29. Vulnerabilities Part1
Now, in the term of threats, you’ve heard me say lots of different examples of threats. And, of course, I’ve talked a lot about natural events, the floods and the earthquakes, unintentional events. Well, you could make an argument that fires are generally unintentional. We don’t often plan them unless we’re an arsonist, but any number of things could happen that may cause that to occur. Other unintentional threats could very well just be again, power outages. I remember not too many years ago that the service provider I used for my email systems and my website was based in a large city, and they had some sort of event, something unintentional occur that caused a power line to go down.
And the automatic rerouting of power on the grid apparently overwhelmed this grid and caused an eight statewide shutdown of power that lasted for nearly half a day. All right, so I don’t know what the original outage was that caused this redirect, but that certainly sounds to me like something that was unintentional. Now, we could, of course, have intentional types of attacks that might be physically involved or intentional ones that are nonphysical. When I go back to unintentional, it doesn’t even have to be something like the power grid. It could just be somebody accidentally deleting a file, deleting a folder, deleting a database. Well, hopefully they didn’t do that accidentally.
But when we get into some of the intentional things, well, physical intentional might be theft. It could be malicious injury, arson. As I just mentioned before, physically stealing equipment such as your laptops or your hard drives, your intentional non physical would probably get us more into the hacker realm, where people are breaking into your systems, trying to take over. Your networks taking advantages of known vulnerabilities to do what we call owned the box and being able to steal information or use your own equipment against you.
30. Vulnerabilities Part2
Now these threats usually are relying on there being a vulnerability or a weakness. Now remember that a vulnerability is not a true or false condition. It can have different degrees. In other words, we’re not saying you either are vulnerable or you’re not vulnerable, but you may have some degree of different types of vulnerabilities and it’s important to estimate the degree of vulnerability. And that can only be done through testing or by having a group of subject matter experts who can be able to talk about how bad that might be. Now, examples of vulnerabilities could certainly be defective software. Now, defective software doesn’t mean that suddenly there’s a bug in it and somebody’s going to exploit it with a buffer overflow and own that program. It could mean that.
But remember I mentioned that part of the assets, especially information assets, is the integrity of the information. Defective software could very easily start producing improper output. That output might be things we make management decisions or business decisions on and certainly not at all a good place to be when you’re making the wrong kinds of decisions. I think of commercials I saw where somebody and this is more of an input error, but just imagine the program did this. They wanted to order five units of something and ended up getting 5000 units of something. And of course that’s where they were talking about they have this big sale, right? But decisions like that can be very disastrous.
If it was from defective software, it could be bad configurations as well. That’s always the issue. One of the things we tell people is that you should never have the default configuration on any network device. I remember I was with a friend, we were in Huntsville, Alabama, at a restaurant that advertised free WiFi. And so we were at this restaurant and we opened up our laptops and we were trying to figure out which WiFi access point it was the only one we saw said Linksys. Now, if you’re all familiar with these small home user devices, linksys is a company that makes access points for home users to make some very good ones. But by default it has SSID of linksys.
Okay? So when I saw that, actually when we both saw that, because we’re both in this kind of the security business, we immediately wondered to ourselves do you think that they just accepted the default configuration? Because if they did, that mean that we could connect to that access point with the username of admin, the password of admin, all published as the default configurations. And then once there, we could do almost anything we wanted to that access point. All right? What I can tell you is I didn’t do that, but somebody did. And I witnessed the fact that it was on its default configurations, potentially a very bad situation to be because of again, of the danger. It could also just be bad design. Now, bad design again, can come in a lot of different options and flavors. If I’m thinking about a network and let me talk about cellular companies. I’ve done a lot of work for a lot of the major cellular companies.
And I’ll tell you that one of the things they put at the high rate of what’s most important to them is that the network communications is always up. If there’s an outage, it becomes an instantaneous emergency and everybody works on it. Now, that outage could have come from a bad network design where they may have had a single point of failure, where losing one router, one switch, one port may have cut off an entire set of communication paths that would be part of a bad design. It might just simply have a vulnerability of not having enough people to cover what you need. It could be an issue of poor passwords or a lack of redundancy. Kind of goes back to that single point of failure idea as far as if one port goes down, traffic couldn’t reroute around a different direction, which would be bad if you’re in the middle of a phone call or needed to make a phone call. So all of these could be examples, as I said, about what a vulnerability might be.
