Technical risk for the purposes of A Simple Security Risk Assessment refers to the probability that an attacker will exploit a vulnerability in the software related to a specific configuration item, or that a misconfiguration of the configuration item will result in the same or a similar level of Impact.  Let’s see how we can go about rating it.

To remain consistent with the risk evaluation methods discussed in AS/NZS 4360 and NIST SP 800-30, Likelihood and Impact criteria have been developed to facilitate the calculation of risk as the sum of these two values.  The scale has been simplified to three levels, namely Unlikely, Likely and Almost Certain for Likelihood and Low, Medium and High for Impact.

The descriptions of the Likelihood and Impact levels in AS/NZS 4360 and NIST SP 800-30 are general, and more specific information is required to assign values when examining configuration items.  Therefore, a summary of each level of Likelihood and Impact is provided below, supported by a number of technical examples based on the DREAD method.

Likelihood

Used as a qualitative description of probability or frequency[1]

  • Unlikely (1) – No known vulnerabilities and no known exploits
    • Reproducibility[2] – Very hard or impossible, even for administrators
    • Exploitability[2] – Advanced knowledge and attack tools required
    • Discoverability[2] – Requires source code or administrative access
  • Likely (2) – Known vulnerabilities and no known exploits, OR known vulnerabilities, known exploits and partial compensating controls
    • Reproducibility[2] – Need to be an authorised user
    • Exploitability[2] – Attack tools are publicly available
    • Discoverability[2] – Can be guessed or discovered by monitoring network
  • Almost Certain (3) – Known vulnerabilities and known exploits (and no compensating controls)
    • Reproducibility[2] – No authentication necessary
    • Exploitability[2] – No specific attack tools required
    • Discoverability[2] – Exploits exist and require little to no effort to execute

To assist in the discovery of known vulnerabilities, the following resource(s) may be useful:

Impact

The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event[1]

  • Low (1) – Little to no noticeable effect on server operations (noise)
    • Damage potential[2] – An individual Information Asset
    • Affected users[2] – A single user (i.e. 1)
  • Medium (2) – Moderate breach of confidentiality, integrity or availability (tolerable)
    • Damage potential[2] – A small number of Information Assets
    • Affected users[2] – A small number of users (e.g. <10)
  • High (3) – Significant breach of confidentiality, integrity or availability (intolerable)
    • Damage potential[2] – A significant number of Information Assets
    • Affected users[2] – A significant number of users (e.g. > 10)

Technical risk

The chance of something happening that will have an impact upon objectives. It is measured in terms of consequences [impact] and likelihood[1]

[Figure: Technical Risk Chart]

Example

In this example it has been assumed that the system is internet facing and NetBIOS is enabled, therefore successful exploitation of a known vulnerability in NetBIOS would have a critical effect on Confidentiality and Availability of the server.  Therefore, the highest technical risk rating (9) is applied.

  • Reference: 1
  • Title: NetBIOS
  • Description: NetBIOS is a protocol for communicating over a network.
  • Likelihood (1-3): 3
  • Impact (1-3): 3
  • Impact Category
    • Confidentiality: Yes
    • Integrity: No
    • Availability: Yes
    • Non-Repudiation: No
  • Technical Risk Rating (1-9): 9
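One way to put the three-level Likelihood and Impact scales above, and the register layout of the example, into code; this is an added example and not part of the article. It assumes the 1-9 rating is Likelihood multiplied by Impact (which is how the example's 3 and 3 give 9), reuses the affected-user thresholds for Information Assets, and treats exactly 10 as a significant number; the user and asset counts for the NetBIOS item are constructed values, not figures from the article.

```python
from dataclasses import dataclass, field

@dataclass
class ConfigItem:
    reference: int
    title: str
    description: str
    known_vulnerabilities: bool
    known_exploits: bool
    compensating_controls: bool   # any (partial) compensating control in place
    affected_users: int
    information_assets: int
    impact_categories: dict = field(default_factory=dict)

def likelihood(item: ConfigItem) -> int:
    """1 Unlikely: no known vulnerabilities. 2 Likely: known vulnerabilities without
    known exploits, or with exploits but compensating controls. 3 Almost Certain."""
    if not item.known_vulnerabilities:
        return 1
    return 2 if not item.known_exploits or item.compensating_controls else 3

def _level(count: int) -> int:
    # 1 = a single one, 2 = a small number (<10), 3 = a significant number.
    # Assumption: exactly 10 counts as significant (the article lists <10 and >10 only).
    return 1 if count <= 1 else 2 if count < 10 else 3

def impact(item: ConfigItem) -> int:
    """Higher of the Affected-users and Damage-potential grades. Assumption: the user
    thresholds are reused for Information Assets, which the article leaves unquantified."""
    return max(_level(item.affected_users), _level(item.information_assets))

def technical_risk(item: ConfigItem) -> int:
    """1-9 rating. Assumption: likelihood x impact, which is what makes 3 and 3 give 9."""
    return likelihood(item) * impact(item)

def register_row(item: ConfigItem) -> dict:
    """One register entry, laid out like the article's NetBIOS example."""
    return {"Reference": item.reference, "Title": item.title,
            "Description": item.description,
            "Likelihood (1-3)": likelihood(item), "Impact (1-3)": impact(item),
            "Impact Category": item.impact_categories,
            "Technical Risk Rating (1-9)": technical_risk(item)}

# Constructed input mirroring the article's example: internet facing, known vulnerability
# with public exploits, no compensating controls. User and asset counts are assumed values.
NETBIOS = ConfigItem(1, "NetBIOS", "NetBIOS is a protocol for communicating over a network.",
                     known_vulnerabilities=True, known_exploits=True,
                     compensating_controls=False, affected_users=250, information_assets=40,
                     impact_categories={"Confidentiality": True, "Integrity": False,
                                        "Availability": True, "Non-Repudiation": False})
```

Running `register_row(NETBIOS)` reproduces the example entry with a rating of 9; setting `compensating_controls=True` on the same item drops Likelihood to 2 and the rating to 6.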

A Simple Security Risk Assessment

This article is part of a five part series on A Simple Security Risk Assessment:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk


[1] AS/NZS 4360

[2] DREAD
