CS507 - Information Systems - Lecture Handout 30

User Rating:  / 0
PoorBest 

Related Content: CS507 - VU Lectures, Handouts, PPT Slides, Assignments, Quizzes, Papers & Books of Information Systems

Threat Identification

“A threat is some action or event that can lead to a loss.”

Various types of threats may exist that could, if they occur result in information assets being exposed, removed either temporarily or permanently, lost, damaged, destroyed, or used for un-authorized purposes are identified. Susceptibility to threats, whether logical or physical are a major risk factor for the data base and information system of an organization. These risks are to be identified and steps that include physical and logical controls need to be instituted and monitored on a regular basis. Security measures can be designed only if we know what kind of threats or risks are to be guarded against. Obviously, we would also have to determine the frequency of the known and the unknown risks or threats.

Threats and risks are usually used synonymously. These are always there and cannot be avoided but should be managed to minimize losses and maximize returns. Each level of management and each operational area perceives risk differently and communicates these perceptions in different terms.

Types of Threats

  • Physical threat – This refers to the damage caused to the physical infrastructure of the information systems, e.g.
    • Fire
    • Water
    • Energy Variations
    • Structural damage
    • Pollution
    • Intrusion
  • Logical – This refers to damage caused to the software and data without physical presence.
    • Viruses and worms
    • Logical intrusion

Likelihood of occurrence of Threat:

Having identified the threats, they need to be ranked on the basis of their probability of occurrence.
Sometimes analysis on occurrence of threat is easily available. For example, the insurance company might be having a study of occurrence of fire incidents in a city for the purposes of fire insurance; however, the extent of threat resulting from a new virus may not yet have been identified or become known to the users, etc. In such a situation where no past data or reliable source of probability occurrence is available, users can be asked to give the best estimate of how frequently the threat is possible to occur. Usually, higher the value of the information asset identified, higher are the chances for it being susceptible to vulnerability, for example, an ERP software built up to a high integration level, may need to be provided with high level of security against potential threats.

Control Analysis

The goal of this step is to analyze the controls that have been implemented or are planned for implementation by the organizations to minimize or eliminate the likelihood of occurrence of threat. To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment. Security controls encompass the use of technical and non-technical methods. Technical methods are safeguards that are incorporated into computer hardware, software and firmware such as controls mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software, etc. Non technical controls are management and operational controls such as security policies and operational procedures and personnel, physical and environmental security. The control categories for both technical and non technical control methods can be further classified as either preventive or detective. These two sub-categories are explained as follows

  • Preventive controls inhibit attempts to violate security policy and include controls as access control enforcement, encryption and authentication
  • Detective controls warn of violations or attempted violations of security policy which include such controls as audit trails, intrusion detection methods.

Likelihood Determination

To derive an overall likelihood rating that indicates the probability that a potential value may be exercised within the construct of the associated threat environment, the following governing factors must be considered.

  • Threat-source motivation and capability
  • Nature of the vulnerability
  • Existence of effectiveness of current controls

Impact analysis

The next major step in measuring level of risk is to determine the adverse impact resulting into a successful exercise of vulnerability. Before beginning the impact analysis, it is necessary to obtain the following necessary information.

  • System mission
  • System and data criticality
  • System and data sensitivity

The information can be obtained from existing organizational documentation, such as the mission impact analysis report or asset criticality assessment report. A business impact analysis report or asset criticality assessment report. The adverse impact of a security event can be described in terms of loss or delay of any or all of the three security goals.

  • Loss of integrity: System and data integrity refers to the requirement that information should be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental loss of system or data. Violation of integrity may be the first step in a successful attack against availability or confidentiality. For all these reasons, loss of integrity reduces assurance of an IT system.
  • Loss of availability: If a mission-critical IT system is unavailable to its end user, the organization’s missions may be affected. Loss of system functionality and operational effectiveness.
  • Loss of confidentiality: System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can range from the jeopardizing of national security. Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence embarrassment or legal action against the organization.

