Once a risk assessment has been completed and approved, it can be reviewed for the IT infrastructure. A risk assessment includes the following high-level steps:
Next, management reviews the risk assessment. Management can approve, reject, or modify the recommendations. The management decisions are then documented and included in a plan of action and milestones document.
The following step is for the purpose of translating the risk assessment into an actual risk mitigation plan. Before jumping into this, the risk assessment should be reviewed, paying special attention to the following key items:
Another important consideration when reviewing the plan is to determine whether there is any overlap among the countermeasures. One countermeasure may reduce or resolve more than one risk. Additionally, some risks may be mitigated by more than one countermeasure.
The overlap may be purposeful or accidental. In other words, multiple countermeasures may be implemented for a single risk as a defense-in-depth strategy. This ensures that the risk is mitigated even if a countermeasure fails. An accidental overlap occurs when two or more countermeasures mitigate the same risk but the overlap wasn’t intentional. As long as the countermeasures aren’t mitigating the same risk in the same way, this isn’t a problem. However, any countermeasure overlaps should be identified.
If a countermeasure overlaps with another countermeasure, conflicts may occur between the two. Although many security countermeasures work together, some countermeasures may cause problems for other countermeasures.
For example, a vulnerability scanner and an intrusion detection system (IDS) used to protect a server may conflict. The vulnerability scanner could be configured to scan this server on a daily basis. However, the IDS will likely detect this scan and send an alert because it recognizes the scan as a potential attack. This notification could be an email to a group of administrators.
In this example, the IDS alert is a false alert, or false positive. It requires an administrator to investigate and review the alert. Because the internal vulnerability scanner is causing the alert, it clearly isn’t an actual attack. However, it still takes time to investigate.
This doesn’t mean that either of the countermeasures should be avoided, because there may be ways to avoid the conflict. Perhaps the IDS could be programmed so that it doesn’t detect scans from the vulnerability scanner. Maybe the IDS detects only one specific scan. Perhaps the scanner can be programmed to skip this scan. If the conflict can’t be avoided, personnel should at least be educated about the conflict. They should know what is causing the alert and that other alerts should be investigated thoroughly.
As long as two countermeasures don’t conflict with each other, overlapping countermeasures are OK. In fact, a defense-in-depth strategy encourages having more than one countermeasure for different risks. If one countermeasure fails or is circumvented, the other countermeasure still provides protection.
One of the methods that can be used to determine whether countermeasures overlap is to conduct a risk assessment, which maps the countermeasure to threats, vulnerabilities, and the assets being protected. This helps to paint a complete picture of risk, which is often represented with the following formula:
Risk = Threat × Vulnerability × Asset
A vulnerability is a weakness; by itself, it doesn’t present a risk. Similarly, threats by themselves don’t present a risk. Risk is the probability of a threat taking advantage of a vulnerability to cause loss, damage, or harm to an asset. Countermeasures either reduce or eliminate the impact of the threat or the vulnerability on the asset.
Risk = Threat × Vulnerability × Asset isn’t a mathematical formula. In other words, numerical values are not assigned to threats and vulnerabilities to determine a numerical value for risk. Instead, the formula shows that risks occur when both threats and vulnerabilities are combined to harm an asset.
According to NIST 800-30, a risk assessment is used to identify, estimate, and prioritize risk to the operations of a business or organization. The risk assessment helps decision makers in these organizations identify and evaluate how these threats impact them and what countermeasures can be implemented to reduce vulnerabilities and harm to their assets. The eventual outcome is a determination of risk.
Nonrepudiation prevents individuals from denying they took an action. By logging usernames, audit logs include details on who performed an action. Because the activity is logged, users can’t deny they took the action. Effective nonrepudiation is lost if one user can use another user’s account. The same goes for shared accounts where all team members use, for example, “admin.” Some logs include Internet Protocol (IP) addresses and computer names. This audit trail helps an investigator determine what actually happened.
For example, consider user accounts of terminated employees. As a best practice, accounts should be disabled but not deleted when the employee leaves. If necessary, administrators can enable the account later with a different password. This allows a supervisor to access the ex-employee’s data. After the supervisor reviews and copies important data, administrators delete the ex-employee’s account.
Imagine that a company doesn’t do anything to old accounts. As long as the account is enabled, anyone can access it.
If previous employees have physical access to the network, they can log on. Some networks will even allow them to log on remotely. They would have the same permissions as if they had never left the job. They could then access all the same data as if they were an employee. They could read, modify, or delete the data.
Perhaps a previous employee still has friends on the job. The previous employee could give his or her credentials to a friend, and the friend could log on using the ex-employee’s credentials. At this point, nonrepudiation is lost. If any of the activity is logged, it looks as if the ex-employee is taking the action. For example, Bob is an ex-employee, but Sally learns his username and password. With that information, Sally can log on as Bob. Audit logs may record what Sally does, but they record Bob’s username. This might send security personnel on a wild goose chase trying to determine how Bob gained access to the network.
In this situation, the vulnerability is that inactive accounts are still enabled. User accounts aren’t managed, leaving them available even if they aren’t needed. The threat is that a previous employee or someone else may log on and access the account. The assets that could be lost, damaged, or harmed include valuable company information in the accounts.
Risks are mitigated by adding countermeasures. The following countermeasures could be implemented to mitigate the risks from not disabling inactive accounts:
Similarly, the risk assessment may determine that users are not using strong passwords or changing their passwords regularly. The vulnerability is that the passwords are weak because password-cracking tools can easily crack weak passwords. The threat is that an attacker may use one of the many tools available to crack the weak password. Attackers can then use the cracked passwords to log on to a system or network.
The solution is to implement a password policy. A password policy is often part of an overall account management policy. Password policies can be enforced using technical means. For example, Microsoft domains allow IT administrators to enforce strong password practices with Group Policy.
A password policy would specify the following:
Group Policy settings allow an administrator to configure a setting once in a domain. This setting will then apply to all users and computers in the domain. If desired, the administrator can also configure a Group Policy Object to apply to specific users and computers. Once configured, Group Policy works the same in a network with 5 users and computers as it does in a network with 50,000 users and computers.
NIST 800-63B shares valuable tips on passwords:
This list is not exhaustive but is worth reviewing.
At this point, the countermeasures can be matched with the threat/vulnerability pairs. TABLE 11-1 shows the threat/vulnerability pairs matched to recommended countermeasures.
THREAT | VULNERABILITY | COUNTERMEASURE(S) |
---|---|---|
Previous employee | Inactive accounts not disabled | Implement account management policy Write script to deactivate accounts Restrict access to employees only |
Weak passwords | Password-cracking tools launched by attacker | Implement account management policy Implement Group Policy password policy |
The information in the table shows that the account management policy is addressing two threat/vulnerability pairs. This information can be valuable. If administrators recognize that a single countermeasure is addressing multiple risks, they may decide to increase the priority of the countermeasure. While the threat/vulnerability pairing is effective in evaluating threats and vulnerabilities, NIST 800-30’s risk assessment approach is also an effective alternative.