Network System Security, part 14

CHAPTER 6
Managing Risk
Copyright 2001 The McGraw-Hill Companies, Inc.
Security is about managing risk. Without an understanding of the security risks to an
organization’s information assets, too many or not enough resources might be used,
or they might be used in the wrong way. Risk management also provides a basis for
valuing information assets. By identifying risk, you learn the value of particular types
of information and the value of the systems that contain that information.
WHAT IS RISK?
Risk is the underlying concept that forms the basis for what we call “security.” Risk
is the potential for loss that requires protection. If there is no risk, there is no need for
security. And yet risk is a concept that is barely understood by many who work in
the security industry.
Risk is much better understood in the insurance industry. A person purchases insurance
because a danger or peril is felt. The person may have a car accident that requires
significant repair work. Insurance reduces the risk that the money for the repair may not be
available. The insurance company sets the premiums for the person based on how much
the car repair is likely to cost and the likelihood that the person will be in an accident.
If we look closely at this example, we see the two components of risk. First is the
money needed for the repair. The insurance company needs to pay this amount if an
accident occurs. This is the vulnerability of the insurance company. The second component is
the likelihood of the person to get into an accident. This is the threat that will cause the
vulnerability to be exploited (the payment of the cost of repair).
When risk is examined, we therefore must understand the vulnerabilities and the
threats to an organization. Together, these two components form the basis for risk.
Figure 6-1 shows the relationship between vulnerability and threat. As you can see
from the figure, if there is no threat, there is no risk. Likewise, if there is no
vulnerability, there is no risk.
Vulnerability
A vulnerability is a potential avenue of attack. Vulnerabilities may exist in computer
systems and networks (allowing the system to be open to a technical attack) or in
administrative procedures (allowing the environment to be open to a non-technical or social
engineering attack).
A vulnerability is characterized by the difficulty and the level of technical skill that is
required to exploit it. The result of the exploitation should also be taken into account. For
instance, a vulnerability that is easy to exploit (due to the existence of a script to perform
the attack) and that allows the attacker to gain complete control over a system is a
high-value vulnerability. On the other hand, a vulnerability that would require the
attacker to invest significant resources for equipment and people and would only allow
the attacker to gain access to information that was not considered particularly sensitive
would be considered a low-value vulnerability.
Vulnerabilities are not just related to computer systems and networks. Physical site
security, employee issues, and the security of information in transit must all be examined.
Threat
A threat is an action or event that might violate the security of an information systems
environment. There are three components of threat:
▼ Targets The aspect of security that might be attacked.
■ Agents The people or organizations originating the threat.
▲ Events The type of action that poses the threat.
To completely understand the threats to an organization, all three components must
be examined.
Targets
The targets of threat or attack are generally the security services that were defined in
Chapter 3: confidentiality, integrity, availability, and accountability. These targets
correspond to the actual reason or motivation behind the threat.
Confidentiality is targeted when the disclosure of information to unauthorized individuals
or organizations is the motivation. In this case, the attacker wishes to know something that
would normally be kept from him, such as classified government information. However,
information that is normally kept private within commercial organizations, such as salary
information or medical histories, can also be a target.
Figure 6-1. The relationship between vulnerability and threat
Integrity is the target when the threat wishes to change information. The attacker in
this case is seeking to gain from modifying some information about him or another—for
example, making a change to a bank account balance to increase the amount of money in
the account. Others may choose to attack the transaction log and remove a transaction
that would have lowered the balance. Another example might be the modification of
some data in an important database to cast a doubt on the correctness of the data overall.
Companies that do DNA research might be targeted in such a manner.
Availability is targeted through the performance of a denial-of-service attack. Such
attacks can target the availability of information, applications, systems, or infrastructure.
Threats to availability can be short-term or long-term as well.
Accountability is rarely targeted as an end unto itself. When accountability is targeted
by a threat, the purpose of such an attack is to prevent an organization from
reconstructing past events. Accountability may be targeted as a prelude to an attack against another
target such as to prevent the identification of a database modification or to cast doubt on
the security mechanisms actually in place within an organization.
A threat may have multiple targets. For example, accountability may be the initial
target to prevent a record of the attacker’s actions from being recorded, followed by an
attack against the confidentiality of critical organizational data.
Agents
The agents of threat are the people who may wish to do harm to an organization. To be a
credible part of a threat, an agent must have three characteristics:
▼ Access The ability an agent has to get to the target.
■ Knowledge The level and type of information an agent has about the target.
▲ Motivation The reasons an agent might have for posing a threat to the target.
Access
An agent must have access to the system, network, facility, or information that
is desired. This access may be direct (for example, the agent has an account on the system)
or indirect (for example, the agent may be able to gain access to the facility through some
other means). The access that an agent has directly affects the agent’s ability to perform
the action necessary to exploit a vulnerability and therefore be a threat.
A component of access is opportunity. Opportunity may exist in any facility or
network just because an employee leaves a door propped open.
Knowledge
An agent must have some knowledge of the target. The knowledge that is
useful for an agent includes
▼ User IDs
■ Passwords
■ Locations of files
■ Physical access procedures
■ Names of employees
■ Access phone numbers
■ Network addresses
▲ Security procedures
The more familiar an agent is with the target, the more likely it is that the agent will
have knowledge of existing vulnerabilities. Agents that have detailed knowledge of
existing vulnerabilities will likely also be able to acquire the knowledge necessary to
exploit those vulnerabilities.
Motivation
An agent requires motivation to act against the target. Motivation is usually
the key characteristic to consider regarding an agent as it may also identify the primary
target. Motivations to consider include
▼ Challenge A desire to see if something is possible and be able to brag about it.