Risk Determination/Exposure Analysis

This phase relates to analyzing how much the information assets are exposed to various threats identified and thus quantifying the loss caused to the asset through this threat. This phase relates to analysis of both physical and logical threats and comprises of four steps. Four steps are usually followed while analyzing the exposure.

  • Figure out whether there are any physical or logical controls in place
    • Employees are interviewed
    • Walk trough’s are conducted
  • How reliable are these controls
    • Check whether the firewall stops a virus from entering the organization’s system
    • Check whether the antivirus installed stops the virus from execution
    • We cannot start an earthquake to see if the building can absorb shocks or not
  • What is the probability that occurrence of threat can be successful against these controls
    • Compare assets identified with threats identified to see if controls exists
    • Estimate the probability of occurrence based on past experience and future apprehensions/expectations
  • How much loss can occur due to the threat being successful
    • scenarios are written to see how an identified potential threat can compromise control

Risk identification is often confused with risk mitigation. Risk mitigation is a process that takes place after the process of risk assessment has been completed. Let’s take a look at various risk mitigation options.

  • Risk assumption: To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level.
  • Risk Avoidance: To avoid the risk by eliminating the risk cause and e.g. forgo certain functions of the system or shut down the system when risks are identified.
  • Risk Limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability e.g. use of supporting preventive and detective controls.
  • Risk Planning: To manage risk by developing a risk mitigation plant that predicts implements and maintains controls.
  • Research and acknowledgement: To lower the risk of loss by acknowledging vulnerability or flaw and researching controls to correct the vulnerability.
  • Risk Transference: To transfer the risk by using other options to compensate loss such as purchasing insurance.

Occurrence of threat

When a threat occurs, there can be following consequences.

  1. Controls against the threat exists
    • Controls can help stop the occurrence of the threat.
    • Threat occurs but damage is avoided by the controls
    • Threat circumvents controls and causes damage
  2. Controls against threat do not exist.
    • Threat has not yet been identified
    • Threat has been identified but the consequent loss is considered as minor
    • Threat occurs, whether identified or not and causes damage to the system.

Threat can cause damage whether controls exist or not.

Cumulative amount of loss can be a major threat to the system. There is no international standard on acceptable level of losses. Materiality of every loss, howsoever determined by management must be written and backed up by the approval of those who are in charge of the IT Governance. Review of these matters will be undertaken when a security audit is done in order to ascertain the comfort level the can draw from the security policy of the organization.

Computing Expected Loss

In fourth step of the exposure analysis, the amount of expected loss is computed through following formula

A = B x C x D

  1. A = Expected Loss
  2. B = Chances (in %) of threat occurrence
  3. C = Chances (in %) of Threat being successful
  4. D = Loss which can occur once the threat is successful

Control Adjustment

This phase involves determining whether any controls can be designed, implemented, operated. The cost of devising controls should not exceed the expected potential benefit being en-cashed and the potential loss being avoided. The controls that could mitigate or eliminate the identified risk appropriate to the organization’s operations are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. Following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks.

  • Effectiveness of recommended options
  • Legislation and regulation
  • Organizational policy
  • Operational Impact
  • Safety and reliability

The control recommendations are the results of the risk assessment process and provide the risk mitigation process during which the recommended procedural and technical security controls are evaluated, prioritized and implemented.

It should be noted that not all possible recommended controls can be implemented to reach and to determine which ones are required and appropriate for a specific organization, a cost analysis, should be conducted for the proposed recommendations of controls to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk. In addition, the operational impact and feasibility of introducing recommended option should be evaluated carefully during the risk mitigation process.

The above decision takes into account consideration of following factors:

  1. Personal judgment of the situation
  2. Any information gained on desired/non-existing controls during the previous phases
  3. Seek demands of users for an ideal control environment.

Existing controls should not be totally discarded while adjusting controls. They can either be terminated totally, due to the threats not being there any more or existence of better controls or modification for betterment, this phase should consider the security to be cost effective, and integrated.