Thursday, March 21, 2013

A Path to Understanding Risk

Part of the life of an information security professional is assessing risk, however we rarely feel that the likelihood and consequence we give a risk at the end of the day represents our true feelings about the risk.  That is because most of the processes we have for assessing risk are vague approximations of the true context we understand as professionals.  Whether it's an organic approach or an approach such as CVSS, it is usually a system for creating buckets that we try to capture the context of the risk in.  However, it ends up being like trying to set buckets outside to capture all of the rain.  Instead we need a way to capture the entire context of the risk as it exists in our minds.

1. Instead, we should start with what is in our head when we consider the risk.  A Narrative.  The narrative starts with a threat actor and ends when they accomplish their goal, realizing our risk along the way.  The narrative includes events that happen and conditions that exist or occur because of events in the narrative.  An example might be...
A thief wants to steal my dog.  He walks by my house and sees my dog in the window.  He walks up to the front door and rings the door bell.  I'm not home so nobody answers.  He then tries the door nob.  The door was unlocked so he walks in.  He picks up my dog and leaves.  The thief now has my dog and I do not.
In this example we have a threat actor, (the thief), his goal, (steal my dog), the consequence, (I no longer have my dog), multiple actions, (the thief walks by, he rings the doorbell, he walks in, etc), and multiple conditions, (my dog is in my house, I am not, my door is unlocked, etc).

Conditions represent many things.  The thief's goal and the consequence in the example above, (and in general), are conditions.  Mitigations and vulnerabilities are also conditions.  In the example, my door being unlocked is a vulnerable condition.  If I had a security system, that would be a mitigating condition.  This helps tie this approach back to our normal risk assessment process.

2. The next step is to understand the consequences.  I lost my dog, yes, but what was the impact? In the example, the impact is mostly personal.  However, in the real world, the impact should be assessed against the Business Mission.  The impact is likely a loss of:

  • Confidentiality
  • Integrity
  • Availability
  • Resources
  • Control
Some good questions to ask are:
  • Can the Information System's mission still be accomplished?
  • How is the mission degraded?
    • What are the secondary impacts to mission degradation (political, brand image, confidence, etc)
  • Is the mission recoverable?
    • What are the resources (cost, schedule, technical, risk) to recovery?
  • What happens if the mission is executed with incorrect information?
  • Does the loss of information decrease our (or our friends') ability to act?
  • Does the threat gaining information decrease our (or our friends) ability to act?
  • Does the threat gaining information increase their ability to act?
  • What additional control does the threat gain by realizing the risk (even if we do not lose control)?
3. From the narrative, create an attack path.  The attack path is going to include the same actors, conditions and events as above.  We're also going to add another element, an "attribute".  Attributes are characteristics that describe other steps in the attack path.  In our example, the thief has the attribute: "motive" = "wants my dog".  Additionally, the thief having the attribute "skill" = "lock picks" may make it more likely for him to open the door, even if it were locked.  Also, we can capture other, alternate approaches.  If the door was locked, the thief might try a window, the garage door, or a back door.  In our example, the attack path may look something like:

  1. - A Thief - Actor - 5 - A normal, everyday thief.
  2. - "Motive" = "Wants to steal my dog" - Attribute - 1 - I don't know why anyone would want to steal my dog.
  3. - Walks by my house - Event - 3 - Not many thieves walk by my house.
  4. - Sees my dog - Event - 1 - My dog is normally asleep on the couch where you can't see him.
  5. - Walks up to my door - Event - 5 - Walking up to my door is easy.
  6. - Rings the doorbell - Event - 5 - Anyone can ring my doorbell.
  7. - Nobody is home - Condition - 2 - My wife is usually at home when I'm not, but there are times when nobody's home.
  8. - Nobody answers door - Event - 5 - If no-one's home, of course no-one's going to answer the door.
  9. - Tries door nob - Event - 5 - Anyone can turn my doornob
  10. - Door's unlocked - Condition - 2 - The house is usually locked when no-ones at home.
  11. - Actor walks in - Event - 5 - The actor comes inside my house.  If the door is unlocked, there's nothing stopping him from doing this.
  12. - Actor picks up my dog - Event - 4 - My dog is kinda hard to pick up.
  13. - Actor leaves - Event - 4 - The actor leaves my house with my dog and without being caught.  Notionally he then walks to wherever he is parked with my dog in his hands.  While not completely likely, it's possible and I doubt anyone would stop him.
  14. - Actor has my dog - Condition - 5 - If they took it, they have it.
  15. - I don't have my dog - Condition - 5 - If they have my dog, I definitely don't.
  16. - "Impact" = "2" - Attribute - 5 - I like my dog, but I can find a new one.  Life could be worse.
Ultimately, you can make the attack path as detailed or as general as you want.  You can have more steps or fewer, more attributes or less, let it branch more or make it very linear.  I assessed likelihood and risk on a 1-5 scale.  You could do 1-3 (low, medium, high), or a percentage.  It really doesn't matter much.  There are ways to calculate a final number from this that are mathematically sound, but, more importantly, you can capture the risk and it's context as it exists in your mind.  You can also see what mitigating conditions and vulnerable conditions effect your risk.  And as you become more adept at it's use, you can combine the attack paths you collect into an attack graph to ultimately help you manage your information security posture.

1 comment:

  1. This comment has been removed by a blog administrator.