We have gone through the process of identifying the assets in our network. Now we have to risk rate them. Many of you have plenty of experience in Risk Assessments so this may be a refresher for you.
The purpose of a risk assessment is to prioritize the use of limited resources in order to address the most important risks appropriately. I like to think that that result of the risk assessment will be an action plan. The process is fairly straight forward:
1. Identify your assets.
2. Identify your threats.
3. Assess the impact of the threats.
4. Assess the likelihood of the threats.
5. Calculate a Resultant Risk Rating.
We all know that a list like this oversimplifies the process but let’s keep it simple for now.
We already have #1 behind us so let’s begin with #2. We call this a risk assessment but the list above says “threats.” What’s the difference? A threat is something that cannot be controlled. Hackers are a threat. A risk is something that can be managed. I have always liked the analogy of sitting on a bench beside the highway. There are threats like flying debris and cars driving off the road. No matter what you do those threats are going to be there. The risk is being hit by a rock, trash, or a runaway car. You can mitigate that risk by wearing a helmet, putting up a fence, move the bench, or just not sit on a bench by the highway!
To identify the threats I like to break them down into Human, Environmental, and Technical. That helps narrow the focus for each asset. Example Time! Let’s take an asset that almost all networks have, a firewall. What are the human threats? The person setting it up could have misconfigured it and hackers could be trying to get into it. What are the environmental threats? Heat, water, or static electricity could cause the firewall to fail. Then what are the technical threats. The firmware could have an exploitable vulnerability, a new attack technique could come out, or the electronics could just fail.
You could say, ‘none of those would ever happen’, but what if it did? Your network could be exposed to a very easy attack. This is the concept of impact and likelihood. A hacker breaking into your network is not likely to happen so why worry about it? Because if they do, it will cost you a ton of money and it could easily put you out of business.
Generally you will give impact and likelihood a numeric rating in order to develop a Resultant Risk Rating (RRR). You could get crazy here by weighting these factors and some type of modeling algorithm to calculate the RRR. This leaves a lot of room for judgment. You want to be comfortable with the calculation and understand what it is doing.
Another example: we are going to give the impact and likelihood a rating. I suggest a 1-5 rating, 1 being less likely or low impact and 5 being very likely or a big impact. But for this example I am going to take the position that impact is more important than likelihood so I am going to give impact a 3/2 ratio. My RRR is going to be a simple multiplication. The formula will look like this: (2*likelihood) * (3*impact) = RRR. By using this calculation I can stratify the results into High-Medium-Low risks. You can use other formulas but this simple calculation works pretty well.
It can take the form of a spreadsheet like this:
You can add columns for mitigating factors, actions needed, due dates, responsible people, etc. This format can be modified for various risk assessments. One common misconception is that all risk assessments can be combined into one. Risk assessments have to be focused to the topic needed. The threats and risks are not the same for security as they are for business continuity. While there is some overlap the overall scope differs so you need to do separate risk assessments.
Next time we will finish up the Identify Function and start discussing the Protect Function.