THE UNIVERSITY OF MARYLAND UNIVERSITY COLLEGE
GRADUATE SCHOOL
Some Issues and Activities in
Information Risk Assessment and
Security
for
CSMN - 655 - 1141: Information Risk Assessment and Security
by
David R. Mapes
dmapes@erols.com
12/10/1998
Risk Assessment
Scenario:
New guidelines have been established and your company has
been mandated to perform a risk analysis on a major
sensitive information system. The Board of Directors of
your organization wants to know the purpose and value of a
risk analysis, the extent of resources required, and the
options and methodologies available to perform the risk
analysis. You have been asked to prepare a briefing for the
Board and to address their concerns. What will you tell
them.
I. Purpose of a risk analysis
The purpose of a risk analysis could be said to be to
identify and quantify risks, determine the frequency with which
they will occur, establish the cost or impact if they do occur,
and determine alternative courses of action to control them;
however, it might be better to put it to management that risk
analysis is performed to help control costs and reduce the
uncertainty of business operations by identifying those areas
where a loss is likely to occur and determining ways of avoiding
or mitigating it. While this clearly defines the purpose of a
risk analysis with regard to a high level business justification,
it hardly provides sufficient detail for a practical
implementation of risk analysis across an actual organization; to
do that requires a procedural breakdown focusing as much upon how
the risk analysis is carried out as on what it is. To start with
one needs a usable definition of risk against which to apply the
analysis: for a risk to exist there must be some asset or
activity of value to the organization that has an exposed
vulnerability to which a threat exists with some likelihood of
being actualized. Having established a working definition of
risk one can carry on the process of analysis and finally of
delineating and selecting among alternative means of avoiding or
mitigating a risk.
The first step in a risk analysis is to identify those
assets and activities of the organization having the most value
or highest cost if they are lost, impaired, or fail. The list of
assets is not limited to physical plant and equipment and may
extend to data, people, software, contracts, business activities
and to things as insubstantial as time, ideas, and good will.
Identifying assets requires imagination and observation. Check
lists, or automated tools that supply them, help with asset
identification, as does having a team perform the analysis rather
than a single individual; in an organization of any size a team
approach becomes essential as no one person is likely to have the
breadth and depth of knowledge and experience required to perform
this type of analysis for the entire organization.
Having identified the key assets and activities of the
organization one can start trying to assess their vulnerabilities
and the threats likely to exploit those vulnerabilities.
Identifying asset vulnerabilities is a mental and observational
exercise that ranges in complexity from the application of common
sense (my favorite oxymoron) to the use of game theory, "what-if"
scenarios, and simulation to find what could happen to damage,
destroy, or impede a key asset or activity. Vulnerabilities can
range from poor control over access to key portions of the
organization's physical plant, to poor personnel practices that
could lead to the hiring of incompetent or overtly dangerous
employees, to the locating of a key organizational operation
(unnecessarily) atop an active fault line. Once key assets and
activities are paired with vulnerabilities one can proceed by
trying to identify threats that might exploit them. Threats can
be posed by entities as impersonal as the weather, the economy,
or seismic activity or as intimate as an over zealous competitor,
a disgruntled employee, or an unethical corporate officer. Some
of these threats are not universally addressable because, while
you can try to locate physical plant in safe, stable areas, hedge
your economic bets with conservative financial management, and
institute an ethics program, acts of God can still happen.
However, each of the possible steps mentioned above can form a
part of a more comprehensive corporate security and management
plan that deals with the threats we can address.
Having established a set of threatened, vulnerable, and
valued assets and activities one must, finally, establish the
likelihood for each threat that it will successfully exploit a
vulnerability. This risk probability can be used in a
quantitative framework with the value or cost of the asset to
establish a risk exposure (RE = probability/year * value (Boehm,
p 4)) in annual terms or, in a qualitative framework, to place a
given risk in the low, medium, or high category. Whether one
speaks of RE or category, the essential point is to establish a
hierarchy that allows for the selection risks for avoidance or
mitigation on a rational basis. Even if one's overall approach
to risk analysis is qualitative those assets and activities of
greatest value to the organization should be evaluated from a
quantitative perspective to better enable evaluation of various
avoidance and/or mitigation strategies.
