Lesson#30
Threat Identification
“A threat is some action or event that can lead to a loss.”
Various types of threats that could, if they occur, result in information assets being exposed, removed either temporarily or permanently, lost, damaged, destroyed, or used for unauthorized purposes are identified. Susceptibility to threats, whether logical or physical, is a major risk factor for the database and information system of an organization. These risks are to be identified, and steps that include physical and logical controls need to be instituted and monitored on a regular basis. Security measures can be designed only if we know what kind of threats or risks are to be guarded against. Obviously, we would also have to determine the frequency of the known and the unknown risks or threats.
Threats and risks are usually used synonymously. These are always there and cannot be avoided but should be managed to minimize losses and maximize returns. Each level of management and each operational area perceives risk differently and communicates these perceptions in different terms.
29.1 Types of Threats
• Physical threat – This refers to the damage caused to the physical infrastructure of the information systems, e.g.
    • Fire
    • Water
    • Energy variations
    • Structural damage
    • Pollution
    • Intrusion
• Logical – This refers to damage caused to the software and data without physical presence.
    • Viruses and worms
    • Logical intrusion
Likelihood of occurrence of Threat:
Having identified the threats, they need to be ranked on the basis of their probability of occurrence. Sometimes analysis of the occurrence of a threat is easily available. For example, the insurance company might have a study of the occurrence of fire incidents in a city for the purposes of fire insurance; however, the extent of the threat resulting from a new virus may not yet have been identified or become known to the users, etc. In such a situation, where no past data or reliable source of probability of occurrence is available, users can be asked to give the best estimate of how frequently the threat is likely to occur. Usually, the higher the value of the information asset identified, the higher the chances of it being susceptible to vulnerability. For example, ERP software built up to a high integration level may need to be provided with a high level of security against potential threats.
29.2 Control Analysis
The goal of this step is to analyze the controls that have been implemented or are planned for implementation by the organization to minimize or eliminate the likelihood of occurrence of a threat. This is done in order to derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment. Security controls encompass the use of technical and non-technical methods. Technical methods are safeguards that are incorporated into computer hardware, software and firmware, such as control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software, etc. Non-technical controls are management and operational controls such as security policies and operational procedures, and personnel, physical and environmental security. The control categories for both technical and non-technical control methods can be further classified as either preventive or detective. These two sub-categories are explained as follows:
• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails and intrusion detection methods.
Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered.
o Threat-source motivation and capability
o Nature of the vulnerability
o Existence and effectiveness of current controls
29.3 Impact analysis
The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information.
• System mission
• System and data criticality
• System and data sensitivity
The information can be obtained from existing organizational documentation, such as the mission impact analysis report, business impact analysis report or asset criticality assessment report. The adverse impact of a security event can be described in terms of loss or delay of any or all of the three security goals.
• Loss of integrity: System and data integrity refers to the requirement that information should be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental loss of system or data. Violation of integrity may be the first step in a successful attack against availability or confidentiality. For all these reasons, loss of integrity reduces assurance of an IT system.
• Loss of availability: If a mission-critical IT system is unavailable to its end user, the organization’s missions may be affected. Loss of system functionality and operational effectiveness.
• Loss of confidentiality: System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment or legal action against the organization.
29.4 Risk Determination/Exposure Analysis
This phase relates to analyzing how much the information assets are exposed to the various threats identified, and thus quantifying the loss caused to the asset through each threat. This phase relates to analysis of both physical and logical threats. Four steps are usually followed while analyzing the exposure.
• Figure out whether there are any physical or logical controls in place
    • Employees are interviewed
    • Walkthroughs are conducted
• How reliable are these controls
    • Check whether the firewall stops a virus from entering the organization’s system
    • Check whether the antivirus installed stops the virus from execution
    • We cannot start an earthquake to see if the building can absorb shocks or not
• What is the probability that occurrence of threat can be successful against these controls
    • Compare assets identified with threats identified to see if controls exist
    • Estimate the probability of occurrence based on past experience and future apprehensions/expectations
• How much loss can occur due to the threat being successful
    • Scenarios are written to see how an identified potential threat can compromise control
Risk identification is often confused with risk mitigation. Risk mitigation is a process that takes place after the process of risk assessment has been completed. Let’s take a look at various risk mitigation options.
• Risk Assumption: To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level.
• Risk Avoidance: To avoid the risk by eliminating the risk cause, e.g. forgo certain functions of the system or shut down the system when risks are identified.
• Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability, e.g. use of supporting preventive and detective controls.
• Risk Planning: To manage risk by developing a risk mitigation plan that predicts, implements and maintains controls.
• Research and Acknowledgement: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
• Risk Transference: To transfer the risk by using other options to compensate for loss, such as purchasing insurance.
29.5 Occurrence of threat
When a threat occurs, there can be the following consequences.
1. Controls against the threat exist.
    • Controls can help stop the occurrence of the threat.
    • Threat occurs but damage is avoided by the controls.
    • Threat circumvents controls and causes damage.
2. Controls against the threat do not exist.
    • Threat has not yet been identified.
    • Threat has been identified but the consequent loss is considered as minor.
    • Threat occurs, whether identified or not, and causes damage to the system.
A threat can cause damage whether controls exist or not. The cumulative amount of loss can be a major threat to the system. There is no international standard on the acceptable level of losses. The materiality of every loss, howsoever determined by management, must be written and backed up by the approval of those who are in charge of IT Governance. A review of these matters will be undertaken when a security audit is done, in order to ascertain the comfort level that can be drawn from the security policy of the organization.
29.6 Computing Expected Loss
In the fourth step of the exposure analysis, the amount of expected loss is computed through the following formula:
A = B x C x D
1. A = Expected Loss
2. B = Chances (in %) of threat occurrence
3. C = Chances (in %) of Threat being successful
4. D = Loss which can occur once the threat is successful
Control Adjustment
This phase involves determining whether any controls can be designed, implemented and operated. The cost of devising controls should not exceed the expected potential benefit being encashed and the potential loss being avoided. The controls that could mitigate or eliminate the identified risk, appropriate to the organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks.
• Effectiveness of recommended options
• Legislation and regulation
• Organizational policy
• Operational impact
• Safety and reliability
The control recommendations are the results of the risk assessment process and provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized and implemented.
It should be noted that not all possible recommended controls can be implemented. To determine which ones are required and appropriate for a specific organization, a cost analysis should be conducted for the proposed recommendations of controls to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition, the operational impact and feasibility of introducing the recommended option should be evaluated carefully during the risk mitigation process.
The above decision takes into account the following factors:
1. Personal judgment of the situation
2. Any information gained on desired/non-existing controls during the previous phases
3. Seek demands of users for an ideal control environment.
Existing controls should not be totally discarded while adjusting controls. They can either be terminated totally, due to the threats not being there any more or the existence of better controls, or modified for betterment. This phase should consider the security to be cost effective and integrated.
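The formula from 29.6 and the cost test described under Control Adjustment, worked through as an added example that is not part of the original lesson: it ranks threats by expected loss and checks whether a control's cost is covered by the loss it avoids. The threat names, percentages, amounts, control costs and the assumption that a control only lowers C are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_pct: float  # B: chances (in %) of threat occurrence
    success_pct: float     # C: chances (in %) of threat being successful
    loss: float            # D: loss which can occur once the threat is successful

    def expected_loss(self) -> float:
        """A = B x C x D, with B and C converted from percent to fractions."""
        return (self.occurrence_pct / 100) * (self.success_pct / 100) * self.loss

@dataclass(frozen=True)
class Control:
    name: str
    cost: float               # cost over the same period that B is estimated for
    success_pct_after: float  # assumed: the control only lowers C

def rank_threats(threats):
    """Order threats from highest to lowest expected loss."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)

def evaluate_control(threat, control):
    """Compare the control's cost with the expected loss it avoids."""
    before = threat.expected_loss()
    after = replace(threat, success_pct=control.success_pct_after).expected_loss()
    avoided = before - after
    return {"before": before, "after": after, "avoided": avoided,
            "justified": control.cost <= avoided}

# Constructed sample register (not data from the lesson).
FIRE = Threat("Fire", occurrence_pct=2, success_pct=50, loss=1_000_000)
VIRUS = Threat("Virus", occurrence_pct=60, success_pct=25, loss=200_000)
INTRUSION = Threat("Logical intrusion", occurrence_pct=10, success_pct=30, loss=500_000)

# Constructed candidate controls.
ANTIVIRUS = Control("Antivirus upgrade", cost=8_000, success_pct_after=5)
SPRINKLERS = Control("Sprinkler system", cost=12_000, success_pct_after=10)

if __name__ == "__main__":
    for t in rank_threats([FIRE, VIRUS, INTRUSION]):
        print(f"{t.name:18} A = {t.expected_loss():>10,.2f}")
    for t, c in [(VIRUS, ANTIVIRUS), (FIRE, SPRINKLERS)]:
        r = evaluate_control(t, c)
        verdict = "justified" if r["justified"] else "cost exceeds loss avoided"
        print(f"{c.name}: avoids {r['avoided']:,.2f} for {c.cost:,.2f} -> {verdict}")
```

With these sample figures the antivirus upgrade pays for itself while the sprinkler system costs more than the expected loss it avoids, which is the situation the cost analysis is meant to expose.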