Saturday, May 26, 2018

Security Risk Assessment in The Internet of Things

The Internet of Things, henceforth referred to as IoT in this article, refers to all the devices connected to the internet which “talk” to each other. This means that if your washing machine is connected to the Internet and talks to a cloud server, sending its health information to the company’s server, it qualifies as an IoT device. Your smartphone and smartwatch are IoT devices too. Put simply, the Internet of Things is made up of devices – from simple sensors to smartphones and wearables – connected together.
The IoT is one of the most talked about technologies nowadays. Every company is working on its implementation and introduction into our daily lives. Given the increasing number of cyber-attacks, it makes sense to identify the risks faced by the deployment of this technology. The traditional method of doing a risk assessment involves identifying assets, their weaknesses, the threats they may face and the potential danger in case of exploitation. Once these risks are identified, they are prioritized and countermeasures are adopted to treat them.

These traditional approaches are based on certain assumptions, the primary one being that the dynamism is extremely low. When you identify the assets, this is a one-time activity, and these assets won’t change much in a risk assessment period of, say, 6 months at the least. What if the number of assets and the risk associated with them were to change every minute or day? Clearly, risk assessment methodologies such as NIST SP 800-30, OCTAVE, FRAP etc. are not equipped to handle the complexity which IoT presents us.

In this blog post, we will try to understand the current methods of risk assessment, their shortcomings in their application to complex systems such as IoT and propose certain methods to handle the issues at hand.

In the earlier blog post on Risk Management, we learned about risk management being defined as:
A process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

If we apply the same definition in the IoT environment, the overall concept of risk management remains the same, doesn’t it? In principle, yes. However, let us understand the practical challenges here. Risk assessment is an integral part of risk management, and it has certain methodologies through which we can assess the risk(s) faced by the organization. If we apply NIST SP 800-30, we need to identify the assets (IT only), the vulnerabilities and the threats faced, then calculate the risk, propose countermeasures to treat it, and then monitor the complete system.

Let’s take another one. Facilitated Risk Analysis Approach (FRAP) is focused on identifying the systems that really need assessing, to reduce time and costs. It analyses one system, application or business process at a time. Data is gathered and threats to the business operations are prioritized based on their criticality. Since it is a qualitative approach, you ask experts to gather around and discuss the risks which this particular asset, system or application would face.

If you observe these methodologies, you will notice that they are focused on identifying critical assets and the harm that may occur to them, or the threats faced by a particular asset or application. This means you follow an asset-based approach or a threat-based approach when you use these methodologies.

Clearly, the approach taken by these methodologies applies best to a static system. When the complexity and dynamism in the system change every minute, such risk assessment methodologies will not stand the test of time. Risk is a complex word in itself. It is a probabilistic measure of a threat exploiting a vulnerability. When threats and vulnerabilities change on a continuous basis, the calculation (quantitative) or identification (qualitative) of the risks faced becomes an enormous challenge.

An IoT device is not much of a complete system in itself. It needs the help of many parts to fully function and be usable. It is like a part of the body which is useless without the complete body. In extremely simple terms, an IoT system would be made up of at least 3 components – application, cloud environment and Thing environment. All these would communicate with each other using application programming interfaces. The following article explains this in detail -

Thursday, May 24, 2018

Risk Analysis Approaches

Which color do you like? Choose one – Red, Amber or Green. Let’s try another one – How much would you like your company’s risk to cost – 10,000 $, 20,000 $ or 50,000? Choose one again. Confused? Don’t be. After all, risk analysis is about analyzing risk either in terms of color or a heat map or numbers.

The two approaches to risk analysis are Quantitative & Qualitative. Let’s understand them.

Quanti – tative Approach

This break will help you remember that this approach is related to numbers. Quanti refers to numbers here. We assign monetary and numeric values to all aspects of risk analysis. If you revisit the topic of Risk Assessment, we identified that there are multiple parameters to be taken care of while calculating risk. Hence, in this approach, we assign monetary values to each aspect so that at the end we can quantify or measure what is the value of the risk in dollar terms. 

Let’s understand this through a simple example – 

There is a building which has a cost of 100,000$. There is no fire suppression system installed in the building. In case of a fire, the building may be damaged and will suffer a loss of 25,000$, that is, around 25%. Past experience shows that a fire may occur once in every 5 years.

This information above has been gathered as a part of risk assessment. Clearly, you can observe that every aspect has been assigned a value. The asset value (cost of building) has been derived at 100,000$. The loss has also been quantified.  This is what Quantitative Analysis is all about. 

Numbers are incomplete without some formulas.  So here comes the formula:

Asset Value * Exposure Factor = Single Loss Expectancy

Asset Value – What is the value of the asset? During the risk assessment you have to include all sorts of costs here to make up the asset value, such as the cost to develop the asset, the cost to maintain it, the cost to replace it, the money spent on it to make it usable, the value of the asset to its owners etc. Here the building value has been identified as 100,000$, which is inclusive of all such costs.

Exposure Factor – What is the exposure if the threat materializes? What percentage of the asset value would be destroyed in case of realization of the threat? Here the building is affected by the fire, and around 25% of it would be destroyed. This value is the exposure factor.

Single Loss Expectancy - Actual Loss in case of realization of a threat. Notice the word expectancy here. We are expecting that this would be the loss in case of actual fire.

In our example, if we wish to calculate the SLE, it would be like this –

AV – 100,000$

EF – 25% or ¼ or 0.25

Hence, SLE = 100,000$ * 0.25 = 25,000$.

Therefore, the company would suffer a loss of 25,000$ from a fire.

Wait, the movie has not finished yet. Notice the last line in the scenario above. Past experiences have shown the occurrence of a fire once every 5 years.  What does this mean and how does it fit here?

Every business needs to make such assessments on a yearly basis. If a fire occurs once every 5 years, the loss of 25,000$ is in effect spread over a period of 5 years. This implies that the company can choose to spend 5,000$ every year to cover any losses arising out of this situation.

This leads us to another formula.

Single Loss Expectancy * Annualized rate of occurrence = Annual Loss Expectancy

Annualized Rate of Occurrence – This value represents the estimated frequency with which a specific threat would occur over a period of 1 year. 

Here the ARO would be 1/5 or 0.2.

Hence, the annual loss which the company may face is 25,000$ * 0.2 = 5,000$.

This value would help the company decide which controls it would like to implement and how much money it can spend on them.
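
The two formulas above applied to a small risk register, as an added example that is not part of the original post. It goes one step beyond the text by comparing the ALE before and after a control to get the control's net yearly value; the sprinkler figures (EF of 5%, 1,500$ a year) and the server-theft scenario are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per event, 0..1
    aro: float              # ARO: expected events per year

    def __post_init__(self):
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction of the asset value (0..1)")

    @property
    def sle(self):  # Single Loss Expectancy = AV * EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):  # Annual Loss Expectancy = SLE * ARO
        return self.sle * self.aro

def aro_from_interval(years_between_events):
    """'Once every N years' expressed as an annualized rate."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events

def control_net_value(before, after, annual_cost):
    """ALE(before) - ALE(after) - yearly control cost; > 0 means it pays off."""
    return before.ale - after.ale - annual_cost

def rank_by_ale(scenarios):
    """Order scenarios so the largest expected yearly loss comes first."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)

# The building from the text: AV 100,000$, EF 25%, fire once every 5 years.
FIRE = Scenario("fire", 100_000, 0.25, aro_from_interval(5))
# Constructed assumptions: sprinklers cut EF to 5% and cost 1,500$ per year.
FIRE_SPRINKLERS = Scenario("fire, sprinklers", 100_000, 0.05, aro_from_interval(5))
SPRINKLER_COST = 1_500
# Constructed second scenario so that the ranking has something to order.
THEFT = Scenario("server theft", 20_000, 1.0, 0.1)

if __name__ == "__main__":
    for s in rank_by_ale([THEFT, FIRE]):
        print(f"{s.name:14} SLE={s.sle:>9,.0f}$  ALE={s.ale:>8,.0f}$")
    net = control_net_value(FIRE, FIRE_SPRINKLERS, SPRINKLER_COST)
    print(f"sprinklers net value: {net:,.0f}$ per year")
```

A negative net value means the control costs more per year than the loss it is expected to prevent.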

Risk Assessment Methodology

Having understood Risk Management & Risk Assessment in earlier blog posts, it is time for us to understand the various methodologies of risk assessment. The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional, it is important for us to know the best approach for our organization and its needs.

1. NIST SP 800-30

The first one, NIST SP 800-30, is considered a U.S. federal government standard.

It lays out the following steps:
• System characterization
• Threat identification
• Vulnerability identification    
• Control analysis
• Likelihood determination
• Impact analysis
• Risk determination
• Control recommendations
• Results documentation

The NIST risk management methodology is mainly focused on: 
a) computer systems.
b) IT security issues. 

2. FRAP (Facilitated Risk Analysis Process)

• Qualitative methodology.
• Focuses only on the systems that really need to be assessed.
• Helps to reduce costs and time spent in risk assessment.
• Risk assessment steps are only carried out on the item(s) that needs it the most. 
• It is to be used to analyze one system, application, or business process at a time. 
• Data is gathered and threats to business operations are prioritized based on their criticality. 
• The risk assessment team documents the controls that need to be put in place to reduce the identified risks along with action plans for control implementation efforts.
• This methodology does not support the idea of calculating probability or likelihood.
• The criticalities of the risks are determined by the team members' understanding of business processes.
• The goal is to keep the scope of the assessment small and the assessment processes simple to allow for efficiency and cost-effectiveness.

3. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) 

• Based on the idea that the people working in the environments best understand what is needed and what kind of risks they are facing. 
• The individuals who make up the risk assessment team go through rounds of facilitated workshops. 
• The facilitator helps the team members understand the risk methodology and how to apply it to the vulnerabilities and threats identified within their specific business units. 
• Scope of an OCTAVE assessment is usually very wide compared to the more focused approach of FRAP.
• Where FRAP would be used to assess a system or application, OCTAVE would be used to assess all systems, applications, and business processes within the organization.

4. ISO/IEC 27005 

• Is an international standard for how risk management should be carried out in the framework of an information security management system (ISMS).
• Deals with IT and the softer security issues (documentation, personnel security, training, etc.) 

5. Failure Modes and Effect Analysis (FMEA)

• Is a method for determining functions, identifying functional failures, and assessing the causes of failure and their failure effects through a structured process.
• Commonly used in product development and operational environments.
• The goal is to identify where something is most likely going to break and either fix the flaws that could cause this issue or implement controls to reduce the impact of the break.