1 CH3 Formulating Risk Exposure CLO3 STD

Uploaded by Ben John
© All Rights Reserved

CSF 4003 Security and Risk Management

Chapter 3: Formulating Risk Exposure

Learning Objectives
Upon completion of this material, you should be able to:
Find risk and break down risk to its components
Envision the consequences of risk
Explain who or what the threat is
Discuss qualitative risk measures
Discuss quantitative risk measures

Introduction
A risk assessment needs to have more elements than just a
list of all the worst-case scenarios that you can imagine.
Your job as a Risk Analyst is to educate the organization
about the top risk exposures and help them to set priorities.
Therefore, you must break risk into its individual components
and accurately assess the level of risk exposure.

Risk Components
We will start by defining some terms to describe the key
components of a risk, and then we will use these terms as we
analyze some simple risk scenarios. The end goal is a model
that will accurately articulate, categorize, and rate risk
exposure.
Consider this assessment finding:
“Network administrators use Telnet to manage network
devices and their passwords never expire.”

Risk Components (cont.)
As the security manager who identified this finding, how would you
break down this scenario into risk components?
What is described in the previous statement is certainly a
finding, but does it accurately describe the risk?
For example, you should be able to answer the following
questions from a well-written risk statement:
Who is the threat we are worried about?
Why is the vulnerability causing the exposure?
What is the potential impact on the organization?
Risk Components (cont.)
Think of the risk as a description of the consequences.
To break down the risk to its components, we need to define:
Sensitivity of the resource: importance or criticality to the
organization.
Threats, and threat countermeasures.
Vulnerabilities, and vulnerability countermeasures.
Inherent Risk: amount of risk that exists in absence of controls.
Compensating Controls: controls currently in place that
reduce the exploitability.
Residual Risk: remaining risk after implementing controls.
Risk Components (cont.)
In simple terms, an information security risk exposure should
describe the outcome of a successful exploit of the
vulnerability by the threat.
A simple way of remembering the differences between the risk
terminologies is that:
- Threat describes the “Who”
- Vulnerability explains the “Why”
- Risk represents the “What”: the consequences the business will experience.
Imagine The Consequences
Your risk description should answer:
What would the organization lose upon a successful exploit?
 customer; money; reputation; etc.
Would the organization go out of business?
This is an extreme scenario
Can the organization recover from the breach?
How easy and how fast?
Would the organization need to inform customers?
Example: unauthorized disclosure of information occurred
How to Describe A Risk
As a result of <issue>, <consequence> may occur, which
would lead to/cause/require <effect>
Example 1:
As a result of a DDoS, a server shutdown may occur, which
would cause disruption in all intranet services
Example 2:
As a result of lost backup tapes, an unauthorized disclosure of
customer data may occur, which would require notification to
regulators and affected clients
Risk Formulating Example
Rewrite the following example into a correct risk description:
“Network administrators use Telnet to manage network devices and their passwords never expire.”
As a result of using Telnet, unauthorized access to our system by a group of hackers may occur, which could compromise all network devices.
Threat Examples
 External mass attacks (e.g. viruses)
 External targeted attacks (e.g. Attackers)
 Internal (e.g. disgruntled employee)
 Accidental damage
 Internal abuse
 Infrastructure failure
 Natural disaster

Threat vs Risk
Of the following, which do you think describe a threat source or
activity?
1. Disgruntled employee: Threat
2. Password cracking: Threat
3. Internet-facing router: an asset
4. Internet-facing server: vulnerability
5. Clear text passwords being sent over the Internet:
vulnerability

Activity (Threat, Vulnerability, Impact)
Which of these could be considered a threat source?
1. Interruption of operations: Impact
2. Untrained personnel: Threat (also a vulnerability)
3. Loss of data from virus infection: Impact
4. Spear-phishing attack from Hacker Business Network: Threat
5. Lightning strike on the data center: Threat
6. Use of the SSLv1 method: vulnerability (weak encryption)
7. Loss of company reputation: impact
Qualitative vs. Quantitative
Two approaches to measure and analyze risk:
Qualitative
Simpler to use and visualize
Good when there is not enough historical data
Uses a relative scale (Low, Moderate, High)
Subjective and can be inaccurate
Quantitative
Focuses on numbers and calculations
Requires accurate historical data
Varies from basic and simple to complex models
Quantitative Risk Analysis
Quantitative analysis approaches focus on hard numbers and
calculations to determine the risk exposure.
Many formulas for risk have been proposed, including:

Risk Exposure = Sensitivity × Severity × Likelihood

Exposure Rating = Severity² × Threat
Simple Quantitative Risk Calculation
The following is a common calculation formula:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Average Rate of Occurrence (ARO)

For example, if you expect to lose 9 laptops this year, and the cost to replace one laptop is AED 1000, then
ALE = 1000 × 9 = AED 9000
If you only lose one laptop every 3 years,
ALE = 1000 × (1/3) = AED 333.33
Simple Quantitative Risk Calculation (cont.)
Class activity 1: the ALE is estimated at AED 600 and the cost to replace a laptop is AED 200. How many laptops are expected to be lost this year?
ALE = SLE × ARO → 600 = 200 × ARO → ARO = 600/200 = 3

Class activity 2: Ali expects to lose 15 laptops every 6 years, and the cost to replace a laptop is AED 850. Find the ALE.
ALE = SLE × ARO = (15/6) × 850 = AED 2125
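The ALE calculation and the two exposure formulas from the earlier slide, carried through as an added Python example (not course material). The ordinal scores for the severity and likelihood levels, and the integer sensitivity and threat values, are my assumed numbering; the slides give the formulas but no numeric scale.

```python
"""Quantitative risk calculations from the deck, as an added example.
ALE = SLE x ARO, Risk Exposure = Sensitivity x Severity x Likelihood,
Exposure Rating = Severity^2 x Threat. The numeric scores for the
qualitative levels are assumed here; the slides do not define them."""


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO (in the deck's currency, AED)."""
    return sle * aro


def aro_from_events(events: float, years: float) -> float:
    """Turn 'N losses every M years' into a per-year rate of occurrence."""
    if years <= 0:
        raise ValueError("years must be positive")
    return events / years


def solve_ale_terms(ale_=None, sle=None, aro=None):
    """Given any two of ALE, SLE and ARO, return (ALE, SLE, ARO) with the third solved."""
    missing = [n for n, v in (("ale", ale_), ("sle", sle), ("aro", aro)) if v is None]
    if len(missing) != 1:
        raise ValueError("leave out exactly one of ale_, sle, aro")
    if missing[0] == "ale":
        ale_ = sle * aro
    elif missing[0] == "sle":
        sle = ale_ / aro  # value of one loss, given the yearly loss and the rate
    else:
        aro = ale_ / sle  # class activity 1: how many losses per year
    return ale_, sle, aro


# Assumed ordinal scores for the deck's qualitative levels (not from the slides).
SEVERITY = {"Low": 1, "Moderate": 2, "High": 3, "Critical": 4}
LIKELIHOOD = {"Negligible": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}


def risk_exposure(sensitivity: int, severity: str, likelihood: str) -> int:
    """Risk Exposure = Sensitivity x Severity x Likelihood, on the assumed scores."""
    return sensitivity * SEVERITY[severity] * LIKELIHOOD[likelihood]


def exposure_rating(severity: str, threat: int) -> int:
    """Exposure Rating = Severity^2 x Threat; squaring weights severity over threat."""
    return SEVERITY[severity] ** 2 * threat


if __name__ == "__main__":
    print("9 laptops/year at AED 1000:", ale(1000, 9))  # 9000
    print("1 laptop every 3 years:", round(ale(1000, aro_from_events(1, 3)), 2))  # 333.33
    print("Activity 1, ARO:", solve_ale_terms(ale_=600, sle=200)[2])  # 3.0
    print("Activity 2, ALE:", ale(850, aro_from_events(15, 6)))  # 2125.0
```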
Qualitative Risk Analysis
Risk analysis is like weather forecasting.
 We need to define sensitivity of the resource, severity of
the vulnerability, and likelihood of the threat.
 Each threat/vulnerability pair may have different likelihoods
and severities, so don’t assume that all threat/vulnerability
combinations will have the same risk exposure rating.

Risk Variables
 Severity
 It is a measure of the degree of damage or how universal the
exploit is.
 Example: A DDoS may result in a full loss of service availability.
 Likelihood
 The probability that a specific risk occurs. It includes the
probability of a successful exploit and the frequency of the exploit.
 Sensitivity:
 A measurement of the resource’s tolerance for risk exposures.
 Example: Disruption of connectivity to the data center may result
in revenue loss of 1,000,000 per hour
Estimating Severity
Some questions that can help estimate severity:
1. What is the scope after exploitation (full, users,
departments, etc.)?
2. How much data will be disclosed?
3. Will the breach allow for modification/destruction or just
viewing of data?
4. Can the attacker execute any code or are they limited to
certain functionality?

Qualitative Severity Scale
Level Description
Low May be a deviation from recommended practice or an emerging standard. May lack a security governance process or activity, but have no direct exposure.
Moderate May indirectly contribute to unauthorized activity or just have no known attack vector. May result in a degradation of service and/or a noticeable decrease in service performance.
High May allow limited access to or control of the application, system, or communication, including all data and functionality. May result in a short disruption of service and/or denial of service for part of the user community.
Critical May allow full access to or control of the application, system, or communication, including all data and functionality. May result in a prolonged outage affecting all users of the service.
Estimating Severity – Class Activity
 Assume the current process for on-boarding (conducting orientation for) a new employee is to send their initial password for the Expense Reporting Application (ERA) to them by e-mail, but the e-mail uses MD5 encryption. How would you rate the vulnerability severity? Moderate
However, if the vulnerability were a weak login page for ERA itself, which could allow anyone to bypass the login controls, it would be rated as High [we can see only the account of that employee = certain data]
Qualitative Severity Example
Assume you work for a regional bank that offers a web portal
for clients to perform online banking and this customer portal
is hosted by a third-party provider:
 Example 1: A weakness in a web form could allow for the
website to be defaced.
 This weakness directly puts the integrity of the Website at risk. It
does not allow an attacker full control of the web server. So, it
will be rated as High since it allows limited access to one file
(home.html) on the server.
Qualitative Severity Example (cont.)
Example 2: Due to storage limitations, audit logs for the
backend server that stores client financial transaction
data are only retained for 1 day.

 This lack of data may hinder an investigation into a security breach if audit logs aren’t available, but it won’t directly cause a compromise. Therefore, it is rated as Moderate.
Qualitative Severity Example (cont.)
Example 3: The hosting company does not employ an
independent third-party audit function to evaluate their
information security program.
 It doesn’t present a direct opportunity to compromise the
customer portal, nor will the absence of such a function
hinder the operations of the security team. The organization
may have a strong internal audit function. So, it is rated as
Low.

Qualitative Severity Example (cont.)
Example 4: Default administrator passwords are being
used on a system that is used to manage server
configuration.
 The use of default administrator passwords may allow for full
administrator access to the management server and, likely,
privileged access to the servers that it manages. In most cases,
this would also include access to any sensitive data on the
servers. So, it is rated as Critical.

Qualitative Severity Example (cont.)
Example 5: The client support staff at the bank set up
customer accounts for portal access manually, and
human error sometimes results in data disclosures
between customers.

 The exposure would likely be limited to one client accidentally getting access to another client’s data. Since the disclosure would be limited to a subset of data and not the entire database, it is rated as High.
Defining Likelihood
Likelihood is a rating of both the probability that a threat will
successfully exploit a vulnerability as well as how often that
might occur.
It depends on the following factors:
Size of the threat universe (scope)
Example: for the HCT, threat universe includes students,
faculty, and staff (threat may come from these entities).
Motivation of threat actor
Sophistication of attack or skill level required
Existing controls
Qualitative Likelihood Scale
Level Description
Negligible The threat source is part of a small and trusted group; controls prevent exploitation without physical access to the target; significant inside knowledge is necessary; or the exposure is purely theoretical.
Low The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exploited.
Moderate The threat source is motivated and capable, but controls are in place that may impede the successful exploitation of the vulnerability.
High The threat source is highly motivated and very capable, and controls to prevent the exploitation of the vulnerability are ineffective.
Very High Exposure is apparent through casual use or with publicly available information, and the weakness is accessible publicly on the internet.
Estimating Likelihood
Some questions that can help estimate likelihood:

1. What is the size of the population?
2. What skill level is required for exploit?
3. Can the vulnerability be exploited anonymously?
4. How attractive is the target?
Qualitative Likelihood Example
A skilled attacker is planning to hack the information system of the HBL institution. The implemented controls are strong enough to impede the successful exploitation of any vulnerability. On the likelihood scale, how would you rate this case?

 Likelihood will be rated as Moderate
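The severity scale (with the bank and ERA examples) and the likelihood scale (with the HBL case) encoded as decision rules, as an added Python example. The rules and the dimension names (access, outage, controls) are my own reading of the two scales, not a tool from the course, and the encoding of each deck finding is my assumption.

```python
"""Qualitative severity and likelihood raters, as an added example. The decision
rules are my reading of the deck's two scales, not a tool from the course; the
dimension names (access, outage, controls) and finding encodings are my own."""

# Attacker control gained, ordered as in the deck's severity scale.
ACCESS = {"none": 0, "indirect": 1, "limited": 2, "full": 3}
# Availability impact: none, degraded performance, short/partial outage, prolonged for all.
OUTAGE = {"none": 0, "degradation": 1, "partial": 2, "prolonged_all": 3}
SEVERITY_LEVELS = ("Low", "Moderate", "High", "Critical")


def rate_severity(access: str, outage: str = "none") -> str:
    """Severity is the worse of the two dimensions: Low = practice/governance
    deviation with no direct exposure, Moderate = indirect contribution or
    degradation, High = limited access or partial outage, Critical = full control
    or prolonged outage for all users."""
    return SEVERITY_LEVELS[max(ACCESS[access], OUTAGE[outage])]


def rate_likelihood(motivated: bool, capable: bool, controls: str,
                    public_internet: bool = False, insider_only: bool = False) -> str:
    """controls is 'prevent', 'impede' or 'ineffective', mirroring the likelihood scale."""
    if controls not in ("prevent", "impede", "ineffective"):
        raise ValueError("controls must be prevent, impede or ineffective")
    if insider_only:  # small trusted group / physical access / inside knowledge needed
        return "Negligible"
    if not (motivated and capable) or controls == "prevent":
        return "Low"
    if controls == "impede":  # the HBL case: skilled attacker, strong controls
        return "Moderate"
    # Controls ineffective against a motivated, capable source.
    return "Very High" if public_internet else "High"


# The deck's worked findings, encoded on the two dimensions (my encoding).
DECK_FINDINGS = {
    "web form allows defacement (one file)": ("limited", "none"),
    "audit logs kept 1 day": ("indirect", "none"),
    "no third-party audit of hosting provider": ("none", "none"),
    "default admin passwords on config manager": ("full", "none"),
    "manual account setup leaks data between customers": ("limited", "none"),
    "ERA initial password e-mailed with MD5": ("indirect", "none"),
    "ERA login page can be bypassed": ("limited", "none"),
}


def rate_deck_findings() -> dict:
    """Rate every deck finding; returns {finding: severity level}."""
    return {name: rate_severity(a, o) for name, (a, o) in DECK_FINDINGS.items()}
```

Calling `rate_deck_findings()` reproduces the deck's ratings (High, Moderate, Low, Critical, High, Moderate, High), and `rate_likelihood(True, True, "impede")` gives Moderate for the HBL case.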
Defining Risk Sensitivity
 Not all resources are created equal, meaning you may want
to patch your domain controllers before you patch the
workstation in the mail room. Thus, risk sensitivity comes
back into calculations.
There are two ways to include the sensitivity of the resource
in the qualitative assessment of risk exposure:
Sensitivity factors can be included in the definition of severity (difficult, since this mixes two independent conditions).
Alternatively, the mapping table can be expanded to include all three variables.
Estimating Risk Exposure
