DeepSec 2014 Talk: Build Yourself a Risk Assessment Tool

All good defences start with some good ideas. The is also true for information security. DeepSec 2014 features a presentation by Vlado Luknar who will give you decent hints and a guideline on how to approach the dreaded risk assessment with readily available tools. We have kindly asked Vlado to give you a detailed teaser on what to expect:

It seems fairly obvious that every discussion about information security starts with a risk assessment. Otherwise, how do we know what needs to be protected, how much effort and resources we should put into preventing security incidents and potential business disasters? With limited time and budget at hand we’d better know very well where to look first and what matters the most.

If we look at some opinion-making bodies in information security, such as ISF, ISACA or (ISC)², and of course, at ISO/IEC standards (the 27000 series), we can see that in information security there is no escape from risk assessment. A difficult question for anyone responsible for managing information security is to decide when to rely on best practice or baseline security controls and when to apply risk assessment and in what detail.

Risk assessment in information security is, at least in theory, quite self-evident. We have to

  • look at business objectives,
  • identify assets these objectives are built upon,
  • identify the core underlying systems that represent the assets,
  • estimate the potential impact (I) on these assets if something goes wrong (a threat materializes), and
  • identify threats to these assets by looking at related vulnerabilities and countermeasures eliminating them (probability – P).

In the end, we arrive at our risk R by calculating impact times probability (I×P), almost certainly identifying some actions to perform (i.e. measures to mitigate the risk, either its impact or probability).

Well, that’s the easy part. Now, we are supposed to repeat this risk assessment- either as soon as any of these variables changes (objective, asset, system, threat, vulnerability, control) or at least once per agreed-on period of time.

In general, existing security compliance frameworks (e.g. ISO/IEC 27001, COBIT, PCI DSS) do not dictate any specific risk assessment methodologies or tools. The common agreement seems to be: stick to the scheme of asset-threat-vulnerability-control and use whatever suits you to objectively reduce risks  – anything that allows you to be consistent, reproducible and measurable.

And this is the moment you start looking for a risk assessment tool, be it a commercial or an open-source one. In fact, your security team may be small and you may have no risk assessment specialist in there. Yet, you need to be structured about your security risk decisions in a easy-to-do and efficient manner every time you run an assessment hoping that if you don’t catch something important in this run, you will succeed in the next iteration, or an incident will teach you about it the hard way.

How many risk assessment methodologies for information security can we find on Internet today? If you filter out government- and consultancy-related methodologies (mostly without a tangible product you could buy) you end up with a list of 15-20 different methodologies with some of them comprising also a risk assessment tool. This might seem like a lot but only until you try to implement one of them in your organization.

You start with the first one and realize it needs weeks of training because its learning curve is so steep, the other uses awkward terminology, the next one has some strange threat categories mixing apples with oranges or uses just plain old references (talking about Windows 95,  fax machines and dial-up connections) and another one requires you to take a series of complicated installation and configuration steps (plus requiring a highly privileged account on your desktop). And yet another group of tools, instead of risk assessment, talks about scanning and vulnerability management.

In fact, if you are a security manager in a small to medium size company where every security topic passes through your hands, you might be better off by using your own tool because building it is not a rocket science and does not take that much time. You develop its features on the go and by doing it you capture all the internal knowledge that otherwise might be lost.

Over the years of being a security practitioner in a commercial organization I have learned few things.

  • The quest for a perfect ready-made tool is useless, because it is you and your team who add the most value in the process (the tool will not have the “knowledge” on its own).
  • In case you think you did find a perfect product built by someone else, think again: are you sure it is you – not the tool – who discovers risks?
  • Simple things work the best: the more complicated the tool, the less focused you stay on the subject-matter (i.e. the risks); not everything needs to be assessed thoroughly at the same time and at the same level of detail; not everything needs to be automated and re-calculated in real-time.
  • The tool should be pre-defined and structured only to some extent, not limiting your creativity and knowledge of the context (translated as your “internal expertise”).
  • Tools come and go and you may get stuck with a quite expensive product nobody supports any more and your own knowledge recorded in there may not be easily accessible.
  • When you hit the proper balance between a pre-defined, mandatory check-list and creativity, you’ll be focusing only on those things that are important the most, those that – in a given context – make or break the security of your product or service.

The presentation is not about latest advances in information security risk assessment. It will describe the process of making a practical, wiki-based tool, starting with publicly available resources: threats, vulnerabilities and controls (mostly from ISO/IEC 2700X) that are merged into a light ecosystem that is configured, improved and used only via a web browser. Such an ecosystem, actually an Information Security Management System called RISSCON, is used daily in a real company (Orange Slovensko a.s.) to keep up with the requirements of ISO/IEC 27001.

Tags: , , ,

Comments are closed.