31. Risks
Now, when we take a look at risks, it’s important to remember that we can’t eliminate all of the risks, but instead our goal is to reduce the risk to a point of acceptance. Now, there are a lot of different categorizations of risk, things that you may consider like facilities risk. I think we’ve talked a lot about physical facilities or risks of damage or theft, health and safety. Now we are of course talking about the people, but what exactly be talking about? Since we’re talking about information risk, a lot of you may say, well, where’s the health and safety come in? You can consider the fact that employee records and the information about the people are information we want to keep safe. Losing that could affect their safety, could affect the health of their identity through identity theft, things like that. Information security.
I think, again, we’ve covered a lot of ideas about those risks. Your control frameworks, okay, again, your controls are your policies, your standards and procedures and those things that we work with. And certainly there are some risks to having those incorrect, risks to the reputation, technology risks, the risks of criminal acts. If we’re dependent on suppliers, we have risks there as well. If I’m producing different types of widgets, but I need supplies, metal, steels, electrical items, and those don’t come in so I can’t assemble those. Those are issues that we have to deal with. And of course, as we look at the worldwide distribution of our goods, perhaps there are some other geopolitical types of issues we have to deal with as far as the types of risks we may encounter.
32. Analysis of Relevant Risks
One of the things we look at is the analysis of the relevant risks. Now, risk analysis is the phase where the level of risk is assessed and it’s understood. Now, this is the information that is first input into the decision that we’re going to use to determine which risks need to be treated as well as finding the most appropriate and costeffective methodology. Now, this should include really a thorough examination of the risk sources. How did we learn about this information of what the risks are? We have to realize that there are going to be some positive and negative consequences. Now, I like that. Again, that gets me back into the politician mode where it’s hard to support for any stance I take. There’s a good side and a bad side. It very well may be that I might have some positive results of managing my risks in reducing that risk.But it may have some negative consequences in changing the way in which we do business or the way in which users can interact with systems.
Maybe there are more hurdles they have to go through through authentication. And again, we can look at it from a positive negative, but we’re hoping for a net positive over any of the negative consequences. In other words, if it’s a little more burdensome to use a system for a user, but we have a positive indication of not losing information that could cripple our organization, that’s probably a good trade off. Now, remember, we also are interested in the likelihood that these risks may occur and we also have to have an assessment of what existing controls do. We have basically back to our resources. What do we already have in place and how are they working or how can we tune them or configure them to help us get us to that new desired set of security that we’re trying to achieve?
33. Risk Analysis
With risk analysis. There are a couple of ways that we can approach it. As we’ve talked about the qualitative analysis, which is a lot of I like to say guesswork, but it’s using expert opinions and advice to be able to help take a look at how well we think a risk may occur, what impact it potentially can have. And even in the looking at controls that we might use to mitigate those risks, the quantitative approach put hard numbers in there. But sometimes those numbers are hard to come by, and often we have to utilize a range of numbers. Some people even take a look at the quantitative and say it’s often best if we use the worst case scenario as the kind of numbers that we’re talking about.
And a semi quantitative risk is trying to put together the qualitative, the opinions with the quantitative analysis and often you might see a rating chart that kind of breaks the two of those together as a way of doing the analysis. Now, there are any number of methods that you can use to estimate risk, a lot of mathematical formulas you can use in a quantitative analysis, a lot of different methods to the qualitative analysis. And it’s important that you understand that there are ways, a lot of methods because when you look at a risk and you think about the consequences, there could actually be multiple consequences to any particular risk. We talk about the fact that you might lose customer information and although that may set back the company’s ability to process, we still have to worry about the fact that it could affect a reputation, affects future orders.
And so there you can kind of see that rippling effect, what we call a cascading effect and of course, that risk may, with multiple consequences could affect some of the objectives or different objectives that we’re trying to achieve. Now, there’s other information that we want to look at that we can put into as a factor into the risk analysis. One of the things we can do is learn from past experience to see what kind of effect or impact we had for certain types of loss of information or for risks having occurred. We can take a look at wellknown, reliable practices, sometimes even best practices. We may seek out the information or the, again, the opinions of specialists or expert advice on certain subject matters that we’re looking at. And there are a number of existing models and simulations that can help us in the estimation of the overall risk as we’re again going through the analysis portion.
34. Semi -Quantitative Analysis
Now with a semi quantitative analysis, what we’re looking at is, again, that kind of a combination of quantitative and qualitative. So what we do is we start off, of course, with what are the business assets and what are the threats. We have those in either the quantitative or qualitative environments. But what we do is we start looking for ratings for each threat, basically saying what would be the business impact? Now the ratings are going to be a combination of an opinion with a range of monetary impact. That’s where we get the semi quantitative. So two examples of doing the risk analysis might be if we’re looking at the likelihood that a risk could occur, and if we have a number rating scale of one through five or one through seven, we assign values to the objective or qualitative parts of our ratings.
