Assessing Internet Security Risk, Part 1: What is Risk Assessment?
by Charl van der Walt
|Assessing Internet Security Risk, Part One: What is Risk Assessment?
by Charl Van der Walt
last updated June 11, 2002
The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don’t have to tell you this. You’ve heard that exact speech at just about every single security conference or seminar you’ve ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to loose. The “death toll” statistic are then almost always followed by a sales pitch for some or other product that’s supposed to make it all go away. Yeah right.
Am I saying the threat isn’t real? Am I saying the statistics aren’t true? No. What I’m saying is that many users fail to see what relevance any of this has to themselves and their company. Should the fact that e-Bay supposedly spent $120,000 dollars recovering from Mafia Boy's DDoS attack really have an impact on the reader's corporate IT policy? Perhaps not.
And yet, users can't afford to ignore these facts completely. That would be just plain dumb. What they need to do is to recognize that there are new threats and challenges and, like the other threats and challenges that businesses have always known, these need to be met and managed. No need to panic. No need to spend any money. Yet.
What users really need to do is to understand what the specific risks are that their company or home network faces from being connected to the Internet. In the same way that you don't borrow your business strategy from e-Bay, you probably shouldn't borrow your IT security strategy from them either. You need to develop an IT security strategy to meet your unique needs. You understand your company's own unique risk profile.
As with so many other things in life, the key to effective information security is to work smarter, not harder. And in this case, working smarter means investing your valuable time, money and human resources on addressing the specific problems that are the most likely to cause the most damage. The math is really quite simple. But before you can do the sums, you have to identify the variables. Here are some of the questions you'll have to ask yourself:
Having answered the five questions above, you can then investigate mechanisms (both technical and procedural) that might address those risks, and then weigh up the cost of each possible solution against the potential impact of the threat. Once again, the math is simple: if the cost of the solution is higher then the potential financial impact of the risk (or risks) being addressed, then one may need to investigate other solutions, consider accepting and living with a part of the risk, or accepting and living with the risk completely.
This article is the first of a series that is designed to help readers to answer questions three and four in the context of Internet-connected systems: What are the threats that my Internet-connected systems face and what are the chances of those threats being realized. Over the next few weeks we will explore the thinking around Internet Security Assessments, not only why they are done, but also how they are done. By the end of this series you should understand how performing an Internet security assessment can contribute to an effective information security strategy, what you should expect from such an assessment and even how you could go about performing such an assessment yourself.
The Reasoning Behind Security Assessments
An Internet Security Assessment is about understanding the risks that your company faces from being connected to the Internet. As already discussed, we go through this exercise in order to effectively decide how to spend time, money and human resources on information security. In this way our security expenditure can be requirement driven, not technology driven. In other words, we implement controls because we know that they’re needed, not just because the technology is available. Some firms refer to security assessments as ethical hacking or penetration testing. Although I also use these terms, I see them as referring to something completely different than risk assessment and thus do not see their use as appropriate in this context.
Security Assessments vs Risk Analysis
Later in this article, I'll show you a diagram of what is know as the "security life cycle", a depiction of the concept that security is a continual cycle with a number of distinct phases being repeated on an ongoing basis. You'll notice that this cycle distinguishes between a risk analysis and a security assessment. You may even have come across both terms before and wondered at the distinction. It's not my intention to argue semantics here. Indeed, I'm not even convinced that there is universal consensus on the precise definition of each term. Here's how I see it, briefly: A risk analysis is typically performed early in the security cycle. It's a business-oriented process that views risk and threats from a financial perspective and helps you to determine the best security strategy. Security assessments are performed periodically throughout the cycle. They view risk from a technical perspective and help to measure the efficacy of your security strategy. The primary focus of this paper is on this kind of assessment.