Once a ranked list of risks has been established options for
avoiding or reducing the impact of each risk can be considered in
an orderly fashion taking into account such factors as the
available budget, any ethical considerations, and the need to
show due diligence and fiduciary responsibility. Boehm suggests
computing a risk reduction leverage (RRL = (RE before - RE
after)/cost of option (p. 8)) ratio for each avoidance or
mitigation option for a given risk as a means of directing the
selection process. In quantitative risk analysis these two sets
of data (RE and RRL) can be plugged into a spread sheet to aid in
finding the lowest overall risk for a given set of risks and
budgetary limit. Key points to keep in mind are: management
must buy-in to carrying out the analysis and to acting upon its
results (implementation is key to gaining more than minimal
benefits from the analysis); the analysis should focus across
the breadth of the organization rather than getting bogged down
in the fine details of any one area (don't over analyze); the
scope of the analysis should be the entire organization and tie
into the overall business mission of the organization; and,
while risk analysis will cost time and money, the cost of not
doing it will likely be higher.
II. Value of a risk analysis
The value of risk analysis is in part dependant upon the
type of business the organization is in and the management style
of that organization: some operations work under greater or
lesser conditions of risk; and some managers take risk into
account either subconsciously or as a matter of course while
others do not. Regardless of the business conditions and
management style of the organization, making risk analysis and
management an explicit, visible process will still provide all of
the following benefits:
- Provide a focused, rational basis for security and business
policy planning and decision making.
- Produce a list of key assets and activities.
- Risks are avoided or mitigated reducing their probability
and/or impact.
- Provides focus and justification for the cost of security
and other risk management strategies.
- Consciously and effectively dealing with risk appears to
lead to more successful business operations (Down, Coleman,
Absolon. p 1).
III. Resources/cost of risk analysis
Risk analysis is not a trivial undertaking in any
organization. Knowledge and experience in each area of the
organization are required to identify and assess the risks and
risk management options that apply. Additionally, different
phases of the risk analysis process require different types of
skills and ways of thinking that may not be embodied in any one
person within the organization. These points coupled with the
potential size of the undertaking mandate that a team of people
be used. Some team members will be involved full time, while
others will only work on an as needed basis during a certain
phase or for a certain business area. In addition to in-house
personnel, consultants may need to be hired to provide a degree
of experience and expertise not available locally. Automated
tools (and training in those tools) may have to be purchased.
Finally, a risk analysis will require time to complete, how much
time depends upon the size and complexity of the organization,
its activities, and the business environment. Also, one should
keep in mind that a risk analysis is not a one time effort, it
should be revisited on a regular basis to ensure that changing
business conditions are adapted to and that new risks are
identified and managed as they arise. Because risk analysis is
an ongoing effort, the costs of tools, training, and (to the
extent that they also serve as trainers) consultants can be
amortized over their useful life.
IV. Options and methodologies for risk analysis
The options for carrying out the risk analysis include the
methodologies to be employed, the degree to which automation and
out-sourcing will be used, the breadth and depth used to apply
the analysis across the organization, and the frequency with
which the analysis will be revisited. There are two basic
methodologies that can be used to do risk analysis: quantitative
(as embodied by Federal Data Processing Standard 65), and
qualitative. While a quantitative approach is more cumbersome
and time consuming to apply, it has the advantage of bringing
greater accuracy and rigor to the analysis. Qualitative risk
analysis is relatively easy to apply but does not provide the
positive feedback to the analyst when comparing to alternative
avoidance or mitigation strategies that the quantitative
approach's RRL calculation offers. Because time (all risks tend
to become inevitable over a long enough period) and accuracy are
both important factors in a risk analysis, perhaps the best
approach is to do an initial qualitative analysis and then
revisit those areas of high to medium (depending upon time an
money constraints) risk from within a quantitative framework.
The degree to which the risk analysis is supported by
automated tools is to some degree a factor of the tastes of the
organization, the money available for tools and training, and the
time available for the risk assessment. To the degree to which
the organization habitually and successfully integrates tools
into its overall business activities, is willing to provide
adequate training, and is pressed for time the investment in
automated risk analysis tools can pay off. If the organization
is very pressed for time or short of adequate personnel resources
then out-sourcing some or all of the effort may be the only
option. The down sides of out sourcing include the expense of
consultants, and the need to trust a company outsider with
intimate details about the vulnerabilities of key assets and
activities of the organization. The relationship between a risk
analysis consultant and an organization is one of extreme trust
that must be securely codified in a tightly written and strongly
underwritten contract.
