Practical UNIX & Internet Security

Chapter 2: Policies and Guidelines

2.2 Risk Assessment

The first step to improving the security of your system is to answer these basic questions:

These questions form the basis of the process known as risk assessment.

Risk assessment is a very important part of the computer security process. You cannot protect yourself if you do not know what you are protecting yourself against! After you know your risks, you can then plan the policies and techniques that you need to implement to reduce those risks.

For example, if there is a risk of a power failure and if availability of your equipment is important to you, you can reduce this risk by purchasing an uninterruptible power supply (UPS).

2.2.1 A Simple Assessment Strategy

We'll present a simplistic form of risk assessment to give you a starting point. This example may be more complex than you really need for a home computer system or very small company. The example is also undoubtedly insufficient for a large company, a government agency, or a major university. In cases such as those, you need to consider specialized software to do assessments, and the possibility of hiring an outside consulting firm with expertise in risk assessment.

The three key steps in doing a risk assessment are:

  1. Identifying assets

  2. Identifying threats

  3. Calculating risks

There are many ways to go about this process. One method with which we have had great success is a series of in-house workshops. Invite a cross-section of users, managers, and executives from throughout your organization. Over a series of weeks, compose your lists of assets and threats. Not only will this process help to build a more complete set of lists, it will also help to increase awareness of security in everyone who attends.

2.2.1.1 Identifying assets

Draw up a list of items you need to protect. This list should be based on your business plan and common sense. The process may require knowledge of applicable law, a complete understanding of your facilities, and knowledge of your insurance coverage.

Items to protect include tangibles (disk drives, monitors, network cables, backup media, manuals) and intangibles (ability to continue processing, public image, reputation in your industry, access to your computer, your system's root password). The list should include everything that you consider of value. To determine if something is valuable, consider what the loss or damage of the item might be in terms of lost revenue, lost time, or the cost of repair or replacement.

Some of the items that should probably be in your asset list include:

Tangibles:

  • Computers

  • Proprietary data

  • Backups and archives

  • Manuals, guides, books

  • Printouts

  • Commercial software distribution media

  • Communications equipment and wiring

  • Personnel records

  • Audit records

Intangibles:

  • Safety and health of personnel

  • Privacy of users

  • Personnel passwords

  • Public image and reputation

  • Customer/client goodwill

  • Processing availability

  • Configuration information

You should take a larger view of these and related items rather than simply considering the computer aspects. If you are concerned about someone reading your internal financial reports, you should be concerned regardless of whether they read them from a discarded printout or snoop on your email.

2.2.1.2 Identifying threats

The next step is to determine a list of threats to your assets. Some of these threats will be environmental, and include fire, earthquake, explosion, and flood. They should also include very rare but possible events such as building structural failure, or discovery of asbestos in your computer room that requires you to vacate the building for a prolonged time. Other threats come from personnel, and from outsiders. We list some examples here:

  • Illness of key people

  • Simultaneous illness of many personnel (e.g., flu epidemic)

  • Loss (resignation/termination/death) of key personnel

  • Loss of phone/network services

  • Loss of utilities (phone, water, electricity) for a short time

  • Loss of utilities (phone, water, electricity) for a prolonged time

  • Lightning strike

  • Flood

  • Theft of disks or tapes

  • Theft of key person's laptop computer

  • Theft of key person's home computer

  • Introduction of a virus

  • Computer vendor bankruptcy

  • Bugs in software

  • Subverted employees

  • Subverted third-party personnel (e.g., vendor maintenance)

  • Labor unrest

  • Political terrorism

  • Random "hackers" getting into your machines

  • Users posting inflammatory or proprietary information to the Usenet

2.2.1.3 Quantifying the threats

After you have identified the threats, you need to estimate the likelihood of each occurring. These threats may be easiest to estimate on a year-by-year basis.

Quantifying the threat of a risk is hard work. You can obtain some estimates from third parties, such as insurance companies. If the event happens on a regular basis, you can estimate it based on your records. Industry organizations may have collected statistics or published reports. You can also base your estimates on educated guesses extrapolated from past experience. For instance:

  • Your power company can provide an official estimate of the likelihood that your building would suffer a power outage during the next year. They may also be able to quantify the risk of an outage lasting a few seconds vs. the risk of an outage lasting minutes or hours.

  • Your insurance carrier can provide you with actuarial data on the probability of death of key personnel based on age and health.[3]

    [3] Note the difference in this estimate between smokers and nonsmokers. This difference may present a strategy for risk abatement.

  • Your personnel records can be used to estimate the probability of key computing employees quitting.

  • Past experience and best guess can be used to estimate the probability of a serious bug being discovered in your vendor software during the next year (probably 100%).

If you expect something to happen more than once per year, then record the number of times that you expect it to happen. Thus, you may expect a serious earthquake only once every 100 years (1% in your list), but you may expect three serious bugs in sendmail to be discovered during the next year (300%).

2.2.2 Review Your Risks

Risk assessment should not be done only once and then forgotten. Instead, you should update your assessment periodically. In addition, the threat assessment portion should be redone whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the threats and potential losses.
