CISSP For Dummies

Beyond basic security fundamentals, the concepts of risk management are perhaps the most important and complex part of the information security and risk management domain. The CISSP candidate must fully understand the risk management triple; quantitative compared with qualitative risk assessment methodologies, risk calculations, and safeguard selection criteria and objectives.

The business of information security is all about risk management. A risk comprises a threat and a vulnerability of an asset, defined as follows:

• Threat: Any natural or man-made circumstance or event that could have an adverse or undesirable impact, minor or major, on an organizational asset.

• Vulnerability: The absence or weakness of a safeguard in an asset that makes a threat potentially more harmful or costly, more likely to occur, or likely to occur more frequently.

• Asset: An asset is a resource, process, product, or system that has some value to an organization and must therefore be protected. Assets may be tangible (computers, data, software, records) or intangible (privacy, access, public image, ethics), and may likewise have a tangible value (purchase price) or intangible value (competitive advantage).

Threat x Vulnerability = Risk

 Instant Answer   The risk management triple consists of an asset, a threat, and a vulnerability.

Risk can never be completely eliminated. Given sufficient time, resources, motivation, and money, any system or environment, no matter how secure, can eventually be compromised. Some threats or events, such as natural disasters, are entirely beyond our control and are largely unpredictable. Therefore, the main goal of risk management is risk mitigation: reducing risk to a level that’s acceptable to an organization. Risk management comprises the following three main elements:

• Identification

• Analysis

• Control

Risk identification

A preliminary step in risk management is risk identification. Risk identification involves identifying specific elements of the three components of risk: assets, threats, and vulnerabilities.

Asset valuation

Identifying an organization’s assets and determining their value is a critical step in determining the appropriate level of security. The value of an asset to an organization can be both quantitative (related to its cost) and qualitative (its relative importance). An inaccurate or hastily conducted asset valuation process can have the following consequences:

• Poorly chosen or improperly implemented controls

• Controls that aren’t cost-effective

• Controls protect the wrong asset

 Instant Answer   A properly conducted asset valuation process has several benefits to an organization:

• Supports quantitative and qualitative risk assessments, business impact assessments, and security auditing

• Facilitates cost-benefit analysis and supports management decisions regarding selection of appropriate safeguards

• Can be used to determine insurance requirements, budgeting, and replacement costs

• Helps demonstrate due care and limit personal liability

Three basic elements used to determine the value of an asset are

• Initial and maintenance costs: This is most often a tangible dollar value and may include purchasing, licensing, development, maintenance, and support costs.

• Organizational (or internal) value: This is often a difficult and intangible value. It may include the cost of creating, acquiring, and re-creating information, and the business impact or loss if the information is lost or compromised. It can also include liability costs associated with privacy issues, personal injury, and death.

• Public (or external) value: Another difficult and often intangible cost, public value can include loss of proprietary information or processes and loss of business reputation.

Threat analysis

Threat analysis involves the following four steps:

1. Define the actual threat.

2. Identify possible consequences to the organization if the threat is realized.

3. Determine the probable frequency of a threat.

4. Assess the probability that a threat will actually materialize.

For example, a company with a major distribution center located along the Gulf Coast of the United States may be concerned about hurricanes. Possible consequences may include power outages, wind damage, and flooding. Based on climatology, the company can determine that an annual average of three hurricanes pass within 50 miles of its location between June and September and that a high probability exists of a hurricane actually affecting the company’s operations during this period. During the remainder of the year, the threat of hurricanes is a low probability.

The number and types of threats that an organization must consider can be overwhelming but can generally be categorized as

• Natural: Earthquakes, floods, hurricanes, lightning, fire, and so on

• Man-made: Unauthorized access, data entry errors, strikes/labor disputes, theft, terrorism, social engineering, malicious code and viruses, and so on

 Warning   Not all threats can be easily or rigidly classified. For example, fires and utility losses can be both natural and man-made. See Chapter 11 for more on disaster recovery.

Vulnerability assessment

A vulnerability assessment provides a valuable baseline for determining appropriate and necessary safeguards. For example, a Denial of Service threat may exist based on a vulnerability found in Microsoft’s implementation of Domain Name System (DNS). However, if an organization’s DNS servers have been properly patched or the organization uses a UNIX-based BIND (Berkeley Internet Name Domain) server, the specific vulnerability may already have been adequately addressed, and no additional safeguards may be necessary for that threat.

Risk analysis

The next element in risk management is risk analysis. A risk analysis brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization for developing an effective risk management strategy.

 Instant Answer   A risk analysis involves the following four steps:

1. Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization. This is a component of risk identification (asset valuation).

2. Define specific threats, including threat frequency and impact data. Again, this is a component of risk identification (threat analysis).

3. Calculate Annualized Loss Expectancy (ALE). ALE calculation is a fundamental concept in risk analysis; we discuss this in further detail later in this section.

4. Select appropriate safeguards. This is a component of both risk identification (vulnerability assessment) and risk control (which we discuss later in this chapter).