Humans have been analyzing, assessing, and mitigating risk
since before we climbed up out of the swamp (let alone down out
of the trees). At some level, the identification and assessment
of risks, costs, and benefits is an essential part of animal
behavior. It is perhaps surprising then that the corporate
animals of the business and political environment did not, until
quite recently, indulge more frequently in overt, explicit risk
analysis. This is changing now that most public (Federal)
entities have been mandated to apply risk analysis as a matter of
course.
Digital Signatures
Scenario:
Encryption systems for message authentication and digital
signature system implementiation to facilitate electronic
commerce. Constraints on the use of digital signatures
in the United States?
I. Encryption and message authentication
In any transaction between two parties there is, of a
necessity, a certain level of trust implied. Whether one is
sending an email to an acquaintance to arrange a lunch meeting,
or a credit car number to a vendor to purchase an item the
receiver and sender must both trust that they know who they are
communicating with. This is true to some extent even in face-to-
face cash transactions; the purchaser trusts that they are
getting what they are paying for and the seller trusts that the
cash is and will remain valid (at least long enough for them to
spend it (a real problem in some parts of the world)). This
brings us to the Internet and the advent of large scale consumer
e-commerce. How can a commercial web site tell if the person
browsing it is who they claim and how can a consumer looking to
purchase a product know that the site they are browsing is
legitimate and that the data they transfer (i.e. credit card
number) is secure?
In the early 1976 Whitfield Diffie and Martin Hellman
published a paper describing "public-key cryptography (Zimmerman,
p. 111)." This concept has become a key factor in the
development of a usable Internet encryption and authentication
system. In either DES or RSA a pair of keys (A and B) are
generated such that a message encrypted using A can only be
decrypted by applying B and visa-versa. This allows the holder
of this A-B pair to publish a key (the public key) A so that any
one who wants to can send them a private message readable only by
applying the private key B. Similarly the holder of the A-B key
pair could use the public key C of his correspondent to reply in
private. When the holder of the public key C receives the
message they can apply their private key D to read it. This
works fine for the casual exchange of private messages, but it
does not ensure that the two participants know for sure with whom
they are communicating; authentication requires us to go a step
or two further.
II. Digital signature implementation and electronic commerce
The first step in authenticating a message is to ensure that
it has not been tampered with. The holder of the A-B key pair
(SAM) can use a hash/check sum function to compute a message
digest of the data he wishes to send to the holder of the C-D key
pair (PAM). This digest is difficult to forge (that is to
reproduce from a meaningful altered message) so when SAM uses his
private key B to encrypt the digest he has, in effect, created a
stamp (digital signature (DS)) that, when attached to the
message, will attest that the message has not been altered in
transit. SAM then appends the DS to the message and encrypts the
signed message using PAM's public key C sending it on its way to
PAM. When PAM receives the message she first decrypts it with
her private key D and then decrypts the digest using SAM's public
key A. Finally, PAM uses the same hash/check sum software to
create her own message digest. If PAM's digest matches SAM's
digest, PAM knows with a high degree of certainty that the
message has not been tampered with since it was sent. However,
PAM is still not completely sure who sent the message because she
only has SAM's word that he is "SAM", the legal holder of the A-B
key pair.
The final step in authentication of the message between SAM
and PAM must be supported by a trusted third party who has the
authority to certify that SAM and PAM are who they say they are
and legitimately hold their encryption key pairs A-B and B-C.
This certificate authority (CA) accepts each of the public keys
along with some other data about SAM and PAM and produces a
digital certificate (DC) for each of them consisting of their
public keys A and C, and some identifying data (say name and
eamil address) encrypted by the CA's private key F. Now SAM can
append his DC to the message digest and encrypt them both with
his private key B to create a certified digital signature (CDS).
He then attaches the CDS to his message and encrypts the whole
file using PAM's public key C. Now when PAM receives the message
she can decrypt it with her private key D, decrypt the CDS with
SAM's public key A and compare the digest portion with the digest
she computes as before proving that the message has not been
altered, then PAM can use the CA's public key E to decrypt SAM's
DC proving (at least to the level that PAM trusts the CA) that
the message came from SAM. This same process can be used to
certify the CA with a higher level authority (if required to
several additional levels), but the whole process still hinges on
trusting a CA at some level.
Digital certificates are a key technology in the large scale
implementation of electronic commerce. The ability to send
secure, authenticated messages that DCs and public key encryption
confer ensure that private communications will remain private and
that on-line fraud will be kept under control. Given the
privacy, content verification, and source authentication
conferred by DCs and CDSs it remains only to work out the
implementation details.
