Relational Security Assessment Model: Risks

The Relational Security Assessment Model is composed of several components. Every component is related to a series of other components that all work together to derive a level of risk and a degree of control. While the structure is universal, all components of this process can and should be modified to fit the specifics of the organization being assessed. The basic components of a Relational Security Risk Assessment are:

  • Risk levels

  • Risk factors

Risk Levels

A risk level is the degree of risk an object represents within an environment. A different set of risk levels could be defined for each organization performing an assessment. The goal of a risk level is to qualify and quantify, on an enterprise-wide scale, a weighted risk value for each object. Table 8.4 shows a common set of risk levels:

Table 8.4. Sample Risk Levels

Risk Level | Description
None       | This object and its services are inconsequential to the environment. If the object was compromised or disabled without warning, there would be no noticeable effects.
Low        | This object plays some minor role within the environment. If the object was compromised or disabled without warning, there would be minimal effects to the organization.
Medium     | This object plays a significant role within the environment. If the object was compromised or disabled without warning, there would be noticeable effects on the organization.
High       | This object plays a very important role within the environment. If the object was compromised or disabled without warning, the effects would be quite harmful to the organization.
Extreme    | This object is essential to the continued operation of the organization. If the object was compromised or disabled without warning, there could be disastrous effects on the organization.

Important Tips for Defining Risk Levels

  • Risk levels should remain universal to the entire organization.

  • Risk levels should be quantified with some sample data, such as cost or recovery.

  • Only a handful of risk levels should be defined, ideally no more than six.

Within each organization, the interpretation of each level will be somewhat different. Therefore, it is useful to associate some form of real-world data to each risk level. For example, consider the data in Table 8.5.

Risk Factors

It would be bad practice simply to take each risk level and assign it to an object without any other consideration. During the audit process, it is necessary to talk to end users, managers, and other employees, polling their insight into the risk of each object. This is similar to the qualitative process, only much simpler, more consistent, and more efficient.

Table 8.5. Sample Real-World Data for Risk Levels

Risk Level | Company X                                                                                                   | Company Y
Medium     | Cost up to $3,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 5–10 customers or a partnership  | Cost up to $50,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 100–200 customers
Extreme    | Cost up to $10,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 30–50 customers or a partnership | Cost over $500,000 in repairs, lost productivity, fines, or lawsuits, or the loss of 500–1,000 customers or several partnerships

Since risk levels require a high level of understanding, we cannot simply ask individuals, “Is this system high-, medium-, or low-risk?” Doing so would make our results greatly skewed by their opinions, rendering our assessment useless. As such, it is important to interview individuals using basic facts, rather than universal risk levels.

A risk factor is an individual detail about an object in relation to an organization. Each factor has a related risk level that correlates the specific detail to the more universal levels we just developed. Most objects will have several risk factors associated with them.

The goal of defining risk factors is to introduce a method by which we can derive the risk level of any given object through a series of simple facts, not opinions. Rather than asking an administrator to choose a level of risk for the object, we present that individual with a group of factors to choose from. Based on the chosen factors, we then derive the object's risk level.

Table 8.6 contains some example risk factors:

Table 8.6. Example Risk Factors

Example risk factor: If this object was unavailable for a day, how much employee downtime could result?
  Factor Value    Risk Level
  0–5 hours       None
  6–10 hours      Low
  11–20 hours     Medium
  21–35 hours     High
  36+ hours       Extreme

Example risk factor: How many customers use the object in a day (if this object was unavailable for a day, how many customers could be affected)?
  Factor Value    Risk Level
  0–10            None
  11–30           Low
  31–50           Medium
  51–100          High
  101+            Extreme

Example risk factor: Are there any legal, contractual, or social obligations to maintain high availability?
  Factor Value    Risk Level
  No              None
  Yes             High

Of course, the more risk factors we consider, the more accurate our assessment of the object will be. Organizations will need to determine their own risk factors as related to their defined levels of risk. Table 8.7 contains some other common types of risk factors to consider.

Tips for Creating Risk Factors

Here are some general tips for considering risk factors within your own environment:

  • Try to form each risk factor into a simple, non-subjective statement— Remove opinion from the process as much as possible.

  • Cover a good range of topics— Choose a wide variety of risk factors, covering the key events that could affect your environment.

  • Continually refer to the bigger picture— Put some thought into each risk factor and how it relates to the bigger picture. Make sure each risk factor corresponds to the appropriate risk level.

  • Be sure to compare different risk factors to each other— Since each risk factor correlates to a universal risk level, factors that map to the same level should make sense side by side. Is losing 40 employee hours (extreme) really as important as affecting more than 100 customers (also extreme)?

Deriving Risk Levels from Risk Factors

By using risk factors, it becomes straightforward to assign a consistent and objective risk value to anything within the organization (see Table 8.8). For any given object, begin by choosing all the risk factors that relate to it. Once all related factors have been determined, take the highest risk level among them: the factor with the highest level represents the greatest risk the object poses to the environment. Note that this is a maximum, not a sum; several Medium factors do not add up to a High. A system that results in no hours of employee downtime (none) but affects 101 customers (extreme) is an extreme risk just the same as a router that causes 50 hours of downtime (extreme) but affects only 5 customers (none).

Table 8.7. Common Types of Risk Factors

Example Risk Factor Type | Considerations in Scoring
What would be the effect if the object were defaced or vandalized? | Take into consideration the effects of vandalism on any front-end, if any front-end exists for this device. This is of great importance to any Web server visible to clients, partners, and employees.
What would be the effect if the object's data were erased, corrupted, or modified? | Think about the need, use, and general value of the data on the system. If all data was lost forever, would it have a severe impact on the organization?
What would be the effect if the object's data was stolen? | Consider the effect on the organization if this information was stolen. Does this device relate at all to sensitive financial records, strategic business information, employee records, or any other sensitive information? Are there any legal, contractual, or social obligations for protecting this data? Think of the effects if the data was stolen. Could the company be sued? Are you storing protected health information or customer credit cards on this system?
What is the position of this object within the environment? | Is this system accessible by more than one zone? If so, would it be possible for someone breaking into this system to use it to attack other systems in a more sensitive zone?

Table 8.8. Determining Risk Level

Object        | Risk Factor                                      | Overall Risk to Organization
Server X      | Would cause 10 hours of employee downtime (low)  | Extreme
              | Could affect 200 customers (extreme)             |
WAN Link Y    | Would cause 30 hours of employee downtime (high) | High
              | Would not affect any customers (none)            |
Application Z | Could cause 10 hours of employee downtime (low)  | Medium
              | Could affect 40 customers (medium)               |

Our Risk Assessment Thus Far

So far, we have performed the first steps of the Relational Security Risk Assessment. We have:

1. Defined universal risk levels for the organization

2. Defined risk factors, each relating to a risk level

3. Assigned risk factors to objects we want to assess

4. Determined the highest risk level assigned to an object

By performing these simple steps, we now have mechanisms by which to assess and compare the risks of individual objects, as shown in Table 8.9. Once the risk levels of our objects are defined, it becomes easier to recognize where risks exist and which objects may not be adequately protected. We can also start seeing correlations between different objects, helping to prioritize which objects are more important to secure first and which require more controls.

Table 8.9. Object-Weighted Risk Levels

Object     | Risk Level
Firewall A | Extreme
Server X   | High
Server Y   | High
WAN Link X | High
Server Z   | Medium
WAN Link Z | Low

Deriving Relational Risks for Containers

During the audit process, it should become evident that not all objects have direct risks. For example, the risk of a room can only be assessed by looking at the objects that are within the room. Similarly, the risk of a router is completely dependent on the networks it is connecting. These objects are called container objects because their risks completely depend on the risks of the objects contained within them. A container may itself sit inside another container (Router Y inside Server Room A in Table 8.10), so the derivation is applied from the innermost objects outward. Since we have already determined the risks of our servers, WANs, and the like, we can use this information to evaluate relational risks (see Table 8.10).

Table 8.10. Determining Container Risk Levels

Container Object | Objects Inside     | Overall Risk to Organization
Server Room A    | Server X (extreme) | Extreme
                 | Server Z (low)     |
                 | Router Y (high)    |
Router Y         | WAN Link A (high)  | High
                 | WAN Link B (none)  |
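The following Python is an added example, not code from the book, that implements the two derivations above: the factor-to-level banding of Table 8.6, the "highest related factor" rule for objects (Table 8.8), and the "highest contained object" rule for containers (Table 8.10), applied recursively so that a router inside a server room is scored before the room. The class and function names (RiskLevel, BandedFactor, YesNoFactor, Asset, Container, weighted_risk_report) are this example's own; the factor bands are the page's sample values, and the answers assumed for Server Z and the WAN links are constructed to reproduce the levels shown in Table 8.10.

```python
"""Risk-level derivation from risk factors (added example; names are this example's own)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple, Union


class RiskLevel(IntEnum):
    """Ordered so that max() picks the most severe level (Table 8.4)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    EXTREME = 4


@dataclass(frozen=True)
class BandedFactor:
    """Factor answered with a number; ascending (inclusive_upper_bound, level) bands,
    the last bound None for the open-ended top band (e.g. 36+ hours)."""
    question: str
    bands: Tuple[Tuple[Optional[float], RiskLevel], ...]

    def level(self, value: float) -> RiskLevel:
        if value < 0:
            raise ValueError(f"{self.question!r}: negative answer {value}")
        for upper, lvl in self.bands:
            if upper is None or value <= upper:
                return lvl
        raise ValueError("band table has no open-ended top band")


@dataclass(frozen=True)
class YesNoFactor:
    """Factor answered yes/no, e.g. an availability obligation maps to High."""
    question: str
    yes_level: RiskLevel
    no_level: RiskLevel = RiskLevel.NONE

    def level(self, value: bool) -> RiskLevel:
        return self.yes_level if value else self.no_level


# Sample factors from Table 8.6
DOWNTIME_HOURS = BandedFactor(
    "If this object was unavailable for a day, how much employee downtime could result?",
    ((5, RiskLevel.NONE), (10, RiskLevel.LOW), (20, RiskLevel.MEDIUM),
     (35, RiskLevel.HIGH), (None, RiskLevel.EXTREME)))
CUSTOMERS_AFFECTED = BandedFactor(
    "How many customers use the object in a day?",
    ((10, RiskLevel.NONE), (30, RiskLevel.LOW), (50, RiskLevel.MEDIUM),
     (100, RiskLevel.HIGH), (None, RiskLevel.EXTREME)))
AVAILABILITY_OBLIGATION = YesNoFactor(
    "Are there any legal, contractual, or social obligations to maintain high availability?",
    RiskLevel.HIGH)


@dataclass
class Asset:
    """A directly assessed object: each factor is answered with a fact, not an opinion."""
    name: str
    answers: Dict[Union[BandedFactor, YesNoFactor], Union[float, bool]]

    def scored_factors(self) -> List[Tuple[str, Union[float, bool], RiskLevel]]:
        return [(f.question, v, f.level(v)) for f, v in self.answers.items()]

    def risk(self) -> RiskLevel:
        """Highest level of any related factor: a maximum, not a sum."""
        if not self.answers:
            raise ValueError(f"{self.name}: no risk factors assigned")
        return max(lvl for _, _, lvl in self.scored_factors())

    def dominant_factor(self) -> Tuple[str, Union[float, bool], RiskLevel]:
        """The fact that set the level, useful when a result is challenged in review."""
        return max(self.scored_factors(), key=lambda row: row[2])


@dataclass
class Container:
    """Room, router, etc.: risk is the highest risk of anything inside, recursively."""
    name: str
    contents: List[Union[Asset, "Container"]]

    def risk(self) -> RiskLevel:
        if not self.contents:
            raise ValueError(f"{self.name}: an empty container has no derivable risk")
        return max(obj.risk() for obj in self.contents)


def weighted_risk_report(objects) -> List[Tuple[str, str]]:
    """Table 8.9 style listing, most to least risky."""
    ranked = sorted(objects, key=lambda obj: obj.risk(), reverse=True)
    return [(obj.name, obj.risk().name.title()) for obj in ranked]


# Inventory from Tables 8.8 and 8.10. Server Z and the WAN links carry constructed
# answers (assumption) chosen to reproduce the levels shown in Table 8.10.
server_x = Asset("Server X", {DOWNTIME_HOURS: 10, CUSTOMERS_AFFECTED: 200})
wan_link_y = Asset("WAN Link Y", {DOWNTIME_HOURS: 30, CUSTOMERS_AFFECTED: 0})
application_z = Asset("Application Z", {DOWNTIME_HOURS: 10, CUSTOMERS_AFFECTED: 40})
server_z = Asset("Server Z", {DOWNTIME_HOURS: 8, CUSTOMERS_AFFECTED: 0})
wan_link_a = Asset("WAN Link A", {DOWNTIME_HOURS: 0, AVAILABILITY_OBLIGATION: True})
wan_link_b = Asset("WAN Link B", {DOWNTIME_HOURS: 0, CUSTOMERS_AFFECTED: 0})
router_y = Container("Router Y", [wan_link_a, wan_link_b])
server_room_a = Container("Server Room A", [server_x, server_z, router_y])

if __name__ == "__main__":
    for name, level in weighted_risk_report([server_room_a, router_y, server_x, wan_link_y, application_z]):
        print(f"{name:14} {level}")
```

Because an object's level is a maximum, dominant_factor() records which single fact drove it; when reviewers dispute a result, that is the fact to re-check against the factor tables, which is the comparison the tip "compare different risk factors to each other" asks for.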
