Some Issues and Activities in Information Risk Assessment and Security David R. Mapes dmapes@erols.com 12/10/1998

THE UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
GRADUATE SCHOOL

Some Issues and Activities in
Information Risk Assessment and
Security

for

CSMN - 655 - 1141: Information Risk Assessment and Security

by

David R. Mapes
dmapes@erols.com
12/10/1998

Risk Assessment

Scenario:

New guidelines have been established and your company has been mandated to perform a risk analysis on a major sensitive information system. The Board of Directors of your organization wants to know the purpose and value of a risk analysis, the extent of resources required, and the options and methodologies available to perform the risk analysis. You have been asked to prepare a briefing for the Board and to address their concerns. What will you tell them.

I. Purpose of a risk analysis

The purpose of a risk analysis could be said to be to identify and quantify risks, determine the frequency with which they will occur, establish the cost or impact if they do occur, and determine alternative courses of action to control them; however, it might be better to put it to management that risk analysis is performed to help control costs and reduce the uncertainty of business operations by identifying those areas where a loss is likely to occur and determining ways of avoiding or mitigating it. While this clearly defines the purpose of a risk analysis with regard to a high level business justification, it hardly provides sufficient detail for a practical implementation of risk analysis across an actual organization; to do that requires a procedural breakdown focusing as much upon how the risk analysis is carried out as on what it is. To start with one needs a usable definition of risk against which to apply the analysis: for a risk to exist there must be some asset or activity of value to the organization that has an exposed vulnerability to which a threat exists with some likelihood of being actualized. Having established a working definition of risk one can carry on the process of analysis and finally of delineating and selecting among alternative means of avoiding or mitigating a risk.

The first step in a risk analysis is to identify those assets and activities of the organization having the most value or highest cost if they are lost, impaired, or fail. The list of assets is not limited to physical plant and equipment and may extend to data, people, software, contracts, business activities and to things as insubstantial as time, ideas, and good will. Identifying assets requires imagination and observation. Check lists, or automated tools that supply them, help with asset identification, as does having a team perform the analysis rather than a single individual; in an organization of any size a team approach becomes essential as no one person is likely to have the breadth and depth of knowledge and experience required to perform this type of analysis for the entire organization.

Having identified the key assets and activities of the organization one can start trying to assess their vulnerabilities and the threats likely to exploit those vulnerabilities. Identifying asset vulnerabilities is a mental and observational exercise that ranges in complexity from the application of common sense (my favorite oxymoron) to the use of game theory, "what-if" scenarios, and simulation to find what could happen to damage, destroy, or impede a key asset or activity. Vulnerabilities can range from poor control over access to key portions of the organization's physical plant, to poor personnel practices that could lead to the hiring of incompetent or overtly dangerous employees, to the locating of a key organizational operation (unnecessarily) atop an active fault line. Once key assets and activities are paired with vulnerabilities one can proceed by trying to identify threats that might exploit them. Threats can be posed by entities as impersonal as the weather, the economy, or seismic activity or as intimate as an over zealous competitor, a disgruntled employee, or an unethical corporate officer. Some of these threats are not universally addressable because, while you can try to locate physical plant in safe, stable areas, hedge your economic bets with conservative financial management, and institute an ethics program, acts of God can still happen. However, each of the possible steps mentioned above can form a part of a more comprehensive corporate security and management plan that deals with the threats we can address.

Having established a set of threatened, vulnerable, and valued assets and activities one must, finally, establish the likelihood for each threat that it will successfully exploit a vulnerability. This risk probability can be used in a quantitative framework with the value or cost of the asset to establish a risk exposure (RE = probability/year * value (Boehm, p 4)) in annual terms or, in a qualitative framework, to place a given risk in the low, medium, or high category. Whether one speaks of RE or category, the essential point is to establish a hierarchy that allows for the selection risks for avoidance or mitigation on a rational basis. Even if one's overall approach to risk analysis is qualitative those assets and activities of greatest value to the organization should be evaluated from a quantitative perspective to better enable evaluation of various avoidance and/or mitigation strategies.