■ Greed A desire for gain. This may be a desire for money, goods, services, or
information.
▲ Malicious Intent A desire to do harm to an organization or individual.
Agents to Consider
A threat occurs when an agent with access and knowledge gains the
motivation to take action. Based on the existence of all three factors, the following agents
must be considered:
▼ Employees have the necessary access and knowledge to systems because of their
jobs. The question with regard to employees is whether they have the
motivation to do harm to the organization. This is not to say that all employees
should be suspected of every event but employees should not be discounted
when conducting a risk analysis.
■ Ex-employees have the necessary knowledge to systems due to the jobs that
they held. Depending on how well the organization removes access once an
employee leaves, the ex-employee may still have access to systems. Motivation
may exist depending upon the circumstances of the separation, for example, if
the ex-employee bears a grudge against the organization.
■ Hackers are always assumed to have a motivation to do harm to an
organization. The hacker may or may not have detailed knowledge of an
organization’s systems and networks. Access may be acquired if the
appropriate vulnerabilities exist within the organization.
■ Commercial rivals should be assumed to have the motivation to learn
confidential information about an organization. Commercial rivals may have a
motivation to do harm to another organization depending on the circumstances
of the rivalry. Such rival organizations should be assumed to have some
knowledge about an organization since they are in the same industry.
Knowledge and access to specific systems may not be available but may be
acquired if the appropriate vulnerabilities exist.
■ Terrorists are always assumed to have a motivation to do harm to an
organization. Terrorists will generally target availability. Therefore, access to
high-profile systems or sites can be assumed (the systems are likely on the
Internet and the sites are likely open to some physical access). Specific
motivation for targeting a particular organization is the important aspect of
identifying terrorists as a probable threat to an organization.
■ Criminals are always assumed to have a motivation to do harm to an
organization. More specifically, criminals tend to target items (both physical
and virtual) of value. Access to items of value, such as portable computers, is a
key aspect of identifying criminals as a probable threat to an organization.
■ The general public must always be considered as a possible source of threat.
However, unless an organization has caused some general offense to
civilization, motivation must be considered lacking. Likewise, access to and
knowledge about the specifics of an organization is considered minimal.
■ Companies that supply services to an organization may have detailed knowledge
and access to the organization’s systems. Business partners may have network
connections. Consultants may have people on site performing development or
administration functions. Motivation is generally lacking for one organization to
attack another but given the extensive access and knowledge that may be held by
the suppliers of services, they must be considered a possible source of threat.
■ Customers of an organization may have access to the organization’s systems
and some knowledge of how the organization works. Motivation is generally
lacking for one organization to attack another but given the potential access
that customers may have, they must be considered a possible source of threat.
■ Visitors have access to an organization by virtue of the fact that they are visiting
the organization. This access may allow a visitor to gain information or
admission to a system. Visitors must therefore be considered a possible source
of threat.
▲ Disasters such as earthquakes, tornadoes, or floods do not require motivation or
knowledge. Access is generally assumed. Disasters must always be considered
possible sources of threat.
When considering these agents, you must make a rational decision as to whether each
agent will have the necessary access to target an organization. Consider potential
avenues of attack in light of the vulnerabilities previously identified.
Events
Events are the ways in which an agent of threat may cause harm to an organization.
For example, a hacker may cause harm by maliciously altering an organization’s Web
site. Another way of looking at the events is to consider what harm could possibly be
done if the agent gained access. Events that should be considered include
▼ Misuse of authorized access to information, systems, or sites
■ Malicious alteration of information
■ Accidental alteration of information
■ Unauthorized access to information, systems, or sites
■ Malicious destruction of information, systems, or sites
■ Accidental destruction of information, systems, or sites
■ Malicious physical interference with systems or operations
■ Accidental physical interference with systems or operations
■ Natural physical events that may interfere with systems or operations
■ Introduction of malicious software (intentional or not) to systems
■ Disruption of internal or external communications
■ Passive eavesdropping of internal or external communications
▲ Theft of hardware
Threat + Vulnerability = Risk
Risk is the combination of threat and vulnerability. Threats without vulnerabilities pose
no risk. Likewise, vulnerabilities without threats pose no risk. The measurement of risk is
an attempt to identify the likelihood that a detrimental event will occur. Risk can be
qualitatively defined in three levels:
▼ Low The vulnerability poses a level of risk to the organization; however, it is
unlikely to occur. Action to remove the vulnerability should be taken if possible
but the cost of this action should be weighed against the small reduction in risk.
■ Medium The vulnerability poses a significant level of risk to the confidentiality,
integrity, availability, and/or accountability of the organization’s information,
systems, or physical sites. There is a real possibility that this may occur. Action to
remove the vulnerability is advisable.
▲ High The vulnerability poses a real danger to the confidentiality, integrity,
availability, and/or accountability of the organization’s information, systems, or
physical sites. Action should be taken immediately to remove this vulnerability.
When available, the ramification of a successful exploitation of a vulnerability by a
threat must be taken into account. If the cost estimates are available, they should be
applied to the risk level to better determine the feasibility of taking corrective action.
IDENTIFYING THE RISK TO AN ORGANIZATION
The identification of risk is straightforward. All you need to do is to identify the
vulnerabilities and the threat and you are done. How do these identified risks relate to the actual
risk to an organization? The short answer is: not very well. The identification of risks to an
organization must be tailored to the organization. Figure 6-2 shows the components of an
organizational risk assessment. As you can see from the figure, I’ve added another
component to the risk calculation—existing countermeasures.
Figure 6-2. Components of an organizational risk assessment