Risk Assessment+
There's a COVID joke here... somewhere...
Hello all.
This post will discuss Risk Assessment. Not only is it on the Security+ exam, but it is crucial that those in managerial positions understand the role of risk assessment in terms of network and system maintenance.
What is risk assessment?
Risk assessment is defined as the process in determining how much risk exists within a network or system. It is a process that is derived from risk management. Risk management is used to minimize the likelihood of a negative situation occurring.
Risk management is the trade-off that managers, CEOs, and other upper-echelon employees decide on to see what parts of a system or network can be sacrificed in order to provide either more security or more ease-of-access. The “negative situations” could either be situations of security (e.g. unauthorized access) or situations of convenience (e.g. logging in to the mainframe).
For example, it would be extremely easy to let employees log in to the mainframe with just a single master password, but it would be extremely risky! Should an employee give up that password to someone who is not authorized to have it, a catastrophic situation could occur. However, on the other hand, it would be ridiculously difficult to set up a server machine firewalled off so that it can only be accessed physically, but it would be a much more secure method of authentication (think those spy movies where the guy goes past 8 different doors with a keycard, hand, retina scan, and all that jazz).
Having proper risk management is crucial to any organization. It is a hotly contested debate among those who want things to be done easily, and those who want things to be done right.
Risk & Vulnerabilities
Risk is defined as “the probability that a threat will be realized”. If you remember the Malware post, we briefly touched on zero-day vulnerabilities. These zero-days are a situation in which an unknown threat is realized, meaning that one could not properly assess the risk because the risk gave the appearance of being non-existent.
Risk is a balancing act between vulnerability versus threat. Let’s say you open up your FTP port 21 on your laptop for external connections. Everyone who sees your machine and its FTP port open on the internet can attempt to access it via FTP. This is your threat. You are threatened by outside, unauthorized people who can attempt to access your machine. A threat is a condition in which your technology systems could be harmed, destroyed, or compromised. Threats are external and out of your control. You can only mitigate threats, not destroy them.
In a basic case, the only thing keeping those unauthorized from accessing your files through FTP is a password. That is your vulnerability. A vulnerability is the weakness or weaknesses in the design or implementation of a system. If the only thing keeping people from your laptop files is a password, you have a high vulnerability, especially if you have a crappy password. Know that vulnerabilities are almost always in your control.
A more proper method of opening FTP on your local machine would be to use something more secure (like SFTP for encrypted transfers) with a public/private key setup, essentially whitelisting yourself for connection attempts.
Threats and vulnerabilities are not mutually inclusive. If you have a threat, but no vulnerability, then you have no risk. Likewise, if you have a vulnerability, but no threat, then you also have no risk.
Risk Assessment Methods
Risk can be assessed through a variety of different methods, including mathematical computations (creating a matrix-like figure or heatmap for calculations), assessment and analysis techniques (red-team situations i.e. pentest), or just subjectively guessing (idiocy).
I cannot answer any questions concerning your company and what an “acceptable” amount of risk is. That is different for every organization’s situation. By conducting a risk assessment, you identify the risks that exist, the likelihood of these risks causing an issue, and how much it would cost if the risk is realized by a threat.
There are four ways of performing a risk assessment:
Identify Assets
Make a laundry list of important things that your organization owns.
This can be servers, routers, security cameras, EVEN FISH TANKS.
Identify Vulnerabilities
You have options concerning vulnerabilities such as vulnerability assessments, vulnerability scans (Shodan has one for example), or the conduction of a pentest.
Identify Threats
Straightforward, but remember what I said earlier? If you have a threat, but no vulnerability associated with that threat, then you have no risk.
Identify Impact
Should the risk be realized, what would the impact of it be? Would it be worth the risk?
This is the final step and is the deciding factor of accepting risk which is discussed below.
Dealing with Risk
There are four ways of dealing with risk:
Avoid
A situation in which you either stop the activity that has risk, or you choose an alternate activity that is less risky.
For example, you are running a server farm where 20% of the machines are running Windows 7 (NGMI if you’re running that btw). Avoiding the risk with an EOL Windows installation would be to obviously upgrade to a Windows version that is still being supported.
Transfer
Risk transfer is when you would pass the risk to a third party. Think hiring blue-team infosec contractors to assess your systems.
Another situation is buying cyber insurance… but PLEASE FOR THE LOVE OF GOD DO NOT DO THIS (not financial advice btw).
Mitigate
To minimize risk to an acceptable level. If you get a pentest done on your network/systems, afterwards, the red-team will (hopefully) discuss the vulnerabilities that can be exploited and offer solutions to mitigate the risk involved with these vulnerabilities.
Another easy example is to update your software. (Duh!)
Accept
To accept the risk and the costs if the risk is realized.
Let’s be honest, there is no such thing as “no risk”. You can perform any and all of the three above methods, but it is practically impossible to remove all risk. Please consider the below meme as to why.
The remaining risk that remains after performing mitigation techniques is known as residual risk.
Quantitative and Qualitative
Remember this from middle school? Yeah you do.
There are two different ways of measuring risk: qualitatively and quantitatively.
Qualitative Assessment
Qualitative assessment uses intuition, experience, and other relevant methods to assign a relative value to risk.
Think of how your grandma stores her passwords. She probably has them written in her phone notes. To her, it doesn’t appear to be that risky. However, if you asked someone like BowTiedCyber, BowTiedFren, or myself on how we would assess the risk of doing that, we would collectively have a heart attack. You don’t want your grandma doing a pentest on your network, do you?
Note that experience is critical. Qualitative assessments are subjective. Therefore, having an experienced team performing your assessment is crucial.
Quantitative Assessment
Quantitative assessment heavily relies on numbers and monetary values to calculate risk. This removes the estimation and guesswork, essentially removing all biases and running strictly on numbers in terms of risk management.
The estimation of the amount of damage that a negative risk may achieve is known as magnitude of impact. This is seen more often in quantitative assessments as managers want to see numbers in association with possible losses.
Terms used in quantitative assessments:
Asset Value (AV)
Exposure Factor (EF)
The factor of adjustment that is implemented if a threat is realized (usually a percentage).
Single Loss Expectancy (SLE)
Cost associated with the realization of each individualized threat that occurs.
SLE = AV * EF
Annualized Rate of Occurrence (ARO)
Annualized Loss Expectancy (ALE)
Expected cost of a realized threat over a given year.
ALE = SLE * ARO
In reality, a good IT directory will adopt a hybrid approach. This is the combination of experience alongside numerical calculations to determine a proper risk approach.
Methodologies
In order to assess risk, you must also assess security. Security is what is used to thwart attacks on your systems and network.
Security Assessments verify that an organization’s security situation is designed and configured to properly thwart attacks. Risk assessments, internal/external audits, and vulnerability assessments fall under this blanketing term.
Some assessments are required by law. For example, if you store credit card information on one of your database (like Amazon), you fall under the Payment Card Industry Digital Security Standard (PCIDSS).
There are 2 types of methodologies associated with these assessments:
Active
Utilize intrusive techniques such as scanning, hands-on testing, and probing of system/network(s) to determine vulnerabilities.
Passive
Utilize open-source information/intelligence (OSINT), passive data collection, and other unobtrusive analysis without making direct contact with the targeted systems/network(s).
A common methodical approach is starting off with a passive approach and then shifting into a more active approach as you gain more detailed information about a system/network.
This concludes this week’s free post. There is a bit more information concerning risk such as security controls, but those can be discussed at another time.
The above is not legal/financial advice.
Thanks for reading!