III. Issues constraining digital signature use in the United
States
As it turns out the implementation details are not trivial.
In the U.S., the federal government has concerns about
"unbreakable" encryption schemes being used to circumvent law
enforcement and national security authorities. Each individual
State has its own laws governing what constitutes a legally
binding form of identification. Nascent CAs have a large number
of important business rule issues to work out. Individuals worry
about the reliability of certifying authorities (not to mention
the whole convoluted scheme). And there is a lack of a standard
approach to the implementation both within the U.S. and
internationally
At the federal level, the ongoing concern has been that
strong encryption can be put to use by criminals and enemies of
the state to hide wrong doing and promote terrorism. Because of
these issues the U.S. has chosen to treat strong encryption as
munitions and placed it under tight controls on the one hand, and
encouraged the adoption of various "back door" laden schemes to
allow law enforcement access to encrypted data with a warrant
(clipper chip, key escrow, etc...). These issues are causing
restraint of trade at the national border as products containing
sufficiently strong encryption methods are not permitted for
export, restraint of implementation as software vendors and CAs
wait to see how the issue is sorted out, and reduced consumer
confidence as they consider the possibility that their messages
might be read by any government official whose access and ethics
were great enough and flexible enough to allow it. Finally,
should the government serve as the central certifying authority
or should that be left in the hands of the private sector.
At the state level laws and precedents need to be establish
defining what a DC and CDS may be used for, and who may serve as
a legally recognized CA. Any or all of these issues may also be
superseded by events at the federal level. Major disagreements
in law between states would also greatly constrain the quick
adoption of DCs, as commerce would be restrained at the state
line until differences were worked out.
Certifying authorities have a number of sticky issues to
deal with over and above the question of federal and state law
and regulation. The central issues revolve around how the CA is
to deal with its customers and manage digital certificates:
- Initial user authentication. What must be required of a
customer to positively identify them to the CA? Do they
need to appear in person or can a sufficient level of surety
be reached via indirect contact?
- Certificate revocation. Under what conditions will a
digital certificate's validity be revoked?
- Certificate expiration. How long should a digital
certificate be permitted to last under normal conditions?
- Certificate renewal. Can a digital certificate be renewed
more easily than when it was first obtained or is the same
level of authentication required for each renewal.
- Authority reciprocity. To what degree can and will CAs
honor each other's DCs? Will statutes require it? will
standards support it?
- Authority certification. Who will certify and police the
CAs, ensuring reliable and ethical performance of a key
public service.
Consumers also must come to trust and use the DC/DS
structure, public key cryptography, and the CAs; ultimately the
most used and best promoted (rather than the best technical
solution) standard will come to dominate the market. It is clear
that electronic commerce is growing at an incredible rate even
without the security provided by this structure; however, the
adoption of this methodology will ensure continued rapid growth
while reducing the chances that fraud and abuse will cause a
trade stifling loss of confidence in the internet as a medium for
commerce.
Secure Network Implementation
Scenario:
Your company has decided to put in a Local Area Network to
interconnect several computer systems located on several
floors in an office building. The building is shared by
several organizations. You have been assigned
responsibility for security of the LAN system. The computer
systems being linked together process a great deal of
sensitive information that is limited to employees with a
demonstrated "need to know" as well as some administrative
and generic applications that are available to all
employees. Several of the users on the LAN system require
interconnection with the INTERNET: Approach, considerations,
tradeoffs, roles of the company Communications and Computer
Security Officers on this project.
I. Considerations and Assumptions
The addition of a LAN, particularly one conneted to the
Internet, to a business environment that handles sensitive
information raises a number of issues. First, there is the
security of the network from outside access; even if the network
were not connected to the Internet, a single unregistered modem
could compromise the organization's entire computing
infrastructure. Second, now every desktop machine on the LAN
has, at least conceptually, access to the sensitive systems and
data. Third, there is the physical security of the new network
to consider: if the building has multiple tenants and the
organization's office space is non-monolithic, then controlling
physical access to LAN hardware (particularly floor to floor
cable runs) becomes a critical issue. Finally there is the need
to bring the organization's culture up to speed with the new
capabilities and requirements offered to and demanded of the user
community. In a network environment the weakest security link
determines the overall security level of the system.
