Information System
Much is Enough?
Two generally accepted notions of information system security are that it is expensive, and that a system's usefulness is inversely proportional to its degree of security. Senior policy- and decision-makers face a daunting challenge in determining "how much security". Adding layer after layer of security measures can become unaffordable, in terms of direct and indirect costs and diminishing utility of the information system. Further, a haphazard application of security measures may leave critical vulnerabilities exposed, or result in unnecessary protection being applied.
In the development of systems of any type, good systems engineering practice calls for a thorough requirement analysis and a process to trace requirements throughout system development in order to ensure that the final product meets the original need. In the field of information system security, the equivalent of the requirement analysis is a risk assessment. When established in policy as a specified methodology tailored to an organization's needs, it serves multiple purposes. It can be a disciplined, repeatable process for identifying security needs. It forms a basis for subsequent security review during the lifecycle of an information system. It can aid management in making decisions on expenditures, and also assist the security professional by presenting sound justification to management for particular measures. The ideal outcome, obviously, would be to implement sufficient security, yet no more security than is affordable and whose cost is properly justified.
The Department of Defense and the armed services within it have established extensive policies regarding information system security. A part of those policies is the Defense Information Technology Security Certification and Accreditation Process (DITSCAP), a deliberate process that leads to an appropriate level of security certification and finally accreditation by a Designated Approving Authority (DAA). The final accreditation is a part of the "building permit" required prior to installation or modification of an information system. The DITSCAP applies to all information systems, whether classified or unclassified, and is tailored to each system according to the sensitivity of the information it processes.
When security measures are applied to a system, there is always some remaining, or residual, risk. For example, although a well-designed firewall provides significant protection to a network, there is still risk of insider attacks or data-driven attacks being introduced via legitimate access protocols. Accreditation by the DAA implies that the DAA has reviewed the system's security posture, and deems any residual risk as acceptable. The DITSCAP prescribes a Risk Assessment as the basis for identifying appropriate and effective security measures and for aiding the DAA in determining the residual risk. Specific risk assessment methodologies are numerous and almost always tailored to the system under consideration. The remainder of this paper discusses one approach.
Risk Assessment 101.
The elements of a good risk assessment include:
The business or operational assessment is done to gain an understanding of the people, systems and processes of an organization, and an estimate of the external environment in which they operate. It provides necessary context for the remainder of the risk assessment. It provides insight that will be needed later in the process for making decisions.
The asset valuation consists of identifying assets and assigning each a value. The effort requires some thought, because the term "asset" means more than physical items like computers or network infrastructure. Intellectual property, proprietary information and professional reputation are less tangible, but are assets nonetheless, and are vulnerable to various security problems. Also, an organization's assets may have value to others outside the organization, which should perhaps be considered in this process. The analysis may be quantitative or qualitative or both. For example, real property has a clear monetary cost associated. The value of professional reputation is much harder to quantify. However, in order to make subsequent decisions on the basis of cost-benefit tradeoffs, some kind of cost or weight that indicates the consequences of losing each asset is required.
For purposes of the risk assessment, threats are defined as events or circumstances that can harm a system. In the threat assessment, all possible threats are first identified. Then the likelihood of each threat is estimated. To be thorough, the threat identification should include anything that can compromise the confidentiality, integrity or availability of a system. That means that fire, theft, natural disaster and others need to be considered alongside viruses, network penetration and denial of service attacks. The likelihood of some threats may be estimated through historical data, while that of others will be based on experience and judgement. The threat likelihood is expressed as a probability between 0 and 1.
The vulnerability assessment is the deliberate examination of the system to determine its weaknesses. Vulnerabilities are deficiencies in design, controls, procedures etc. that can be exploited. The vulnerability assessment considers existing security countermeasures, and is used to determine which threats are carried forward to the next step of the risk assessment. There is clearly no need to consider implementing countermeasures for a threat against which a system is deemed not vulnerable. It is important, however, to initially list all threats and vulnerabilities for purposes of future review. Sources for identifying potential vulnerabilities include:
Checklist-driven, non-technical means (observation, demonstration, interview, and document analysis) are used to provide information pertinent to the physical, personnel, administrative, procedural, and operations security factors of the vulnerability assessment. Technical tools such as network security tools, password crackers and war dialers may be employed in internal or external attack modes to determine the level of access that a valid user or intruder could obtain.
Risk is the combination of the probability of a threat, and the resulting impact on assets. The risk analysis is the process of analyzing the threat probabilities and resultant consequences from the previous steps of the risk assessment. It considers which assets are vulnerable to which threats, and to what degree. It is intended to highlight the difference between low-value assets vulnerable to low-probability threats versus high-value assets vulnerable to high-probability threats, and all combinations in between. A simple method: first estimate which assets are vulnerable to which threats. Multiply the threat probabilities times the values of the assets each threat may affect. This provides a "weight" that is a measure of risk.
The countermeasure assessment identifies countermeasures that may be required and strikes a balance between risk identified in the previous step and the cost of implementing specific countermeasures to reduce it. Further, this assessment should help determine the sequence in which countermeasures will be implemented should time or money preclude simultaneous implementation. It is certainly conceivable that the risk analysis and countermeasure assessment will show that no additional countermeasures are needed.
Finally, a test is conducted to validate the work. The validation testing may repeat some of the activity of the vulnerability assessment, but is in no way limited to that. The interest is in being thorough, in order to determine risk remaining after application of selected countermeasures.
A thoroughly documented risk assessment requires considerable time and effort, but is well worth the expense on all but the most trivial networks and systems. It provides facts, rather than guesses, regarding specific security measures to be implemented for a given system. It provides a complete picture and a common understanding to both top-level management and the security practitioner, and enables sound decisions regarding cost, system utility and adequate security.
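The risk analysis and countermeasure assessment described in the two preceding paragraphs, worked through in code. This is an added example, not part of the paper; the asset values, threat probabilities, exposure table and countermeasure costs are constructed sample figures, and the ranking rule (risk reduction per unit cost) is one way to derive the implementation sequence the paper calls for.

```python
# Added example (not from the paper): risk weights = threat probability x asset
# value, followed by ranking candidate countermeasures by risk reduction per
# unit cost to get an implementation sequence under a limited budget.
from dataclasses import dataclass

# Constructed asset valuation (values in arbitrary cost units).
ASSETS = {"customer_db": 500_000, "web_server": 50_000, "reputation": 200_000}

# Constructed threat likelihoods, each a probability between 0 and 1.
THREATS = {"network_penetration": 0.30, "fire": 0.02, "insider_misuse": 0.10}

# Vulnerability assessment result: threats each asset is actually exposed to.
# Only these (asset, threat) pairs are carried forward into the risk analysis.
EXPOSURE = {
    "customer_db": {"network_penetration", "insider_misuse", "fire"},
    "web_server": {"network_penetration", "fire"},
    "reputation": {"network_penetration", "insider_misuse"},
}

@dataclass
class Countermeasure:
    name: str
    cost: float
    # Threat -> fraction by which the measure cuts that threat's probability
    # (1.0 would remove the threat entirely). Constructed estimates.
    reduces: dict

CANDIDATES = [
    Countermeasure("firewall", 20_000, {"network_penetration": 0.8}),
    Countermeasure("sprinklers", 15_000, {"fire": 0.9}),
    Countermeasure("access_review", 5_000, {"insider_misuse": 0.5}),
]

def risk_weights(assets, threats, exposure):
    """Risk 'weight' per exposed (asset, threat) pair: probability x value."""
    return {(a, t): threats[t] * assets[a] for a in assets for t in exposure.get(a, ())}

def total_risk(assets, threats, exposure):
    return sum(risk_weights(assets, threats, exposure).values())

def residual_risk(assets, threats, exposure, measures):
    """Total risk remaining once the given countermeasures are applied."""
    adjusted = dict(threats)
    for m in measures:
        for t, fraction in m.reduces.items():
            adjusted[t] *= 1 - fraction
    return total_risk(assets, adjusted, exposure)

def rank_countermeasures(assets, threats, exposure, candidates):
    """(name, risk reduction per unit cost), best value first = sequence."""
    base = total_risk(assets, threats, exposure)
    scored = [(m.name, (base - residual_risk(assets, threats, exposure, [m])) / m.cost)
              for m in candidates]
    return sorted(scored, key=lambda s: s[1], reverse=True)
```

With these figures the firewall and the access review both pay back far more risk per unit cost than sprinklers, so they come first in the sequence; the residual after all three is what the validation test in the next step would then try to confirm.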