Understanding Security Risk Level
Security risks are like having a hole in your shield: no matter which side it is on, the hole is still there. You can raise your shields, but until you fix the hole, you are living under a false sense of security.
IT folks enter risk conversations much like the blind men describing an elephant (https://en.wikipedia.org/wiki/Blind_men_and_an_elephant). Each person is trying to convince everyone else, and each one's statement is true to their own perception but may be missing the overall perspective. A security professional is required to think through all stacks, layers, phases, control standards, and baselines. It is not optional.
They may know the elephant, but they may not know its purpose and value! Add the daunting task of keeping up with rapidly evolving technologies and you have a very difficult task. How do we help all stakeholders get onto the same page and reduce risk due to miscomprehension? One good starting point is to educate oneself and build shared knowledge about security risk. So, let's give it a shot.
Consider this case: the lament of a security engineer who just suffered a breach:
I risk losing my salary and my reputation. I put the company I work for into HIPAA non-compliance and patient privacy violation because there was a theft of patient confidential data.
Further, malicious changes made to the key performance indices made the Board mad. The Project Managers are mad because their documents were deleted, and Incident Response is mad because our mistake made it so that there is no way for them to find out what was stolen, modified, or deleted.
All of this because my team and I left an easy-to-discover Apache directory traversal vulnerability unpatched and allowed dangerous HTTP methods/operations. There are exploit kits making it easy to exploit these vulnerabilities, and hackers are aware of these kits. And to add to that, we forgot logging and now do not have the means to detect their attacks.
Man-o-man, my company is very well known and is a juicy target even for script-kiddies who would want to brag about hacking us, and, since this webserver is on the internet, they could easily get to it, and there are many of these kiddies.
Scotty! That was a costly mistake and no amount of beer can drown it :!(
Now imagine the other side! Give it a shot: write the perspective of the company.
You see, in the above lament, he just applied the OWASP Risk Rating Methodology (ORRM) (https://owasp.org/www-community/OWASP_Risk_Rating_Methodology). To be more technical, the lamentation above touches the values of all 16 ORRM parameters.
Now, let us build toward a visualization for similar lamentations. We are going to use an online radar charting tool for this purpose. There are many ways to combine these values, but let's do this differently (keep it simple and straightforward). Let's consider all of them as equally important and pull them together to represent the size of the hole in the shield protecting us.
Run through the following steps:
1. Head over to this URL: https://www.onlinecharttool.com/graph?selected_graph=radar and just click Next.
2. Leave everything above the Data Set section as is.
3. Leave the Groups value and Color as they are.
4. Then, under Data Set, select the number of items to be 16. You will see 16 lines added in the data section.
5. Go to the Item section (under Group label) and do the following:
· Note: Ignore the detailed text in parentheses in the list of values below.
· Enter the variable name and value in each of the 16 lines and click Next.
· Tip 1: It is easier to 'tab' between fields than to move the mouse.
· Tip 2: Use the short identifiers unless you have the patience to type the longer names.
· Here are the values to enter:
- fdam = 5 (financial damage)
- rdam = 5 (reputational damage)
- cdam = 5 (compliance damage)
- pdam = 5 (privacy damage)
- closs = 5 (confidentiality loss)
- iloss = 5 (integrity loss)
- aloss = 5 (availability loss)
- wloss = 5 (accountability loss, who did it? loss)
- dease = 5 (discovery of vulnerability ease)
- xease = 5 (exploit ease)
- vease = 5 (awareness - in dark webs - of this vulnerability)
- eease = 5 (ease of escaping detection)
- nthreat = 5 (reverse of knowledge level needed to hack)
- mthreat = 5 (motivation level)
- othreat = 5 (opportunity level to hack)
- sthreat = 5 (number of cyber criminals attracted to attack this target)
Once you click Next, you should see a diagram like the one below.
You see, even when you are average, you still have a big hole in your shield!
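As an added example (not part of the original post), here is the same rating done in Python instead of the charting tool: it applies the published ORRM averaging and banding to the 16 values above, then measures the radar-chart "hole" as the fraction of the full polygon's area. The function names, the area metric, and the AFTER_FIX scores (a constructed what-if in which the traversal bug is patched and logging is switched on) are my assumptions, not the post's.

```python
"""
Rate the lament's 16 OWASP Risk Rating Methodology (ORRM) factors and size
the 'hole in the shield'. Added example, not code from the original post.
Assumptions (not in the post): the function names, the polygon-area
'hole fraction', and the AFTER_FIX scores, which are constructed.
"""
from math import pi, sin

# The 16 ORRM factors, each scored 0-9 (9 = worst), in the order used on
# the radar chart. The short identifiers are the ones from the post.
THREAT_AGENT = ("nthreat", "mthreat", "othreat", "sthreat")
VULNERABILITY = ("dease", "xease", "vease", "eease")
TECHNICAL_IMPACT = ("closs", "iloss", "aloss", "wloss")
BUSINESS_IMPACT = ("fdam", "rdam", "cdam", "pdam")
ALL_FACTORS = THREAT_AGENT + VULNERABILITY + TECHNICAL_IMPACT + BUSINESS_IMPACT

# ORRM severity matrix: (likelihood level, impact level) -> overall severity.
SEVERITY = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",       ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# The lament as scored in the post: every factor at 5.
LAMENT = {name: 5 for name in ALL_FACTORS}

# Constructed 'after the fix' scores (assumption): the traversal bug is patched
# and logging is on, so discovery, exploitation and evading detection get harder.
AFTER_FIX = dict(LAMENT, dease=1, xease=1, eease=1)


def level(score: float) -> str:
    """ORRM bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def _average(scores: dict, factors: tuple) -> float:
    return sum(scores[f] for f in factors) / len(factors)


def validate(scores: dict) -> None:
    """Reject missing factors or values outside the 0-9 scale."""
    missing = set(ALL_FACTORS) - set(scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    bad = {f: v for f, v in scores.items() if not 0 <= v <= 9}
    if bad:
        raise ValueError(f"scores must be 0-9: {bad}")


def rate(scores: dict) -> dict:
    """ORRM rating: likelihood is the mean of the 8 threat-agent and
    vulnerability factors; impact is the mean of the 4 business-impact
    factors (ORRM prefers business impact when it is known, as it is here;
    the technical mean is returned for comparison)."""
    validate(scores)
    likelihood = _average(scores, THREAT_AGENT + VULNERABILITY)
    technical = _average(scores, TECHNICAL_IMPACT)
    business = _average(scores, BUSINESS_IMPACT)
    overall = SEVERITY[(level(likelihood), level(business))]
    return {
        "likelihood": likelihood,
        "technical_impact": technical,
        "business_impact": business,
        "overall": overall,
    }


def hole_fraction(scores: dict) -> float:
    """Area of the 16-spoke radar polygon as a fraction of the polygon drawn
    with every factor at 9. This is the post's 'size of the hole' idea made
    numeric (assumption); adjacent spokes are joined in ALL_FACTORS order."""
    validate(scores)
    r = [scores[f] for f in ALL_FACTORS]
    n = len(r)
    wedge = 0.5 * sin(2 * pi / n)          # area factor of one triangle between spokes
    area = wedge * sum(r[i] * r[(i + 1) % n] for i in range(n))
    full = wedge * n * 9 * 9
    return area / full


if __name__ == "__main__":
    for label, scores in (("lament", LAMENT), ("after fix", AFTER_FIX)):
        result = rate(scores)
        print(f"{label}: likelihood={result['likelihood']:.2f} "
              f"business impact={result['business_impact']:.2f} "
              f"overall={result['overall']} hole={hole_fraction(scores):.0%}")
```

With every factor at 5, likelihood and impact both land in the MEDIUM band, the overall ORRM severity is MEDIUM, and the polygon covers 25/81 (about 31%) of the full chart, which is the "average still leaves a big hole" point in numbers. The constructed AFTER_FIX scores show what patching and logging buy: likelihood drops to 3.5 and the hole shrinks to roughly 23%, but the severity band is unchanged because the impact factors are untouched, which is exactly why impact reduction (the business and technical loss side) needs its own attention.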
This is why your friendly CyberSecurity Spiderman wants you to keep the web tight, Captain America wants you to keep the shield well maintained, and Captain Kirk says to Scotty-from-engineering, please give the shield more power!
A few last thoughts:
· This article is a starting point; experiment with case studies to understand risk better.
· Remember, when an IT project is on time, a financial advantage is gained. So, one needs to 'subtract' the financial advantage from the financial damage to arrive at the net effect.
· Also, when an IT project is on time as announced by, say, senior leadership, a reputational advantage is gained. So, one needs to 'subtract' the reputational advantage from the reputational damage to arrive at the net effect.
· The variable values change over time or when external situations change.
It's now time to assess the Shield you are holding!!!
Happy Learning!
Srini Kasturi