Security Basics mailing list archives
Re: Risk Ranking...
From: Woods_Beau () dkmc org
Date: Thu, 31 Aug 2006 15:56:10 -0400
I think the first step in the process is to get a good definition of "threat", "vulnerability", and "risk". See Bejtlich's blog for that, or get his book The Tao of Network Security Monitoring. His discussions largely pull on his US Military training and their definitions of these terms. Here, you really need to get your head around what you are trying to do, in general terms. What is the scope of the project, what are you really attempting to address, do you have policies regarding this kind of thing, etc. Then you need to decide what is most important to you. In Healthcare, a virus on a medical device could result in death of one or many people, whereas a virus on a workstation could just mean wiping out the installation. Find a level of protection you want to have and work backwards from there. You'll have to put a good bit of time into it to do it right, but it will be worth it.

You will most likely have to speak to the Compliance people and determine what their views are for this. Do not work in a silo! Think of this as a part of your business continuity plan. Use that plan to determine your most important assets and to help in figuring out what assets have the highest value to your enterprise.

Next, you'll need to see where you are now -- what devices do you have, what patch levels are they, who maintains them, are any patches known to break the apps, what are the risks associated with the computers. This is a real pain, it will take a massive effort, and you'll continually have to update. Do it in waves or cycles. Start with a quick nmap scan or something to see what devices you have and what they're running. You may be surprised to find that you have some things you can't identify. Then go into more detail as you get your head around what you have to begin with.

Then you will want to take a look at where you want to end up. People are fond of saying that security isn't an end-state, and they're right. But you have to have a plan to work towards as a goal. When you have hit that target, and even as you progress towards it, you will revise that plan. After you've made up your plan, you need to think backwards to where you are now. That way, you can chart out a timeline and minor goals and identify areas where you can consolidate projects, etc.

I had the same problem as you when I was trying to come up with some risk metrics. Specifically, I was looking for a way to assess outside threats and internal vulnerabilities that would allow for some decision-making. I found Richard Bejtlich to be informative (taosecurity.blogspot.com), as well as SANS (isc.sans.org and www.sans.org). However, this is a limited subset of the real issue, which is keeping the environment secure. This larger goal includes issues like privacy leaks, insider threats, natural disasters, physical threats, etc. As I don't typically deal with those, I can't really speak to them all.

But by and large, I just created my own. I haven't had much time to refine it to the point where I can create a mathematical score, but here is what I came up with. The value to the left of the description is the assigned risk value. The theory is that by adding or multiplying these values, I should be able to give a general idea of how much risk each vulnerability or threat poses. The scale is exponential, so that as the severity of the threat/vulnerability increases, the total risk increases faster than linearly. The idea is that each escalation is more than just an incremental increase in risk. However, I have not played with the numbers to see if they are realistic in practice. I'm publishing this here, and licensing this entire post under the Creative Commons Attribution-ShareAlike 2.5 License so anybody can use it as long as they share their derivations. Hopefully this will help people who are looking for this kind of thing and can't find it anywhere else.

Distribution Method Ratings

1 Physical Presence
  Delivery: The vulnerability must be exploited locally.
2 User Interaction
  Delivery: The computer user must directly interact with the system in order for the vulnerability to be exploited (such as a trojan horse).
4 Mobile Code
  Delivery: The vulnerability is exploitable without direct user interaction (such as a mobile code exploit or mass mailer virus).
8 Internal Propagation
  Delivery: The vulnerability can be exploited with no user interaction whatsoever (such as a network worm).

Note: If a piece of malware is a blended threat (able to exploit multiple vectors), each method will be taken into consideration.

Malware Damage Levels

1 Light
  Damage Potential: The malware may change configuration settings, deliver pop-up ads, or redirect web searches.
  Repair Time: Less than one man-hour. Anti-Virus or other programs may do this automatically.
2 Moderate
  Damage Potential: The malware may do any of the above. Additionally, it may log and send information from the computer, attempt to send mass amounts of email, close or crash programs, and/or change important configuration settings.
  Repair Time: Between one and two man-hours. Anti-Virus and other automatic programs may help, but much of the work will be done manually.
4 High
  Damage Potential: The malware may do any of the above. Additionally, it may reboot, slow down, or crash the computer, prevent programs from functioning normally, delete or overwrite system files, prevent the computer from starting, and/or remotely infect other computers through the network.
  Repair Time: Between one and four man-hours. The computer may have to be reimaged. If the computer has compromised others, the repair time will escalate due to the volume of computers infected.
8 Extreme
  Damage Potential: The malware may do any of the above. Additionally, it may delete or overwrite important data, transmit confidential or patient data, and/or generate massive amounts of network traffic.
  Repair Time: Unknown number of man-hours. The computer will most likely have to be reimaged. Any locally stored data may have to be recreated; any data stored on the network may need to be restored. If the computer has compromised others, the repair time will escalate due to the volume of computers infected.

System Exposure Levels

1 No Exposure
  Prevalence: No computers have exposure or are likely to be compromised in a widespread event, but the organization may be indirectly affected by other organizations' exposure.
2 Low Exposure
  Prevalence: Less than 20% of our systems are vulnerable or are likely to be compromised in a widespread event.
4 Moderate Exposure
  Prevalence: No more than 60% of our systems are vulnerable or are likely to be compromised in a widespread event.
8 High Exposure
  Prevalence: More than 60% of our systems are vulnerable or are likely to be compromised in a widespread event.

Vulnerability Threat Levels

2 Minor Threat
  Viability: No Proof of Concept (POC) code or working exploits are thought to be available.
4 Escalating Threat
  Viability: POC code is available, but no working exploit is thought to exist.
8 Known Threat
  Viability: A working exploit is thought to exist.

Importance Levels

1 None
  Systems: None of the following
2 Desirable
  Systems:
4 Essential
  Systems:
8 Mission Critical

NOTE: This should closely resemble your Business Continuity Plan for which apps, servers, etc. are most important.

This metric was designed specifically for Microsoft patches on Black Tuesday, but it may apply to other events with minor adjustments.

Patch Installation Determinations

Disallowed
  Explanation: The patch is known to cause programs to function incorrectly. The risk of not patching is low.
Discouraged
  Explanation: The patch may have unknown effects even though the patch has been tested.
Recommended
  Explanation: The patch will probably not cause any unintended side-effects because it only affects software not required for business use.
Encouraged
  Explanation: Significant risks exist by not patching; the patch does not break critical applications.
Essential
  Explanation: There is a high risk to the organization if the patches are not applied. The risk may even dictate that the patch be applied immediately, and without testing.


"Barrick, Chanda B" <cbbarric () iupui edu>
08/28/2006 09:41 PM
To: <security-basics () securityfocus com>
cc:
Subject: Risk Ranking...

I am trying to figure out how to develop a risk ranking methodology for incident reporting in a healthcare environment. I don't even really know where to begin. I've been googling, but I'm not finding much that is helpful. Anyone have any suggestions?

Thanks
Chanda

---------------------------------------------------------------------------
This list is sponsored by: Norwich University
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CONFIDENTIALITY NOTICE: This e-mail, including attachments, is for the sole use of the individual(s) to whom it is addressed, and may contain confidential and privileged information, including HIPAA protected PHI. Any unauthorized review, use, disclosure, distribution, or reproduction is prohibited. If you have received this e-mail in error, please notify the sender by reply e-mail and destroy this message and its attachments in its entirety.
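The rubric above, worked through in code so the "adding or multiplying" question the poster leaves open can be checked with numbers. This is an added example, not code from the original post or its author. The 1/2/4/8 rating tables are copied from the post; the handling of blended threats (the worst vector is scored), the exposure_level helper that maps host counts onto the post's percentage bands, and the two mass-mailer scenarios are assumptions made for this illustration.

```python
"""Added example: the Woods risk rubric scored additively and multiplicatively.

The rating tables are taken from the post. Everything else (blended-threat
handling, exposure banding, the sample scenarios) is an assumption made for
this illustration and is not part of the original.
"""
from dataclasses import dataclass
from math import prod

# Rating tables from the post. Each step up doubles the weight.
DISTRIBUTION = {
    "physical": 1,              # must be exploited locally
    "user_interaction": 2,      # user must act (trojan horse)
    "mobile_code": 4,           # no direct interaction (mass mailer)
    "internal_propagation": 8,  # no interaction at all (network worm)
}
DAMAGE = {"light": 1, "moderate": 2, "high": 4, "extreme": 8}
EXPOSURE = {"none": 1, "low": 2, "moderate": 4, "high": 8}
THREAT = {"minor": 2, "escalating": 4, "known": 8}  # this scale starts at 2
IMPORTANCE = {"none": 1, "desirable": 2, "essential": 4, "mission_critical": 8}


def exposure_level(vulnerable: int, total: int) -> str:
    """Map a vulnerable-host count onto the post's bands: none, <20%, <=60%, >60%."""
    if total <= 0 or not 0 <= vulnerable <= total:
        raise ValueError("need 0 <= vulnerable <= total and total > 0")
    if vulnerable == 0:
        return "none"
    share = vulnerable / total
    if share < 0.20:
        return "low"
    if share <= 0.60:
        return "moderate"
    return "high"


@dataclass(frozen=True)
class Assessment:
    # A blended threat lists every vector it uses. The post only says each
    # method is "taken into consideration"; assumption here: the worst wins.
    distribution: tuple[str, ...]
    damage: str
    exposure: str
    threat: str
    importance: str

    def factors(self) -> tuple[int, ...]:
        """The five rating values in a fixed order."""
        worst_vector = max(DISTRIBUTION[v] for v in self.distribution)
        return (worst_vector, DAMAGE[self.damage], EXPOSURE[self.exposure],
                THREAT[self.threat], IMPORTANCE[self.importance])

    def additive_score(self) -> int:
        """Sum of the ratings (reachable range 6 .. 40)."""
        return sum(self.factors())

    def multiplicative_score(self) -> int:
        """Product of the ratings (reachable range 2 .. 32768)."""
        return prod(self.factors())

    def level_sum(self) -> int:
        """Sum of the per-factor levels, i.e. log2 of each power-of-two rating."""
        return sum(f.bit_length() - 1 for f in self.factors())


def score_bounds() -> dict[str, tuple[int, int]]:
    """Lowest and highest score reachable under each combination rule."""
    tables = (DISTRIBUTION, DAMAGE, EXPOSURE, THREAT, IMPORTANCE)
    lows = tuple(min(t.values()) for t in tables)
    highs = tuple(max(t.values()) for t in tables)
    return {"additive": (sum(lows), sum(highs)),
            "multiplicative": (prod(lows), prod(highs))}


# Constructed scenarios (not from the post): a mass mailer that also drops a
# trojan, first with no exposed hosts, then with 350 of 500 hosts exposed.
MAILER_NO_EXPOSURE = Assessment(("user_interaction", "mobile_code"), "high",
                                exposure_level(0, 500), "escalating", "essential")
MAILER_HIGH_EXPOSURE = Assessment(("user_interaction", "mobile_code"), "high",
                                  exposure_level(350, 500), "escalating", "essential")


def exposure_sensitivity() -> dict[str, float]:
    """Factor by which each rule grows when only exposure goes from none to high."""
    return {
        "additive": MAILER_HIGH_EXPOSURE.additive_score()
                    / MAILER_NO_EXPOSURE.additive_score(),
        "multiplicative": MAILER_HIGH_EXPOSURE.multiplicative_score()
                          / MAILER_NO_EXPOSURE.multiplicative_score(),
    }


if __name__ == "__main__":
    for name, a in (("no exposure", MAILER_NO_EXPOSURE),
                    ("high exposure", MAILER_HIGH_EXPOSURE)):
        print(f"{name:14s} factors={a.factors()} sum={a.additive_score():3d} "
              f"product={a.multiplicative_score():5d} = 2^{a.level_sum()}")
    print("bounds:", score_bounds())
    print("exposure none -> high scales score by:", exposure_sensitivity())
```

Because every rating is a power of two, the product equals 2 raised to the sum of the per-factor levels, so the multiplicative rule is the one that actually realises the "exponential" intent of the scale: moving exposure from none to high multiplies the product by 8 but the sum by only about 1.4. The flip side is that a single factor at its floor (no exposed hosts, or a system of no importance) collapses the product even when everything else is at its maximum, which is the behaviour to decide on before adopting either rule.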
Current thread:
- Risk Ranking... Barrick, Chanda B (Aug 29)
- Re: Risk Ranking... Brian Loe (Aug 30)
- Re: Risk Ranking... Woods_Beau (Aug 31)
- <Possible follow-ups>
- RE: Risk Ranking... Kyle White (Aug 30)