Once a ranked list of risks has been established options for avoiding or reducing the impact of each risk can be considered in an orderly fashion taking into account such factors as the available budget, any ethical considerations, and the need to show due diligence and fiduciary responsibility. Boehm suggests computing a risk reduction leverage (RRL = (RE before - RE after)/cost of option (p. 8)) ratio for each avoidance or mitigation option for a given risk as a means of directing the selection process. In quantitative risk analysis these two sets of data (RE and RRL) can be plugged into a spread sheet to aid in finding the lowest overall risk for a given set of risks and budgetary limit. Key points to keep in mind are: management must buy-in to carrying out the analysis and to acting upon its results (implementation is key to gaining more than minimal benefits from the analysis); the analysis should focus across the breadth of the organization rather than getting bogged down in the fine details of any one area (don't over analyze); the scope of the analysis should be the entire organization and tie into the overall business mission of the organization; and, while risk analysis will cost time and money, the cost of not doing it will likely be higher.

II. Value of a risk analysis

The value of risk analysis is in part dependant upon the type of business the organization is in and the management style of that organization: some operations work under greater or lesser conditions of risk; and some managers take risk into account either subconsciously or as a matter of course while others do not. Regardless of the business conditions and management style of the organization, making risk analysis and management an explicit, visible process will still provide all of the following benefits:

Provide a focused, rational basis for security and business policy planning and decision making.
Produce a list of key assets and activities.
Risks are avoided or mitigated reducing their probability and/or impact.
Provides focus and justification for the cost of security and other risk management strategies.
Consciously and effectively dealing with risk appears to lead to more successful business operations (Down, Coleman, Absolon. p 1).

III. Resources/cost of risk analysis

Risk analysis is not a trivial undertaking in any organization. Knowledge and experience in each area of the organization are required to identify and assess the risks and risk management options that apply. Additionally, different phases of the risk analysis process require different types of skills and ways of thinking that may not be embodied in any one person within the organization. These points coupled with the potential size of the undertaking mandate that a team of people be used. Some team members will be involved full time, while others will only work on an as needed basis during a certain phase or for a certain business area. In addition to in-house personnel, consultants may need to be hired to provide a degree of experience and expertise not available locally. Automated tools (and training in those tools) may have to be purchased. Finally, a risk analysis will require time to complete, how much time depends upon the size and complexity of the organization, its activities, and the business environment. Also, one should keep in mind that a risk analysis is not a one time effort, it should be revisited on a regular basis to ensure that changing business conditions are adapted to and that new risks are identified and managed as they arise. Because risk analysis is an ongoing effort, the costs of tools, training, and (to the extent that they also serve as trainers) consultants can be amortized over their useful life.

IV. Options and methodologies for risk analysis

The options for carrying out the risk analysis include the methodologies to be employed, the degree to which automation and out-sourcing will be used, the breadth and depth used to apply the analysis across the organization, and the frequency with which the analysis will be revisited. There are two basic methodologies that can be used to do risk analysis: quantitative (as embodied by Federal Data Processing Standard 65), and qualitative. While a quantitative approach is more cumbersome and time consuming to apply, it has the advantage of bringing greater accuracy and rigor to the analysis. Qualitative risk analysis is relatively easy to apply but does not provide the positive feedback to the analyst when comparing to alternative avoidance or mitigation strategies that the quantitative approach's RRL calculation offers. Because time (all risks tend to become inevitable over a long enough period) and accuracy are both important factors in a risk analysis, perhaps the best approach is to do an initial qualitative analysis and then revisit those areas of high to medium (depending upon time an money constraints) risk from within a quantitative framework.

The degree to which the risk analysis is supported by automated tools is to some degree a factor of the tastes of the organization, the money available for tools and training, and the time available for the risk assessment. To the degree to which the organization habitually and successfully integrates tools into its overall business activities, is willing to provide adequate training, and is pressed for time the investment in automated risk analysis tools can pay off. If the organization is very pressed for time or short of adequate personnel resources then out-sourcing some or all of the effort may be the only option. The down sides of out sourcing include the expense of consultants, and the need to trust a company outsider with intimate details about the vulnerabilities of key assets and activities of the organization. The relationship between a risk analysis consultant and an organization is one of extreme trust that must be securely codified in a tightly written and strongly underwritten contract.

