VU
Information System (CS507)
LESSON 30
Threat Identification
"A threat is some action or event that can lead to a loss."

Various types of threats may exist which, if they occur, could result in information assets being exposed, removed (temporarily or permanently), lost, damaged, destroyed or used for unauthorized purposes; these threats must be identified. Susceptibility to threats, whether logical or physical, is a major risk factor for the database and information system of an organization. These risks are to be identified, and steps that include physical and logical controls need to be instituted and monitored on a regular basis. Security measures can be designed only if we know what kind of threats or risks are to be guarded against. Obviously, we would also have to determine the frequency of the known and the unknown risks or threats.

The terms threat and risk are usually used synonymously, although strictly a risk is the combination of a threat's likelihood and the loss it would cause. Threats are always present and cannot be avoided, but they should be managed to minimize losses and maximize returns. Each level of management and each operational area perceives risk differently and communicates these perceptions in different terms.
29.1 Types of Threats
· Physical threat: This refers to damage caused to the physical infrastructure of the information systems, e.g.
  · Fire
  · Water
  · Energy variations
  · Structural damage
  · Pollution
  · Intrusion
· Logical threat: This refers to damage caused to the software and data without physical presence, e.g.
  · Viruses and worms
  · Logical intrusion
Likelihood of occurrence of threat:
Having identified the threats, they need to be ranked on the basis of their probability of occurrence. Sometimes an analysis of the occurrence of a threat is readily available. For example, an insurance company might have a study of the occurrence of fire incidents in a city for the purposes of fire insurance; however, the extent of the threat resulting from a new virus may not yet have been identified or become known to users. In such a situation, where no past data or reliable source of occurrence probability is available, users can be asked to give their best estimate of how frequently the threat is likely to occur. Usually, the higher the value of the information asset identified, the more likely it is to be targeted through its vulnerabilities; for example, ERP software built up to a high integration level may need to be provided with a high level of security against potential threats.
29.2 Control Analysis
The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood of a threat exercising a vulnerability. Its output feeds the likelihood determination: an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment. Security controls encompass the use of technical and non-technical methods. Technical methods are safeguards that are incorporated into computer hardware, software and firmware, such as access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software, etc. Non-technical controls are management and operational controls such as security policies and operational procedures, and personnel, physical and environmental security. The control categories for both technical and non-technical control methods can be further classified as either preventive or detective. These two sub-categories are explained as follows:
· Preventive controls inhibit attempts to violate security policy and include controls such as access control enforcement, encryption and authentication.
· Detective controls warn of violations or attempted violations of security policy and include controls such as audit trails and intrusion detection methods.
Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:
o Threat-source motivation and capability
o Nature of the vulnerability
o Existence and effectiveness of current controls
29.3 Impact Analysis
The next major step in measuring the level of risk is to determine the adverse impact resulting from a successful exercise of a vulnerability. Before beginning the impact analysis, it is necessary to obtain the following information:
· System mission
· System and data criticality
· System and data sensitivity
This information can be obtained from existing organizational documentation, such as a business impact analysis report or an asset criticality assessment report. The adverse impact of a security event can be described in terms of loss or degradation of any or all of the three security goals.
· Loss of integrity: System and data integrity refers to the requirement that information be protected from improper modification. Integrity is lost if unauthorized changes are made to the data or IT system by either intentional or accidental acts. A violation of integrity may be the first step in a successful attack against availability or confidentiality. For all these reasons, loss of integrity reduces the assurance of an IT system.
· Loss of availability: If a mission-critical IT system is unavailable to its end users, the organization's mission may be affected, for example through loss of system functionality and operational effectiveness.
· Loss of confidentiality: System and data confidentiality refers to the protection of information from unauthorized disclosure. The impact of unauthorized disclosure of confidential information can be as severe as jeopardizing national security. Unauthorized, unanticipated or unintentional disclosure could result in loss of public confidence, embarrassment or legal action against the organization.
29.4 Risk Determination/Exposure Analysis
This phase relates to analyzing how much the information assets are exposed to the various threats identified, and thus quantifying the loss that a threat could cause to an asset. It covers both physical and logical threats and comprises four steps, which are usually followed while analyzing the exposure:
1. Figure out whether there are any physical or logical controls in place.
· Employees are interviewed.
· Walkthroughs are conducted.
2. Determine how reliable these controls are.
· Check whether the firewall stops a virus from entering the organization's system.
· Check whether the installed antivirus stops the virus from executing.
· Some controls cannot be tested directly: we cannot start an earthquake to see whether the building can absorb shocks or not.
3. Estimate the probability that an occurrence of the threat will be successful against these controls.
· Compare the assets identified with the threats identified to see whether controls exist.
· Estimate the probability of occurrence based on past experience and future apprehensions/expectations.
4. Estimate how much loss can occur if the threat is successful.
· Scenarios are written to see how an identified potential threat can compromise the controls.
Risk identification is often confused with risk mitigation. Risk mitigation is a process that takes place after the process of risk assessment has been completed. Let's take a look at the various risk mitigation options.
· Risk assumption: To accept the potential risk and continue operating the IT system, or to implement controls to lower the risk to an acceptable level.
· Risk avoidance: To avoid the risk by eliminating the risk cause and/or consequence, e.g. forgo certain functions of the system or shut down the system when risks are identified.
· Risk limitation: To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability, e.g. use of supporting preventive and detective controls.
· Risk planning: To manage risk by developing a risk mitigation plan that prioritizes, implements and maintains controls.
· Research and acknowledgement: To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability.
· Risk transference: To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.
29.5 Occurrence of Threat
When a threat occurs, there can be the following consequences.
1. Controls against the threat exist:
· Controls help stop the occurrence of the threat.
· The threat occurs but damage is avoided by the controls.
· The threat circumvents the controls and causes damage.
2. Controls against the threat do not exist:
· The threat has not yet been identified.
· The threat has been identified but the consequent loss is considered minor.
· The threat occurs, whether identified or not, and causes damage to the system.
A threat can cause damage whether controls exist or not.
The cumulative amount of loss can be a major threat to the system. There is no international standard on the acceptable level of losses. The materiality of every loss, however it is determined by management, must be written down and backed by the approval of those in charge of IT governance. These matters will be reviewed when a security audit is done, in order to ascertain the comfort level that can be drawn from the security policy of the organization.
29.6 Computing Expected Loss
In the fourth step of the exposure analysis, the amount of expected loss is computed through the following formula:
A = B x C x D
1. A = Expected loss
2. B = Chance (in %) of the threat occurring
3. C = Chance (in %) of the threat being successful against the controls in place
4. D = Loss which can occur once the threat is successful
B and C are multiplied as fractions (20% = 0.20), so A is expressed in the same currency unit as D and over the same period (e.g. one year) for which B was estimated.
Control Adjustment
This phase involves determining whether any further controls can be designed, implemented and operated. The cost of devising controls should not exceed the expected benefit, i.e. the potential loss being avoided.
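The following is an added worked example, not code from the lecture notes, that carries the 29.6 formula A = B x C x D through a small threat register and then applies the control-adjustment rule above: a candidate control is justified only when the expected loss it avoids exceeds its annual cost. All threats, controls and figures are constructed for illustration; the names `Threat`, `Control`, `evaluate_control` and `rank_by_expected_loss` are assumptions of this example, not part of the course material.

```python
# Added worked example for the CS507 lecture's expected-loss formula
# (A = B x C x D) and the control-adjustment cost test. It is not code from
# the lecture notes; every threat, control and figure below is constructed
# for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    occurrence_pct: float   # B: chance (in %) that the threat occurs per year
    success_pct: float      # C: chance (in %) it succeeds against current controls
    loss: float             # D: loss (currency units) once the threat succeeds

    def expected_loss(self) -> float:
        """A = B x C x D, with B and C converted from percent to fractions."""
        for pct in (self.occurrence_pct, self.success_pct):
            if not 0.0 <= pct <= 100.0:
                raise ValueError(f"{self.name}: percentage {pct} outside 0..100")
        return (self.occurrence_pct / 100.0) * (self.success_pct / 100.0) * self.loss


@dataclass(frozen=True)
class Control:
    """A candidate control: it may cut C (the threat is stopped) and/or D (the
    damage is limited, e.g. by backups), at a recurring annual cost."""
    name: str
    annual_cost: float
    new_success_pct: float              # C after the control is in place
    new_loss: Optional[float] = None    # D after the control; None = unchanged


def residual_threat(threat: Threat, control: Control) -> Threat:
    """The same threat re-evaluated with the control in place. B is left
    unchanged: a control does not alter how often the threat arises."""
    return Threat(
        threat.name,
        threat.occurrence_pct,
        control.new_success_pct,
        threat.loss if control.new_loss is None else control.new_loss,
    )


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Control adjustment rule: justified only if avoided loss exceeds cost."""
    before = threat.expected_loss()
    after = residual_threat(threat, control).expected_loss()
    benefit = before - after
    return {
        "threat": threat.name,
        "control": control.name,
        "expected_loss_before": before,
        "expected_loss_after": after,
        "benefit": benefit,
        "cost": control.annual_cost,
        "net": benefit - control.annual_cost,
        "justified": benefit > control.annual_cost,
    }


def rank_by_expected_loss(threats: list) -> list:
    """Rank threats by A, highest first: the ranking step of the exposure analysis."""
    return sorted(((t.name, t.expected_loss()) for t in threats),
                  key=lambda pair: pair[1], reverse=True)


def total_expected_loss(threats: list) -> float:
    """Cumulative expected loss, to set against management's materiality limit."""
    return sum(t.expected_loss() for t in threats)


# Constructed threat register (illustrative figures, not from the notes).
THREATS = [
    Threat("fire", occurrence_pct=2, success_pct=60, loss=500_000),
    Threat("virus outbreak", occurrence_pct=80, success_pct=25, loss=40_000),
    Threat("flood", occurrence_pct=5, success_pct=90, loss=200_000),
    Threat("logical intrusion", occurrence_pct=50, success_pct=10, loss=150_000),
]

# Constructed candidate controls, paired with the threat each addresses.
CANDIDATES = [
    (THREATS[0], Control("sprinkler system", annual_cost=1_500, new_success_pct=10)),
    (THREATS[1], Control("endpoint AV upgrade", annual_cost=12_000, new_success_pct=5)),
    (THREATS[3], Control("offsite backups", annual_cost=3_000,
                         new_success_pct=10, new_loss=30_000)),
]


if __name__ == "__main__":
    for name, a in rank_by_expected_loss(THREATS):
        print(f"{name:20s} expected loss = {a:10,.0f}")
    print(f"cumulative expected loss = {total_expected_loss(THREATS):,.0f}")
    for threat, control in CANDIDATES:
        r = evaluate_control(threat, control)
        verdict = "justified" if r["justified"] else "NOT justified"
        print(f"{r['control']:20s} benefit {r['benefit']:8,.0f} "
              f"vs cost {r['cost']:8,.0f}: {verdict}")
```

With these figures the flood ranks first by expected loss even though it is the least frequent threat, because its success chance and loss are both high; and the antivirus upgrade is rejected despite addressing the second-ranked threat, because its annual cost exceeds the expected loss it avoids. The `new_loss` field shows a control that works on D rather than C (backups do not stop an intrusion, they cap the damage), which the formula accommodates equally well.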
Controls that could mitigate or eliminate the identified risks, appropriate to the organization's operations, are proposed. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
· Effectiveness of the recommended options
· Legislation and regulation
· Organizational policy
· Operational impact
· Safety and reliability
The control recommendations are the results of the risk assessment process and provide the input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized and implemented.
It should be noted that not all possible recommended controls can be implemented. To determine which ones are required and appropriate for a specific organization, a cost analysis should be conducted for the proposed controls to demonstrate that the costs of implementing them are justified by the reduction in the level of risk. In addition, the operational impact and feasibility of introducing each recommended option should be evaluated carefully during the risk mitigation process.
The above decision takes into account the following factors:
1. Personal judgment of the situation
2. Any information gained on desired/non-existing controls during the previous phases
3. The demands of users for an ideal control environment
Existing controls should not be totally discarded while adjusting controls. They can be terminated entirely, because the threats are no longer present or better controls exist, or modified for the better. This phase should ensure that security is cost-effective and integrated.