide the highest levels of trust in your overall system. To figure out what you should do, take the figures that you have gathered for avoidance and recovery to determine how best to address your high-priority items. The way to do this is to add the cost of recovery to the expected average loss, and multiply that sum by the probability (or yearly rate) of occurrence. Then compare the final product with the yearly cost of avoidance, amortized as described above. If the cost of avoidance is lower than the expected yearly loss you are defending against, you would be advised to invest in the avoidance strategy if you have sufficient financial resources. If the cost of avoidance is higher than the expected yearly loss, then consider doing nothing until after other threats have been dealt with.
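The calculation above, from the yearly rate of occurrence (which may exceed 100%) through amortized avoidance cost to the invest-or-defer decision, is carried out below as an added example; it is not code from the original chapter. The threat register, all of its figures, and the `control_failure` term (the “probability that your defense will prove inadequate” mentioned earlier, applied as a discount on the benefit of the control) are constructed assumptions for illustration only, not data from any organization.

```python
"""Annualized risk register: expected yearly loss versus yearly cost of avoidance.

Added example, not part of the original chapter.  Every threat and figure in
REGISTER is a constructed assumption chosen to illustrate the arithmetic.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Threat:
    name: str
    annual_rate: float          # expected occurrences per year (36.0 = three per month)
    average_loss: float         # expected average loss per occurrence, in currency units
    recovery_cost: float        # cost of recovery per occurrence
    control: str                # the avoidance measure under consideration
    capital_cost: float         # one-time purchase/installation cost of the control
    life_years: float           # lifetime over which the capital cost is amortized
    annual_upkeep: float        # recurring yearly cost of operating the control
    control_failure: float = 0  # assumed probability the control proves inadequate

    def annual_expected_loss(self) -> float:
        """(recovery cost + expected average loss) x occurrences per year."""
        return self.annual_rate * (self.average_loss + self.recovery_cost)

    def annual_avoidance_cost(self) -> float:
        """Yearly cost of the control: capital amortized over its life, plus upkeep."""
        return self.capital_cost / self.life_years + self.annual_upkeep

    def annual_benefit(self) -> float:
        """Loss the control is expected to prevent, net of its own failure chance."""
        return self.annual_expected_loss() * (1.0 - self.control_failure)


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Sort the register by annual expected loss, largest first."""
    return sorted(threats, key=Threat.annual_expected_loss, reverse=True)


def recommend(t: Threat) -> str:
    """'invest' when the yearly avoidance cost is below the yearly loss it prevents."""
    return "invest" if t.annual_avoidance_cost() < t.annual_benefit() else "defer"


# Constructed register (assumed figures).  Note the two rates above 1.0/year
# and the network break-in, which the chapter singles out as over-budgeted.
REGISTER = [
    Threat("serious bug in server software", 36.0, 1_000, 500,
           "patch-management service", 0, 1, 12_000, 0.10),
    Threat("fire in computer room", 0.02, 1_500_000, 300_000,
           "fire-suppression system", 150_000, 15, 1_000, 0.10),
    Threat("serious earthquake", 0.01, 2_000_000, 500_000,
           "seismic retrofit", 400_000, 20, 0, 0.25),
    Threat("network break-in", 0.5, 20_000, 15_000,
           "IDS plus monitoring staff", 30_000, 3, 15_000, 0.30),
    Threat("loss of key administrator", 0.2, 50_000, 30_000,
           "cross-training programme", 0, 1, 5_000, 0.0),
    Threat("momentary power failure", 4.0, 500, 200,
           "UPS installation", 6_000, 5, 200, 0.0),
]


def main() -> None:
    print(f"{'threat':<32}{'exp. loss/yr':>14}{'avoid/yr':>12}{'decision':>10}")
    for t in prioritize(REGISTER):
        print(f"{t.name:<32}{t.annual_expected_loss():>14,.0f}"
              f"{t.annual_avoidance_cost():>12,.0f}{recommend(t):>10}")


if __name__ == "__main__":
    main()
```

With these assumed figures the software-bug and fire rows rank ahead of the network break-in, and the IDS is the one control that comes out as “defer”: its amortized cost (10,000 per year) plus staffing exceeds the 12,250 per year it is expected to prevent. Changing any single assumption (for instance a higher break-in rate) can flip that result, which is why the chapter insists on re-running the assessment after significant changes.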

 
 


Copyright © 2003 The International Bank for Reconstruction and Development / The World Bank