II. Internet Issues
Securing the LAN from the internet is one of the more
difficult areas to deal with. One approach is to not actually
connect the LAN to the Internet, but provide each user who needs
Internet access with a modem, browser, security software, an ISP
account and phone number, and instruction on modem security and
internet ethics. This has the advantage that it isolates the LAN
from the Internet and puts the onus for Internet security on the
ISP, but it also greatly reduces the ability of the organization
to track and control how Internet access and resources are being
used. The other solution is to establish a proprietary
connection to the Internet either through an ISP or by setting up
a server directly on the LAN with a firewall and all security and
administration handled on-site. The decision of which option to
select is one that is properly based more on such business
concerns as the volume and type of Internet services required or
planned rather than what security head aches it might entail.
III. Current Systems Sceuruty and Computer Security
A primary concern for the new LAN administration staff and
role for the current Computer Security Officer will be
establishing access control and tracking on the sensitive systems
and data that are now being made available over the network.
Each of these sensitive systems must be reviewed with an eye to
ensuring their secure function within the LAN milieu: does each
system maintain "front door" security in the form of encrypted
and logged user ID and password access control; is there any back
door through which a user or hacker might stumble or break to
access the system or its data directly; what modifications need
to be instituted to adequately audit user access and activity
over the LAN for each system; what type of backup and recovery
protocols are being used and do they need to be updated or
tested; do the current systems adequately enforce the
organizations "need-to-know" data access control rules and is the
process used to hire or select the new LAN staff sufficiently
rigorous to ensure their trustability; and if these systems are
to be accessible over the internet, what types of firewall,
encryption and authentication protection must be establish to
secure their content.
IV. Physical Installation Security
The physical installation of such LAN assets as cable or
fiber runs, routers, bridges, and servers is also a concern.
Servers and other hardware should be situated in locked but well
ventilated and monitored areas, cable should run through walls
and, especially in areas of the building not occupied by the
organization, be protected by steel conduit. Ideally, in a new
installation or where the budget will permit, all LAN
transmission medium should be fiber optic. Even if the money is
not available for a full fiber implementation, careful
consideration should be given to using fiber through conduit to
pass data across areas of the building not under the physical
control of the organization. For security, fiber optic cable and
steel conduit have two major advantages: for the moment at
least, fiber is much more difficult to tap undetected, and it has
no electromagnetic emissions that might be detectable from a
distance; steel conduit will help contain conventional cable's
electromagnetic emissions, shield it from outside sources, and
protect both types of transmission media from accidental or
deliberate tampering.
V. Human Factors and Corporate Culture
The most important security concern for the new LAN
installation, and one that is frequently down played or
overlooked, is the training or the LAN user community in the
practices, ethics, and etiquette required in the new medium. It
is not enough to train them in good password practice and show
them how to access the LAN resources they need. Users must come
to understand that they are ultimately responsible for ensuring
the safety and availability of the information and resources the
LAN makes so accessible. The user population must be made aware
of copyright rules, come to appreciate the threat posed by
viruses and other malicious code and understand how they may be
prevented, be given instruction on how to handle normal network
problems and be shown how to determine when it is time to call
for support, and be made aware of other potential security
breaches that they might stumble into (like installing an
unregistered modem or program).
Corporate policy must also support the new LAN environment
and written handbooks should be updated and disseminated (ideally
made available in electronic form as well). Policies needing to
be created or updated include software acquisition and copyright,
computer use, Internet access, computer security, and physical
security. Each of these areas will should also be covered in the
updated training programs and become a regular part of the
acculturation of new employees.
VI. Communications Role
Depending upon structure of the organization the
Communications Officer's (CMO) role in this effort may be limited
to acquiring additional phone service to support the Internet
connection and any additional dial-up phone lines required for
remote access; however, the CMO's role may extend to supervising
the installation and administration of the LAN, making them a
full partner in the establishment and maintenance of the security
infrastructure of the system with the Computer Security Officer
(CSO). A likely role for the CMO in this environment would be to
partner with the CSO in the development of LAN user training
programs (an area the CMO is likely to be familiar with from
supporting phone system and security training), and then take on
the responsibility for presenting and running the training
program.
References
Boehm, Barry W. (1989). Software risk management. IEEE
Computer Society Press. Los Alomitos, CA.
Down, Alex. Coleman, Michael. Absolon, Peter. (1994). Risk
management for software projects. McGraw-Hill Book Company
Europe. Maidenhead, Berkshire, England.
Flyzik, James. (1998) Scenarios for this paper.
Zimmermann, Philip R, (October, 1998). Scientific American.
Cryptography for the internet. p. 110-115.