Humans have been analyzing, assessing, and mitigating risk since before we climbed up out of the swamp (let alone down out of the trees). At some level, the identification and assessment of risks, costs, and benefits is an essential part of animal behavior. It is perhaps surprising then that the corporate animals of the business and political environment did not, until quite recently, indulge more frequently in overt, explicit risk analysis. This is changing now that most public (Federal) entities have been mandated to apply risk analysis as a matter of course.

Digital Signatures

Scenario:

Encryption systems for message authentication and digital signature system implementiation to facilitate electronic commerce. Constraints on the use of digital signatures in the United States?

I. Encryption and message authentication

In any transaction between two parties there is, of a necessity, a certain level of trust implied. Whether one is sending an email to an acquaintance to arrange a lunch meeting, or a credit car number to a vendor to purchase an item the receiver and sender must both trust that they know who they are communicating with. This is true to some extent even in face-to- face cash transactions; the purchaser trusts that they are getting what they are paying for and the seller trusts that the cash is and will remain valid (at least long enough for them to spend it (a real problem in some parts of the world)). This brings us to the Internet and the advent of large scale consumer e-commerce. How can a commercial web site tell if the person browsing it is who they claim and how can a consumer looking to purchase a product know that the site they are browsing is legitimate and that the data they transfer (i.e. credit card number) is secure?

In the early 1976 Whitfield Diffie and Martin Hellman published a paper describing "public-key cryptography (Zimmerman, p. 111)." This concept has become a key factor in the development of a usable Internet encryption and authentication system. In either DES or RSA a pair of keys (A and B) are generated such that a message encrypted using A can only be decrypted by applying B and visa-versa. This allows the holder of this A-B pair to publish a key (the public key) A so that any one who wants to can send them a private message readable only by applying the private key B. Similarly the holder of the A-B key pair could use the public key C of his correspondent to reply in private. When the holder of the public key C receives the message they can apply their private key D to read it. This works fine for the casual exchange of private messages, but it does not ensure that the two participants know for sure with whom they are communicating; authentication requires us to go a step or two further.

II. Digital signature implementation and electronic commerce

The first step in authenticating a message is to ensure that it has not been tampered with. The holder of the A-B key pair (SAM) can use a hash/check sum function to compute a message digest of the data he wishes to send to the holder of the C-D key pair (PAM). This digest is difficult to forge (that is to reproduce from a meaningful altered message) so when SAM uses his private key B to encrypt the digest he has, in effect, created a stamp (digital signature (DS)) that, when attached to the message, will attest that the message has not been altered in transit. SAM then appends the DS to the message and encrypts the signed message using PAM's public key C sending it on its way to PAM. When PAM receives the message she first decrypts it with her private key D and then decrypts the digest using SAM's public key A. Finally, PAM uses the same hash/check sum software to create her own message digest. If PAM's digest matches SAM's digest, PAM knows with a high degree of certainty that the message has not been tampered with since it was sent. However, PAM is still not completely sure who sent the message because she only has SAM's word that he is "SAM", the legal holder of the A-B key pair.

The final step in authentication of the message between SAM and PAM must be supported by a trusted third party who has the authority to certify that SAM and PAM are who they say they are and legitimately hold their encryption key pairs A-B and B-C. This certificate authority (CA) accepts each of the public keys along with some other data about SAM and PAM and produces a digital certificate (DC) for each of them consisting of their public keys A and C, and some identifying data (say name and eamil address) encrypted by the CA's private key F. Now SAM can append his DC to the message digest and encrypt them both with his private key B to create a certified digital signature (CDS). He then attaches the CDS to his message and encrypts the whole file using PAM's public key C. Now when PAM receives the message she can decrypt it with her private key D, decrypt the CDS with SAM's public key A and compare the digest portion with the digest she computes as before proving that the message has not been altered, then PAM can use the CA's public key E to decrypt SAM's DC proving (at least to the level that PAM trusts the CA) that the message came from SAM. This same process can be used to certify the CA with a higher level authority (if required to several additional levels), but the whole process still hinges on trusting a CA at some level.

Digital certificates are a key technology in the large scale implementation of electronic commerce. The ability to send secure, authenticated messages that DCs and public key encryption confer ensure that private communications will remain private and that on-line fraud will be kept under control. Given the privacy, content verification, and source authentication conferred by DCs and CDSs it remains only to work out the implementation details.

