Complete risk assessment
Measuring and Managing Information Risk. http://dx.doi.org/10.1016/B978-0-12-420231-3.00008-7 Copyright © 2015 Elsevier Inc. All rights reserved.

CHAPTER 8 Risk Analysis Examples

OVERVIEW

We could have written an entire book containing nothing but example analyses. Instead, we have tried to provide some examples that will reinforce the concepts and methods we’ve introduced thus far in the book. If we haven’t included an example that is similar to a scenario you are wrestling with, feel free to drop us a note through LinkedIn. We may have one on file that we can share, or we might be able to provide an idea that will be helpful. You are not alone.

Please note that you don’t have to read all of these example analyses before moving on and reading the rest of the book. These are here as a guide and reference that you will hopefully find valuable as you begin to use FAIR.

INAPPROPRIATE ACCESS PRIVILEGES

PURPOSE

Determine the level of risk associated with inappropriate access privileges in a customer service application.

BACKGROUND

During a recent audit, it was discovered that there were active accounts in a customer service application with inappropriate access privileges. These accounts belonged to employees who still worked in the organization, but whose job responsibilities no longer required access to this information. Internal audit labeled this a high-risk finding.

ASSET(S) AT RISK

The account privileges in question permit access to the entire customer database, comprising roughly 500,000 people. This information includes customer name, address, date of birth, and social security number. No banking, credit, or other financial information exists in these records.

TCOM(S)

The primary threat community (TCom) is made up of employees whose accounts have inappropriate privileges in the application. Given that this group of people has access to and experience with the application, they are considered privileged insiders for the purpose of this analysis. You will sometimes get an argument that they aren’t supposed to have access, so they shouldn’t be labeled privileged insiders. Keep in mind that the label “privileged insider” is not about whether their privileges are approved or not; it’s about the fact that they have logical or physical proximity to the assets in question, and they don’t have to overcome resistive controls in order to do whatever you are concerned about them doing.

Another potential TCom to consider in this analysis would be nonprivileged insiders who gain illicit access to one of these accounts and leverage the inappropriate access in a malicious act. For example, John, who sits across from Debbie, might not have access to this application, but he knows that Debbie does. He knows this because she mentioned the other day how odd it was that her account could still get into the application 3 months after changing roles. He wants to gain access to the application, so he shoulder surfs Debbie’s password the day before she’s supposed to go on vacation. The next day, he logs into her account and looks up personal information on a handful of people. He sells this information to someone he met in a bar. This scenario is certainly a possibility and can be scoped into the analysis as well.

Another potential TCom is cyber criminals. The thinking here is that one of these accounts could be compromised via malware that gives remote access to a cyber criminal. The cyber criminal leverages the inappropriate access to steal customer data.

We’ll discuss some considerations regarding each of these TComs in the Analysis section below.

THREAT TYPE(S)

The primary type of threat event here is clearly malicious. It is difficult to realistically imagine that someone with inappropriate access to an application they’re no longer supposed to have access to would accidentally log into that application and do something that would inappropriately disclose customer information. However, there is a twist here. What about the possibility of an employee with inappropriate access logging into the application and just rummaging around looking up customer information out of boredom or curiosity but not with an intent to harm—snooping, as it were? That is absolutely a realistic scenario, and it’s something that the organization is not okay with, so the question boils down to whether we scope that separately from the truly malicious event.

Deciding whether to combine or separate scenarios like this typically boils down to whether there is likely to be a significant difference in the:

• Frequency of one scenario over the other
• Capability of the threat agents in one scenario versus the other
• Losses that would occur, or
• Controls that would apply

In this analysis, the capability of the threat agents is the same, so that wouldn’t be a good differentiating factor. Likewise, the applicable controls should be the same. The losses that would occur might be different, as a malicious actor might on average take more information, and there’s a much greater chance for customers to actually experience loss, which would increase secondary losses. There is also likely to be a higher frequency of the events involving nonmalicious actors, because truly malicious acts tend to be less frequent than acts of misbehavior (there are more jaywalkers in the world than there are serial killers). For these reasons, it makes sense to have two distinct threat types for this analysis. We’ll label them “malicious” and “snooping.”

THREAT EFFECT(S)

The relevant threat effects in this scenario will depend on the type of privileges an account has. If an account has inappropriate read-only privilege, then the only threat effect in play is confidentiality. If an account has change or delete privileges, then integrity and availability come into play. As a result, unless you already know that inappropriate privileges are limited to read access, you’ll need to include all three threat effect types.

SCOPE

Based on the considerations above, our scope table at this point looks like this (Table 8.1):

Table 8.1 The Scope Table for Level of Risks Associated with Inappropriate Access Privileges

Asset at Risk   Threat Community      Threat Type   Effect
Customer PII    Privileged insiders   Malicious     Confidentiality
Customer PII    Privileged insiders   Snooping      Confidentiality
Customer PII    Privileged insiders   Malicious     Availability
Customer PII    Privileged insiders   Malicious     Integrity
Customer PII    Nonpriv insiders      Malicious     Confidentiality
Customer PII    Nonpriv insiders      Malicious     Availability
Customer PII    Nonpriv insiders      Malicious     Integrity
Customer PII    Cyber criminals       Malicious     Confidentiality
Customer PII    Cyber criminals       Malicious     Availability
Customer PII    Cyber criminals       Malicious     Integrity

You’ll notice that snooping is limited to confidentiality events. This is because we assume that as soon as someone illicitly changes or deletes a record, they’ve crossed the line into malicious intent.

At this point, the scoping table consists of 10 scenarios. It would be nice if we could slim this down a bit by eliminating a few of these. The first and most obvious way to accomplish this is to find out whether the inappropriate privileges are limited to read-only, or whether they include change and delete privileges as well. Let’s say for the purposes of this example that none of these accounts have delete privileges. This being the case, our scope table now looks like this (Table 8.2):

Table 8.2 The Slimmed Scope Table

Asset at Risk   Threat Community      Threat Type   Effect
Customer PII    Privileged insiders   Malicious     Confidentiality
Customer PII    Privileged insiders   Snooping      Confidentiality
Customer PII    Privileged insiders   Malicious     Integrity
Customer PII    Nonpriv insiders      Malicious     Confidentiality
Customer PII    Nonpriv insiders      Malicious     Integrity
Customer PII    Cyber criminals       Malicious     Confidentiality
Customer PII    Cyber criminals       Malicious     Integrity

There’s another very important consideration, though, that can help you skinny down the number of scenarios you need to analyze in a situation like this. Ask yourself what question these analyses are trying to answer. We know that inappropriate access privileges aren’t a good thing, so that’s not in question. In this case, what we are trying to understand is the level of risk associated with these inappropriate privileges so that we can accurately report it to management and appropriately prioritize it among all of the other risk issues the organization is faced with. Our next step, then, is to look at the scenarios in our scope table and try to identify one or more scenarios that are likely to be much more (or less) frequent and/or much more (or less) impactful than the others. This is where your critical thinking muscles can get some serious exercise.

The first scenario that catches our eye in this regard is the one about cyber criminals/integrity. In our minds, there’s very little likelihood that a cyber criminal is going to benefit from damaging the integrity of customer records. It’s possible that their purpose is not financial gain, but rather to simply harm the company or individuals, but it seems a very remote probability that an actor with sufficient skills to gain this kind of access is going to have that focus. Furthermore, damaging or deleting records is much more likely to be recognized and reacted to than simply stealing data, and it seems especially unlikely that a cyber criminal would sacrifice their hard-won access in this manner. If the scenario were different, however, and instead of customer PII, the information at stake was something a cyber criminal or other threat community would gain significantly from by damaging or deleting, then this scenario might make perfect sense. We are going to delete it from our scope, though.

As we look at our scenarios, it also seems to us that the frequency of nonprivileged insiders hijacking an account that has inappropriate privileges is likely to be much smaller than the malicious or abusive acts of privileged insiders. It also occurs to us that illicit actions by nonprivileged actors would take place against accounts with appropriate access privileges roughly 85% of the time, because there would be little reason for them to single out and attack an account that had inappropriate privileges. For these reasons, we suspect the frequency of privileged insider actions to be much higher than the frequency of nonprivileged insiders, so we’ll remove the nonprivileged insider scenarios from scope, too. Now our table looks like this (Table 8.3):

It’s looking better all the time. At this point, we aren’t sure we’re comfortable removing any more scenarios from our scope. That doesn’t mean, however, that we have to analyze all four of these. Our approach now is to choose one that we believe will represent the most risk
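The scoping walk-through above (build every TCom x threat type x effect combination, then prune scenarios with a stated reason) can be made mechanical and reviewable. The following is an added Python example, not code from the book or from FAIR itself; the scenario labels and the one-line reasons attached to each pruning step are paraphrased from this chapter and are assumptions of the example.

```python
from itertools import product

# Scenario dimensions taken from the chapter's scoping discussion.
ASSET = "Customer PII"
TCOMS = ("Privileged insiders", "Nonpriv insiders", "Cyber criminals")
THREAT_TYPES = ("Malicious", "Snooping")
EFFECTS = ("Confidentiality", "Availability", "Integrity")

def full_scope():
    """Table 8.1: every TCom x threat type x effect. Snooping is limited to
    confidentiality (changing or deleting a record counts as malicious) and
    is only modelled for the insiders who already hold the privileges."""
    rows = []
    for tcom, ttype, effect in product(TCOMS, THREAT_TYPES, EFFECTS):
        if ttype == "Snooping" and (tcom != "Privileged insiders"
                                    or effect != "Confidentiality"):
            continue
        rows.append((ASSET, tcom, ttype, effect))
    return rows

# Each pruning step is (reason, predicate that is True for rows to drop).
# Reasons paraphrase the chapter; the order follows the text.
PRUNING_STEPS = [
    ("no account has delete privileges, so availability is out",
     lambda r: r[3] == "Availability"),
    ("a cyber criminal gains little by damaging record integrity",
     lambda r: r[1] == "Cyber criminals" and r[3] == "Integrity"),
    ("nonprivileged insiders hijacking these accounts is far less frequent",
     lambda r: r[1] == "Nonpriv insiders"),
]

def prune(rows, steps=PRUNING_STEPS):
    """Apply the steps in order; return surviving rows plus an audit trail
    of (reason, dropped_row) so each scoping decision stays reviewable."""
    kept, dropped = list(rows), []
    for reason, should_drop in steps:
        removed = [r for r in kept if should_drop(r)]
        kept = [r for r in kept if not should_drop(r)]
        dropped.extend((reason, r) for r in removed)
    return kept, dropped

def scope_counts():
    """Row counts after each step: 10 (Table 8.1) -> 7 (Table 8.2) -> 6 -> 4."""
    counts = [len(full_scope())]
    for i in range(1, len(PRUNING_STEPS) + 1):
        counts.append(len(prune(full_scope(), PRUNING_STEPS[:i])[0]))
    return counts

if __name__ == "__main__":
    kept, dropped = prune(full_scope())
    for reason, row in dropped:
        print(f"dropped {row[1]}/{row[2]}/{row[3]}: {reason}")
    print("in scope:", kept)
```

The audit trail is the useful part: when management or audit asks why a scenario was left out, the recorded reason is the answer, and changing one assumption (say, discovering delete privileges do exist) is a one-line edit that regenerates the scope table.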