Security Basics mailing list archives

Re: Risk Ranking...


From: Woods_Beau () dkmc org
Date: Thu, 31 Aug 2006 15:56:10 -0400

I think the first step in the process is to get a good definition of 
"threat", "vulnerability", and "risk".  See Bejtlich's blog for that, or 
get his book The Tao of Network Security Monitoring.  His discussions 
largely pull on his US Military training and their definitions of these 
terms.  Here, you really need to get your head around what you are trying 
to do, in general terms.  What is the scope of the project, what are you 
really attempting to address, do you have policies regarding this kind of 
thing, etc.

Then you need to decide what is most important to you.  In Healthcare, a 
virus on a medical device could result in death of one or many people, 
whereas a virus on a workstation could just mean wiping out the 
installation.  Find a level of protection you want to have and work 
backwards from there.  You'll have to put a good bit of time into it to do 
it right, but it will be worth it.  You will most likely have to speak to 
the Compliance people and determine what their views are for this.  Do not 
work in a silo!  Think of this as a part of your business continuity plan. 
 Use that plan to determine your most important assets and to help in 
figuring out what assets have the highest value to your enterprise.

Next, you'll need to see where you are now -- what devices do you have, 
what patch levels are they, who maintains them, are any patches known to 
break the apps, what are the risks associated with the computers.  This is 
a real pain, it will take a massive effort, and you'll continually have to 
update.  Do it in waves or cycles.  Start with a quick nmap scan or 
something to see what devices you have and what they're running.  You may 
be surprised to find that you have some things you can't identify.  Then 
go into more detail as you get your head around what you have to begin 
with.

Then you will want to take a look at where you want to end up.  People are 
fond of saying that security isn't an end-state, and they're right.  But 
you have to have a plan to work towards as a goal.  When you have hit that 
target, and even as you progress towards it, you will revise that plan. 
After you've made up your plan, you need to think backwards to where you 
are now.  That way, you can chart out a timeline and minor goals and 
identify areas where you can consolidate projects, etc. 

I had the same problem as you when I was trying to come up with some risk 
metrics.  Specifically, I was looking for a way to assess outside threats 
and internal vulnerabilities that would allow for some decision-making.  I 
found Richard Bejtlich to be informative (taosecurity.blogspot.com), as 
well as SANS (isc.sans.org and www.sans.org).  However, this is a limited 
subset of the real issue, which is keeping the environment secure.  This 
larger goal includes issues like privacy leaks, insider threats, natural 
disasters, physical threats, etc.  As I don't typically deal with those, I 
can't really speak to them all. 

But by and large, I just created my own.  I haven't had much time to 
refine it to the point where I can create a mathematical score, but here 
is what I came up with.  The value to the left of the description is the 
assigned risk value.  The theory is that by adding or multiplying these 
values, I should be able to give a general idea of how much risk each 
vulnerability or threat poses.  The scale is exponential, so that as the 
severity of the threat/vulnerability increases, the total risk 
increases faster than linearly.  The idea is that each escalation is more 
than just an incremental increase in risk.  However, I have not played 
with the numbers to see if they are realistic in practice.

I'm publishing this here, and licensing this entire post under the 
Creative Commons Attribution-ShareAlike 2.5 License so anybody can use it 
as long as they share their derivations.  Hopefully this will help people 
who are looking for this kind of thing and can't find it anywhere else.

Distribution Method Ratings
1       Physical Presence
Delivery:       The vulnerability must be exploited locally.
2       User Interaction
Delivery:       The computer user must directly interact with the system 
in order for the vulnerability to be exploited (such as a trojan horse).
4       Mobile Code
Delivery:       The vulnerability is exploitable without direct user 
interaction (such as a mobile code exploit or mass mailer virus).
8       Internal Propagation
Delivery:       The vulnerability can be exploited with no user 
interaction whatsoever (such as a network worm).
Note:  If a piece of malware is a blended threat (able to exploit multiple 
vectors), each method will be taken into consideration.

Malware Damage Levels
1       Light Damage
Potential:      The malware may change configuration settings, deliver 
pop-up ads, or redirect web searches.
Repair Time:    Less than one man-hour.  Anti-Virus or other programs may 
do this automatically.
2       Moderate Damage
Potential:      The malware may do any of the above.  Additionally, it may 
log and send information from the computer, attempt to send mass amounts 
of email, close or crash programs, and/or change important configuration 
settings.
Repair Time:    Between one and two man-hours.  Anti-Virus and other 
automatic programs may help, but much of the work will be done manually.
4       High Damage
Potential:      The malware may do any of the above.  Additionally, it may 
reboot, slow down, or crash the computer, prevent programs from 
functioning normally, delete or overwrite system files, prevent the 
computer from starting, and/or remotely infect other computers through the 
network.
Repair Time:    Between one and four man-hours.  The computer may have to 
be reimaged.  If the computer has compromised others, the repair time will 
escalate due to the volume of computers infected.
8       Extreme Damage
Potential:      The malware may do any of the above.  Additionally, it may 
delete or overwrite important data, transmit confidential or patient data, 
and/or generate massive amounts of network traffic.
Repair Time:    Unknown number of man-hours.  The computer will most 
likely have to be reimaged.  Any locally stored data may have to be 
recreated; any data stored on the network may need to be restored.  If the 
computer has compromised others, the repair time will escalate due to the 
volume of computers infected.

System Exposure Levels
1       No Exposure
Prevalence:     No computers have exposure or are likely to be compromised 
in a widespread event, but the organization may be indirectly affected by 
other organizations' exposure.
2       Low Exposure
Prevalence:     Less than 20% of our systems are vulnerable or are likely 
to be compromised in a widespread event.
4       Moderate Exposure
Prevalence:     No more than 60% of our systems are vulnerable or are 
likely to be compromised in a widespread event.
8       High Exposure
Prevalence:     More than 60% of our systems are vulnerable or are likely 
to be compromised in a widespread event.

Vulnerability Threat Levels
2       Minor Threat
Viability:      No Proof of Concept (POC) code or working exploits are 
thought to be available.
4       Escalating Threat
Viability:      POC code is available, but no working exploit is thought 
to exist.
8       Known Threat
Viability:      A working exploit is thought to exist.

Importance Levels
1       None
Systems:        None of the following
2       Desirable
Systems: 
4       Essential
Systems: 
8       Mission Critical
Systems: 
NOTE:  This should closely resemble your Business Continuity Plan for 
which apps, servers, etc. are most important.


This metric was designed specifically for Microsoft patches on Black 
Tuesday, but it may apply to other events with minor adjustments.

Patch Installation Determinations
        Disallowed
Explanation:    The patch is known to cause programs to function 
incorrectly.  The risk of not patching is low.
        Discouraged
Explanation:    The patch may have unknown effects even though the patch 
has been tested.
        Recommended
Explanation:    The patch will probably not cause any unintended 
side-effects because it only affects software not required for business 
use.
        Encouraged
Explanation:    Significant risks exist by not patching; the patch does 
not break critical applications.
        Essential
Explanation:    There is a high risk to the organization if the patches 
are not applied.  The risk may even dictate that the patch be applied 
immediately, and without testing.


"Barrick, Chanda B" <cbbarric () iupui edu> 
08/28/2006 09:41 PM
To: <security-basics () securityfocus com>
cc: 
Subject: Risk Ranking...

I am trying to figure out how to develop a risk ranking methodology for 
incident reporting in a healthcare environment.  I don't even really know 
where to begin.  I've been googling, but I'm not finding much that is 
helpful.  Anyone have any suggestions?
 
Thanks
Chanda 

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec 
management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed 
degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
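The scoring scheme the post sketches (add or multiply the power-of-two ratings from each table), carried through as an added Python example; this is not part of the post or the author's own tooling. The scale values and labels are the post's; the blended-threat rule (rate at the most dangerous delivery vector), the input validation, the `exposure_level` mapping from a percentage, and the sample findings are assumptions constructed for this example.

```python
"""Worked risk-score calculator for the rating scales in the post above.

The four-step scales (1, 2, 4, 8) are powers of two, so multiplying the
chosen values is the same as adding the number of escalation steps; the
post leaves the choice between adding and multiplying open, so both are
implemented here and the sample ranking shows where they disagree.
Scale values and labels come from the post; the blended-threat rule, the
validation and the sample findings are assumptions for this example.
"""
import math
from dataclasses import dataclass

# Rating scales as listed in the post (assigned value -> label).
DISTRIBUTION = {1: "Physical Presence", 2: "User Interaction",
                4: "Mobile Code", 8: "Internal Propagation"}
DAMAGE = {1: "Light Damage", 2: "Moderate Damage",
          4: "High Damage", 8: "Extreme Damage"}
EXPOSURE = {1: "No Exposure", 2: "Low Exposure",
            4: "Moderate Exposure", 8: "High Exposure"}
THREAT = {2: "Minor Threat", 4: "Escalating Threat", 8: "Known Threat"}
IMPORTANCE = {1: "None", 2: "Desirable", 4: "Essential", 8: "Mission Critical"}


def exposure_level(fraction_vulnerable):
    """Map the share of systems affected (0.0 to 1.0) onto the post's
    exposure scale: none -> 1, under 20% -> 2, up to 60% -> 4, above -> 8."""
    if not 0.0 <= fraction_vulnerable <= 1.0:
        raise ValueError("fraction must be between 0 and 1")
    if fraction_vulnerable == 0.0:
        return 1
    if fraction_vulnerable < 0.2:
        return 2
    if fraction_vulnerable <= 0.6:
        return 4
    return 8


def _check(scale, value, field):
    # Reject a rating that is not one of the scale's assigned values.
    if value not in scale:
        raise ValueError(f"{field}={value!r} is not one of {sorted(scale)}")


@dataclass(frozen=True)
class Finding:
    """One vulnerability or malware event rated on every scale.

    `distribution` holds one value per delivery method so a blended threat
    (see the note under Distribution Method Ratings) can carry several."""
    name: str
    distribution: tuple
    damage: int
    exposure: int
    threat: int
    importance: int

    def __post_init__(self):
        for value in self.distribution:
            _check(DISTRIBUTION, value, "distribution")
        _check(DAMAGE, self.damage, "damage")
        _check(EXPOSURE, self.exposure, "exposure")
        _check(THREAT, self.threat, "threat")
        _check(IMPORTANCE, self.importance, "importance")

    def delivery(self):
        # Assumption: a blended threat is rated at its most dangerous vector.
        return max(self.distribution)


def multiplicative_score(f):
    """Product of the five ratings; ranges from 2 to 8**5 = 32768."""
    return f.delivery() * f.damage * f.exposure * f.threat * f.importance


def additive_score(f):
    """Sum of the five ratings; ranges from 6 to 40."""
    return f.delivery() + f.damage + f.exposure + f.threat + f.importance


def escalation_steps(f):
    """log2 of the product: the number of doublings above the lowest rating
    on every scale (exact, because every rating is a power of two)."""
    return int(math.log2(multiplicative_score(f)))


def rank(findings, scorer=multiplicative_score):
    """Highest risk first under the chosen combination rule."""
    return sorted(findings, key=scorer, reverse=True)


# Constructed sample findings (hypothetical, not real advisories).
SAMPLE_FINDINGS = [
    Finding("worm-rce", (8,), damage=4, exposure=8, threat=8, importance=4),
    Finding("local-privesc", (1,), damage=8, exposure=2, threat=4, importance=8),
    Finding("adware", (2,), damage=1, exposure=4, threat=2, importance=2),
    Finding("blended-mailer", (2, 4), damage=2, exposure=4, threat=8, importance=4),
]

if __name__ == "__main__":
    for label, scorer in (("multiplicative", multiplicative_score),
                          ("additive", additive_score)):
        print(f"--- {label} ranking ---")
        for f in rank(SAMPLE_FINDINGS, scorer):
            print(f"{f.name:15} score={scorer(f):6}  steps={escalation_steps(f)}")
```

Running the script shows the point the post leaves open: the product ranks the blended mailer (1024) above the local privilege escalation (512) because two of its ratings are a step higher, while the sum ranks them the other way round (22 versus 23). Whichever rule is adopted, the Patch Installation Determinations thresholds still have to be chosen against real incident history, which the post says has not yet been done.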