RISK MANAGEMENT AND INFORMATION SECURITY
Presented at the 11th Computer Security Applications Conference
Abstract

Risk is inherent in life. As it is the antithesis of security, we naturally strive to eliminate risk. As worthy as that goal is, however, we learn with each experience that complete security is never possible. Even if it were possible to eliminate all risk, the cost of achieving that total risk avoidance would have to be compared against the cost of the possible losses resulting from having accepted rather than having eliminated risk. The results of such an analysis could include pragmatic decisions as to whether achieving risk avoidance at such cost was reasonable. Applying reason in choosing how much risk we can accept and, hence, how much security we can afford is risk management. Some inherent vulnerabilities can never be eliminated fully, nor would the cost and benefit warrant this risk avoidance approach. In most cases, however, it is possible to balance the risk of loss or damage of disclosure against the costs of countermeasures and select a mix that provides adequate protection without excessive cost in dollars or in the efficient flow of information to those who require ready access to it. We can and must provide a rational, cost-effective, and enduring framework using risk management as the underlying basis for security decision making.

Redefining Security, Report of the Joint Security Commission, February 28, 1994

Thinking About Risk

Risk = Threat x Vulnerability x Impact

It is useful in thinking about risk management to use a sort of formula. This formula is not meant to be taken as a mathematical equation for use in making quantitative determinations of risk level. Actually, the formula can be made mathematically rigorous using probability theory, a discipline known as "probabilistic risk assessment", and works well when it is possible to obtain representative statistical data about possible events.
Such an approach has been used with some success in predicting failures of spacecraft, nuclear power plants, and other systems where such values as mean time between failures can be calculated for components and subsystems. It works less well when probability distributions are less well-behaved or are unknown, as is unfortunately usually the case in trying to predict the frequency or success rates of attacks on information assets or systems. Our formula is better taken as an algorithm for use in thinking about the factors that enter into risk management and in assessing the qualitative level of danger posed in a given situation. Natural disasters represent very real dangers to people, facilities, equipment and other assets, including information and information systems, and have to be considered by managers as part of the larger issue of disaster planning. Reliability and the steps necessary to allow for and deal with reliability failures are also risk management issues for managers. Here we use the word "threat" in describing a more limited component of risk. Threats are posed by organizations or individuals who both intend us harm and have the capability to accomplish their intentions. These types of threat and measures that may be taken to reduce or eliminate the risks they create are the principal subject of this paper. They may take the form of enemy armed forces, spies, criminals, terrorists, psychotics, computer hackers, drug lords or saboteurs. Their organizations may be formal, as are foreign governments' armies or intelligence services, or informal, like the terrorist group that attacked the World Trade Center or hacker groups like the Legion of Doom or Chaos. 
Threats to our information or to our computer processing and communications systems may be from outsiders seeking access to our information assets, but more often are insiders: traitors who turn over their country's secrets for money or ideological reasons, white-collar criminals, or disgruntled employees harboring real or imagined grievances. In real-world security situations, threats do not occur one at a time, or even independently.

Vulnerabilities are characteristics of our situations, systems, or facilities that can be exploited by a threat to do us harm. A vulnerability for which there is no credible threat does not require a response by the security processes. Examples of vulnerabilities include structural weaknesses of buildings located in earthquake territory, weak and easily discoverable passwords on our computers and networks, easily penetrated facilities, unvetted personnel, or operations carried out in such a way that outsiders can detect their existence and analyze their objectives. Careful attention to the design of our facilities and systems can reduce or eliminate vulnerabilities: locks and barriers can be strengthened, fences raised, alarms and monitors installed, computer systems upgraded to incorporate security features, sprinkler systems installed and a wealth of other features, devices and procedures implemented to reduce vulnerabilities.

With the appearance of devices to capture and analyze packets on networks, so-called "sniffers", the classical approach to access control using passwords assigned to specific users has become a significant vulnerability on most systems and networks. It was always true that failure to change default passwords or the use of easily guessed passwords like one's own name represented a vulnerability that could be and was exploited by hackers.
Eventually, every dictionary word came to fall into the category "easily guessed" because the hackers just encrypted the entire dictionary and compared it to stolen lists of encrypted passwords, working backward to find the actual password. Still, combinations of letters and numbers or nonsense strings of characters were hard to break until sniffers were discovered by the hackers. Using the sniffer in a method analogous to a telephone wiretap, the hacker collects packets traversing the network from user to server. The packets contain the user identifier and password, which the hacker can then use to masquerade as the licit user, no matter how complex the password might be. Any reusable password is, then, vulnerable to exploitation. Before considering how to abate the resulting risk, however, we have to note that even if we can solve the reusable password problem, we still won't have made our system secure, merely improved its security.

Just as Shakespeare said, "Troubles come not as single spies," nor do threats. Most managers must consider the possible consequences of attacks from a variety of different threats, each of which may act on a specific vulnerability different from those attempted to be exploited by other independent threats, and any of which may be unrecognized. Ordinarily, threats to information and information systems are paired with a specific line of attack or set of vulnerabilities. Since a threat which has no vulnerability it is capable of exploiting creates no risk, it is useful to deal with threat-vulnerability pairings in the risk management process. We must always be careful, of course, to recognize that there is not a one-to-one correspondence, so we cannot depend upon elimination of a vulnerability to necessarily neutralize a threat, nor upon elimination of a threat to mean that a vulnerability can be tolerated safely. The numerator of our equation is, therefore, a sum of threat-vulnerability products.
Any threat with no associated vulnerability or vulnerability with no threat results in a zero addition to risk, simplifying its analysis.

Countermeasures may abate the danger even if there is both a malevolent and capable threat as well as a vulnerability which can be exploited by that threat. All else being equal, more countermeasures mean less risk, so countermeasures appear in the denominator in our algorithm. Guards can be hired, personnel subjected to background investigations or polygraph examinations, badges may be used to identify authorized personnel, procedures implemented in our computer systems and networks to back up databases and to enforce sound password practices, and so forth. Such countermeasures reduce the likelihood of a successful attack and so lessen risk.

With regard to the problem of reusable passwords, the countermeasure is to use passwords only once. Several methods are available for implementing such "one-time passwords." A pseudorandom generator function R(t, su), which takes as its input the time t and a seed key su and generates a number apparently at random but in fact deterministically, can easily be used if the user and server can synchronize their clocks. The user and the server then both know the time, the seed key and the function and can generate the same value, which is used as the password. The password is no longer valid a minute later, since t will have changed and hence R(t, su) will generate a different value. Of course, a fast-typing hacker with a sniffer may be able to log on immediately behind the licit user if multiple simultaneous logons are permitted, another vulnerability that must be corrected. Other approaches involve a challenge and response, using a function F(c, su) which is not time dependent but which is known to both user and server. Also known to both is the user's assigned seed key su, which must be kept private between the two.
The user supplies his or her user id and the server responds with a challenge, a randomly chosen value c. The user calculates F(c, su), which is returned to the server as the password. Knowing F, c and su, the server can check the response to validate the user's access authority. As with time-dependent functions, multiple simultaneous logons must be disabled if dexterous hackers with sniffers are to be defeated.

The impact of a successful attack depends upon the value of the target. If the impact of a security failure is small, allocation of scarce resources to security systems and processes can also be small. For example, the loss of some routine office correspondence might occasion little concern. Conversely, the consequences of some security failures are exceptionally dire. Failure of the public switched network that carries our telephone and computer communications could be devastating to the nation's economy or could inhibit deployment of military forces, emergency response teams or law enforcement officials. The use of nuclear, chemical or biological weapons by terrorists, penetration of our cryptographic systems by foreign intelligence services, or foreknowledge of our strategic and tactical war plans by our enemies could have consequences for our country too severe to permit the smallest relaxation of security, even if such threats are relatively unlikely and the cost of protection is high. In the extreme cases, infowar attacks on a nation's information infrastructure could be so serious as to determine the outcome of a geopolitical crisis without a single shot being fired. Obviously, as the value of the target rises, the impact of a successful attack goes up as well, and so our sense of risk increases. Consequently, impact is a multiplier in our algorithm.

Managing risk

As we have noted, in the real world of information protection, it is not possible to evaluate in any quantitative sense the factors in the risk management algorithm.
The cost of some countermeasures like alarm systems or insurance may be ascertainable, although acquiring information about the cost of countermeasures turns out to be surprisingly difficult using current methods of accounting. What portion of the cost of a wall is attributable to security? If computers that are shielded against emission of potentially compromising radiations are an option, are both cases (with and without shielding) costed independently and compared? Even if it were easy to determine the cost of potential countermeasures, the likelihood of the threat successfully attacking, the extent of our vulnerabilities and the impact of a possible loss are at best uncertain. As with most management problems, insufficient information makes security decisions more of an art form and less of a science. This uncertainty is a contributing cause of our tendency to rely on risk avoidance. By assuming the threat to be capable, intent, and competent, by valuing our potential targets highly, and by conservatively estimating uncertainties, we reduce risk management to: "what are our vulnerabilities and how much do countermeasures cost to eliminate them?" The management problem is, "How much money can I spend and where can I spend it most wisely?" In most cases, fortunately, it is possible to do better. It is often sufficient to bound the problem, even when exact figures are not available. By careful analysis, we may be able to estimate the value of each factor in our equation and balance the risk of loss or damage against the costs of countermeasures and select a mix that provides adequate protection without excessive cost. Ultimately, the risk management process is about making decisions. The impact of a successful attack and the level of risk that is acceptable in any given situation are fundamentally policy decisions.
The threat is whatever it is, and while it may be abated, controlled or subdued by appropriate countermeasures, it is beyond the direct control of the security process. The process must focus, accordingly, on vulnerabilities and countermeasures. Vulnerabilities are design issues and must be addressed during the design, development, fabrication and implementation of our facilities, equipment, systems and networks. Countermeasures are less characteristics of our systems than of their environments and the ways in which we use them. Typically, to make any asset less vulnerable raises its cost, not just in the design and development phase but also due to more extensive validation and testing to ensure the functionality and utility of security features, and in the application of countermeasures during the operation and maintenance phase as well. A fundamental problem of risk management, then, is to link the choice of design characteristics which reduce vulnerabilities and of countermeasures to threat and impact in order to create a cost-effective balance which achieves an acceptable level of risk. Such a process might work as follows:

(1) Assess the impact of loss of or damage to the potential target. While the impact of the loss of a family member as a parent is beyond measure, the economic value of the member as a wage earner can be estimated as part of the process of deciding the amount of life insurance to purchase. The economic impact of crime or destruction by fires in a city can be determined as part of the process of sizing police and fire departments. The impact of loss of a technological lead on battlefield effectiveness can be specified. Not all impacts are economic, of course. The result of loss of sovereignty through war or the destruction of civilization in a strategic nuclear exchange is beyond calculation.
On a lesser scale, the political and diplomatic impacts of damage or destruction of some assets must be considered, as for example when an embassy is overrun as happened in Tehran. Such considerations are of necessity subjective and qualitative rather than quantitative in nature.

(2) Specify the level of risk of damage or destruction that is acceptable. This may well be the most difficult part of the process. None of us contemplates the loss of our loved ones or of our own life easily. At the other end of the scale, the destruction of nuclear war is unthinkable. In between, addressing loss or destruction in terms of acceptability seems cold-hearted and unfeeling.

(3) Identify and characterize the threat. The damage that can be caused by accident, disease or such natural forces as earthquakes, hurricanes, tornadoes, fires or floods is known. Criminal behavior can be described and predicted. Terrorist groups have been studied. For the leaders of our country, diplomats and military commanders, this function is performed by intelligence and counterintelligence officers who constantly seek to understand the capabilities, intentions and activities of our enemies.

(4) Analyze vulnerabilities. For individuals, dietary and exercise regimens can reduce vulnerability to some health threats. Fire and intrusion alarms can detect problems and alert response teams. Computer systems and networks can be designed to be less vulnerable to hacker attacks. In military and intelligence situations, both offensive and defensive specialists need to be consulted in order to understand how attacks might be initiated. Where potential improvements that may reduce vulnerabilities are identified, the cost of their implementation must be estimated.

(5) Specify countermeasures. Where vulnerabilities are inherent or cost too much to eliminate during the design and development of facilities or systems, countermeasures must be selected to reduce risk to an acceptable level.
Access to facilities can be controlled. Use of computers and networks can be monitored or audited. Personnel can be vetted to various degrees. Not all available countermeasures need be used if some lesser mix will reduce risk to an acceptable level. Costs of each type of countermeasure must be estimated in order to determine the most cost-effective mix.

(6) Allow for uncertainties. None of the factors in the risk management equation is absolute. No threat is infinitely capable and always lucky. No system is without vulnerability. No countermeasure is completely effective, and, short of complete destruction, the impact of damage to an asset is problematic. Risk management requires the realistic assessment of uncertainties, erring on neither conservative nor optimistic sides.

In practice, the estimations needed in applying such a risk management process are accomplished in only gross terms. Threat level or uncertainty may be assessed as high or low. Impact may be designated as severe or moderate. This gross quantification of factors in the risk management equation allows the design attributes used to reduce vulnerabilities and the countermeasures to be grouped so that they can be applied consistently throughout large organizations. Inevitably, tradeoffs result among productivity, flexibility, security and reciprocity, and this, in turn, permits the designer to select a balanced mix of design changes to reduce vulnerabilities and countermeasures to abate residual risks. Knowing we cannot completely eliminate risk, this process permits us to manage the nature and amount of risk to achieve levels we can accept at costs we can afford.
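The six-step process above, carried through at the gross level the text describes (threat and vulnerability high or low, impact severe or moderate) using the algorithm from "Thinking About Risk" (a sum of threat-vulnerability products, countermeasures in the denominator, impact as a multiplier), as an added Python example that is not part of the paper. The integer mapping of the gross levels, the sample pairings and the acceptable-risk threshold are constructed assumptions for illustration.

```python
# Added example, not from the paper: the qualitative risk algorithm the text
# describes, evaluated at gross levels. LEVEL/IMPACT values and the sample
# pairings are constructed assumptions, not figures from the paper.
LEVEL = {"none": 0, "low": 1, "high": 3}   # threat, vulnerability, countermeasure
IMPACT = {"moderate": 1, "severe": 3}      # impact is a multiplier


def threat_level(intent, capability):
    """Per the text, a threat exists only where there is both intent and capability."""
    return min(LEVEL[intent], LEVEL[capability])


def pair_risk(p):
    """One threat-vulnerability pairing: T x V over its countermeasures."""
    t = threat_level(p["intent"], p["capability"])
    v = LEVEL[p["vulnerability"]]
    c = 1 + LEVEL[p["countermeasure"]]     # denominator: more countermeasures, less risk
    return t * v / c                       # zero if either threat or vulnerability is absent


def assess(pairings, impact, acceptable):
    """Return (total risk, pairings ranked by residual risk, within the acceptable level?)."""
    scored = sorted(((pair_risk(p), p["name"]) for p in pairings), reverse=True)
    total = sum(s for s, _ in scored) * IMPACT[impact]
    ranked = [name for s, name in scored if s > 0]   # zero additions need no response
    return total, ranked, total <= acceptable


def apply_countermeasure(pairings, name, level):
    """Step (5): re-score after assigning a countermeasure level to one pairing."""
    return [dict(p, countermeasure=level) if p["name"] == name else p for p in pairings]


# Constructed sample: two cases the paper discusses, plus a vulnerability with no
# credible (capable) threat, which the text says adds zero to the total.
PAIRINGS = [
    {"name": "sniffer vs reusable passwords", "intent": "high", "capability": "high",
     "vulnerability": "high", "countermeasure": "none"},
    {"name": "insider vs unvetted personnel", "intent": "low", "capability": "high",
     "vulnerability": "high", "countermeasure": "low"},
    {"name": "emission leakage, no capable collector", "intent": "high",
     "capability": "none", "vulnerability": "high", "countermeasure": "none"},
]

if __name__ == "__main__":
    before = assess(PAIRINGS, "severe", acceptable=12)
    after = assess(apply_countermeasure(PAIRINGS, "sniffer vs reusable passwords", "high"),
                   "severe", acceptable=12)
    print("before one-time passwords:", before)   # highest-ranked pairing is where to spend
    print("after one-time passwords: ", after)
```

The ranked list answers the text's management question of where money is spent most wisely: the pairing at the top dominates residual risk until a countermeasure brings it down.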
(c) Julie J. C. H. Ryan, 1997, 1998, 1999