Risk Analysis
Arun Saxena
Assistant Professor, Amity Lucknow
The consensus among security professionals is that there is no risk situation in which security is perfect. Before designing and implementing the organisation's security plan, one must first determine the risk associated with the employees, the network, and the databases of customer, job, and personnel information. The ultimate objective is not to reduce the risk to zero but to devise ways to manage risk in a reasonable manner. This process, called risk analysis, determines the threats an organisation faces, what resources are at risk, and what priority should be given to each resource. It is the first step in formulating a security policy: a statement that specifies what defences should be configured to block unauthorised access, how the organisation will respond to attacks, and how employees should safely handle the organisation's resources to prevent loss of data or damage to files.
Because threats change constantly along with technology, determining risks and developing a security policy to manage those risks are ongoing processes rather than a one-time operation.
Risk Analysis Factors
Risk is defined as the possibility of damage or loss, so risk analysis is the study of the likelihood of damage or loss in a particular situation or environment. In terms of a network connected to the internet, risk analysis should encompass computer hardware and software plus data warehouses: storehouses of valuable customer, job, and personnel information that a company needs to safeguard.
The following factors are involved in a risk analysis:
Assets
Assets in an organisation are the hardware, software, and informational resources that the organisation has to protect by developing and implementing a comprehensive security policy. Four types of assets are likely to need protection:
Physical Assets - Equipment and buildings in the organisation.
Data Assets - Databases, personal records, customer or client information, and other data the organisation stores and transmits electronically.
Software Assets - Server programs, security programs, and other applications used to communicate and carry out the organisation's typical activities.
Personnel Assets - People who work in the organisation as well as customers, business partners, contractors, and freelance employees.
Some assets are tangible objects, such as computers; others are intangible, such as a company's reputation and the level of trust it inspires in its customers.
Threats
Threats are events and conditions that have not occurred but could potentially occur, and their presence increases risk. Some dangers are universal, such as weather-related disasters. Others are specific to the system; for a server storing a customer database, the obvious danger is an attacker gaining access to the system. Other examples of circumstance-specific threats include the following:
Power Supply - The power supply in the organisation's area might be unreliable, making the organisation subject to brownouts, blackouts, and sudden surges called voltage spikes.
Crime Rate - If the organisation is established in a high-crime area, or other offices in the area have been broken into, the risk increases.
Facility-Related - If the organisation's office is in a building that is prone to fluctuations or has insufficient fire suppression, the risk of fire damage increases.
Industry - If an organisation operates in a highly competitive industry or in one requiring high security, a security breach could result in litigation, major loss of revenue, or even force the business to close.
Probabilities
The seriousness of a threat depends on the probability that it will occur. Geographic location, physical location, habitual factors, and other factors affect that probability. A geographic factor might be that earthquakes are common in the region. Physical location might influence threat probability through, for example, an electrical problem in the building housing your systems. Habitual factors are poor security practices, such as employees keeping passwords written down near their computers, that increase the probability of a security breach. These factors are a large part of what risk assessment seeks to cover: risk analysis evaluates each factor and rates its potential impact or exposure.
Vulnerabilities
Vulnerabilities are situations or conditions that increase the possibility of a threat, which in turn increases risk. Examples include connecting computers to the internet, putting computers out in the open where anyone can use them, installing web servers outside the corporate network in a vulnerable demilitarized zone (DMZ), and so on.
A software vulnerability is a defect (commonly called a "bug") in software that may allow a third party or program to gain unauthorized access to some resource. Such vulnerabilities may exist at the operating system level and at the application level. Examples of operating systems with vulnerabilities include Windows and Linux. Examples of application software with vulnerabilities include Internet Information Services, Internet Explorer, Outlook Express, and the Apache web server. The number of flaws in different systems varies, but every system can and will have flaws.
Security professionals have many resources for finding information on current vulnerabilities and possible network attacks, for example the Common Vulnerabilities and Exposures (CVE) list. Vulnerability analysis helps security professionals determine what to protect. Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.
Vulnerability analysis consists of several steps:
Defining and classifying network or system resources.
Assigning relative levels of importance to the resources.
Identifying potential threats to each resource.
Developing a strategy to deal with the most serious potential problems first.
Defining and implementing ways to minimize the consequences if an attack occurs.
Consequences
Substantial adverse consequences can result from a virus that forces you to take an organisation's web site offline for a week or from a fire that destroys all of a company's computer equipment. As discussed above, threats can be ranked in order of their probability of occurrence; this ranking can be extended by attaching an impact rating to each threat. A cost-benefit analysis is vital to justify the investments made in security. Here the cost is what the company pays because of security incidents, whereas the benefit is the amount per year saved by preventing incidents. The actual cost of an incident is usually much higher than the cost of replacing equipment and restoring data (if it can be restored).
Safeguards
Safeguards are measures one can take to reduce threats, such as installing firewalls and IDSs, locking doors, and using passwords and encryption. These measures interact with one another to help manage risk. When deciding how to manage risk, one must first identify and classify the risks. Then the threatened assets should be prioritised, and finally one decides whether to accept, transfer, or mitigate each risk.
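As an added example (not part of the original text), the following Python risk register walks through the vulnerability-analysis steps and the cost-benefit reasoning described above: assets with a relative importance, threats with probability and impact ratings, a ranking by exposure so the most serious problems are handled first, and a safeguard decision that compares the annual loss a safeguard avoids with its annual cost. All asset names, ratings, and costs are constructed for illustration.

```python
"""Constructed risk register illustrating the factors in the text.
Exposure = importance * probability * impact (used for ranking).
Annual loss = probability (incidents per year) * loss per incident.
A safeguard is worth buying when the annual loss it prevents exceeds
its own annual cost; otherwise the risk is accepted or transferred."""
from dataclasses import dataclass


@dataclass
class RiskItem:
    asset: str
    importance: int           # relative importance, 1 (low) .. 5 (critical)
    threat: str
    probability: float        # expected incidents per year
    impact: int               # severity of one incident, 1 (minor) .. 5 (severe)
    loss_per_incident: float  # cost of one incident, including downtime and cleanup

    def exposure(self) -> float:
        """Rating used to order threats: importance x probability x impact."""
        return self.importance * self.probability * self.impact

    def annual_loss(self) -> float:
        """Cost the organisation pays per year if nothing changes."""
        return self.probability * self.loss_per_incident


def rank_risks(items):
    """Step 'deal with the most serious potential problems first'."""
    return sorted(items, key=lambda r: r.exposure(), reverse=True)


def safeguard_decision(item, safeguard_cost, reduced_probability):
    """Cost-benefit: benefit is the annual loss avoided by the safeguard.
    Returns (decision, net yearly value of the safeguard)."""
    benefit = (item.probability - reduced_probability) * item.loss_per_incident
    decision = "mitigate" if benefit > safeguard_cost else "accept or transfer"
    return decision, benefit - safeguard_cost


# Constructed sample register (values are illustrative only).
REGISTER = [
    RiskItem("customer database", 5, "attacker gains access via internet", 0.5, 5, 40000.0),
    RiskItem("web server in DMZ", 4, "virus takes web site offline", 1.0, 3, 8000.0),
    RiskItem("office building", 3, "fire with insufficient suppression", 0.05, 5, 250000.0),
    RiskItem("power supply", 2, "brownout or voltage spike", 3.0, 1, 500.0),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.exposure():6.2f}  {r.asset:18s} {r.threat}  (annual loss {r.annual_loss():.0f})")
    print("IDS for database:", safeguard_decision(REGISTER[0], 6000.0, 0.1))
    print("Sprinklers for building:", safeguard_decision(REGISTER[2], 15000.0, 0.01))
```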
Risk Analysis Methods
The building blocks one needs to prepare a risk analysis are the list of assets to be protected, the threats to those assets and the probability that they will occur, the consequences if they do occur, and the safeguards one can take against them. Different methods of risk analysis are then used to create a security policy and to evaluate how well the policy is performing so that it can be updated and improved. The following methods can be used to perform risk analysis [33].
Survivable Network Analysis
Survivable Network Analysis (SNA) is a security process developed by the CERT Coordination Center (www.cert.org). SNA starts with the assumption that a computer system or network will be attacked. It leads one through a four-step process designed to ensure the survivability (the capability to continue functioning during attacks, system faults, accidents, or disasters) of a network if an attack occurs.
Survivability focuses on a network's essential services, assets, and critical capabilities, and depends on four key properties of a network:
Resistance - The capability of a system to repel attacks.
Recognition - The capability to detect attacks when they occur and to evaluate the extent of damage and compromise.
Recovery - The capability to maintain essential services during an attack and restore all services following an attack.
Adaptation and Evaluation - The capability to improve system survivability based on knowledge gained from attacks.
The study of network survivability builds on other concepts related to risk analysis, including fault tolerance (the capability of an object or a system to continue operating despite a failure, such as a system shutdown), safety procedures, security systems, and ongoing testing. Most software products are not designed with survivability in mind; instead, software is often designed to work for a certain number of users or a certain amount of information until it is replaced by new and improved versions. That is why survivability studies can be valuable.
The steps in SNA are as follows:
System Definition - First, an overview of the system's organisational requirements is created. The system architecture is analysed, taking into account its hardware components, software installation, databases, servers, and other computers that store the organisation's information.
Essential Capability Definition - The system's essential services and assets, those critical to fulfilling the organisation's missions and goals, are identified.
Compromisable Capability Definition - Situations in which intrusions into the system occur are designed, and the intrusions are then traced through the system architecture to identify what can be accessed and what sorts of damage can occur.
Survivability Analysis - The potential points of fault in the system, the integral components that can be compromised, are identified. Recommendations for correcting those points of fault are then made, along with specific ways to improve the system's resistance to intrusions and its capability to recover from attacks, accidents, and other disasters.
The emphasis is on an ongoing process rather than a series of steps ending in a report on a configuration regarded as secure and permanent. One might start with password management, then upgrade the system to encrypt critical data, and then install software that filters out potentially harmful e-mail, so that the system's capability to survive improves continually.
Threat and Risk Assessment
Threat and Risk Assessment (TRA) approaches risk analysis from the standpoint of the threats and risks to an organisation's assets and the consequences of those threats and risks if they occur.
Like SNA, TRA has four steps:
Asset Definition - The software, hardware, and information to be defended are identified.
Threat Assessment - The kinds of threats that place the assets at risk are identified. These include vandalism, fire, natural disasters, and attacks from the internet. Threat assessment also includes an evaluation of the probability and consequences of each threat.
Risk Assessment - Each asset is evaluated for any existing safeguards, the severity of the threats and risks to it, and the consequences of the threat or risk taking place. The combination of these factors gives an assessment of the actual risk to each asset.
Recommendations - Based on the risks and current safeguards, one can make recommendations to reduce the risk. These recommendations should then be made part of a security policy.
TRA is carried out in different ways by security agencies all over the world.