III. Issues constraining digital signature use in the United States

As it turns out the implementation details are not trivial. In the U.S., the federal government has concerns about "unbreakable" encryption schemes being used to circumvent law enforcement and national security authorities. Each individual State has its own laws governing what constitutes a legally binding form of identification. Nascent CAs have a large number of important business rule issues to work out. Individuals worry about the reliability of certifying authorities (not to mention the whole convoluted scheme). And there is a lack of a standard approach to the implementation both within the U.S. and internationally

At the federal level, the ongoing concern has been that strong encryption can be put to use by criminals and enemies of the state to hide wrong doing and promote terrorism. Because of these issues the U.S. has chosen to treat strong encryption as munitions and placed it under tight controls on the one hand, and encouraged the adoption of various "back door" laden schemes to allow law enforcement access to encrypted data with a warrant (clipper chip, key escrow, etc...). These issues are causing restraint of trade at the national border as products containing sufficiently strong encryption methods are not permitted for export, restraint of implementation as software vendors and CAs wait to see how the issue is sorted out, and reduced consumer confidence as they consider the possibility that their messages might be read by any government official whose access and ethics were great enough and flexible enough to allow it. Finally, should the government serve as the central certifying authority or should that be left in the hands of the private sector.

At the state level laws and precedents need to be establish defining what a DC and CDS may be used for, and who may serve as a legally recognized CA. Any or all of these issues may also be superseded by events at the federal level. Major disagreements in law between states would also greatly constrain the quick adoption of DCs, as commerce would be restrained at the state line until differences were worked out.

Certifying authorities have a number of sticky issues to deal with over and above the question of federal and state law and regulation. The central issues revolve around how the CA is to deal with its customers and manage digital certificates:

Initial user authentication. What must be required of a customer to positively identify them to the CA? Do they need to appear in person or can a sufficient level of surety be reached via indirect contact?
Certificate revocation. Under what conditions will a digital certificate's validity be revoked?
Certificate expiration. How long should a digital certificate be permitted to last under normal conditions?
Certificate renewal. Can a digital certificate be renewed more easily than when it was first obtained or is the same level of authentication required for each renewal.
Authority reciprocity. To what degree can and will CAs honor each other's DCs? Will statutes require it? will standards support it?
Authority certification. Who will certify and police the CAs, ensuring reliable and ethical performance of a key public service.

Consumers also must come to trust and use the DC/DS structure, public key cryptography, and the CAs; ultimately the most used and best promoted (rather than the best technical solution) standard will come to dominate the market. It is clear that electronic commerce is growing at an incredible rate even without the security provided by this structure; however, the adoption of this methodology will ensure continued rapid growth while reducing the chances that fraud and abuse will cause a trade stifling loss of confidence in the internet as a medium for commerce.

Secure Network Implementation

Scenario:

Your company has decided to put in a Local Area Network to interconnect several computer systems located on several floors in an office building. The building is shared by several organizations. You have been assigned responsibility for security of the LAN system. The computer systems being linked together process a great deal of sensitive information that is limited to employees with a demonstrated "need to know" as well as some administrative and generic applications that are available to all employees. Several of the users on the LAN system require interconnection with the INTERNET: Approach, considerations, tradeoffs, roles of the company Communications and Computer Security Officers on this project.

I. Considerations and Assumptions

The addition of a LAN, particularly one conneted to the Internet, to a business environment that handles sensitive information raises a number of issues. First, there is the security of the network from outside access; even if the network were not connected to the Internet, a single unregistered modem could compromise the organization's entire computing infrastructure. Second, now every desktop machine on the LAN has, at least conceptually, access to the sensitive systems and data. Third, there is the physical security of the new network to consider: if the building has multiple tenants and the organization's office space is non-monolithic, then controlling physical access to LAN hardware (particularly floor to floor cable runs) becomes a critical issue. Finally there is the need to bring the organization's culture up to speed with the new capabilities and requirements offered to and demanded of the user community. In a network environment the weakest security link determines the overall security level of the system.

