Chapter 4

Risk Management

Abstract

Security is unattainable. What security programs are trying to achieve is risk management. In other words, they are trying to cost effectively control the potential loss. Risk is a combination of value, threat, vulnerability, and countermeasures. Traditionally, a security program strives to implement countermeasures that primarily mitigate the vulnerabilities that, if exploited, will create a loss of value.

This chapter categorizes the factors that contribute to, and mitigate, risk. The goal is not to get rid of all risk, as that is not practical, but to optimize the risk, given the potential loss and available resources.

Keywords

Countermeasures; Malicious; Malignant; Risk; Threat; Vulnerability; Value

Security is about risk management. Security itself is unattainable. The actual definition of security is being free from risk. You can never be free from risk. If you have anything of value, there is always risk.
There is always a risk of value being compromised. As described in an earlier example, even if you bury a computer in a hole, it means that the data and computer are unavailable, so you have lost all your value. In this case, the loss is self-inflicted. However, frequently the loss is neither complete nor self-inflicted.

Death by 1000 Cuts

When you think of loss, you think catastrophic losses. You think of a total loss that costs hundreds of millions of dollars, like the infamous Target and Sony attacks. The reality is that most losses are small and individually inconsequential. However, when considered in the aggregate, they can be more devastating than a single loss of the nature of the Sony attack.
It is the philosophy of Death by 1000 Cuts. The analogy goes that an individual cut is inconsequential and maybe slightly painful. However, when you have 1000 cuts, it is 1000 times more painful and the blood loss becomes critical. This is representative of the losses experienced by most security programs.
A virus incident. A lost USB drive. A file accidentally sent to the wrong person. A power outage that takes down an operations center for a few hours. All these experiences are common and frequent. Unfortunately, most organizations see these losses as something to deal with, but do not consider them a major problem worthy of significant efforts.
Several decades ago, there was the principle of total quality management, which revolved around the concept that when a small defect percentage in each phase of a process, although seemingly inconsequential, is aggregated over many phases of the process, it creates a significant defect rate. So, for example, if there was a 1% defect rate at each of the 10 phases of a manufacturing process, it results in a 10% overall defect rate, which is significant. Security programs and their resulting losses are similar in nature.
So as we start discussing risk management, it is important to understand that a security program has to account for small losses as much as the large losses.

Understanding Risk

You need to understand the components of risk, so that you know how to manage those components and therefore risk as a whole. Although there are many ways to describe and quantify risk, we use the simple formula that uses value, threat, vulnerabilities, and countermeasures as the components of risk.
The following formula represents those components mathematically. Although a formula implies that there can be a quantifiable number or dollar figure representing loss, this is not the purpose of this book. There are specific disciplines that attempt to quantify risk, such as actuarial science, for business purposes. It would, however, behoove the reader to look further into being able to quantify risk.

$\text{Risk} = \left(\dfrac{\text{Threat} \times \text{Vulnerability}}{\text{Countermeasures}}\right) \times \text{Value}$


Consider value as the entire value of an organization that is at risk. The combination of threat, vulnerability, and countermeasures represents the probability that the value can be lost. Threat and vulnerability add to the probability of loss, whereas countermeasures decrease the probability of loss. So essentially, how much you have at risk is a function of how well you mitigate your vulnerability and threat.

Value

Value is left outside the base equation because it represents the maximum loss. The other factors are only relevant in that they either increase or decrease the risk to your overall value. Either way, value is what you have to lose. Value can take many forms, and you need to consider all forms of value when you consider the risk that you need to address.
Each form of value creates a different type of loss and can be compromised by different types of vulnerabilities. For example, monetary value can be compromised by physical vulnerabilities, whereas reputation value can be compromised by lack of computer availability. For the purpose of this book, we are not going to go into detail on all forms of value. However, it is important to be aware of the general principle of where loss can originate and to truly understand business concerns.
It is also important to consider that value can be lost in multiple categories from a single incident. For example, when an airline computer system goes down, planes can be grounded, incurring a monetary loss. However, the airline will also take a reputational hit, as people will associate decreased reliability with the airline.

Monetary Value

Monetary value is the simplest to understand. It is the clear loss of money in one form or another. Monetary loss equates to a clear and immediate loss of money. For example, if you lose cash, you lose the value of the cash. If the computer network goes down and you cannot charge people for the services provided by the network, you lose the money you would have made from the network being up.
When a tangible loss can be potentially attributed to a security-related incident, it is considered monetary loss. When you think of risk as a whole, it is easy to say that the potential monetary losses can justify a security budget. For example, if you are protecting $1,000,000 in a safe, you can justify a reasonable amount to invest in the safe. It is therefore to a security program's advantage to determine all potential monetary values being protected, in order to justify the maximum potential security budget.

Reputation Value

Reputation value, sometimes referred to as brand value, is the perceived value of a brand or organization. Brands such as Tylenol, IBM, Coke, and Apple have very significant value. When Tylenol was the victim of product tampering, there was actually an insignificant monetary loss. However, the damage to the reputation of the brand almost created a complete loss of $100,000,000 per year revenue stream for Johnson & Johnson.
In this case, in 1982, someone went into the stores and placed tampered Tylenol packages on the shelves alongside legitimate packages. The tampered packages contained Tylenol doses laced with cyanide. To protect the brand, Tylenol spent millions to recall all products on the shelves around the United States. They spent more to redesign their packaging to protect against future tampering. They likewise spent millions of dollars to publicize everything they were doing. So despite not having experienced a direct loss to any of their own assets, they came close to a loss of billions of dollars.
When consumers or others place trust in a company, the potential for the trust to be lost must be a consideration in risk planning. It is admittedly difficult, if not impossible, to predict all potential areas or incidents where trust or reputation can be lost. Tylenol would have never predicted exactly how the product tampering would have occurred, as such incidents never happened before. Subway would have never predicted that its spokesperson, Jared Fogle, would have been arrested for something as heinous as child sexual abuse. However, you do need to at least consider and brainstorm as many areas as possible. But remember, just because there is a potential risk to the value, it does not necessarily mean that you need to account for the risk. You should at least attempt to consider it.
Sometimes there is dilution of reputation or trust, where another party misappropriates your brand. Counterfeit parts are a significant problem in the manufacturing field, with fake chips and other computer parts making their way into a legitimate supply chain. The counterfeit chips can result in revenue loss, and they are also less reliable and can cause the breakdown of systems.
Counterfeits with inferior quality plague many industries. Pharmaceutical companies face revenue loss as well as potential liability because of counterfeit drugs. Even Beachbody, a company that produces widely successful DVD-based exercise programs such as P90X and Insanity, is subject to reputational damage, because many counterfeit DVDs are of inferior quality, and the purchasers of counterfeit DVDs blame Beachbody, because the counterfeit DVDs frequently do not play properly.
Reputation value can take many forms and you need to attempt to determine how the value can be compromised in the design of your security program.

Opportunity Value

When considering value, you need to consider the value of opportunities that could be gained or lost. For example, if you make a choice that you are not going to allow the use of personal devices in a corporate network, you are missing the potential productivity value obtained by having the extra ability to communicate with employees, or you need to decide that you will pay for the employees' devices.
If you fail to enter a market, because you cannot provide the appropriate security, you are losing value. For example, many companies delayed e-commerce activities, because they were afraid that they could not handle online attacks. Some organizations cannot be compliant with the Payment Card Industry (PCI) Data Security Standard or other standards, so they cannot go into different lines of business.
Although there are clearly many different opportunities to be gained or lost, it is critical to determine if security can provide additional value or if the lack of security can inhibit value. In some cases, such value is clear. More frequently, it does take some creativity to examine the different potential areas where value can be created or lost by security controls.

Threat

Threat is another element that adds to risk. Threats are essentially entities or events that can cause you harm given the opportunity. Although threat will be discussed in detail in Chapter 6, here it is important to understand how threat contributes to risk.
Threats require an opportunity to cause you harm, and you must consider that they are always there. Some threats are there because of who you are or what you do. These threats arise because of the value that you have innately or that you create. For example, a bank has money and criminals who want the money will attempt to steal it. An organization with personally identifiable information (PII) has information that an identity thief might want. Oil exploration companies have computer models that help them determine where oil reserves are and how large those reserves may be, which attracts the attention of governments wanting to obtain the best price for drilling rights, competitors who want to know the same information, and countless other parties.
Then there are threats that will always exist no matter who you are or what you do. For example, hurricanes, earthquakes, floods, and other natural disasters will always exist. They can potentially cause you harm, if you leave your assets vulnerable to their effects.
There are also categories of people or entities common to all organizations. For example, well-meaning employees will make mistakes and create damage of some sort. There are also malicious insiders, who are inevitable. These individuals will attempt to cause as much harm as possible, or in other words, ruin the value of your organization. The value they compromise is determined by what is available to be compromised.
The higher the probability of the existence of threats to exploit an organization, the higher the potential risk. To determine the overall Risk, it is important to determine which threats potentially exist.
Once you know they exist, you can then use that information to determine the methods and resources used to compromise an organization. For example, if you assume that there is a likelihood of power outages because of natural events, you can determine the potential need to install generators or uninterruptable power supplies. If you know that the Chinese government may target your organization, you know that they might expend unlimited resources and begin their attacks with phishing methods. Knowledge of the threats will help identify the potential countermeasures to be implemented.

Vulnerability

Vulnerabilities are essentially the weaknesses that allow threats to exploit an organization. Vulnerabilities are covered in Chapter 9 in detail, but regarding risk, it is important to understand that vulnerabilities enable risk. Threats will always exist, and an organization or other entity will innately have value, but it is the vulnerabilities that make the compromise of value possible.
In short, a threat may exist, but if there are no vulnerabilities for the threat to exploit, then there would be no risk. For example, although there will always be hurricanes in Florida, if you do not have any facilities or critical assets in Florida, you are not susceptible to the damage a hurricane can cause. On the other hand, if you have a data center, a large number of employees, supplies being shipped through Miami, or other resources, you have left your organization extremely vulnerable to suffer loss. The vulnerabilities can be poor power supplies, poor connectivity and communications, supply chain issues, limited data availability, etc.
People are not necessarily considered a vulnerability, but poor awareness on the part of the users is. What is the difference? The person is an actor who is neither good nor bad, and will always exist. However, the person's behavior is the vulnerability. If the person chooses a weak password, the password is the vulnerability. The person can choose to click on a phishing message or not. The action of the person can be either a countermeasure or a vulnerability. Poor awareness, a vulnerability, will cause the person to create a potential loss. Strong awareness, a countermeasure, will cause the user to report the message, or at least not take a harmful action.
However, not all vulnerabilities need to be mitigated. It might be too expensive to mitigate a vulnerability. For example, the potential loss might not justify the cost of mitigating the vulnerability. Likewise, although a vulnerability might exist, it might not be likely to be exploited, or its exploitation might not yield a loss.
For example, if you have a forklift in the middle of a large warehouse in a secluded area, it is unlikely that leaving the keys in the forklift would result in damage or loss. It is unlikely to be stolen, and few people would take it for a joyride.

Categories of Vulnerability

Vulnerability can be divided into four different categories: physical, operational, personnel, and technical. Physical vulnerabilities are broadly vulnerabilities that require a physical presence to exploit. For example, locks that are not locked are a physical vulnerability. Computers left logged on and otherwise unprotected are physically vulnerable to compromise.
Operational vulnerabilities relate to how organizations do business. Excessive information posted on a website is an operational vulnerability. A weak process that allows for someone to change the password on an account is an operational vulnerability.
Personnel vulnerabilities relate to the recruitment, hiring, and termination process. Although these are clearly operational issues in some ways, as organizations rely heavily on the trust they place in their employees, it is something to consider separately. There are also frequently legal and ethical questions that distinguish this category of vulnerabilities.
Technical vulnerabilities relate to a weakness that allows for an attack against computers, networks, and related technologies. These are generally related to how the technology is designed, configured, or maintained. For example, you can set up a computer to be accessible to the world. There are bugs in commercially available software and in custom-developed software that provide holes to attackers.
Again, all these vulnerabilities will be discussed in Chapter 9; here they are only introduced, so that you are aware of how vulnerabilities essentially create risk.

Countermeasures

Countermeasures are what you do to mitigate threats or vulnerabilities. In theory, you can reduce risk by mitigating the value. After all, if you have nothing of value, you have no risk. However, reducing value to reduce risk is basically destructive. Again, security programs want to optimize risk and retain value. Anyone who consciously attempts to reduce value should be removed from their position.
Regarding mitigating threat, the reality is that it is difficult to mitigate threat. For example, you can never mitigate the occurrence of a hurricane. Unless you are a government agency, you cannot really mitigate the existence of a terrorist group or even script kiddie hackers. Admittedly you can fire employees, but that is a single type of threat within your control. This implies one of the most critical issues for a countermeasure: it has to target something that is within your control.
Vulnerabilities are frequently within your control, and are more readily mitigated. For example, although you cannot mitigate a hurricane in Florida, you can reduce the critical assets that could be susceptible to the effects of a hurricane. You can avoid placing a computer operations center in an area that would be susceptible to flooding and power outages, and that employees would find difficult to reach during the hurricane.
Although you cannot stop entities from targeting computer accounts, poor passwords, which are considered a technical vulnerability, can be prevented through various countermeasures. When the vulnerability is mitigated, it prevents the opportunity for any threat to exploit it. So, for example, if there is a bank account that has a bad password, any bad actor can attempt to exploit it. This includes hackers, foreign intelligence agencies, malicious insiders, or any other parties. Removing vulnerabilities removes the opportunity for the threats to cause harm.
Countermeasures can be categorized into the same four categories as vulnerabilities: physical, operational, personnel, and technical. Physical countermeasures involve putting physical controls in place. For example, locks and fences restrict access. Guards can stop people from entering buildings. Information in a locked desk is not readily available to people wandering the facilities.
Operational countermeasures are processes in place to mitigate vulnerabilities. Poor awareness can be addressed by awareness training. To ensure administrators cannot cause excessive damage, a process can be implemented to separate administrative functions between two people. Reviews of information releases are also an operational countermeasure.
Personnel countermeasures may resemble operational countermeasures, but they focus on personnel-related issues, such as hiring, human resources policies, and separation procedures. Background checks are considered a personnel countermeasure. Policies to ensure collection of information on employee separation are a personnel countermeasure.
Technical countermeasures are as broad as technology. We will go into these in detail; however, they include technologies for protection, detection, and reaction to attacks. Poor passwords are considered an operational vulnerability and they can be addressed by using password policies, which are an operational countermeasure. Token authentication is a technical countermeasure that can also mitigate poor passwords. Technical countermeasures will be discussed in more detail throughout the book.
As previously noted, it is important to realize that countermeasures do not have to be in the same category as the vulnerabilities that they address. Again, token-based authentication (a technical countermeasure) can mitigate an operational vulnerability of poor passwords. An operational process of regular data backups can mitigate the technical vulnerability of hard-drive crashes. It is therefore important that when you consider risk as a whole, you consider all forms of countermeasures in determining how to mitigate a vulnerability.
Possibly the most important consideration for countermeasures is that they are not expected to be perfect. There is no such thing as a perfect countermeasure. You must realize that all countermeasures will eventually fail.
The real test of a countermeasure is whether it mitigated more loss than the cost of implementing it. For example, if you spend $100,000 on implementing an awareness program and there are an estimated six incidents prevented, with each incident estimated at costing $50,000, the awareness program created a net savings of $200,000. Countermeasures are not expected to be perfect, but to be less expensive than the losses incurred.
Although a failure in a countermeasure and the resulting loss is not desired, the reality is that every failure and loss has to be viewed in perspective, relative to the other incidents prevented. There are admittedly many cases where an organization grossly underestimates the potential loss. For example, the Sony CIO was quoted years ago as saying that he did not want to spend $10,000,000 to prevent a $1,000,000 loss, and that makes complete sense. However, the loss from the hack by North Korea, with all the residual effects, is estimated at well above $100,000,000. The countermeasures in question would have likely cost well under $10,000,000. Clearly, if you are making grand claims, you need to ensure that there is a legitimate examination of the real potential costs and the real losses.

Risk Optimization Versus Risk Minimization

When people hear about risk management, they assume that it means to get rid of as much risk as possible. In other words, they assume the goal is to minimize potential loss or risk, but this is not the case.
The goal is to optimize risk.
Minimizing risk implies that you will try to reduce every potential loss. You will implement every possible countermeasure that you can think of. The cost to protect against a loss can outweigh the potential loss. In an extreme example, you might want to protect a piece of jewelry from theft. You can theoretically hire a team of guards to guard the jewelry 24 hours a day. If you are talking about a $500 necklace, you would be wasting money. There might be some sentimental value tied to the necklace, so it might be worth some extra protections; however, it is likely not justification for the expense of hiring guards.
Risk optimization requires making a conscious decision about what is the appropriate balance between loss and the level of effort you are willing to put into mitigating the loss. Ideally, you find the optimum balance.
Fig. 4.1 depicts the relationship between countermeasures and vulnerabilities. When there are no countermeasures, both vulnerabilities and potential loss are at their maximum. The area below the vulnerabilities curve represents potential loss or value at risk.
As countermeasures are implemented, and the assumption is that the countermeasures are relevant, vulnerabilities are mitigated and potential loss is reduced. Generally, a significant amount of risk can be mitigated with simple and basic countermeasures. For that reason, the potential loss quickly decreases.
There is the 80/20 rule that implies that 80% of problems can be solved with 20% of effort. With security, it is much more like the 95/5 rule, where 95% of problems can be solved with 5% of effort. Although this does not intend to imply that you ignore the 5%, it does imply that the appropriate countermeasures can quickly mitigate a substantial amount of loss.
Figure 4.1 Vulnerabilities versus countermeasures.
If the goal of a security program is risk minimization, the implication is that it would want to go as far to the right on Fig. 4.1 as possible. That would theoretically reduce potential loss to near zero. The graph specifically implies loss will never be zero. However, when you look at the countermeasure line, you see that the cost of countermeasures is significantly more than the potential loss. Your security program is therefore costing your organization more money than it would save. So risk minimization is not a reasonable goal.
An obvious candidate on the graph for the appropriate balance between countermeasures and vulnerabilities is the point where the two curves intersect, but that point is not ideal. In other words, you are investing as much in your security program as you can possibly lose. The reality is that except on very rare occasions, an organization will not lose its complete value. So even at the point of intersection, you are spending more money on security than you are likely to lose.
Fig. 4.2 highlights the concept of risk optimization, where you are making a conscious determination of the appropriate level of risk you are willing to accept and determine the cost of the security program that will get you there. It is important to note that the level of potential loss is greater than the cost of the countermeasures being implemented. There should be a notable difference between these entities, as a complete loss is not likely.
Figure 4.2 Risk optimization.
You must first determine the amount of loss you are willing to accept. Currently, it is typical that a security program is provided with a random budget, sometimes a specific percentage in the overall information technology (IT) budget, without regard to the losses the security programs are expected to prevent. There is, therefore, no relationship between the security program's budget and the actual requirements that the security program is supposed to satisfy. This is important to understand, as it is a critical issue that will lead to the failure of the security program.
It is important to understand that the IT budget, a traditional indicator of a security budget, should be irrelevant to the funding of a security program. If you run the security program of a bank, you need to understand that you are not protecting the computers, but the money that flows through your computers. If a bank has a $100,000,000 IT budget, it is of course substantial. However, those computers are likely handling hundreds of billions of dollars of transactions a year, which the bank needs to protect and budget accordingly.
Clearly, the bank should not invest that much money into their security program. However, basing it on the IT budget is ludicrous.

Practical Implementation

Although it would admittedly be outstanding for all organizations to reengineer their security programs and budgets, it is unlikely to imminently happen. It is easier to execute risk optimization and budget justification on a vulnerability-by-vulnerability basis. For example, if you know the Chinese are likely to attack you, and can use a phishing campaign, you might want to implement multifactor authentication to mitigate the damage caused by a user divulging their password. Multifactor authentication prevents a wide variety of social engineering attacks, and also mitigates a large number of requests for password resets.
You can then estimate the cost for the multifactor authentication, such as token authentication, which might be $1,000,000. You then need to estimate the cost of likely incidents, as well as the costs associated with password resets. So, from the previously described Sony hack, the cost of a single incident was in excess of $100,000,000. There are also more regular small-scale incidents to include. You then have a business case, where the investment of $1,000,000 can mitigate potentially more than $100,000,000 of damage.
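As an added worked example (not the book's own code), the following Python model puts the chapter's risk formula and its two business cases (the $100,000 awareness program and the $1,000,000 multifactor authentication investment) into code, then contrasts risk minimization with risk optimization. The probabilities, the guard cost for the $500 necklace, and the tenfold MFA reduction factor are constructed assumptions, not figures from the chapter.

```python
"""Worked risk-optimization model for this chapter (added example, not the
book's own code). It encodes the chapter's formula

    Risk = ((Threat x Vulnerability) / Countermeasures) x Value

and then contrasts risk minimization (buy every countermeasure) with risk
optimization (buy only countermeasures that avoid more loss than they cost).
Modeling assumptions, not from the book: threat and vulnerability are
probabilities in [0, 1]; the countermeasure term is a divisor >= 1, where 1
means "no countermeasure", so risk equals the full value at risk when threat
and vulnerability are both certain and nothing is in place.
"""
from dataclasses import dataclass


def risk(threat: float, vulnerability: float, countermeasures: float, value: float) -> float:
    """Chapter formula: value at risk scaled by the probability of loss."""
    if not (0.0 <= threat <= 1.0 and 0.0 <= vulnerability <= 1.0):
        raise ValueError("threat and vulnerability are modeled as probabilities")
    if countermeasures < 1.0:
        raise ValueError("countermeasures factor is >= 1 (1 = no countermeasure)")
    return (threat * vulnerability / countermeasures) * value


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the losses it is expected to prevent."""
    name: str
    cost: float                 # cost to implement
    incidents_prevented: float  # expected number of incidents avoided
    loss_per_incident: float    # estimated loss from one such incident

    def loss_avoided(self) -> float:
        return self.incidents_prevented * self.loss_per_incident

    def net_savings(self) -> float:
        # The chapter's real test of a countermeasure: did it mitigate
        # more loss than it cost to implement?
        return self.loss_avoided() - self.cost


# Figures the chapter gives: a $100,000 awareness program preventing six
# $50,000 incidents, and $1,000,000 of multifactor authentication against a
# $100,000,000-class incident (one such incident assumed prevented).
AWARENESS = Countermeasure("awareness program", 100_000, 6, 50_000)
MFA = Countermeasure("multifactor authentication", 1_000_000, 1, 100_000_000)
# Constructed figure: round-the-clock guards for the chapter's $500 necklace.
GUARDS = Countermeasure("24-hour guards for a $500 necklace", 50_000, 1, 500)
CANDIDATES = (AWARENESS, MFA, GUARDS)


def minimize_risk(candidates):
    """Risk minimization: implement every countermeasure you can think of."""
    return list(candidates)


def optimize_risk(candidates):
    """Risk optimization: keep only countermeasures with positive net savings."""
    return [c for c in candidates if c.net_savings() > 0]


def program_cost(selected) -> float:
    return sum(c.cost for c in selected)


def program_loss_avoided(selected) -> float:
    return sum(c.loss_avoided() for c in selected)


if __name__ == "__main__":
    # Constructed figures: a $1,000,000 account, a motivated threat (0.9),
    # a weak password (0.8), first unprotected and then with MFA modeled as
    # a tenfold reduction in the chance the vulnerability is exploited.
    print("unprotected account:", risk(0.9, 0.8, 1.0, 1_000_000))
    print("with MFA:           ", risk(0.9, 0.8, 10.0, 1_000_000))
    for strategy in (minimize_risk, optimize_risk):
        chosen = strategy(CANDIDATES)
        names = ", ".join(c.name for c in chosen)
        print(f"{strategy.__name__}: spend ${program_cost(chosen):,.0f} "
              f"to avoid ${program_loss_avoided(chosen):,.0f} ({names})")
```

Minimization buys all three controls, including the guards that cost 100 times the necklace; optimization drops the guards and keeps the two controls that each save more than they cost, which is the business case the chapter asks you to take to management.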

Getting the Budget You Need, Not the Budget You Deserve

Finally, we need to discuss the problem with many security managers who typically complain that they are not provided with enough of a budget to implement what they believe are adequate security programs. Our response tends to be sympathetic, but we advise them that they get the budgets they deserve, not the budgets they need.
Although this is clearly a bit of a Pollyanna statement, we believe that, in general, security managers can get a sufficient budget, if they can make a good business case. Typically, security managers are asked to prepare a budget, and they put a budget together based on what they have and what they want. Barring any significant incidents, they will usually get their current budget and maybe a more specific percentage. This makes sense because security is typically considered an operational expense without a return on investment.
As we previously described, organizations have to look logically at all the values that are at risk. They can look at the vulnerabilities that place that value at risk and begin to prioritize the vulnerabilities that need to be mitigated. Simultaneously, they need to consider the threat. Although threat cannot be mitigated for the most part, it tells you the likely methods of attack, as well as the resources that will be invested in the attack.
If you know that China is a likely threat to your organization, you can assume that a large amount of resources will be invested in targeting your organization. You know that it will likely attempt to begin an attack with spear phishing messages and that it will plant malware in the network, and likely compromise critical servers, such as the email and other communications servers.
This information also helps to prioritize which vulnerabilities should be mitigated, as you know the likely vulnerabilities to be targeted and how to potentially detect attempted and successful attacks.
Using the previous example justifying the cost of multifactor authentication, you can see that there is a tangible benefit in implementing the countermeasure.
In this way, you are making a case for your budget. You are deserving of your budget. If you do not get the budget, then you have at least made the best case and your management is assuming the responsibility for any loss.
You need to be able to go to your management for each and every countermeasure and say, “I would like $XX,XXX, so I can specifically purchase this countermeasure. With that countermeasure, I will save $YYY,YYY,YYY.” At that point, you are making a business case to have your budget raised. This puts your management on notice that they are making decisions that will either save or cost money for the organization.
If, however, you cannot make your case, you should not buy the countermeasure in question, as it is a waste of money.
So when we say that people get the budgets they deserve, and not the budgets they need, we mean that they are doing an insufficient job of making the business case for what they need the budget for.
You may not always get the budget you deserve, but the goal is to deserve more. When you receive the budget that you actually need, you know you are successfully deserving the budget you need.
At the time of this writing, cybersecurity is one of the top concerns for organizations in all industries. There is a perceived need for better security, so make sure you take advantage of that by being deserving of the budget you need.