Internal vs External Assessments
I have further limited this paper to a discussion of Internet Security Assessments. Let me point out right from the start that this is only a part of the picture. An Internet security assessment can consist of one or both of two things: an internal assessment and an external assessment. The company for which I work distinguishes between the two in the following way:
Although an Internet assessment is attractive because it is finite and answers a direct question, the following should be noted at the outset:
Although it's beyond the scope of this discussion, the scope of an Internet Assessment can easily be expanded to include areas like RAS and the Extranet (which is why we actually refer to the service as an external assessment). However, even with the limited scope, there are a number of strong reasons for performing an Internet Security Assessment.
But first, let's remind ourselves why we want to do an assessment in the first place.
Reasons for performing a Technical Security Assessment
I've often thought, at the end of a security assessment project, that I probably could have advised the customer without having to perform the entire analysis. Internet installations are generally fairly similar and one sees the same mistakes being made at different installations all over the world. And yet I haven't quite given up on the idea. There are a number or reasons for my continued faith in technical assessments.
Firstly, a technical assessment allows me to fully familiarize myself with the customer's architecture. By the time the assessment is finished, I usually understand the client's Internet architecture at least as well they do, often even better. This puts me in a unique position to offer then real and useful advice and ongoing technical support.
The technical familiarity I've acquired also very often buys me the respect of the customer's technical personnel. That, in turn, puts me in an even better position to advise them. Because our clients themselves are often non-technical people, such as risk managers and financial managers, it is essential that we also win the trust and respect of the technical team. Penetration testing, a later phase in the assessment methodology during which we actually attempt to breach security and compromise the customer's systems, is particularly effective in this regard. It's hard for someone to argue that their security is sufficient when you've already clearly demonstrated that it can be compromised. The fact that our findings are based on a formal assessment methodology lends weight to the recommendations we make.
Sometimes an organization needs an objective assessment from an independent third party is necessary to convince others that they are taking security seriously. This is becoming more of an issue in certain sectors, where government, shareholders and other regulatory authorities are expecting companies to provide proof of proper information security.
Moreover, the fact is that a properly executed assessment may very well identify problems that otherwise may have gone unnoticed. A single small finger-fault in your firewall configuration may be all that's needed by an attacker and a thorough technical assessment may be the only way of determining this.
But most importantly, an assessment introduces objectivity. With the overwhelming number of security products and vendors in the market, it's important that security-conscious organizations and individuals spend money for the right reasons. A good assessment should help you to understand and prioritize your security requirements, allowing you to invest resources effectively. Very often, the most serious requirements will not be addressed by the simple acquisition of more technology, and it's important for the customer to understand that.
Actually, this last point is nothing new and security assessments have been seen as an important phase in the security lifecycle for as long as there has been information security theory. One version of the lifecycle looks like this:
Notice how the assessment phases (threat/risk analysis and security assessment) are the first and last step in the process. The analysis is used to identify what needs to be done, and the assessment is used to measure how effective the other phases in the cycle have been. A number of companies are even starting to use the outcome of these repeated assessments to measure the performance of their technical personnel. Some companies even use security assessments as a key performance area for regular personnel. Now there's an interesting idea.
Reasons for performing an Internet Security Assessment
Hopefully I've convinced you now of the value of a technical security assessment. But I've also said that this paper is limited to a discussion of Internet security assessments only. Does it make sense to focus on one area of your system like that? Actually, no. But Rome wasn't built in a day, and a complete assessment of a large environment will typically need to be broken up into a number of distinct and manageable phases. The Internet is only one of a number of different areas we could examine. However, Internet-connected systems are the single area we assess more than any other. And, given limited time and resources, it is sometimes the only area we consider for clients. Here is a summary of the reasons that companies still perform Internet security assessments:
In this section I've tried to convince you of the value of doing a technical risk assessment and to explain why we often consider the Internet systems separately from the rest of the infrastructure. In the next installment in this series, I'll give you an overview of the steps that we follow in performing this kind of assessment. The methodology is designed to ensure that our work is complete and consistent.
Charl van der Walt works for a South African company called SensePost that specializes in the provision internationally of information security services, including assessments of the kind discussed in this article. His background is in Computer Science, he is a qualified BS7799 Lead Auditor and he has been doing this kind of work for about five years now. he has a dog called Fish.
To read the next installment in this series, click here.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.