If I give the likelihood a rating of one, then I’m saying maybe there’s really no meaningful impact. If the likelihood of that is a three, then maybe we’re saying that is a level that could have an impact on the organization’s brand and then maybe say with an estimation of about a $1 million loss. And so there you can see that I don’t have any completely hard numbers, but putting in kind of the range of numbers, along with the best opinion that we have based on the likelihood of what it could do, that’s kind of what we’re looking at is putting in this semi quantitative is having those kinds of charts where we have a value rating scale and a corresponding potential quantitative impact to be able to help us with making the opinion about looking at the risk, the likelihood of it and the impact and putting it all together.
35. Quantitative Analysis Example
Now, the quantitative analysis example, I’ve kind of went through it all for you, hopefully fairly well at the very beginning of this domain. And that was in computing things like the annual loss expectancy. Remember, that was a combination of the single loss expectancy and that was a basic multiplication of our exposure factor times the value of the asset. So now remember, the exposure factor was if this risk were to occur, if it happened, what would be the estimated damage? And we kind of put that into a percentage. And I used a Building Catching on Fire as an example, saying that according to best practices, to past experience, that our exposure factor is saying that we’d have a 50% loss of the facilities. And then we multiply that by the value of the facilities. And that gave us what we called the single loss expectancy.
And then we also wondered what is the rate of occurrence? Now, I made the rate of occurrence hopefully a little over exaggerated. I said occurs once every ten years. I’m hoping that’s not the case for most of your buildings because again, I wouldn’t occupy that one. But if we were to look at floods, again, exposure factor of floods times the value of the property, we have lots of historical data, right? We talk about past experiences. We have areas on maps that talk about if you’re in the ten year floodplain or the 100 year floodplain. And that kind of gives me an idea of the expected rate of occurrence, of what can go on. And it’s something we have to look at.
I mean, if you think about insurance companies, if you want to just plain old flood insurance for your house, and you built your house right on the bank of a river, let’s say on the bank of the Mississippi. That seems to have a rate of occurrence of, like, every three months of flooding. That’s going to probably price your cost of insurance out of the ordinary, where you probably could even afford or they might not even offer it because they realize that it’s a zero sum for them. So it is an important aspect that we look at when it comes to the rate of occurrence. I only make fun of the Mississippi because I remember down in St. Louis parking in a parking lot for a casino. And when I got out of that casino, one third of my car was underwater. The water had risen during the time that I was in there.
So it just hits me as this idea of was that the best place to park if I were to do that same type of risk analysis for parking my car anyway? So you can do the mathematics on that. It was at least a rental. All right. The other part of quantitative was the value at risk. Remember, again, that is something we’re looking at is based on our historical data and as well as the probability of loss. Now, with that information, remember the other aspect of that was later when we looked at controls that could have helped reduce that risk.
At some point our goal was to try to reduce that single loss expectancy that was annualized over time based on the rate of occurrence. And then we had to make the decision as to whether or not that cost of that control was sufficient for the savings that we were incurring. And altogether, that kind of puts in that quantitative analysis. And again, I realize coming up with hard numbers, sure, hard number for a server. I could say I’ve spent $50,000 in the hardware for maybe a cluster of servers and it’s running my web ecommerce site.
And even though I could tell you that those servers cost me $50,000, it’s hard to still say if the servers failed, how much business revenue did I lose from not being able to take sales or orders when that’s like my only method of being able to earn income for that corporation? So that’s where it gets a little trickier again to fully do a quantitative analysis. That’s why I said right at the very beginning that can be a very complex situation and a very time consuming but it is an important aspect that we have those values so that we can really determine what the impact is going to be. Especially as we’re eventually getting to the point where we try decide ways and methods to reduce or mitigate that risk.
36. Evaluation of Risks
Part of this analysis as well as the evaluation of risks. Now, at some point there has to be a decision that’s going to be made about which risks need treatment and what are their priorities. And that kind of goes back to the prioritization of the assets. Now, the decisions are usually going to be based on the level of risk and those again, are
related to the impact to our business that’s back to that prioritization, the likelihood of that event. And is there even an aggregated impact as well? Those are going to help put us on the list of which ones should we address, especially if I have limited resource or limited funds. We want to make sure we’re investing in a place that would have the most impact or would be the way of reducing the most loss to our organization.