ISACA CISM – Domain 02 – Information Risk Management Part 4
April 2, 2023

21. Other Organizational Support

Now, some of the other... I guess that’s always a good category, isn’t it? Other organizational support. So there are in this security industry, in all aspects of the security industry, many different types of subscription services that we can integrate into an information security program, and the services are there to help leverage the expertise of external service providers without making them responsible for it. In other words, you might see, depending on the vendor, good practice organizations. I mean, even if I weren’t to say, go to organizations like ISACA or maybe SANS or ISC squared, I won’t put the little squared on there anyway.

Those are organizations that have generally good practices that you can incorporate into the overall program. Now, I would still say you also want to include what your vendors of the different controls, operating systems and software also recommend as good practices, in concert with looking at these other good organizational or good practice organizations. Another thing we can do, of course, is look at security networking roundtables. Those are usually organizations that try to gather information, and so that’s what they do, right, a roundtable. It’s almost like a discussion. It doesn’t mean we’re all in the same room, but they’re going to gather information from other security professionals from the same industries and try to organize discussions around topics of common interest.

So that’s what I call learning from others. And we can do that because if we have these roundtables and we have... now again, this is not the same as giving out corporate secrets. Certainly it’s not the same as social engineering, where you’re worried that somebody’s asking questions about your security systems to try to figure out how to defeat them. I mean, it could be, but usually it’s trusted individuals. But somebody else might have had a similar problem that you’re running into, and isn’t that a great place to be able to have a roundtable and to be able to do that kind of comparison? Of course, there are lots of security training organizations that are available.

These are institutions that provide classes on technical topics in information security. Well, even the ones I just mentioned, like ISACA, they certainly offer or have the ability to sponsor training so that you can learn about information systems, whether it’s auditing or management. Again, SANS has a lot more network-oriented security information about current threats, hackers and countermeasures. And sometimes, though, they also focus on showing you how to be a good hacker. But there’s nothing wrong with that, because then you can use those skills to test the security through an audit process and make sure that you’re again at that certain target that you want to be at. But they could be there just to teach you about vulnerabilities.

And again, going into some of these other organizations, they may be able to keep you up to date as well. And so here we are talking about vulnerabilities, the vulnerability alerting service, and these are again just services that allow you to maintain a list of the technology that you use and get the news and updates regarding the types of new threats or vulnerabilities, and that’s important. And again, you can go to these like SANS, and certainly a lot of places have that. If you just in fact don’t know of a good place to start looking for these updates, just do a search on the internet for the term CVE and that’s going to get you into... unfortunately, you may or may not be able to subscribe based on the technology you’re using. So you may get a lot of updates that might not be pertinent to you, but it’s a way of you getting that type of information that should be able to help you know what you need to look for as you continue to modify perhaps your security program.

22. Risk Analysis

When we talk about risk analysis, as we’ve stated before, there are many approaches to doing the overall risk assessment, but risk analysis is the process of analyzing the threat landscape and the vulnerabilities of the organization’s assets. Now, risk analysis is really the combining of your vulnerability information from the assessment and the relative threats that have been gathered from other sources to determine the risk of compromise as well as the magnitude of the threat. So hopefully you’re kind of getting the idea that under risk management, we looked at risk assessment, and we talked about a lot of frameworks for coming up with the information that we need.

But from there, we actually do the real analysis. So we get an idea; really, you’ve said in your assessment, here’s a vulnerability, and we have some ideas of what the threats are. But now what I want to know is, what is the relative degree that that threat could actually work, that it could be there? And if it did succeed and if it was realized, we want to know what is the magnitude, right, the exposure factor of that particular threat? So we’re actually trying to put the hard values, whether quantitative or qualitative, into being able to say, all right, based on this assessment, from our analysis, this is what we see. These are the potential outcomes.

23. Lesson 5: Risk Assessment

Now let’s take a look at the risk assessment. Now, if you remember, again, the first step of risk assessment is really the assessment of what’s important to the organization. I bet you haven’t heard that before, because I just said it in a different way. It’s back to the classification of the assets to have the ratings of criticality of importance. Now, there are a lot of different risk management models that you can use and approaches that you can use. And the goal again is to help you, give you a framework, if you would, of methods or models that help you go through the process of risk assessment. I suppose one way to think of it is rather than creating your own from the ground up, you’re going to save a lot of time, effort and energy by using trusted models, depending, of course, on the organization that best matches your organization. But these trusted models act as a framework or a guideline to give you something to work with. Now, COBIT obviously has quite a few that we have looked at or at least mentioned before. As far as the models that you can use, there’s also OCTAVE, the NIST has theirs, and even the International Standards Organization, ISO. Now, one of the things that they have in common, or many of the things that all of these models have in common, is that they all are designed to assess, to evaluate and to rank your risk.

24. NIST Risk Assessment Methodology

We can take a look as an example at the NIST risk assessment methodology. And there are really nine steps that they have in their methodology. Now, again, remember, this is your model, kind of your outline that helps you in deciding how to go about your risk assessment. Number one is they may start off with the system characterization. Now, there is a description of the system or the asset, perhaps, of what we’re worried about. Now, in that process, we have to be able to figure out what are the threats? And that is the threat identification. And again, remember that threats can be from a variety of different things: natural disasters, as we’ve talked about, accidental damage, malicious threats of damage, outside forces, loss of electrical power, power grids, even acts of war, I suppose.

All right, so we look at those threats, we have to identify what those are, and then we also have to identify what our vulnerabilities are. And of course, as we just said, the analysis is kind of the combination of what are the threats and what are the vulnerabilities and what would the outcome be? But that’s the analysis part. The risk assessment is helping gather this information. Now, the other thing we can do is try to figure out what controls we have, what’s in place, what might we need, so that it would be part of the control analysis. And again, controls generally, we look at them as the policies, the standards, the procedures and the guidelines, whereas the actual countermeasure is something that we said was a targeted control.

Now, out of all of that, we also have to remember that one other aspect was the likelihood. Remember, I used the example of saying, well, there’s a threat that a comet or meteor could fall out of the sky and destroy our facility. Okay, yes, that’s a valid threat. But when I rank it with likelihood, then we can probably say that’s one we’ll just shelve and worry about later on. But if, again, if I live on a fault plane and somebody says earthquakes are bound to happen, then I’m thinking, okay, there’s a higher likelihood, something we should look at. Now, of course, if this vulnerability was exploited by whatever threat it is that we are looking at, we have to look at also the impact analysis.

Now, that’s an important aspect, right? We want to know what is that exposure factor? What could it mean to our company? And when we talk about impact analysis there we can get into the discussions about dependencies, about how things could cascade or get even worse from one outage. Risk determination is another aspect of the risk assessment. Also, part of what we’ll do is make recommendations for the types of controls. And once all of this is put together through the assessment process and it doesn’t mean, by the way, that you can’t add other steps into this methodology. It’s just again, it’s an outline of a methodology, a model that you can use, one of many, as we just mentioned.

But when it’s done, you should have the results documented. Now, the documentation is an important aspect. It’s not just because that’s the document that we may be getting paid to produce, especially if you’re an outside consultant. Often that’s the payable. That’s what we’re getting paid on, those results. But it’s designed to outline clearly what we found and what are some ideas, giving us basically that working document that helps us eventually come up with a security program to understand what we’re trying to achieve. And again, this is a great way of looking at where we are in our current state by having this risk assessment. Because the risk assessment is our current state, what are we doing right now, especially when we look to what we want to be doing. So again, if we don’t know where we’re starting, it’s hard to get to that destination. And this helps us in that starting point.

25. Aggregated or Cascading Risk

Now a part of looking at risk is this idea of aggregation or cascading risk. Now, you could say that some threats could affect a large number of minor vulnerabilities, but if you take them in total or aggregate, it could have a major impact. Okay, I’m going to go back in my time machine again and talk about a little piece of malware called Blaster. Now Blaster really, really didn’t do anything bad to our systems. It spread like crazy. It was very good as far as being a worm and being able to perpetuate itself. But what it did is it ordered our Windows machines to attack a Microsoft website. All right? So there was a vulnerability. Because of a vulnerability in the Windows operating system, this code was able to do this very action.

And even though it was pretty minor, something we might not even have noticed or paid attention to, because it hit several hundred thousand machines, when you took it as a whole, the Microsoft website that was being attacked with a denial of service took it as a pretty serious threat, and it had a very major impact. It took that server down. Now, one failure, another part of the cascading risk idea, is saying that one failure from a successful threat could cause a cascading chain reaction that sometimes I like to call the ripple effect. If you understand the ripple effect, you throw a stone into a lake and that little dip into the water starts sending out these little ripples or waves that will affect everything else that’s floating around, right? So they get to feel the effects of it.

In the last few weeks, and I think I may have mentioned this already, a major air carrier claims... anyway, this is what I can glean from the news, that they had a power outage at one of their sites, and now this one failure, which, by the way, is a threat, one of our threats should be the power supply, caused a cascading chain reaction in that it basically took all of these airport hubs and check-in places offline, in that they lost computer or network connectivity and they couldn’t take care of the... the existing passengers are okay, but they couldn’t check in new passengers.

Apparently the computer systems couldn’t create flight plans, so that the planes couldn’t legally take off without filing a flight plan. The incident, from what the news says anyway, had a very huge ripple effect that affected hundreds of flights, which in turn affected thousands of people. And of course, by the time they got back online, now with that extra group of passengers, trying to shove them into all the other upcoming flights, you can just imagine it was a pretty big mess. But I think that makes a good example of what we mean by the ripple effect.
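As an added illustration of the risk analysis from section 22 (likelihood times magnitude, the exposure factor) and of the aggregated risk discussed in this section, here is a small risk-register calculation in Python. It is not part of the course material; the asset values, exposure factors and annual rates are constructed for illustration only.

```python
from dataclasses import dataclass


@dataclass
class RiskItem:
    """One risk-register row: a threat acting on a vulnerable asset."""
    asset: str
    threat: str
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of AV lost if the threat is realized (0..1)
    annual_rate: float      # ARO: expected occurrences per year (the likelihood)

    def sle(self) -> float:
        """Single Loss Expectancy: magnitude of one realized event (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: magnitude weighted by likelihood (SLE x ARO)."""
        return self.sle() * self.annual_rate


def rank_risks(items: list[RiskItem]) -> list[RiskItem]:
    """Rank individual rows by ALE, highest first."""
    return sorted(items, key=lambda r: r.ale(), reverse=True)


def aggregate_by_threat(items: list[RiskItem]) -> dict[str, float]:
    """Sum ALE across every asset a threat touches; this is where many minor rows add up."""
    totals: dict[str, float] = {}
    for r in items:
        totals[r.threat] = totals.get(r.threat, 0.0) + r.ale()
    return totals


# Constructed sample register (illustrative figures, not from any real assessment).
REGISTER = [
    RiskItem("payroll database", "ransomware", 500_000, 0.6, 0.1),
    RiskItem("data centre", "earthquake", 2_000_000, 0.9, 0.02),
    RiskItem("data centre", "meteor strike", 2_000_000, 1.0, 0.000001),
] + [
    # 200 workstations: each worm infection is minor on its own (ALE 500)...
    RiskItem(f"workstation-{i:03d}", "worm infection", 2_000, 0.5, 0.5)
    for i in range(200)
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER)[:3]:
        print(f"{r.asset:18} {r.threat:15} SLE={r.sle():>12,.2f} ALE={r.ale():>10,.2f}")
    # ...but aggregated, the worm outranks both the earthquake and the ransomware.
    for threat, total in sorted(aggregate_by_threat(REGISTER).items(), key=lambda kv: -kv[1]):
        print(f"{threat:15} aggregate ALE={total:>10,.2f}")
```

Row by row the earthquake ranks first; summed by threat, the two hundred minor worm rows come to an aggregate ALE of 100,000, above the earthquake's 36,000, which is the aggregation point the lecture makes with Blaster.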

26. Other Risk Assessment Approaches

Now there are some other risk assessment approaches. One of them is called FAIR, the Factor Analysis of Information Risk. Now, it is a taxonomy which gives us an understanding of the information risk by looking at it in the different pieces. Number one, of course, and this sounds very familiar, you’re going to notice I said that a lot of these models have a lot of things in common. So the pieces and parts of the taxonomy of FAIR are things like the frequency of the threat, the probability of the threat, the probability of the success of that threat, and the actual output as far as what is the probable nature of the impact, what’s its output going to be, what’s its damage going to be. Now, a part of what it is, and by the way, that is just one of four parts of FAIR, is the taxonomy.

The other thing that it does is it has a method for measuring. It also has computational engines, which are mathematical routines to help you in the decisions about impacts and also being able to take the input of measurements. And it also includes a simulation model where we can take a look at different situations and use it either for the decision about things like the impact probability of success or maybe through the use of controls to try to mitigate that risk.

27. Identification of Risks

Now, there are some other risk assessment approaches. One’s called the risk factor analysis. It’s a model or an approach that’s being undertaken and developed at the Los Alamos nuclear facilities. Another one that you might see is the PRA, the probabilistic risk assessment. Now, that’s a systematic and comprehensive method to evaluate risk, but designed for very complex systems. A complex system very well could be nuclear facilities. It could be the airline industry. Now, you think about complexity, right? Because there we have ticketing, we have boarding, we have passengers, flights, flight plans, multiple airports. Or even if you think about it as the air traffic control and the sheer number of planes in the air at any one time.

Those tend to be very complex systems that may need a different approach than some of our other traditional models for doing risk assessment. Now, when we look at PRA, it does its risk characterization with two different quantities. Those quantities are the severity of the consequences and the likelihood of the event. Now, there are usually three basic questions that are answered when we’re doing something like the PRA and that is what can go wrong? And the next question we might ask is what and how severe would be the consequences and then how likely is the occurrence? So those are some of the ideas of what it’s doing. Now, here you might notice that this sounds very high level and sometimes one of the ways to approach a complex system is by taking maybe a little bit more of a higher level approach or of course, breaking it down into its smaller components and going through the same risk assessment.

28. Threats

Now, as you can tell, one of the major themes in all of the discussions we had about assessment is the identification of risk. And that means that in risk management, as a risk management program, we should have a company’s list of sources of their threats, vulnerabilities and risks. Now, in general, when we talk about a risk, a risk can be related or characterized by things about its origin, or maybe it’s a certain activity, an event or an incident. And again, we talk a lot about threats, and so this kind of feels like the threat. But remember, the risk is kind of that combination of the threat and that vulnerability. Other things we identify or characterize your risk by, as we’ve said, are the consequences, the results, or the impact it’s going to have on the organization.

We should also look at the reasons for its occurrence and start looking at protective controls to not only basically know what they are, but how well or how effective they might be in lowering or mitigating that risk. And of course, some risks may be characterized by their time and occurrence.
