Saturday, May 19, 2018

Understanding Risk Assessment

Risk Assessment is a part of the Risk Management process. It is a method of identifying vulnerabilities and threats, and the impact if a threat agent exploits a vulnerability, in order to suggest security controls. Many Risk Assessment methodologies are available to assess the level of risk, such as NIST SP 800, FRAP, OCTAVE, Delphi etc.

In simple terms, risk assessment involves identifying weaknesses, threats and the potential danger in case of exploitation, and recommending countermeasures on that basis.

Sounds simple? It’s practically the most challenging, time-consuming and difficult work in the entire risk management process. Let’s understand what makes this simple, straightforward process so difficult to execute. You are a security professional and the CEO calls you to do the security assessment of the site at New Delhi. If you start doing the risk assessment in this case, I assure you that you will end up pulling your hair out. Why so? You will realize the answer if you try to answer the following questions:

1. What is the scope of your risk assessment? 
2. Does it involve only the physical assets of the building? 
3. Do you need to consider all the functions operating out of the building?
4. Do you need to involve the third party vendors under this assessment?
5. Would you include the intangible assets in this assessment?
6. What is the time limit for this assessment?
7. Are there any budgetary constraints for this assessment?
8. What methodology would you choose for the asset valuation? Will you include assets that are due to be scrapped?

Unfortunately, a lot of security professionals and businesses do not identify the answers to these questions before beginning the risk assessment.

The most important criterion for any risk assessment is buy-in from the top management. This buy-in must include the time limit and budget for the risk assessment activity. In some cases, the scope of the assessment may be defined by the top management or the middle management level. If the scope, time and budget are finalized, half of the problem is solved.

Let’s talk about the other half. Risk Assessment involves the following 4 steps:

1. Identify the assets and their valuations.
2. Identify the vulnerabilities and threats associated with them.
3. Quantify the probability and business impact of these potential threats.
4. Recommend countermeasures with a balance between cost and benefit.

Clearly, you will find that it is really simple to complete these steps. Yes, it is. However, there is a catch. Well, there is always a catch in the security role. Let’s understand this step by step.

1. As a security professional, you may be an expert in security, but you will not be able to understand all the risks a department faces. This issue can be resolved by working with a cross-functional team. Each organization has different departments, and each department has its own functionality, resources and tasks. Hence, for the most effective risk analysis, an organization must build a risk analysis team that includes individuals from many or all departments to ensure that all of the threats are identified and addressed. The members of this team therefore depend heavily on one another to complete the assessment.

2. Asset identification – Tangible or Intangible or Both – This needs to be finalized in the early stages itself.

3. Asset Valuation – It is important to ask questions during this phase. Many costs are associated with a particular asset, and they are not limited to its market cost. The value placed on information is relative to the parties involved, what work was required to develop it, how much it costs to maintain, what damage would result if it were lost or destroyed, what enemies would pay for it, and what liability penalties could be endured. If this activity is not done properly, it will create an issue when countermeasures are to be deployed. An organization working on advanced defense projects would deploy different countermeasures for its servers than would be deployed for an ice cream vending machine remotely controlled by a server.

If all such steps are done, you have completed the risk assessment. Now you can present the report to the CEO who asked you to do the risk assessment. Wait, the CEO has a different report from another professional who was asked to conduct the same kind of assessment. The results are as different as day and night. This is a common issue which comes up when a standard methodology is not followed for risk assessment.

Let’s explore the risk assessment methodologies in the next article. 

What are your thoughts on risk assessment? Which of the steps above do you find the most difficult? Share your thoughts in the comments below.

Wednesday, May 16, 2018

Demystifying Risk Management

When you speak to security professionals or the management in many organizations, most of them are of the opinion that security risk management is all about deploying the latest security tools available in the market, with a focus on applications, hacking, malware and, nowadays, data breaches. Although these items are important to consider, they are an extremely small part of the overall information security puzzle.

Consider an organization dealing with nuclear reactor designing and another organization dealing with providing cloud backup solutions. Would the risk management be the same for both organizations? The answer is NO, which most of you would agree with. Each organization would be vulnerable to certain threats which may threaten its business model. Every business exists to make money, and security becomes an issue only when this bottom line is affected. Risk Management should always be done with the objective that the threats which are identified do not affect the bottom line. Hence, it is critical that security professionals understand the threats faced by a company, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.

Let’s take up the two scenarios once again. In both cases, there would be innumerable threats which these businesses will face. Should the business work on resolving every threat it faces? From a business standpoint, it can allot only a certain amount of money to resolve these threats. What security professionals need to understand is that even if a company faces innumerable threats through a lot of vulnerabilities, they need to prioritize the risks arising from these threats and resolve them with the limited budget available to them. In order to do so, every business will come up with an acceptable level of risk which it can withstand even if it materializes.

Based on the above discussion, we can easily define risk management as:

The process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.

We must ponder over two important words here: management & maintaining. Management of the risk means identifying, resolving and then reviewing, and repeating this cycle again and again. A lot of security professionals confuse this with the term Risk Assessment. Risk Assessment is only a part of the overall Risk Management cycle. Maintaining is another important aspect which a lot of companies get confused about. Risk Management should not be a “fit it forget it” approach and must be done on a periodic basis to ensure that the acceptable level of risk is maintained at all times. But what happens when a new risk comes up but does not affect the acceptable level of risk?

Imagine the business handling the nuclear reactor faces a new risk because a vulnerability has been discovered in an application which controls the cooling of the reactor. The vulnerability can be exploited by an attacker only by manually logging into the system and running a specific command via the command prompt with administrator access.

What should a security professional do? The first step should be to assess the change in risk which has occurred in comparison to the acceptable level. To evaluate this, a risk assessment needs to be done, which will help the professional understand what the future course of action needs to be. Many companies, however, do not evaluate the change in the risk levels and start focusing on patching the vulnerability itself, which is a wrong approach. You may argue that a new vulnerability, when detected, may impact the company and hence needs to be patched anyway. So why not focus on patching it straight away? It ultimately boils down to the security budget and resources which you have at your disposal. If the security budget is tight, no resources are available and there is no change in the acceptable risk levels, it would be a good option to either postpone the patch or prioritize the important issues at hand, rather than immediately focusing on patching the vulnerability.

Since every organization has a finite amount of money and an almost infinite number of vulnerabilities, properly ranking the most critical vulnerabilities to ensure that your company maintains the acceptable level of risk is what risk management is all about. Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.
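The ranking described above, together with steps 3 and 4 of the risk assessment post (quantify probability and business impact, then weigh countermeasure cost against benefit), as an added Python example that is not part of the original posts. All risk names and figures are constructed, and treating exposure as probability × impact against a single per-risk acceptable level is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float           # estimated yearly chance the threat materializes (0..1)
    impact: float                # business impact if it does, in currency units
    fix_cost: float              # cost of the proposed countermeasure
    residual_probability: float  # estimated chance once the countermeasure is in place

    @property
    def exposure(self) -> float:
        return self.probability * self.impact

    @property
    def reduction(self) -> float:
        # Benefit of the countermeasure: exposure removed by deploying it.
        return self.exposure - self.residual_probability * self.impact

def triage(risks, budget, acceptable_level):
    """Accept what is already within the acceptable level, then spend the
    limited budget on the countermeasures with the best benefit per cost."""
    plan = {"accept": [], "fix": [], "defer": []}
    candidates = []
    for r in risks:
        if r.exposure <= acceptable_level:
            plan["accept"].append(r.name)   # no change to the acceptable level
        elif r.reduction <= r.fix_cost:
            plan["defer"].append(r.name)    # countermeasure costs more than it saves
        else:
            candidates.append(r)
    candidates.sort(key=lambda r: r.reduction / r.fix_cost, reverse=True)
    for r in candidates:
        if r.fix_cost <= budget:
            budget -= r.fix_cost
            plan["fix"].append(r.name)
        else:
            plan["defer"].append(r.name)    # worthwhile, but not affordable this cycle
    return plan

# Constructed sample register (hypothetical names and numbers).
RISKS = [
    Risk("Cooling-control flaw (local admin only)", 0.01, 5_000_000, 40_000, 0.001),
    Risk("Unpatched internet-facing server", 0.30, 800_000, 30_000, 0.05),
    Risk("No user awareness training", 0.40, 300_000, 50_000, 0.15),
    Risk("No off-site backup", 0.10, 1_000_000, 60_000, 0.02),
    Risk("Lobby without badge reader", 0.20, 400_000, 90_000, 0.10),
]
PLAN = triage(RISKS, budget=100_000, acceptable_level=60_000)

if __name__ == "__main__":
    for decision, names in PLAN.items():
        print(f"{decision:>6}: {names}")
```

The hard-to-exploit cooling-control flaw lands in `accept` because its exposure stays under the acceptable level, while the budget goes to the two items with the highest reduction per unit of cost.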

Monday, May 14, 2018

Understanding Control Types & Functionality

A safeguard, control or countermeasure is implemented to reduce the risk an organization faces.

Let’s understand it through some examples.

1. A company puts in antivirus solutions to reduce the potential danger from malware.
2. Citizens put in steel gates at the entry of the streets in their areas.
3. A leading e-commerce company deploys a backup solution.
4. A person deploys a CCTV at his home.
5. Since the organization could not build a perimeter wall, it deploys security guards to man the area around the building.

What do all of these examples have in common? In all of the above examples, we can sense that there is a mechanism which has been deployed to reduce the potential danger which an organization or an individual faces. This mechanism reduces the level of risk and is called a control.

There are 3 types of control which can be deployed:

1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. Also known as soft controls, as they are soft in nature. Examples of such controls include security policies, training, internal company standards etc.

2. Technical Controls (Logical) – Controls that are technical in nature and deal more from a logical perspective. Examples include deployment of firewalls, encryption, anti-virus, access authentication etc.

3. Physical Controls – These are put in place to ensure physical security. Examples include – security guards, fences, perimeter walls, CCTV, doors, dogs etc.

All these types of controls provide the following six types of functionalities:

1. Preventive – Controls that try to prevent an incident from happening.
2. Corrective – Controls that fix things after an incident has happened.
3. Detective – Controls through which issues can be detected in advance.
4. Recovery – Controls that help you recover from the incident.
5. Deterrent – Controls that discourage an attacker from attacking.
6. Compensating – An alternative control put in place to compensate for the intended control.

These definitions are quite straightforward and should be applied as such. For example, consider the second example, where steel gates have been deployed. Steel gates are a preventive control deployed by the people. Your train of thought may also run in this manner: an attacker would see the steel gate and find it to be a deterrent, and hence this must be considered a deterrent control. Note that in any case, you need to understand the basic intent behind the control and you’ll get the functionality right. A steel gate has been deployed to prevent something bad from happening and hence is a preventive control.

Another point to remember is that controls must be deployed in a layered fashion, like an onion. It is advisable to put preventive, detective and corrective controls in layers so that you are able to prevent the attack from happening in the first place; if you could not prevent it, you should be able to detect it; and in case you failed to detect it, you should be able to correct what has happened.

Let’s leave you with something to work on.

Todd is a security specialist deployed by a leading e-commerce company. He has been asked to create a list of preventive controls which can be deployed to protect the company’s internet facing servers from being hacked. Can you list down a few preventive controls to help Todd?

Saturday, May 12, 2018

Understanding Vulnerability, Threat & Risk

Consider the following two examples:

There is an office building where there are no physical security controls. There is no perimeter wall to surround the building. On entry, you do not find any identification proofs being asked. There is no baggage scanner.

An e-commerce company has around 50 computers in an office through which it manages its back-end operations. The systems are not connected to the Internet and hence no anti-virus solutions are installed on them. Moreover, anyone can log in to these systems as there is no authentication mechanism (simply stated, no username or password).

What do you make of the above scenarios? I sense that you understand that in both the above situations, there is a risk to the building and the company. Let’s understand the definitions of the three most commonly used terms in information security.

Vulnerability – Weakness. In other words, the inability to withstand the effects of a hostile environment. In terms of information security, the weakness may be physical or logical, i.e. it can be a hardware, software, human or physical weakness.

Now read the scenarios once again. Can you identify the vulnerabilities in these scenarios? In the first one, one of the weaknesses is the lack of a perimeter wall. Here the perimeter wall would be called a countermeasure. A countermeasure is a safeguard that is put in place. Hence vulnerability can also be defined as “lack of countermeasure”. Another weakness is that no identification proofs are asked for, which allows anyone to enter the building.

In the 2nd scenario, lack of antivirus solution will be considered as a vulnerability. The lack of any authentication mechanism is also a weakness.

Threat – Potential danger of the vulnerability being exploited. In the first scenario, there is a threat of a person entering the building and attacking it. In the 2nd scenario, there is a potential danger of the systems being exposed to viruses or encrypted via a ransomware attack. In both these cases, there is a potential danger of the weaknesses in the systems being exploited by an entity. This entity is known as the threat agent. So simply stated, the threat agent is an entity that can exploit the weaknesses in the system. A threat agent can be a person, a piece of software or a bot.

Risk – Read the above scenarios once again. What is the likelihood here that the building will be attacked or the systems will be hit with a ransomware attack? This probability, which you calculate or guess from your experience, is the risk. The risk in numerical terms will be a multiplication of threat and vulnerability, as defined in many books. If the vulnerability gets exploited by a threat agent, damage may occur. Hence, the real potential damage which can happen is Risk.

Let me ask you another question. Do you think the risk would change if I give you the additional information that the office building is near a military zone and the systems have the USB ports disabled? If your answer to this is yes, it’s great. This is called the context in which you talk about Risk. A risk is not something which is calculated once and acted upon, or which is common to every context or scenario. With changing scenarios, conditions and countermeasures, risk changes. Unfortunately, many organizations do not understand this fact.

Let’s consider the following scenario to understand these terms better once again.

JJ is the new security manager in a firm. He is asked to review the risk which his organization faces and submit a report. Upon analyzing the company controls, JJ finds that the company does not have an asset inventory in place. The users are also not aware of the policies and procedures of the organization.

1. What would JJ classify the awareness issue as?
   a. Threat
   b. Threat Agent
   c. Risk
   d. Vulnerability
2. How would you classify the asset inventory issue?
   a. Threat
   b. Threat Agent
   c. Risk
   d. Vulnerability

Write your answers in the comment section below. 

Monday, May 7, 2018

8 Important Cybersecurity lessons to learn from Avengers

1. Security isn’t just one person’s responsibility – To be truly effective, we need to develop a culture of security that transforms it into a company-wide effort. In most organizations, it is believed that security is the responsibility of either the security administrator or the chief security officer. It is the responsibility of everyone in the organization, from the foot soldier to the king.

2. Hackers hail from all over the world (maybe even beyond) – Your hacker can hail from any part of the world. The organization can be attacked from anywhere, not just from the district, state or country your organization is based in. Well, Thanos was not from this world and still he wanted something from Earth.

3. You need to be a team player – The security team needs to work with various cross-functional teams to achieve results. The Avengers show what a team means: you need to be a team player and keep aside your differences to ensure security is implemented in the best manner possible.

4. Communication is key – Your coworkers will always have different ideas, motivations, and communication styles than you do, so it's imperative that you take the time to actively listen to the other members of your team when they speak up with their ideas or objections.

5. Good security comes in layers – You're on a battlefield. There's an impenetrable mass of troops in front of you. You can't possibly break through it. What do you do? Defense In Depth is an ancient military strategy designed to solve exactly this problem. The battle in Wakanda shows that we need to be prepared on multiple fronts to save our precious infrastructure.

6. Improving security isn’t a once-in-a-lifetime activity – If you have followed Iron Man, who is an integral part of the Avengers, you would appreciate the changes which he has brought into his suit. The latest Iron Man suit in Avengers: Infinity War boasts of nanotechnology being integrated into it. In a similar sense, we need to bring about changes in our security deployment based on risk assessment done on a continuous basis.

7. Preparing for the Inevitable – We always need to be prepared for the inevitable. Security isn’t an activity which needs to be performed once in the morning, like brushing your teeth. Being prepared for an attack 24*7 by implementing various security controls is the key to survival.

8. Beware of “red flags.” – When security teams highlight the vulnerabilities through risk assessments, internal audits or when the SIEM tools beep continuously, do not ignore those red flags. If you ignore these early warnings, you may end up getting half of your organization’s finances and brand value wiped in no time.

Image Courtesy : Google & Marvel.