Classify Business Risks

The way in which individuals and businesses use their assets varies across all industries. If a person looks at risk and its impact to the organization, he or she could quickly become overwhelmed trying to create a comprehensive list of all the possible threats and vulnerabilities that affect the company. Luckily, there are several techniques that can help direct this activity. The following method achieves this by focusing the task on the risks posed by the people, process, and technology of the organization.

Risks Posed by People

Ideally, all personnel in an organization should readily understand the threat to a company’s health if risk is not managed. Unfortunately, risks and risk management are often perceived quite differently. Personnel often tend to be the weakest link when it comes to security threats to an organization.

One of the challenges with effective risk management of IT resources is achieving a proper balance between security and usability. FIGURE 1-2 shows a diagram. In the diagram, on the left, the computers are completely locked down with such a high level of security that the controls may prevent users from adequately performing their jobs. On the right, the computers are easy to use, but security is being neglected. In the middle, a balance between the two has been achieved.

An illustration indicating the fact that security and usability have to be balanced in an organization.

FIGURE 1-2 Balancing security and usability in an organization.

Balanced security rarely satisfies everyone. Security personnel want to lock systems down tight, whereas end users find those security controls inconvenient and want more usability.

It is common for individuals in the following roles to have different perceptions of risk:

  • Leaders and managers—Leaders and managers are concerned mostly with profitability and survivability. Because attacks can result in loss of C-I-A, leaders are willing to spend money to mitigate risks. However, their view of risk is typically based on costs associated with the risk and the controls. Managers need accurate facts to make decisions regarding which controls to implement to protect company assets.
  • System administrators—System administrators are responsible for protecting IT systems. When they understand the risks, they often want to lock systems down as tight as possible. Administrators are often highly technical individuals. Sometimes, they lose sight of the need to balance security costs with profitability. Some organizations have administrators, often Tier 1, who serve as the first line of defense for IT support. These administrators are given limited administrative permissions. They often view the security controls as hindrances to performing their job and don’t always recognize the importance of the controls. For example, the need to use a change management process isn’t always understood. A well-meaning technician may bypass a change management process to solve one problem but unintentionally create another problem. These unapproved changes can result in business losses.
  • Developer—Some companies have in-house application developers. They write applications that can be used in-house or sold as part of the company’s product offerings. Many developers have adopted a secure computing mindset. They realize that security needs to be included beginning at the design stage and going all the way through to the release stage. When developers haven’t adopted a security mindset, they often try to patch security holes at the end of the development cycle. This patching mindset rarely addresses all problems and results in the release of vulnerable software. Ideally, security needs to be an integral step in the life cycle of software or application development.
  • End user—End users simply want the computer to work for them. They are most concerned with usability and often don’t understand the reason for the security controls and restrictions. Instead, security is viewed as an inconvenience. Well-meaning users often try to circumvent controls so they can accomplish their job. For example, because USB thumb drives often transport viruses without the user’s knowledge, companies frequently implement policies restricting the use of thumb drives. However, a user who needs to transfer a file from one computer to another to complete a project deadline may view a USB thumb drive as a necessary solution.

TIP

The use of thumb drives can be restricted through a written policy telling people not to use them as well as by using technical controls. Computer users can easily ignore a written policy, but they can’t easily bypass a technical control. A best practice is to create and enforce both types of policies, written and technical.

The perceptions of these different role holders can be addressed through targeted training. Some training can include all employees. Other training should be targeted to specific roles. Targeted training helps role holders better understand the big picture. It can also help them understand the importance of security and its value to the success of the company. People responsible for managing risks must take all perceptions into account. This is especially true if any of the controls can be bypassed. For example, theft of laptops is a common problem for some companies. An employee can leave a laptop to take a break at a conference only to come back and find the laptop gone. This risk can almost be eliminated if the company purchases hardware locks, which can secure the laptop to a desk or other furniture. However, if users don’t perceive the risk as valid, they may simply not use the lock; therefore, they must be trained to understand the controls and the consequences (to the company and themselves) for not complying with the controls.

Risks Posed by a Lack of Process

Process represents the actions taken to reach a desired outcome. A lack of formal process is a contributor to risk in any organization. Without a process for creating recipes and training cooks, a bakery, for example, could not produce consistently delicious cupcakes, and risks income loss. Without a process for inventory control, a sales company may risk loss of customers from lack of supply. For many organizations, these processes take the form of policies, standards, and guidelines. The following list describes some of the processes associated with IT resources:

  • Policies—Policies are formal statements that are issued directly by an organization’s leaders, such as an acceptable use policy, which describes both acceptable and unacceptable behavior when using company-owned computers and network resources.
  • Standards—Standards are mandatory rules written to support or at least provide some direction to policies. For example, a password standard could follow an acceptable use policy.
  • Guidelines—Guidelines are not mandatory but provide guidance on specific behavior. For example, guidelines are written on how to create a strong password.

Ideally, all organizations should have a general information security policy and may have specific policies in place to define how the business will handle access control, remote access, email usage, incident response, disaster recovery, business continuity, and other risk situations.
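The distinction between a mandatory standard and an advisory guideline is easiest to see in code. The following is an added example, not from the textbook: a password check in which the standard's rules reject a password outright, while the guideline's rules only produce advice. The specific thresholds (12 characters, three character classes, a 16-character passphrase guideline) and the short denylist are constructed assumptions standing in for what a real standard and guideline would specify.

```python
import re
from dataclasses import dataclass, field

# Constructed example standard and guideline; the figures are assumptions for
# this example, not values from the textbook. Standard rules are mandatory
# (a violation rejects the password); guideline rules are advisory only.
STANDARD_MIN_LENGTH = 12
STANDARD_REQUIRED_CLASSES = 3   # of: lowercase, uppercase, digit, symbol
GUIDELINE_MIN_LENGTH = 16       # guideline: prefer a long passphrase

# Small constructed list standing in for a real common-password denylist.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


@dataclass
class PolicyResult:
    compliant: bool
    violations: list = field(default_factory=list)   # standard (mandatory) failures
    advisories: list = field(default_factory=list)   # guideline (optional) suggestions


def _character_classes(pw: str) -> int:
    """Count how many of the four character classes appear in the password."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, pw))


def evaluate_password(pw: str, username: str = "") -> PolicyResult:
    result = PolicyResult(compliant=True)

    # --- Standard: mandatory rules; any failure means the password is rejected.
    if len(pw) < STANDARD_MIN_LENGTH:
        result.violations.append(f"shorter than {STANDARD_MIN_LENGTH} characters")
    if _character_classes(pw) < STANDARD_REQUIRED_CLASSES:
        result.violations.append(f"fewer than {STANDARD_REQUIRED_CLASSES} character classes")
    if pw.lower() in COMMON_PASSWORDS:
        result.violations.append("appears on the common-password denylist")
    if username and username.lower() in pw.lower():
        result.violations.append("contains the account name")

    # --- Guideline: advisory rules; reported but never cause rejection.
    if len(pw) < GUIDELINE_MIN_LENGTH:
        result.advisories.append(f"consider a passphrase of {GUIDELINE_MIN_LENGTH}+ characters")
    if re.search(r"(.)\1{2,}", pw):
        result.advisories.append("avoid runs of three or more identical characters")
    if re.search(r"(19|20)\d\d", pw):
        result.advisories.append("avoid years, which are easy to guess")

    result.compliant = not result.violations
    return result


if __name__ == "__main__":
    for candidate in ["password1", "Summer2024!!", "correct-Horse-battery-7"]:
        r = evaluate_password(candidate, username="jsmith")
        status = "OK" if r.compliant else "REJECTED"
        print(f"{candidate!r}: {status} violations={r.violations} advisories={r.advisories}")
```

Keeping the two rule sets in separate branches mirrors the document hierarchy: when the standard changes, only the mandatory branch is edited, and advice from the guideline never blocks a user, which avoids the usability backlash described earlier in the chapter.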

Risks Posed by Technology

Whether in a small business, large government body, or publicly traded corporation, most IT infrastructures consist of the seven domains shown in FIGURE 1-3: User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application. Each domain poses its own set of risks. One method for identifying the risks posed by technology is to review each domain, concentrating on the threats, vulnerabilities, and impact of a loss.

An illustration showing what the seven domains of a typical I T infrastructure are.

FIGURE 1-3 The seven domains of a typical IT infrastructure.

The following examples describe some of the risks for each domain; more risks exist than are described for each domain. Businesses must provide protection in each of the domains. A weakness in any one of the domains can be exploited by an attacker even if the other six domains have no vulnerabilities.

User Domain

The User Domain defines the way in which people interact with an organization’s information system. They can be customers, employees, contractors, or consultants. The old saying that a chain is only as strong as its weakest link applies to IT security too. People are often the weakest link in IT security. For example, an organization may require strong, complex passwords that can’t be easily cracked, but an employee may write his or her password on a sticky note, leaving the organization vulnerable to unauthorized access.

Workstation Domain

A workstation can be a desktop or a laptop computer, a special-purpose terminal, or any other device that connects to an organization’s network; a workstation is where users first access the systems, applications, and data of the organization. The Workstation Domain requires tight security and access controls. In addition, bugs and vulnerabilities are constantly being discovered in operating systems and applications. Software vendors regularly release patches and fixes that must be applied to help keep the systems protected.

LAN Domain

The LAN Domain is the area that is inside the firewall. A local area network (LAN) can be a single workstation and printer connected in a small home office network or a large network with thousands of devices. Because these devices share network resources, they are vulnerable to a threat that attacks a single device. For example, a user may visit risky websites and unknowingly download a virus that can infect the entire network.

LAN-to-WAN Domain

The LAN-to-WAN Domain is where the IT infrastructure links to a wide area network (WAN) and the Internet. The LAN-to-WAN Domain provides Internet access for the entire organization and acts as the entry and exit point for the WAN. The public side of the boundary is often connected to the Internet and is a frequent target of hackers looking for vulnerabilities that will allow unauthorized access to the LAN.

WAN Domain

The Wide Area Network (WAN) Domain connects remote locations. The goal of managing the WAN Domain is to allow users the most access possible while making sure that what goes in and out is safe. A significant amount of security is required to keep hosts in the WAN Domain safe. Risks associated with this domain include eavesdropping and unauthorized access because most traffic in this domain is sent in cleartext, which means that hackers can access usernames and passwords. In addition, data is subject to corruption and malicious attacks.

Remote Access Domain

The Remote Access Domain connects remote users to the organization’s IT infrastructure. Remote access is critical for staff members who work in the field or from home, for example, outside sales reps, technical support specialists, or health care professionals. Wi-Fi hotspots make it easy for users to connect to a virtual private network (VPN) to access email and other business applications, but this convenience also poses risks to the organization’s proprietary data if the employee’s device is stolen or left unsecured.

NOTE

VPN connections use tunneling protocols to reduce the risk of data being captured. A tunneling protocol encrypts the traffic sent over the network, which makes it more difficult for attackers to capture and read data.
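A defender's first step against the WAN Domain eavesdropping risk described above is to find out which traffic leaving the network is still in cleartext rather than inside a tunnel. The following is an added example, not from the textbook: a small detector that parses constructed boundary-firewall log lines, classifies each flow by destination port as cleartext, tunneled, or other, and lists the internal hosts sending credentials-bearing protocols across the WAN. The log format, the addresses, and the port-to-protocol mappings are assumptions of this example; a real deployment would read its own firewall's export format.

```python
import re
from collections import Counter

# Constructed boundary-firewall log lines (not from the textbook) in a simplified
# "timestamp src dst dport proto" format. All src addresses are assumed to be
# internal hosts and all dst addresses external, so every line is WAN-bound.
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.1.1.15 203.0.113.7 23 TCP
2024-05-01T08:00:04 10.1.1.22 198.51.100.9 443 TCP
2024-05-01T08:01:10 10.1.1.15 203.0.113.7 21 TCP
2024-05-01T08:02:30 10.1.1.40 198.51.100.9 80 TCP
2024-05-01T08:03:00 10.1.1.40 203.0.113.20 1194 UDP
2024-05-01T08:03:45 10.1.1.51 198.51.100.30 110 TCP
2024-05-01T08:04:12 10.1.1.22 203.0.113.20 4500 UDP
"""

# Well-known ports whose protocols carry usernames, passwords and data in cleartext.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}
# Ports that indicate a tunneling protocol; this mapping is an assumption of the example.
TUNNEL_PORTS = {1194: "OpenVPN", 500: "IPsec IKE", 4500: "IPsec NAT-T"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (TCP|UDP)$")


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def classify(rec):
    """Label a flow by destination port: cleartext, tunneled, or other."""
    if rec["dport"] in CLEARTEXT_PORTS:
        return "cleartext"
    if rec["dport"] in TUNNEL_PORTS:
        return "tunneled"
    return "other"


def find_cleartext_egress(log_text):
    """Every WAN-bound flow that uses a cleartext protocol, with the service named."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and classify(rec) == "cleartext":
            findings.append({**rec, "service": CLEARTEXT_PORTS[rec["dport"]]})
    return findings


def traffic_summary(log_text):
    """Count flows per classification, for a quick view of how much is still exposed."""
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return Counter(classify(r) for r in recs)


if __name__ == "__main__":
    print(traffic_summary(SAMPLE_LOG))
    for f in find_cleartext_egress(SAMPLE_LOG):
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["dport"]} {f["service"]} (cleartext)')
```

Each finding names an internal host and the protocol it used, which is what a risk owner needs to decide between moving that service into the VPN tunnel, replacing it with its encrypted equivalent, or blocking the port at the LAN-to-WAN boundary.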

System/Application Domain

The System/Application Domain is where the organization’s data is stored. This data can be private customer data, intellectual property, or national security information. Data is what attackers seek deep within an IT system. Loss of this data, whether by attack, disaster, or negligence, is the greatest threat in the System/Application Domain.

TIP

A server should be locked down using the specific security requirements needed by the hosted application. In other words, an email server requires one set of protections, which is different from that required for a database server.
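The domain-by-domain review described in this section (threats, vulnerabilities, and impact of a loss for each of the seven domains) can be kept in a simple risk register that also reveals when a domain has not been assessed at all, which matters because a weakness in any one domain can be exploited regardless of the others. The following is an added example, not from the textbook: a register whose entries are built from the risks the chapter names per domain, scored with a qualitative likelihood-times-impact scale, with helpers that report the highest-risk domains and any domain left uncovered. The numeric scale and the likelihood and impact ratings are assumptions of this example, and the System/Application Domain is deliberately left without an entry to show the coverage gap.

```python
from collections import defaultdict

# The seven domains named in Figure 1-3.
DOMAINS = ["User", "Workstation", "LAN", "LAN-to-WAN", "WAN",
           "Remote Access", "System/Application"]

# Qualitative scale; the numeric values are an assumption of this example.
LEVEL = {"low": 1, "medium": 2, "high": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood that the threat exploits the vulnerability x impact of the loss."""
    return LEVEL[likelihood] * LEVEL[impact]


def add_risk(register, domain, threat, vulnerability, likelihood, impact):
    """Validate an entry before it enters the register (unknown domain or level is an error)."""
    if domain not in DOMAINS:
        raise ValueError(f"unknown domain: {domain}")
    if likelihood not in LEVEL or impact not in LEVEL:
        raise ValueError("likelihood and impact must be low, medium or high")
    register.append({"domain": domain, "threat": threat, "vulnerability": vulnerability,
                     "likelihood": likelihood, "impact": impact})
    return register


def scores_by_domain(register):
    """Highest single risk score recorded for each assessed domain."""
    by = defaultdict(int)
    for e in register:
        by[e["domain"]] = max(by[e["domain"]], risk_score(e["likelihood"], e["impact"]))
    return dict(by)


def uncovered_domains(register):
    """Domains with no entry at all: a review gap, not evidence that the domain is safe."""
    assessed = {e["domain"] for e in register}
    return [d for d in DOMAINS if d not in assessed]


def highest_risk_domains(register):
    by = scores_by_domain(register)
    top = max(by.values())
    return [d for d in DOMAINS if by.get(d) == top]


# Constructed register entries drawn from the risks this section describes per domain.
# Ratings are assumptions for the example. System/Application is intentionally omitted.
REGISTER = []
add_risk(REGISTER, "User", "unauthorized login", "password written on a sticky note", "high", "medium")
add_risk(REGISTER, "Workstation", "malware infection", "missing OS and application patches", "medium", "high")
add_risk(REGISTER, "LAN", "virus spreading across shared resources", "risky web browsing", "medium", "high")
add_risk(REGISTER, "LAN-to-WAN", "external intrusion", "exposed boundary service", "medium", "high")
add_risk(REGISTER, "WAN", "eavesdropping", "cleartext traffic", "high", "high")
add_risk(REGISTER, "Remote Access", "data theft", "stolen or unsecured device", "medium", "high")

if __name__ == "__main__":
    for domain, score in sorted(scores_by_domain(REGISTER).items(), key=lambda kv: -kv[1]):
        print(f"{domain:20s} max risk {score}")
    print("highest-risk domains:", highest_risk_domains(REGISTER))
    print("domains not yet assessed:", uncovered_domains(REGISTER))
```

The `uncovered_domains` check is the part worth keeping even in a spreadsheet-based register: an empty domain row is the most common way the "other six domains" assumption creeps in unnoticed.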