II. Internet Issues

Securing the LAN from the internet is one of the more difficult areas to deal with. One approach is to not actually connect the LAN to the Internet, but provide each user who needs Internet access with a modem, browser, security software, an ISP account and phone number, and instruction on modem security and internet ethics. This has the advantage that it isolates the LAN from the Internet and puts the onus for Internet security on the ISP, but it also greatly reduces the ability of the organization to track and control how Internet access and resources are being used. The other solution is to establish a proprietary connection to the Internet either through an ISP or by setting up a server directly on the LAN with a firewall and all security and administration handled on-site. The decision of which option to select is one that is properly based more on such business concerns as the volume and type of Internet services required or planned rather than what security head aches it might entail.

III. Current Systems Sceuruty and Computer Security

A primary concern for the new LAN administration staff and role for the current Computer Security Officer will be establishing access control and tracking on the sensitive systems and data that are now being made available over the network. Each of these sensitive systems must be reviewed with an eye to ensuring their secure function within the LAN milieu: does each system maintain "front door" security in the form of encrypted and logged user ID and password access control; is there any back door through which a user or hacker might stumble or break to access the system or its data directly; what modifications need to be instituted to adequately audit user access and activity over the LAN for each system; what type of backup and recovery protocols are being used and do they need to be updated or tested; do the current systems adequately enforce the organizations "need-to-know" data access control rules and is the process used to hire or select the new LAN staff sufficiently rigorous to ensure their trustability; and if these systems are to be accessible over the internet, what types of firewall, encryption and authentication protection must be establish to secure their content.

IV. Physical Installation Security

The physical installation of such LAN assets as cable or fiber runs, routers, bridges, and servers is also a concern. Servers and other hardware should be situated in locked but well ventilated and monitored areas, cable should run through walls and, especially in areas of the building not occupied by the organization, be protected by steel conduit. Ideally, in a new installation or where the budget will permit, all LAN transmission medium should be fiber optic. Even if the money is not available for a full fiber implementation, careful consideration should be given to using fiber through conduit to pass data across areas of the building not under the physical control of the organization. For security, fiber optic cable and steel conduit have two major advantages: for the moment at least, fiber is much more difficult to tap undetected, and it has no electromagnetic emissions that might be detectable from a distance; steel conduit will help contain conventional cable's electromagnetic emissions, shield it from outside sources, and protect both types of transmission media from accidental or deliberate tampering.

V. Human Factors and Corporate Culture

The most important security concern for the new LAN installation, and one that is frequently down played or overlooked, is the training or the LAN user community in the practices, ethics, and etiquette required in the new medium. It is not enough to train them in good password practice and show them how to access the LAN resources they need. Users must come to understand that they are ultimately responsible for ensuring the safety and availability of the information and resources the LAN makes so accessible. The user population must be made aware of copyright rules, come to appreciate the threat posed by viruses and other malicious code and understand how they may be prevented, be given instruction on how to handle normal network problems and be shown how to determine when it is time to call for support, and be made aware of other potential security breaches that they might stumble into (like installing an unregistered modem or program).

Corporate policy must also support the new LAN environment and written handbooks should be updated and disseminated (ideally made available in electronic form as well). Policies needing to be created or updated include software acquisition and copyright, computer use, Internet access, computer security, and physical security. Each of these areas will should also be covered in the updated training programs and become a regular part of the acculturation of new employees.

VI. Communications Role

Depending upon structure of the organization the Communications Officer's (CMO) role in this effort may be limited to acquiring additional phone service to support the Internet connection and any additional dial-up phone lines required for remote access; however, the CMO's role may extend to supervising the installation and administration of the LAN, making them a full partner in the establishment and maintenance of the security infrastructure of the system with the Computer Security Officer (CSO). A likely role for the CMO in this environment would be to partner with the CSO in the development of LAN user training programs (an area the CMO is likely to be familiar with from supporting phone system and security training), and then take on the responsibility for presenting and running the training program.

References


Boehm, Barry W.  (1989).  Software risk management.  IEEE
          Computer Society Press.  Los Alomitos, CA.

Down, Alex. Coleman, Michael. Absolon, Peter.  (1994).  Risk
          management for software projects.  McGraw-Hill Book Company
          Europe.  Maidenhead, Berkshire, England.

Flyzik, James. (1998) Scenarios for this paper.

Zimmermann, Philip R,  (October, 1998).  Scientific American.  
          Cryptography for the internet.  p. 110-115.