The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. The estimated annual loss for a threat or event, expressed in dollars, ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. ALE is determined by this formula:

SLE x ARO = ALE

where

• Single Loss Expectancy (SLE) is a measure of the loss incurred from a single realized threat or event, expressed in dollars. It is calculated as Asset Value ($) x Exposure Factor (EF).

• Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage.

• Annualized Rate of Occurrence (ARO) is the estimated annual frequency of occurrence for a threat or event.

The two major types of risk analysis are quantitative and qualitative.

Quantitative risk analysis

A fully quantitative risk analysis requires all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, to be measured and assigned a numeric value. However, assigning a value to every component associated with a risk (safeguard effectiveness and uncertainty) isn’t possible, so you must apply some qualitative measures.

 Instant Answer   A quantitative risk analysis attempts to assign an objective numeric value (cost) to the components (assets and threats) of the risk analysis.

Achieving a purely quantitative risk analysis is impossible.

Advantages of a quantitative compared with qualitative risk analysis include the following:

• Financial costs are defined; therefore, cost-benefit analysis is possible.

• More concise, specific data supports analysis; thus, fewer assumptions and less guesswork are required.

• Analysis and calculations can often be automated.

• Specific quantifiable results are easier to communicate to executives and senior-level management.

Disadvantages of a quantitative compared with qualitative risk analysis include the following:

• Many complex calculations are usually required.

• Time and work effort involved is relatively high.

• Volume of input data required is relatively high.

• Some assumptions are required. Purely quantitative risk analysis is generally not possible or practical.

Qualitative risk analysis

Qualitative risk analysis is more subjective than a quantitative risk analysis; and, unlike a quantitative risk analysis, it’s possible to conduct a purely qualitative risk analysis. The challenge of a qualitative risk analysis is developing real scenarios that describe a threat and potential losses to organizational assets.

Advantages of a qualitative compared with quantitative risk analysis include

• No complex calculations are required.

• Time and work effort involved is relatively low.

• Volume of input data required is relatively low.

Disadvantages of a qualitative compared with quantitative risk analysis include

• No financial costs are defined; therefore, cost-benefit analysis isn’t possible.

• Because qualitative risk analysis is less concise, it naturally relies more on assumptions and guesswork.

• Generally, qualitative risk analysis can’t be automated.

• Qualitative risk analysis is less easily communicated. (Executives seem to understand This will cost us $3 million better than This will cause an unspecified loss at an undetermined future date.)

 Instant Answer   A qualitative risk analysis is scenario-driven and doesn’t attempt to assign numeric values to the components (assets and threats) of the risk analysis.

Risk control

A properly conducted risk analysis provides the basis for selecting appropriate safeguards and countermeasures. A safeguard is a control or countermeasure that reduces risk associated with a specific threat. The absence of a safeguard against a threat creates a vulnerability and increases the risk.

 Instant Answer   Safeguards counter risks through one of three general remedies:

• Risk reduction: Mitigating risk by implementing the necessary security controls, policies, and procedures to protect an asset. This can be achieved by altering, reducing, or eliminating the threat and/or vulnerability associated with the risk.

  This is the most common risk control remedy.

• Risk assignment (or transference): Transferring the potential loss associated with a risk to a third party, such as an insurance company.

• Risk acceptance: Accepting the loss associated with a potential risk. This is sometimes done for convenience (not prudent) but more appropriately when the cost of other countermeasures is prohibitive and the potential risk probability is low.

Several criteria for selecting safeguards include cost-effectiveness, legal liability, operational impact, and technical factors.

Cost-effectiveness

The most common criterion for safeguard selection is cost-effectiveness, which is determined through cost-benefit analysis. Cost-benefit analysis for a given safeguard or collection of safeguards can be computed as follows:

ALE before safeguard – ALE after safeguard – cost of safeguard = value of safeguard to the organization

For example, if the ALE associated with a specific threat (data loss) is $1,000,000; the ALE after a safeguard (enterprise tape backup) has been implemented is $10,000 (recovery time); and the cost of the safeguard (purchase, installation, training, and maintenance) is $140,000; then the value of the safeguard to the organization is $850,000.

When calculating the cost of the safeguard, you should consider the total cost of ownership, including

• Purchase, development, and licensing

• Testing and installation

• Normal operating costs

• Resource allocation

• Maintenance and repair

• Production or service disruptions

The total cost of a safeguard is normally stated as an annualized amount.

Legal liability

An organization that fails to implement a safeguard against a threat is exposed to legal liability if the cost to implement a safeguard is less than the loss resulting from a realized threat. The legal liability we’re talking about here could encompass statutory liability (as a result of failing to obey the law) or civil liability (as a result of failing to comply with a legal contract). A cost-benefit analysis is a useful tool for determining legal liability.

Operational impact

The operational impact of a safeguard must also be considered. If a safeguard is too difficult to implement and operate, or interferes excessively with normal operations or production, it will be circumvented or ignored and thus not be effective.

Technical factors

The safeguard itself should not introduce new vulnerabilities. For example, improper placement, configuration, or operation of a safeguard can cause new vulnerabilities; lack of fail-safe capabilities, insufficient auditing and accounting features, or improper reset functions can cause asset damage or destruction. Finally, covert channel access or other unsafe conditions are technical issues that can create new vulnerabilities.