CHAPTER 6

Performing a Risk Assessment

THERE ARE SEVERAL STEPS TO TAKE when performing a risk assessment. You start by clearly defining what you will assess. This involves describing the system. You then collect data to identify threats and vulnerabilities. These threats and vulnerabilities help you identify the risks.

Then identify countermeasures or controls that can mitigate the risks. Evaluate in-place and planned controls. Finally, evaluate and recommend additional controls. You can support these recommendations with a cost-benefit analysis.

Chapter 6 Topics

This chapter covers the following topics and concepts:

• What to consider when selecting a risk assessment methodology
• How to identify the management structure
• How to identify assets and activities
• How to identify and evaluate relevant threats
• How to identify and evaluate relevant vulnerabilities
• How to identify and evaluate countermeasures
• How to select a methodology based on the assessment needs
• How to develop mitigating recommendations
• What presenting risk assessment results entails
• What the best practices for performing risk assessments are

Chapter 6 Goals

When you complete this chapter, you will be able to:

• Select an appropriate risk assessment methodology
• Define the operational characteristics and mission of the system to be assessed
• State the importance of reviewing previous findings and status
• Describe the relevance of a management structure to a risk assessment
• Identify the types of assets to include in a risk assessment
• List steps to identify and evaluate threats
• List actions to identify and evaluate vulnerabilities
• List actions to identify and evaluate countermeasures
• Describe the difference between in-place and planned countermeasures
• Describe the process used to assess threats, vulnerabilities, and exploits
• Describe the process used to develop mitigation recommendations
• Describe the results of a risk assessment
• List best practices for performing risk assessments

Selecting a Risk Assessment Methodology

Once you decide to perform a risk assessment (RA), you’ll need to outline how you’ll proceed. In other words, you’ll need to decide what specific steps to take. An RA isn’t a project that you can decide to do one day and complete it the next. It takes time and planning.

The two primary types of RA approaches are quantitative and qualitative. This chapter helps to paint the overall picture of an RA. In general, a risk assessment involves the following steps:

• Identify assets and activities to address.
• Identify and evaluate relevant threats.
• Identify and evaluate relevant vulnerabilities.
• Identify and evaluate relevant countermeasures.
• Assess threats, vulnerabilities, and exploits.
• Evaluate risks.
• Develop recommendations to mitigate risks.
• Present recommendations to management.

Before progressing with the RA, you need to complete two preliminary actions. These are:

• Define the assessment.
• Review previous findings.

Defining the Assessment

You need to clearly define what you’ll assess. If it’s a system, you need to describe the system. If it’s a process, you need to describe the process.

It’s important to describe the system or process as it is right now. An RA is a point-in-time assessment. This is unlike overall risk management, which is a continuous process.

When describing the system or process, you will often focus on two primary areas:

• Operational characteristics
• Mission of the system

It’s also important to include the scope of the RA when defining it. This helps prevent uncontrolled changes. Uncontrolled changes result in cost overruns and missed deadlines.

Operational Characteristics

Operational characteristics define how the system operates in your environment. It’s not enough to just name the system, such as “E-mail server.” Instead, you need to identify how the system is currently configured and operating.

Consider Figure 6-1. This shows a single e-mail server in a network. The e-mail server handles all e-mail to and from the Internet. It provides e-mail services for all clients in the internal network. Now, let’s say this illustration is old and doesn’t reflect the organization’s current configuration.

FIGURE 6-1 E-mail server in a network.

FIGURE 6-2 Upgraded diagram showing an internal e-mail server and an e-mail server in a DMZ.

Now look at Figure 6-2. Figure 6-2 shows the organization’s current network diagram, which has a demilitarized zone (DMZ). The DMZ includes one e-mail server used to send and receive e-mail from the Internet. The internal e-mail server sends and receives e-mail from the DMZ server but does not interact with the Internet.

The differences between Figures 6-1 and 6-2 help show the importance of documenting operational characteristics. What would happen if you began an RA by evaluating the threats against the system in Figure 6-1? Your information would be outdated, and you would spend valuable time on the wrong effort.

You need to perform the RA against the current system. However, the current configuration isn’t always apparent or readily available. It sometimes takes some digging. Some simple questions you can ask include:

• Do you have current diagrams that show all of the current systems?
• Do you have documentation of the current configuration?

Mission of the System

The mission of the system defines what the system does. Compared with the operational characteristics of the system, the mission is easy to define. The mission definition for any single system can be as short as a paragraph. It can also consist of simple bullet statements.

For example, an e-mail system could have the following mission: The e-mail server provides all e-mail services for the organization. This includes the following functions:

• Routing e-mail between internal clients
• Accepting e-mail from external e-mail servers and routing to internal clients
• Accepting e-mail from internal clients and routing to external e-mail servers
• Scanning all e-mail attachments and removing malware
• Scanning all e-mail for spam and stripping out confirmed spam

Managing Configuration and Change

Configuration management and change management are two important risk management processes. They also have a direct impact on risk assessments. These two processes are sometimes mentioned together, but they are different.

Configuration management ensures that similar systems have the same, or at least similar, configurations. When systems are very similar, you can use techniques such as baselines, scripting, and automation to configure them more efficiently. Systems that share the same configuration are easier to maintain collectively. They are also easier to evaluate for risks.

Change management prevents unapproved changes to systems. All changes are formally requested using a change management process. Technical experts review the requests and then either approve or disapprove them. The goal is to reduce unintended outages from changes. When you don’t use change management, a change to one system can easily cause an outage in another system.

For example, a technician in a large organization was troubleshooting a problem with a printer. The printer wasn’t automatically receiving an Internet Protocol (IP) address, which prevented print jobs from reaching the printer. The technician manually assigned an IP address and verified the printer worked. This may sound harmless, and even helpful. It wasn’t. The IP address assigned to the printer was also assigned to a server that other technicians were repairing at the time. After technicians repaired the server and brought it online, it no longer worked properly. The printer had its IP address, causing an IP address conflict. Technicians had to spend extra time troubleshooting the issue and correcting both problems.

These problems could have been avoided with a change management process. The printer technician would have submitted the change request for the printer. The administrator who assigns IP addresses would easily have seen the conflict and denied the request. The server wouldn’t have had an extended outage.

Additionally, the change management process ensures the correct documentation for changes. When an organization has mature processes in place for configuration and change management, risk assessments are easier to perform. It’s easier to identify the current status of a system. Available documentation is more up to date.
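The printer/server conflict above is exactly the kind of error a change review catches when the documented allocations are checked before approval. The following is an added example, not code from the textbook: a small address registry that validates a static IP change request against the recorded static assignments and the DHCP pool, records the decision, and only updates the documentation when the request is approved. The subnet, pool range and the "file server" entry are constructed sample data.

```python
"""Pre-approval check for a static IP change request.

Added example (not from the textbook): it models the printer/server
conflict described above. Before a request for a static address is
approved, the address is checked against the documented allocations,
so the reviewer sees the conflict instead of discovering it as an outage.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressRegistry:
    """Documented allocations for one subnet (constructed sample data)."""
    subnet: ipaddress.IPv4Network
    dhcp_first: ipaddress.IPv4Address   # DHCP hands out dhcp_first..dhcp_last automatically
    dhcp_last: ipaddress.IPv4Address
    static: dict = field(default_factory=dict)   # IPv4Address -> owner
    log: list = field(default_factory=list)      # every decision, for the change record

    def conflicts(self, requested):
        """Return the reasons a requested address must be denied (empty = no conflict)."""
        addr = ipaddress.ip_address(requested)   # raises ValueError on malformed input
        reasons = []
        if addr not in self.subnet:
            return [f"{addr} is outside the managed subnet {self.subnet}"]
        if addr in self.static:
            reasons.append(f"{addr} is already assigned to {self.static[addr]}")
        if self.dhcp_first <= addr <= self.dhcp_last:
            reasons.append(f"{addr} lies in the DHCP pool {self.dhcp_first}-{self.dhcp_last}")
        return reasons

    def review(self, requested, owner):
        """Approve or deny the request, record the decision, and update the registry."""
        reasons = self.conflicts(requested)
        approved = not reasons
        if approved:
            self.static[ipaddress.ip_address(requested)] = owner
        self.log.append({"requested": str(requested), "owner": owner,
                         "approved": approved, "reasons": reasons})
        return {"approved": approved, "reasons": reasons}

    def owner_of(self, address):
        """Who holds a static address, or None if it is unassigned."""
        return self.static.get(ipaddress.ip_address(address))


def sample_registry():
    """Constructed registry: a server under repair already holds 10.20.0.10."""
    reg = AddressRegistry(
        subnet=ipaddress.ip_network("10.20.0.0/24"),
        dhcp_first=ipaddress.ip_address("10.20.0.100"),
        dhcp_last=ipaddress.ip_address("10.20.0.200"),
    )
    reg.static[ipaddress.ip_address("10.20.0.10")] = "file server (under repair)"
    return reg


if __name__ == "__main__":
    registry = sample_registry()
    # The printer technician's request for the server's address is denied ...
    print(registry.review("10.20.0.10", "2nd-floor printer"))
    # ... and a free address outside the DHCP pool is approved and recorded.
    print(registry.review("10.20.0.20", "2nd-floor printer"))
```

The DHCP-pool check matters as much as the static-table check: an address that is free today but inside the pool can be handed to another device tomorrow, which recreates the same conflict without anyone making a change.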

Reviewing Previous Findings

If previous audits or risk assessments are available, you should review them. These reports can contain a lot of valuable information to make your job easier.

These reports list assets, threats, and vulnerabilities. They should also list controls currently in place. They may provide recommendations for additional controls. Three items especially worth investigating are:

• Recommendations—Previous recommendations give insight into several issues. They address threats and vulnerabilities considered relevant at the time. They also include controls considered valuable at the time. Even though many issues may have changed, some may be the same or similar.

• Current status of accepted recommendations—Ideally, all accepted previous recommendations are in place. You can then measure the effectiveness of approved and implemented recommendations. However, if an approved recommendation isn’t in place, the previous report may help you determine the reason why. Perhaps the hardware or software is still in the purchasing pipeline. Maybe the approved recommendation was simply ignored.

• Unapproved recommendations—The recommendations that were not approved can also give some insight into the business. They may indicate that the organization is willing to accept a higher level of residual risk. The organization could have suffered losses that would have been mitigated by an unapproved control. If that’s true, management may be more receptive to the control at this time.

Identifying the Management Structure

The management structure refers to how responsibilities are assigned. When you define the scope of the RA, it’s helpful to keep the scope within the ownership of a single entity. This allows for easier implementation of recommendations.

A small organization may have a single information technology (IT) division. This single division is responsible for all IT systems and processes. Because its staff controls all IT systems, they can implement recommendations for any of the systems.

However, a larger organization may have multiple IT divisions. In this case, various managers or management teams oversee different IT systems. Each manager has different responsibilities. For example, an organization may have the following divisions for IT management:

• Network infrastructure—This division is responsible for all the routers and switches in the network. It may include all the firewalls.

• User and computer management—This division performs the day-to-day management of the network and accounts. It may also include basic security measures. For example, the Group Policy tool can manage accounts in a Microsoft domain. Administrators who manage the Microsoft domain would manage Group Policy.

NOTE

Group Policy is an automated management tool. You can set a policy once and allow it to apply to all users and computers in the domain. For example, you can set a password policy that applies to all users. This can ensure that end users use strong passwords and regularly change their passwords.

• E-mail servers—Some larger organizations have 10 or more e-mail servers to manage e-mail. Trained personnel are dedicated to primarily managing these servers. Personnel ensure e-mail delivery. They also manage spam filtering and malicious attachments.

• Web servers—An organization can have dozens of Web servers configured in one or more Web farms. A Web farm can generate a significant amount of revenue and have dedicated personnel to manage it.

• Database servers—Many organizations have a large amount of data stored in databases. Large databases are stored on dedicated servers. The knowledge needed to manage these servers is specialized, so some organizations have dedicated database administrators to manage them.

• Configuration and change management—This division oversees configuration settings and changes to either all servers or all systems. The team may be responsible for building new servers. They also coordinate and document all change requests.

A small organization may perform a risk assessment for many systems at the same time. However, a larger organization will likely separate the risk assessments.

For example, imagine a large organization hosting e-commerce Web sites. Elements of the Web sites include Web servers, database servers, and firewalls. However, different divisions within the organization manage these different elements. One division manages the Web servers. Another division manages the database servers. A third division manages network security, including the firewalls. Performing a single RA on all three elements can be challenging. This is especially true when implementing recommendations. Managers in the different divisions might have competing goals, schedules, and priorities.

However, if the organization assesses a single division at a time, the results are easier to implement. For example, you could perform three separate RAs. You could assess the Web servers, database servers, and firewalls separately. Each assessment would have specific recommendations targeted for the owners of the system.

Identifying Assets and Activities Within Risk Assessment Boundaries

Asset valuation is the process of determining the fair market value of an asset. This is one of the first priorities of risk management. You can determine the value from the replacement value of the asset. You can determine the value based on either what the asset provides to the organization, or the cost to recover the asset. It’s also possible to determine the value using a combination of both values.

Once you know the value of your assets, you can then prioritize their importance. If an asset is worth $1,000, it needs one level of protection. If another asset is worth $1 million, it needs another level of protection.

NOTE

This section introduces assets and activities related to risk assessment.

It is important that you evaluate only assets that are within the boundary of the RA. Scope creep occurs when you start evaluating assets outside the scope of the RA. This results in wasted time and wasted resources.

When considering the value of an asset, you can look at it from different perspectives:

• Replacement value—This is the cost to purchase a new asset in its place. For example, if a laptop fails or is stolen, the price to purchase a new laptop with similar hardware and software may be $1,500.

• Recovery value—This is the cost to get the asset operational after a failure. For example, if the hard drive on a server fails, you wouldn’t replace the entire server. Instead, you’d replace the hard drive and take steps to recover the system. This may require you to reinstall the operating system and restore data from a backup. You would also consider the time needed to perform the repair. For example, if a repair requires two hours, the system is not available for two hours. If it’s a Web server generating $10,000 an hour in revenue, you would include $20,000 as part of the recovery value.

There are several elements to consider when determining the value of different assets. These include:

• System access and system availability
• System functions
• Hardware and software assets
• Personnel assets
• Data and information assets
• Facilities and supplies

System Access and System Availability

Access and availability refer to how and when the asset needs to be available. Some assets need to be available 24 hours a day, 7 days a week. Other assets only need to be available Monday through Friday during business hours. The more available the asset needs to be, the more risks you have related to outages.

For example, consider a Web server used to sell products over the Internet. Customers may access the Web site at any time. If the Web site is not operational when the customer tries to access it, you have lost a sale. More, you may have lost a customer.

With this in mind, the risk assessment needs to consider the risks associated with this Web site going down at any given time. Additionally, you need to consider how to perform maintenance on the system without taking the Web site down. This includes performing backups of the data. It also includes keeping the system up to date.

The Web server may be one of many servers in a Web farm. It may be one of multiple Web servers in a failover cluster. Both configurations allow a single server to go down while the Web site continues to function. If you run a single server, an outage can be catastrophic.

On the other hand, you could have a file server that is only used internally. Internal employees access it when they are at work. For example, employees may have standard work hours between 8:00 a.m. and 5:00 p.m., Monday through Friday. This schedule gives you extensive time to perform backups or other maintenance when employees are not at work.

System Functions

If a system provides a service, you should consider the functions of the system when determining the asset’s value. Of particular importance is how the functions are performed: manually or through automation.

For example, imagine you’re evaluating the value of e-mail in your organization. Your e-mail system could have multiple elements, including a spam filter. Studies report that as much as 90 percent of the e-mail sent through the Internet is spam. Spam filters will eliminate some of this spam with a goal of not eliminating any valid e-mails.

A spam filter that filters out as much as 30 percent of the spam provides a significant reduction in unwanted e-mail with a high assurance that valid e-mail isn’t filtered. Figure 6-3 shows an e-mail server with a spam appliance added to filter spam.

In the figure, all e-mail is routed from the Internet through the spam appliance. The appliance filters some of the spam and sends the rest of the e-mail to the e-mail server.

With this in mind, what is the value of the spam filter? It uses an automated process so the value is simply the value of the appliance. If it breaks or malfunctions, you can replace it.

However, some spam filters require much more interaction. You could have dedicated technicians who are constantly viewing the filtered spam to ensure it doesn’t include any valid e-mails. These technicians could be adding valid e-mail source addresses to whitelists. They could also be adding known spammers to blacklists.

NOTE

An e-mail whitelist is a list of approved e-mail addresses or e-mail domains. For example, you can add [email protected] to the whitelist to ensure any e-mail from this address is never marked as spam. You could also add the xyz.edu domain to ensure e-mail from anyone in the xyz.edu domain is not marked as spam. Addresses added to a blacklist are automatically marked as spam.
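The note above describes list entries that can be either a full address or a bare domain. The following is an added example, not from the textbook, showing how such a lookup is implemented so that a domain entry covers the domain and its subdomains without also matching look-alike domains. Two assumptions are this example's own: the whitelist is consulted before the blacklist, because the text says whitelisted mail is never marked as spam, and mail on neither list is handed on to the content-based filter rather than decided here. The sample list entries are constructed.

```python
"""Whitelist/blacklist lookup for an inbound sender address.

Added example (not from the textbook). Entries may be full addresses or
bare domains; a domain entry covers the domain and its subdomains.
Assumption: the whitelist is checked first, and anything on neither list
goes on to normal content-based filtering.
"""


def normalize_address(sender):
    """Strip a display name ('Alice <Alice@Example.edu>') and lower-case the address."""
    sender = sender.strip()
    if sender.endswith(">") and "<" in sender:
        sender = sender[sender.rindex("<") + 1:-1]
    return sender.lower()


def domain_matches(domain, listed_domain):
    """True for the domain itself or any subdomain; 'notxyz.edu' does not match 'xyz.edu'."""
    return domain == listed_domain or domain.endswith("." + listed_domain)


def is_listed(address, entries):
    """Check an already-normalized address against address and domain entries."""
    if "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1]
    for entry in entries:
        entry = entry.strip().lower()
        if "@" in entry:
            if entry == address:          # exact address entry
                return True
        elif entry and domain_matches(domain, entry):   # domain entry
            return True
    return False


def classify(sender, whitelist, blacklist):
    """Return 'allow', 'spam', or 'filter' (hand over to the content-based spam filter)."""
    address = normalize_address(sender)
    if is_listed(address, whitelist):
        return "allow"
    if is_listed(address, blacklist):
        return "spam"
    return "filter"


# Constructed sample lists.
WHITELIST = ["xyz.edu", "partner@supplier.example"]
BLACKLIST = ["spammer.example", "dean@xyz.edu"]

if __name__ == "__main__":
    for sender in ["Alice <Alice@Mail.XYZ.edu>", "bob@notxyz.edu", "ads@news.spammer.example"]:
        print(f"{sender:32} -> {classify(sender, WHITELIST, BLACKLIST)}")
```

The `domain_matches` check is the part that is easy to get wrong: a plain `endswith("xyz.edu")` would also admit `notxyz.edu`, which is precisely the sort of look-alike domain a whitelist should not cover.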

FIGURE 6-3 E-mail server with a spam appliance.

IT Appliances

Many IT appliances exist to help make the IT jobs a little easier. Technicians don’t have to know how an appliance works. They just plug it in and it works. Compare this with a toaster. You don’t have to know the technical details of how the toaster works. You put in bread. Hot toast pops out. Of course, even a toaster has some knobs and controls. It does require a little user interaction. A spam appliance works similarly. You give it power, connect the input to receive external e-mail, and send the output to your e-mail server. It automatically filters out some of the spam. Administrators can still interact with the spam filter. They may want to view the filtered spam. They may want to adjust the sensitivity of the spam filter. Many spam filters also allow you to add addresses. They let you always block some or always allow others. A firewall appliance is another example. It needs little configuration after you plug it in. Administrators can still tweak it here and there for special needs. However, it will do most of what is needed right out of the box.

When calculating the value of the manually managed spam appliance, you also need to consider the work done by the administrators. The value may be higher if it takes additional labor and expertise to initially configure it as well as manage it.

Hardware and Software Assets

Hardware assets are any assets that you can physically touch. This includes computers such as laptops, workstations, and servers. It also includes network devices such as routers, switches, and firewalls.

There is a wide range of values among the devices. A simple desktop PC can cost less than $500. However, a high-end server can cost tens of thousands of dollars.

Software assets include both the operating systems and the applications. The operating system is what allows the computer to operate. This could be a Microsoft operating system such as Windows 8 or Windows Server 2012. It could also be a UNIX or Macintosh operating system.

Applications allow you to perform tasks. For example, Microsoft Word is an application that allows you to create and edit documents. Similarly, Oracle is a server-level application used to manage databases.

Operating systems and applications can also have a wide range of costs. For example, the operating system and applications for a desktop PC can range in the hundreds of dollars. However, the operating system and applications for a server can easily range in the thousands of dollars.

Personnel Assets

Personnel assets are also very important to value. An organization that is able to retain personnel often has fewer problems than an organization with a high turnover rate. There are specific things an organization can do to retain valued personnel.

For example, organizations have different levels of benefit packages. These include different types of insurance such as health, dental, and life. They also include retirement plans such as matching 401K contributions. Many organizations also take additional steps to increase the morale and working environment.

The steps you take to retain employees are often dependent on how much you value them. When IT administrators have the high level of knowledge required to keep your network running in good order, they have a high value.

Data and Information Assets

Data and information assets can have different levels of value depending on the data. Most organizations will take steps to identify the classification of data. For example, your organization could identify the following data classifications:

• Public data—This data is freely available to anyone. It may be available via public sources such as news releases or other publications. It could also be freely available via an organization’s Web site.

• Private data—This is internal data. It includes data on employees and customers. Due to its delicate nature, personal data should be protected for fear that the information may be abused, for example, for purposes of identity theft. It may also include data on internal processes.

• Proprietary data—This is highly valuable data. It deserves a lot of protection. If this data is lost, it could seriously affect the company’s profitability. For example, a company could spend millions of dollars on research and development. The goal is to create a product they will sell. If a competitor gets this data, they could beat the company to market and sell the product themselves. The research and development funds would be lost.

Facilities and Supplies

Other items to consider when valuing your assets are the facilities and supplies needed to run your business. You’ll need this information when calculating your insurance needs.

Insurance is one of those items you always want to have but never want to use. It provides a layer of protection if you suffer a loss. However, the loss is rarely painless. Even if the insurance company covers the loss, the process is difficult.

Some organizations may realize that one of their facilities is so important it needs redundancy. In this case, redundancy is another site that can perform the same functions. The three types of alternate sites are:

• Hot site—A location that can take over the operations of another location within a short period. A hot site has all the hardware, software, and data needed to perform the critical functions of the original site. A hot site is the most expensive of the three types of alternate sites.

• Cold site—A building with electricity and running water but little else. You can bring your computers and data to this location and set up operations. A cold site is the least expensive of the three sites. However, it takes the longest time to set up and is the hardest to test.

• Warm site—A compromise between a hot site and a cold site. It may include all the hardware but the data may not be up to date. It may take as long as one or more days to implement a warm site.

The type of alternate site you choose depends on the value of the primary location. You’ll also need to consider the supplies that will be stored there to ensure the alternate location can perform the same type of work. Of course, it’s also possible you don’t need an alternate location at all.

Identifying and Evaluating Relevant Threats

A threat is any potential danger. The danger can be to the data, the hardware, or the systems. A threat assessment is the process of identifying threats.

It’s important to understand how threats interact with risks as a whole. Consider Figure 6-4. This shows the relationship between threats, attacks, vulnerabilities, and loss. A threat creates an attack. The attack exploits a vulnerability. When the threat/vulnerability pair occurs, it results in a loss.

NOTE

This section introduces threats and activities related to risk assessment.

In the diagram, an attacker is presented as a threat. However, a threat can be anything that can compromise confidentiality, integrity, or availability. Remember that threats can be external or internal, natural or man-made, or intentional or accidental.

FIGURE 6-4 Threats and vulnerabilities.

You can use one of two primary methods to identify threats. They are:

• Reviewing historical data
• Performing threat modeling

Reviewing Historical Data

History often repeats itself. This is true in so many areas of life. It’s also true with IT systems. You can save yourself a lot of time by reviewing historical data to identify realistic threats.

When reviewing historical data, you can look for the following events:

• Attacks—If your Web site was attacked before, it’s likely to be attacked again. The success of the next attack depends on the level of protection you implemented since then. The same is true for any type of event.

• Natural events—If hurricanes have hit your location before, they likely will do so in the future. Most organizations that are in risk zones for natural disasters have disaster recovery and business continuity plans in place. This includes disasters such as hurricanes, tornadoes, and earthquakes. These plans should be reviewed, if not tested, on a regular basis, such as once a year.

• Accidents—Accidents can be any accidental event that affects confidentiality, integrity, or availability. This includes users accidentally deleting data. It can also include user errors or mishaps in the workplace.

• Equipment failures—Equipment failures result in outages. Some systems are more prone to failure than others. Additionally, some failures have a much greater impact on the mission of the business. By analyzing past failures, you can often predict future failures. You can identify the systems that will benefit from additional redundant hardware.

Performing Threat Modeling

Threat modeling is a process used to identify possible threats on a system. It attempts to look at a system from the attacker’s perspective. The result of threat modeling is a document called a threat model.

The threat model provides information on:

• The system—This includes background information on the system.

• Threat profile—This is a list of threats. It identifies what the attacker may try to do to the system, including possible goals of the attack. For example, one attack may attempt to take the system down. Another attack may attempt to access data in the system.

• Threat analysis—Each threat in the threat profile is analyzed to determine if an asset is vulnerable. Threat analysis includes reviewing existing controls to determine their effectiveness against the threat.

Threat modeling allows you to prioritize attacks based on their probability of occurring and the potential harm.
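The following added example, not code from the textbook, ties two passages of this chapter together: the asset valuation earlier (replacement value versus recovery value, where recovery value includes the revenue lost while a system is down) and the threat model just described, which ranks threats by probability and potential harm after the threat analysis has judged how effective existing controls are. The scoring formula (annual probability, reduced by control effectiveness, times the loss per occurrence), the choice to value an asset at the higher of its replacement and recovery values, and every sample figure are this example's own assumptions.

```python
"""Threat-profile prioritization with quantified asset values.

Added example (not from the textbook). Asset values follow the chapter's
replacement/recovery views; each threat is scored as expected annual loss
after existing controls. Formula and sample figures are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_cost: float     # price of a like-for-like new asset
    repair_parts_cost: float    # parts needed to recover after a failure
    repair_hours: float         # hours the asset is unavailable during recovery
    revenue_per_hour: float = 0.0   # income lost for every hour of outage

    def replacement_value(self):
        return self.replacement_cost

    def recovery_value(self):
        """Parts plus the revenue lost during the repair window."""
        return self.repair_parts_cost + self.repair_hours * self.revenue_per_hour

    def value(self):
        """Assumption: protect the asset at the higher of the two views."""
        return max(self.replacement_value(), self.recovery_value())


@dataclass
class Threat:
    name: str
    asset: Asset
    annual_probability: float        # chance of at least one occurrence per year (0..1)
    exposure: float                  # fraction of the asset value lost per occurrence (0..1)
    control_effectiveness: float = 0.0   # how much existing controls cut the probability (0..1)

    def __post_init__(self):
        # Reject out-of-range inputs early; a typo here silently distorts the ranking.
        for field_name in ("annual_probability", "exposure", "control_effectiveness"):
            v = getattr(self, field_name)
            if not 0.0 <= v <= 1.0:
                raise ValueError(f"{field_name} must be between 0 and 1, got {v}")

    def single_loss(self):
        """Harm from one occurrence."""
        return self.asset.value() * self.exposure

    def residual_annual_loss(self):
        """Expected yearly loss after existing controls are taken into account."""
        residual_probability = self.annual_probability * (1.0 - self.control_effectiveness)
        return residual_probability * self.single_loss()


def prioritize(threats):
    """Highest expected loss first; ties broken by threat name for a stable report."""
    return sorted(threats, key=lambda t: (-t.residual_annual_loss(), t.name))


def sample_threat_model():
    """Constructed figures: a revenue-generating Web server and a staff laptop."""
    web = Asset("Web server", replacement_cost=8000, repair_parts_cost=500,
                repair_hours=2, revenue_per_hour=10000)
    laptop = Asset("Laptop", replacement_cost=1500, repair_parts_cost=0, repair_hours=0)
    return [
        Threat("Disk failure on Web server", web, 0.25, 1.0, control_effectiveness=0.8),
        Threat("Denial of service against Web server", web, 0.5, 1.0, control_effectiveness=0.6),
        Threat("Laptop theft", laptop, 0.3, 1.0),
    ]


if __name__ == "__main__":
    for t in prioritize(sample_threat_model()):
        print(f"{t.residual_annual_loss():>10,.0f}  {t.name}")
```

Note how the ranking is driven by the recovery view: the Web server's replacement cost is modest, but two hours of lost revenue makes the downtime threats dominate the laptop theft even after the controls are credited.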

Identifying and Evaluating Relevant Vulnerabilities

Recall that a vulnerability is a weakness. It can be a weakness in physical security, technical security, or operational security. It can be procedural, technical, or physical.

Two things are certainly related to vulnerabilities:

• All systems have vulnerabilities—You can’t eliminate all vulnerabilities any more than you can eliminate all risks. Your goal is to identify the relevant vulnerabilities. You can then choose to implement controls to reduce the weakness.

• Not all vulnerabilities result in a loss—It’s only when the threat and vulnerability come together as a threat/vulnerability pair that a loss occurs. You only need to identify and evaluate the relevant vulnerabilities.

NOTE

This section introduces the identification and evaluation of vulnerabilities process.

One of the ways to identify and evaluate vulnerabilities is by using assessments. The two primary assessments are:

• Vulnerability assessments
• Exploit assessments

Vulnerability Assessments

A vulnerability assessment is a process used to discover weaknesses in a system. The assessment will then prioritize the vulnerabilities to determine which weaknesses are relevant.

You can perform vulnerability assessments internally or externally. An internal assessment attempts to discover weaknesses from within the network. An external assessment attempts to discover what attackers outside the company may see.

A vulnerability assessment often starts by gathering information. Vulnerability scanners perform network reconnaissance. This is similar to an enemy scouting out a target to evaluate it and identify the best method of attack. A vulnerability assessment may have multiple goals, such as:

• Identify IP addresses—Ping scanner tools identify which IP addresses are in use. If the system responds to a ping, you know it is operational with this IP address.

• Identify names—You can use “whois” tools to identify the name of a computer from the IP address. This works for computers on the Internet.

• Identify operating systems—A fingerprinting tool can tell you what operating system is running on an IP address. The tool sends traffic to and receives traffic from the system. It then analyzes the traffic to determine which operating system is running. For example, a Microsoft operating system includes unique bits in some Internet Control Message Protocol (ICMP) traffic. These bits verify that it is a Microsoft product. Similarly, some UNIX and Linux operating systems include bits in ICMP packets that identify those operating systems.

• Identify open ports—A port scan identifies open ports. This tells you which protocols are running and what services are running. For example, if port 80 is open, the Hypertext Transfer Protocol (HTTP) is running on the system. This indicates it is a Web server.

• Identify weak passwords—A password cracker determines the password for one or more accounts. The success of the password cracker largely depends on the strength of the password. In other words, a password cracker can discover weak passwords.

• Capture data—Data transferred over the network can be captured with a protocol analyzer and examined. You can then read anything that was transmitted in cleartext (unencrypted), including credentials sent by protocols such as Telnet, FTP, or plain HTTP.
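The reconnaissance steps above, as an added example that is not part of the chapter: a small TCP connect scanner in Python that also grabs service banners and performs the reverse-DNS lookup, using only the standard library. The target is a fake service the script starts on 127.0.0.1 and the port-to-service hints are an assumed table; both are constructed for illustration, not real assessment data.

```python
"""Added example (not from the chapter): a TCP connect scan with banner grabbing
and a reverse-DNS lookup, standard library only. The fake service and the port
hint table are constructed for illustration."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Well-known port numbers only suggest a service. The banner (or a full service
# probe) is what confirms it, because anything can listen on any port.
PORT_HINTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https", 3306: "mysql"}


def reverse_lookup(ip):
    """PTR lookup, the job that 'dig -x' or 'nslookup' does (whois does not)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def probe_port(host, port, timeout=1.0):
    """Return (port, is_open, banner). A completed connect() means the port is
    open; the banner is whatever the service volunteers before the timeout."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return port, False, ""
    with sock:
        try:
            banner = sock.recv(256).decode("utf-8", "replace").strip()
        except OSError:  # timed out or reset: open, but the service waits for us to talk first
            banner = ""
    return port, True, banner


def scan(host, ports, timeout=1.0, workers=32):
    """Probe ports concurrently; return {port: {"hint": ..., "banner": ...}} for open ones."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, is_open, banner in pool.map(lambda p: probe_port(host, p, timeout), ports):
            if is_open:
                found[port] = {"hint": PORT_HINTS.get(port, "unknown"), "banner": banner}
    return found


def start_fake_service(banner):
    """Constructed target: a listener on 127.0.0.1 that sends 'banner' to each
    client and hangs up. Returns the port it was bound to."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner.encode())

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


def closed_port():
    """A port that is (almost certainly) closed: bind an ephemeral port, then release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    target = "127.0.0.1"
    ssh_like = start_fake_service("SSH-2.0-OpenSSH_8.9\r\n")
    report = scan(target, [ssh_like, closed_port(), 80])
    print("name:", reverse_lookup(target))
    for port, info in sorted(report.items()):
        print(f"{port}/tcp open  hint={info['hint']:<8} banner={info['banner']!r}")
```

The fake service's port is not in the hint table, yet its banner identifies it as SSH-like: the banner, not the port number, is the evidence. Against a real target, scan only hosts you are authorized to test.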

If you need to perform vulnerability assessments, you can choose from many different tools. Some tools perform only a specific function, such as only translating an IP address to a name. Other tools include multiple functions. This is similar to Microsoft Office, which includes a full suite of applications.

Some of the commonly used vulnerability assessments tools are:

• Nmap—Nmap is a network mapping tool. It combines host discovery (ping and other probes to find live IP addresses) with a port scanner to determine open ports. It then uses other techniques, such as service and version detection and operating system fingerprinting, to discover details of the remote system. Nmap is free and open source.

• Nessus—Nessus is a commercial vulnerability scanner from Tenable (formerly Tenable Network Security). It goes well beyond port scanning: it can run Nmap or another port scanner for discovery, then detect missing patches and common configuration weaknesses on the systems it finds, and it can check services for default or weak credentials. Tenable regularly extends Nessus by publishing new checks in the form of plugins.

• SAINT—SAINT is an acronym for System Administrator’s Integrated Network Tool. Just as Nessus is a full suite of tools, SAINT is also a full suite of vulnerability tools. Saint Corporation sells SAINT and other security tools.

Exploit Assessments

An exploit assessment attempts to discover what vulnerabilities an attacker can exploit. Exploit assessments are also referred to as penetration tests. You usually start an exploit assessment with a vulnerability assessment. After you discover weaknesses, you attempt the exploit.

There is a significant difference between the exploit assessment and the vulnerability assessment. Specifically, an exploit assessment is intrusive. The goal is to test the exploit, and a successful exploit can crash a service, corrupt data, or otherwise disrupt operations. With this in mind, you should be cautious when performing exploit assessments: obtain written authorization from the system owner, agree on the scope and rules of engagement (which systems, which techniques, and what is off limits), schedule the test in a maintenance window where possible, and confirm that current backups exist before you begin.

Many of the popular vulnerability assessment suites include tools you can use to perform exploit assessments.

NOTE

You perform a vulnerability assessment to discover weaknesses. However, it’s important to realize that attackers can perform the same steps.

Identifying and Evaluating Countermeasures

A countermeasure is a security control or a safeguard. You implement a countermeasure to reduce a risk. You can reduce a risk by reducing vulnerabilities or by reducing the impact of the threat.

When identifying and evaluating the countermeasures, you should consider:

• In-place controls—These are controls that are currently installed in the operational system.

• Planned controls—These are controls that have a specified implementation date.

NOTE

This section introduces the identification and evaluation of countermeasures.

In-Place and Planned Countermeasures

Countermeasures cost money. Prior to purchasing a countermeasure, an organization will evaluate its options. During its evaluation of alternative countermeasures, the organization will gather relevant documentation. When performing a risk assessment, you should retrieve the documentation for these controls and review it. This documentation can reveal several things to you.

If the control is in place, you can measure its effectiveness. Ideally, countermeasures are as effective as you expect them to be. Some aren't. You may have added an intrusion detection system and found that, because of the high rate of false alarms, administrators ignore it. You may have added a spam appliance and found that it marks valid e-mail as spam.

If an in-place countermeasure is not effective, you’ll want to know why. The risk assessment can include an evaluation of this control to determine what to do differently. If the control is effective, that’s also important to know.

You probably won’t change planned countermeasures. However, it is still valuable to review the documentation that recommended them. You can evaluate the current systems to ensure the original threats and vulnerabilities still exist. Additional tools or techniques may also exist that will allow you to enhance the original recommendations.

Control Categories

There are several ways that controls are organized or classified. One of the popular methods is to define them based on these three categories:

• Procedural controls

• Technical controls

• Physical controls

The following sections explain these three categories. However, you may also see different categories. The National Institute of Standards and Technology (NIST) has published many documents related to information security. SP 800-53 Revision 4, titled “Security and Privacy Controls for Federal Information Systems and Organizations,” was released in April 2013. Revision 5, published in September 2020, has since superseded it and reorganized the catalog again, so check which revision your organization has adopted before you map controls to it.

NIST SP 800-53 previously classified each control as a management, technical, or operational control. However, some controls within each family combined management, technical, and operational aspects, so NIST removed these class designations in SP 800-53 Revision 4. Table 6-1 shows the NIST control families.

No matter how the controls are listed, the goals are the same. These controls protect the confidentiality, integrity, and availability of systems and data.

TABLE 6-1 NIST control families.

CONTROL FAMILIES NUMBER OF CONTROLS

Access Control 23

Awareness and Training 4

Audit and Accountability 16

Security Assessment and Authorization 8

Configuration Management 11

Contingency Planning 12

Identification and Authentication 11

Incident Response 10

Maintenance 6

Media Protection 8

Physical and Environmental Protection 19

Planning 6

Personnel Security 8

Risk Assessment 5

System and Services Acquisition 20

System and Communications Protection 41

System and Information Integrity 16

Program Management 16

Procedural Controls

Procedural controls are the controls placed in response to the rules and guidelines directed by upper-level management. These include several specific controls. However, one important point about procedural controls is that they are implemented with a written document.

Some examples of procedural controls are:

NOTE

Previous versions of NIST SP 800-53 referred to procedural controls as administrative controls.

• Policies and procedures—This may be an organization’s security policy. It can also be the specific procedures used to back up a server, for example.

• Security plans—These are comprehensive plans to help an organization deal with different events. For example, a disaster recovery plan helps an organization plan for a disaster, such as a hurricane or earthquake.

• Insurance—Insurance can reduce the impact of a risk. Common examples include fire insurance and flood insurance.

• Personnel checks—An organization may have policies in place to perform different types of checks on personnel. This could include background checks or financial checks.

• Awareness and training—Many organizations regularly take steps to raise the security awareness of personnel. This can be done through formal training, posters, and e-mails, for example.

• Rules of behavior—Many organizations use acceptable use policies (AUPs) to let people know what they can do with computers and systems. This is often a document that users read and sign when they are hired. It’s common to require employees to review the documents on a regular basis, such as once a year.

Technical Controls

A technical control uses computers or software to protect systems. The benefit is that the control is automated. You can set it once and it will consistently enforce the control.

Some examples of technical controls are:

• Login identifier—Users are required to provide credentials before you grant access to the system. Supplying the identifier (the username) is identification; proving that the identifier belongs to you is authentication. Three primary factors of authentication exist:

  • Something you know, such as a password or PIN

  • Something you have, such as a smart card

  • Something you are, as captured by biometrics

• Session timeout—Many systems automatically time out after a period of inactivity. For example, a password-protected screen saver locks a computer after a specific number of minutes. When the time has passed, the screen saver starts and the user must enter credentials before accessing the system again.

• System logs—System logs log activity performed by systems, users, or attackers. For example, a system log can identify when a server is shut down, or when specific services are stopped or started. Application logs can log specific application activity.

• Audit trails—You can use many types of audit logs to create an audit trail. A security log can log all access to specific files. A firewall log can log all traffic entering or leaving a network.

• Input validation—Applications can use data range and reasonableness checks to validate data before using it. As a simple example, it is not possible to divide by zero. A program that accepts values used in a divide operation can ensure the value is not zero before using it.

• Firewalls—Network firewalls can control traffic coming in and out of a network. Host- based firewalls can restrict traffic for individual systems.

• Encryption—You can encrypt data when it is stored on a drive or when it is transmitted over a network. This provides confidentiality of the data.
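Input validation as a technical control, and the SQL injection risk discussed later in this chapter, as an added example that is not from the book: a Python function that builds a query by string concatenation beside one that validates its input and binds a parameter, with the divide-by-zero check alongside. The orders table, its rows, and the customer-handle rule are constructed for illustration.

```python
"""Added example (not from the chapter): input validation and a parameterized
query as technical controls against SQL injection, plus the chapter's
divide-by-zero reasonableness check. The orders table and rows are constructed."""
import re
import sqlite3


def make_db():
    """Constructed sample data: three orders belonging to two customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 40.0), (2, "alice", 12.5), (3, "bob", 99.0)])
    return conn


def orders_vulnerable(conn, customer):
    """Weak version: the untrusted value is spliced into the SQL text, so a quote
    in the input rewrites the query instead of being compared as data."""
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


# Allow-list rule (an assumption for this example): a customer handle is 1 to 32
# lowercase letters, digits or underscores. Reject anything else; do not "clean" it.
CUSTOMER_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_customer(customer):
    return CUSTOMER_RE.fullmatch(customer) is not None


def orders_parameterized(conn, customer):
    """Bound parameter: the driver sends the value separately from the SQL, so an
    injection payload is just a customer name that matches nothing."""
    return [row[0] for row in
            conn.execute("SELECT id FROM orders WHERE customer = ?", (customer,))]


def orders_safe(conn, customer):
    """Both controls together: validate at the boundary, then bind the parameter.
    Validation rejects bad input early and keeps the rule auditable; the bound
    parameter is what makes injection impossible even if a later rule is looser."""
    if not is_valid_customer(customer):
        raise ValueError("invalid customer id")
    return orders_parameterized(conn, customer)


def safe_divide(total, count):
    """The chapter's reasonableness check: confirm the divisor before dividing."""
    if count <= 0:
        raise ValueError("count must be positive")
    return total / count


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", orders_vulnerable(db, payload))        # every order leaks
    print("parameterized:", orders_parameterized(db, payload))  # nothing matches
    print("validated:", is_valid_customer(payload))             # rejected before the query
```

Run it to see the concatenated query return every row for the payload while the parameterized query returns none and validation rejects the payload outright. The same separation of data from code is the fix for the buffer-overflow and Web-defacement risks ranked later in the chapter: validate length and content at the boundary, and never let input become part of an instruction.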

Physical Controls

A physical control controls the physical environment. This includes controls such as locks and guards to restrict physical access. It also includes elements to control the environment, such as heating and cooling systems.

Some examples of physical controls are:

• Locked doors—You can lock server rooms to protect your servers. You can lock wiring closets that host routers and switches. You can also protect proprietary data, such as employee files or research data, by locking doors and filing cabinets.

• Guards and access logs—You can have guards control access to sensitive areas. This can be at the front entrance of a building or in internal areas. You can use an access log to list individuals who have authorized access. The guard then only allows access to personnel on this list. You can also use access logs to record individuals who have accessed a room.

• Video cameras—Cameras can monitor areas on a continuous basis. Many closed circuit television (CCTV) systems can record data from multiple cameras. CCTV systems work very well as a deterrent.

• Fire detection and suppression—A fire can destroy a significant amount of data and hardware in a very short period. Effective detection and suppression systems detect the fire before it gets too big. They then quickly extinguish it.

• Water detection—Some areas are prone to flooding. When water is detected, pumps can be turned on automatically to remove the water. If the flooding can’t be controlled, the detection system can turn off electrical systems to reduce possible damage.

• Temperature and humidity detection—Systems need to operate within certain temperature ranges. If they get too hot, electrical components overheat and fail. High humidity can cause condensation on the systems that can also cause failures. Heating, ventilation, and air conditioning (HVAC) systems control the temperature and humidity.

• Electrical grounding and circuit breakers—Proper grounding ensures that dangerous voltage is routed to ground when electronic systems fail. This protects equipment and personnel. Circuit breakers protect systems and wiring. When a failure results in excess current, the circuit breaker will pop before the excess current can start a fire or damage the equipment.

Selecting a Methodology Based on Assessment Needs

Once you have identified and evaluated the elements individually, you need to calculate the associated risk. The two primary methodologies that you can use are:

• Quantitative

• Qualitative

Quantitative

The quantitative method uses predefined formulas. You need to use the data you collected to identify the following values:

• Single loss expectancy (SLE)—This is the expected loss from any single incident, expressed in monetary terms, such as $1,000. You can derive it as the asset value multiplied by the exposure factor, the fraction of the asset's value that one incident destroys.

• Annual rate of occurrence (ARO)—This is the number of times you expect the loss to occur each year. For example, the risk may have occurred four times last year, so the ARO is four.

• Annual loss expectancy (ALE)—You can calculate ALE as SLE × ARO. For example, it could be $1,000 × 4 or $4,000.

• Safeguard or control value—This is the cost of the countermeasure or the control. You express this in monetary terms.

You implement a control to reduce the risk. The control does this by lowering the ARO (the incident happens less often), the SLE (each incident costs less), or both. If the ARO was four before the control, it should be less than four after the control. Recalculate the ALE with the new values, and then compare the cost of the control with the savings, which is the ALE before the control minus the ALE after it.

For example, consider the following scenario. A Web site generates revenue of $5,000 an hour. In the past two years, it has suffered two hard drive failures. Each year, one of the several hard drives in the system has failed. Each failure has resulted in about three hours of downtime. The hard drive cost was about $300. What is the SLE, ARO, and ALE?

• The SLE is $15,300. You calculate this as $5,000 × 3 for the outage. You then add $300 for the new hard drive.

• The ARO is 1. Historically, the outage has occurred once a year. If you don’t take steps to reduce the risk, it will likely occur once each year.

• The ALE is $15,300. You calculate this as $15,300 × 1.

This example doesn’t include intangible costs. For example, a customer who visited the Web site when it was down may never come back. The cost to get this customer back, or to get another customer, is an intangible cost.

You may decide that a hardware redundant array of independent disks (RAID) can eliminate this risk. You've identified a hardware RAID that costs $3,000. It includes several disk drives. If any single drive fails, the RAID detects the failure and keeps running on the remaining drives while you replace the failed one. In other words, the failure of a drive will not cause the system to fail. The drive-failure ARO stays at 1 (a drive still fails about once a year), but the ARO of an outage drops from 1 to 0, so the SLE of a failure falls from $15,300 to the $300 replacement drive.

Is it cost effective to implement this RAID? You determine this by comparing three pieces of information:

• ALE before control—This is $15,300.

• Cost of control—The hardware RAID costs $3,000.

• ALE after control—This is $300 ($300 × 1). A hard drive in the RAID might still fail, which still costs $300 for the replacement drive. However, the RAID prevents the outage. The annual savings are therefore $15,300 minus $300, or $15,000.

If the cost of the control is less than the savings (ALE before the control minus ALE after the control), the cost is justified. In other words, you are spending $3,000 to save $15,000 a year. This results in a net savings of $12,000 in the first year.

On the other hand, if the cost of the control was $50,000, the cost is not justified based on a single year of data. You would spend $50,000 to save $15,000, which puts you in the hole. If the cost of the control is close to the savings, or exceeds the savings for a single year, calculate the return on investment over the control's expected service life instead. At $15,000 a year, the $50,000 control pays for itself in a little over three years.

NOTE

The mean time between failure (MTBF) gives a reliability estimate for hard drives. RAID hard drives often have a higher MTBF than standard hard drives. For simplicity, the ALE after control calculation assumes all the drives have the same MTBF.
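The SLE, ARO, ALE and cost comparison above, carried through in Python as an added example that is not from the chapter. The dollar figures are the chapter's RAID scenario; the years and annual_maintenance parameters are an extension for the multi-year return-on-investment case the text mentions.

```python
"""Added example (not from the chapter): SLE, ARO and ALE, and the cost-benefit
comparison, applied to the chapter's RAID scenario and extended to several years.
Figures are the chapter's; the maintenance-cost parameter is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    sle: float  # single loss expectancy, dollars per incident
    aro: float  # annual rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro  # annual loss expectancy


def cost_benefit(before: Risk, after: Risk, control_cost: float,
                 years: int = 1, annual_maintenance: float = 0.0) -> dict:
    """Compare what the control saves each year (ALE before minus ALE after)
    with what it costs over 'years'. The control is justified when the savings
    over the period exceed its total cost; payback_years says how soon."""
    savings_per_year = before.ale - after.ale
    total_cost = control_cost + annual_maintenance * years
    net_benefit = savings_per_year * years - total_cost
    payback_years = control_cost / savings_per_year if savings_per_year > 0 else float("inf")
    return {
        "ale_before": before.ale,
        "ale_after": after.ale,
        "savings_per_year": savings_per_year,
        "total_cost": total_cost,
        "net_benefit": net_benefit,
        "payback_years": payback_years,
        "justified": net_benefit > 0,
    }


# Chapter scenario: $5,000/hour site, one drive failure a year, three hours down, $300 drive.
REVENUE_PER_HOUR = 5000
OUTAGE_HOURS = 3
DRIVE_COST = 300
NO_RAID = Risk(sle=REVENUE_PER_HOUR * OUTAGE_HOURS + DRIVE_COST, aro=1)
# With RAID a drive still fails about once a year (ARO unchanged), but the failure
# no longer causes an outage, so the SLE drops to the replacement drive alone.
WITH_RAID = Risk(sle=DRIVE_COST, aro=1)


def raid_scenario(control_cost: float, years: int = 1) -> dict:
    return cost_benefit(NO_RAID, WITH_RAID, control_cost, years)


if __name__ == "__main__":
    for cost, years in ((3000, 1), (50000, 1), (50000, 5)):
        r = raid_scenario(cost, years)
        print(f"control ${cost:,} over {years} yr: net ${r['net_benefit']:,.0f}, "
              f"payback {r['payback_years']:.1f} yr, justified={r['justified']}")
```

The three runs reproduce the chapter's conclusions: the $3,000 RAID nets $12,000 in year one, the $50,000 alternative loses $35,000 on a one-year view, and the same $50,000 control is justified once you evaluate it over five years.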

Qualitative

You often don't have access to the actual costs, or the costs aren't easy to calculate. You can instead use a qualitative methodology. A qualitative methodology uses the opinions of experts to determine two primary data points:

• Probability—This is the likelihood that the risk will occur. You can express it in words, such as Low, Medium, or High. You can also express it in a percentage, such as 10 percent, 50 percent, or 100 percent.

• Impact—This identifies the magnitude of the loss if the risk occurs. You can express it in words, such as Low, Medium, or High. You can also express it as a number in a range, such as 1 to 10 or 1 to 100.

The probability and impact allow you to rank the risks. This ranking allows you to prioritize the most important and least important risks. For example, imagine you are evaluating buffer overflow attacks, SQL injection attacks, and Web defacing for a Web server.

TABLE 6-2 Qualitative analysis survey with existing controls.

RISK PROBABILITY IMPACT

Buffer overflow 10 percent 50

SQL injection attacks 75 percent 90

Web defacing 25 percent 25

Experts have provided you with the data shown in Table 6-2. They provided this input based on the current controls protecting the server.

You can now prioritize each of these risks:

• Buffer overflow—Risk score of 5. You calculate this as .10 × 50.

• SQL injection attacks—Risk score of 67.5. You calculate this as .75 × 90.

• Web defacing—Risk score of 6.25. You calculate this as .25 × 25.

This clearly shows you that the highest risk based on current controls is from SQL injection attacks. You can now identify controls to mitigate this risk.

You can then query the experts to identify the controls that will provide the best gain. You can use a similar survey that identifies the probability and impact of a risk after implementation of a control.
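The qualitative ranking above, as an added example that is not from the chapter: Python that averages several experts' answers, scores and ranks the risks, and re-scores them for a proposed control. The two-expert survey is constructed so that its averages reproduce Table 6-2; the word-to-number scales and the post-control answers are assumptions.

```python
"""Added example (not from the chapter): aggregate expert opinions into probability
and impact, rank risks by probability x impact, and measure the gain from a
proposed control. Surveys and word scales below are constructed assumptions."""

# Experts may answer in words; map them to numbers before averaging (assumed scale).
PROBABILITY_WORDS = {"low": 0.10, "medium": 0.50, "high": 0.90}
IMPACT_WORDS = {"low": 10, "medium": 50, "high": 90}


def _numeric(value, scale):
    return scale[value.lower()] if isinstance(value, str) else float(value)


def aggregate(survey):
    """survey: {risk: [(probability, impact), ...]}, one tuple per expert.
    Returns {risk: (mean probability, mean impact)}."""
    out = {}
    for risk, answers in survey.items():
        probs = [_numeric(p, PROBABILITY_WORDS) for p, _ in answers]
        impacts = [_numeric(i, IMPACT_WORDS) for _, i in answers]
        out[risk] = (sum(probs) / len(probs), sum(impacts) / len(impacts))
    return out


def rank(survey):
    """Score = probability x impact, highest first. Scores are rounded so that
    floating-point noise cannot reorder what are really ties."""
    scores = {r: round(p * i, 4) for r, (p, i) in aggregate(survey).items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def expected_gain(before, after):
    """Drop in score for each risk if the control is implemented: a quick way to
    compare which of several proposed controls buys the most."""
    b, a = dict(rank(before)), dict(rank(after))
    return {r: round(b[r] - a.get(r, b[r]), 4) for r in b}


# Constructed survey: two experts whose averages equal Table 6-2.
CURRENT = {
    "Buffer overflow": [(0.10, 40), (0.10, 60)],
    "SQL injection": [(0.70, 90), (0.80, 90)],
    "Web defacing": [(0.20, 30), (0.30, 20)],
}

# The same experts asked again, assuming input validation and parameterized
# queries are added for the Web application (assumed answers).
AFTER_SQLI_CONTROL = {
    "Buffer overflow": [(0.10, 40), (0.10, 60)],
    "SQL injection": [("low", 90), (0.10, 90)],
    "Web defacing": [(0.20, 30), (0.30, 20)],
}


if __name__ == "__main__":
    for risk, score in rank(CURRENT):
        print(f"{risk:<16} {score:6.2f}")
    print("gain from SQL injection control:", expected_gain(CURRENT, AFTER_SQLI_CONTROL))
```

Note that the impact of SQL injection does not change after the control; only the probability does. A control that reduced impact instead (for example, keeping less sensitive data in the database) would show up in the other factor, and the gain calculation treats both the same way.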

Developing Mitigating Recommendations

After performing the analysis, you can provide specific recommendations. These recommendations should mitigate the risks. You can include the data you’ve collected to support the recommendations.

Supporting data may include:

• Threat/vulnerability pairs

• Estimate of cost and time to implement

• Estimate of operational impact

• Cost-benefit analysis

Threat/Vulnerability Pairs

The recommended controls should address specific risks. As a reminder, a risk occurs when a threat exploits a vulnerability. If a threat doesn't exist to exploit a vulnerability, a risk doesn't exist. Similarly, if a vulnerability doesn't exist that a threat can exploit, a risk doesn't exist.

For example, malicious software is a very real threat. However, if you create an isolated system that will never connect to the Internet or accept data from other sources, it is not vulnerable. In this example, a threat/vulnerability pair doesn’t exist. The threat can’t be matched to a vulnerability. In contrast, consider a typical computer system. It has access to the Internet, accepts e-mail, and allows users to connect universal serial bus (USB) devices. It is highly vulnerable.

A control needs to address specific threat/vulnerability pairs. Each recommendation will address one or more threat/vulnerability pairs. If you can’t associate a control with a threat/vulnerability pair, you don’t need the control. This becomes an easy check for the validity of the control.

Many controls will address several threat/vulnerability pairs. If the control will mitigate several pairs, you should list each of them.
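The validity check described above (a control that maps to no threat/vulnerability pair is not needed), as an added example that is not from the chapter: a Python function that checks a small constructed register of pairs and recommended controls in both directions. The pair identifiers and control names are illustrative.

```python
"""Added example (not from the chapter): check that every recommended control
addresses at least one threat/vulnerability pair, and that every pair has a
control. The register below is constructed."""


def check_mapping(pairs, controls):
    """pairs: {pair_id: (threat, vulnerability)}
    controls: {control_name: set of pair_ids the control mitigates}
    Returns controls that mitigate nothing (drop or re-justify them), pairs that
    no control addresses (risk remains there), and references to pair ids that
    are not in the register (usually a typo in the recommendation)."""
    known = set(pairs)
    orphan_controls = sorted(name for name, ids in controls.items() if not (ids & known))
    covered = set()
    for ids in controls.values():
        covered |= ids
    unmitigated = sorted(known - covered)
    unknown_refs = sorted((name, pid) for name, ids in controls.items() for pid in ids - known)
    return {
        "orphan_controls": orphan_controls,
        "unmitigated_pairs": unmitigated,
        "unknown_refs": unknown_refs,
    }


def coverage(pairs, controls):
    """How many controls address each pair. Several controls on one pair is
    normal (defense in depth); zero is what the assessment must flag."""
    return {pid: sum(1 for ids in controls.values() if pid in ids) for pid in pairs}


# Constructed register of (threat, vulnerability), keyed by a pair id.
PAIRS = {
    "TV1": ("malware", "users open e-mail attachments"),
    "TV2": ("worm", "unpatched network service"),
    "TV3": ("external attacker", "SQL injection in the Web application"),
    "TV4": ("flood", "server room below grade with no water detection"),
}

# Constructed recommendations; each lists the pairs it is meant to mitigate.
CONTROLS = {
    "attachment filtering": {"TV1"},
    "patch management": {"TV2"},
    "parameterized queries": {"TV3"},
    "Web application firewall": {"TV3"},
    "new colour printer": set(),   # tied to no pair at all: not a countermeasure
    "water detection": {"TV5"},    # refers to a pair id that is not in the register
}


if __name__ == "__main__":
    report = check_mapping(PAIRS, CONTROLS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("coverage:", coverage(PAIRS, CONTROLS))
```

The run flags the printer as a control with no pair, the water-detection recommendation as pointing at a pair that was never recorded (so the flood pair TV4 still shows as unmitigated until the reference is corrected), and TV3 as covered twice, which is a reasonable place to ask whether both controls are worth their cost.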

Estimate of Cost and Time to Implement

You should include the cost of the control in the recommendation. This will be included in the cost-benefit analysis. It's important to accurately identify this cost by including both direct and indirect costs.

The direct cost is the purchase of the control. However, indirect costs aren’t always easy to identify. For example, the indirect costs could include the labor needed to learn the control. They could also include the cost of training.

A common mistake is underestimating the costs needed to implement a control. For example, a sophisticated firewall may require a trained administrator. If you acquire a firewall but your administrators don’t have the knowledge to use it, it will sit idle. Administrators will then need to master it on their own or attend a formal class. In the interim, the firewall sits in the box.

You should also include a schedule or time to implement the control. For simple controls, the time can be negligible. For other controls, the time can be extensive. For example, imagine you decide to increase security when users log on. Instead of using usernames and passwords, you decide to use smart cards. This will require a phased approach. You’ll add a public key infrastructure (PKI) to issue certificates. You’ll need to add card readers to all systems. You can then issue smart cards to users.

Estimate of Operational Impact

Countermeasures can sometimes consume so many system resources that the system is unable to perform its primary job. If a control has any effect on the system's normal operations, it has an operational impact. You can identify the operational impact of a control as negligible, low, medium, high, or overwhelming. Ideally, a control will have very little impact on normal operations. If the impact is too high, you may not be able to use the control. It's important to consider the operational impact while developing recommendations.

Any computer system has four primary resources. If a control has an operational impact, it will usually show up in one of these resources. These are:

• Processor—The processor performs the majority of the computing work. Desktop PCs usually have a single multicore processor. Servers often have multiple processors. Countermeasures can consume a significant amount of processing power. If the server's processor usage peaks close to 100 percent, the system slows to a crawl.

• Memory—The processor can only work with data that is in memory. The amount of memory in a system is often a limiting factor. If the system is low on memory, it swaps data back and forth between memory and the disk drive. This swapping slows down the system considerably.

• Disk—The capacity and speed of the disk subsystem is important to consider. Countermeasures often require a minimum amount of disk space. Additionally, data is stored on the disk until needed by the processor. When the processor needs the data, it swaps it into the memory. If the speed of the disk is slow, it may slow down the system.

• Network interface card (NIC)—A computer uses a NIC to access resources on the network. If the control you're considering will transfer data on the network, you should consider the current bandwidth of the NIC.

Overwhelming Countermeasures

One organization spent over $10,000 to implement a security control it wasn't able to use. A little planning could have prevented this loss. As background, you can use a host-based intrusion detection system (HIDS) as a security control. It's installed on individual systems. HIDS is used in addition to antivirus (AV) software. The AV software detects and prevents malware attacks. HIDS detects intrusion attacks on the system. This organization had AV software installed on the systems. The organization then purchased and installed the HIDS. The combination of the AV and HIDS software overwhelmed the resources of the systems. The processor usage started peaking close to 100 percent. Even simple tasks such as launching a word processor took a long time. The company removed the HIDS from all the systems. Over time, the systems were upgraded and the HIDS was added onto the newer systems. However, this proved embarrassing for the manager who approved the purchase of the HIDS.

Cost-Benefit Analysis

You should include a cost-benefit analysis (CBA) to support your recommendations. A CBA shows that the cost is justified. Ideally, the CBA will show that you can spend a small amount of money up front to save a lot of money in the long term. The CBA is an important tool needed by management to justify the cost.

As demonstrated earlier, a quantitative RA includes dollar figures. You can use the dollar figures in the CBA. A qualitative RA doesn’t include direct dollar figures. When using the qualitative RA, you need to take additional steps to create the CBA.

Presenting Risk Assessment Results

After you complete the RA, you create a report documenting the results. Presenting the results has two phases.

In the first phase, you present the recommendations to management. As a reminder, management decides which recommendations to implement. It’s possible that management won’t approve every recommendation.

Management may determine that the CBA for a recommendation doesn’t justify the cost. For another recommendation, they may decide they want to accept the risk. Any risk that remains after controls are implemented is a residual risk. Because management decides which controls to implement, management is also responsible for the residual risks.

In the second phase, you document the decisions made by management. You then create a plan of action and milestones (POAM). You can use the POAM to track and monitor the controls. The POAM helps ensure the controls are implemented. It also helps track the actual costs.

Best Practices for Performing Risk Assessments

There are several steps you can take to ensure success when performing RAs. The following list identifies some best practices for performing RAs:

• Ensure systems are fully described—This includes both the operational characteristics and the mission of the system. It’s also important to ensure that you have current data. IT systems change as they are upgraded and improved. If current documentation isn’t used, resources are wasted.

• Review past audits—If audits have been performed, ensure you review the results. Audits identify vulnerabilities and often include specific recommendations. These recommendations either should be in place or planned.

• Review past risk assessments—If a previous RA was performed, you should review it. Some systems are assessed on a regular basis, such as every year or every three years. You can review this information and compare it with recent activity. For example, new threats or vulnerabilities may have resulted in outages that weren’t previously addressed.

• Match the RA to the management structure—Perform the RA based on the ownership or responsibility of the system. When the RA crosses management lines, it becomes harder to implement the controls.

• Identify assets within the RA boundaries—When identifying assets, ensure that only assets within the scope of the RA are included. This will help eliminate scope creep.

• Identify and evaluate relevant threats—Ensure that only relevant threats are evaluated. You can review historical data to determine what threats have caused problems in the past. You can also use threat modeling to identify threats.

• Identify and evaluate relevant vulnerabilities—Many weaknesses exist. You won’t include them all. You want to include only the vulnerabilities that are relevant to the RA.

• Identify and evaluate countermeasures—Ensure that all countermeasures are directly related to at least one threat/vulnerability pair. Additionally, ensure that the CBA justifies the cost of the control.

• Track the results—Document the results of the RA. Document the approved recommendations. Create a POAM to track the implementation of the recommendations.

CHAPTER SUMMARY

The performance of the risk assessment takes several specific steps. It’s important to start with a clear definition of the system to be assessed. Whenever possible you should also consider the management structure to ensure easy implementation of the recommendations.

Next, identify threats and vulnerabilities. Relevant threat/vulnerability pairs identify actual risks. Then evaluate controls to mitigate these risks. Present these recommendations to management for a decision with a CBA. Finally, use a POAM to track the approved recommendations.

KEY CONCEPTS AND TERMS

Asset valuation

Blacklist

Countermeasure

Exploit assessment

Group Policy

Host-based intrusion detection system (HIDS)

In-place countermeasure

Operational impact

Planned countermeasures

Procedural controls

Threat modeling

Vulnerability assessment

Whitelist

CHAPTER 6 ASSESSMENT

1. You are beginning an RA for a system. You should define both the operational characteristics and the mission of the system in the early stages of the RA. A. True B. False

2. Which of the following should you identify during a risk assessment? A. Assets B. Threats C. Vulnerabilities D. Countermeasures E. All of the above

3. Of the following choices, what would be considered an asset? A. Hardware B. Software C. Personnel D. Data and information E. All of the above

4. When defining the system for the risk assessment, what should you ensure is included? A. Only the title of the system B. The current configuration of the system C. A list of possible attacks D. A list of previous risk assessments

5. What can you use to identify relevant vulnerabilities? A. Historical data B. Threat modeling C. CBA D. A and B only E. None of the above

6. Which type of assessment can you perform to identify weaknesses in a system without exploiting the weaknesses? A. Vulnerability assessment B. Risk assessment C. Exploit assessment D. Penetration test

7. An acceptable use policy is an example of a(n) ________ control.

8. Your organization requires users to log on with smart cards. This is an example of a(n) ________ control.

9. You use video cameras to monitor the entrance of secure areas of your building. This is an example of a(n) ________ control.

10. Which of the following should you match with a control to mitigate a relevant risk? A. Threats B. Vulnerabilities C. Threat/vulnerability pair D. Residual risk

11. What does a qualitative RA use to prioritize a risk? A. Probability and impact B. SLE, ARO, and ALE C. Safeguard value D. Cost-benefit analysis

12. What does a quantitative RA use to prioritize a risk? A. Probability and impact B. SLE, ARO, and ALE C. Safeguard value D. Cost-benefit analysis

13. Your organization purchased a control and installed it on several servers. This control is consuming too many server resources, and the servers can no longer function. What was not evaluated before the control was purchased? A. The cost and time to implement the control B. The operational impact of the control C. The in-place and planned controls D. The impact of the risk

14. What is included in an RA that helps justify the cost of a control? A. Probability and impact B. ALE C. CBA D. POAM

15. What is created with a risk assessment to track the implementation of the controls? A. CBA B. POAM C. ALE D. SLE