In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling to assess risk.
Read achieving HIPAA compliance using threat modeling for a step-by-step tutorial on how to use the popular PTA (Practical Threat Analysis) Professional software in order to perform quantitative risk assessment for a data security and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here can be implemented for any regulatory area of compliance such as PCI DSS 2.0 or security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.
The first guideline I will lay down, is to estimate value of risk in Dollar/Euro/Ruble values – whatever currency you like.
Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist, that may exploit these vulnerabilities in order to cause damage to the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers.
With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.
Here are 6 rules for effective attack modeling –
If you’re bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you, but if you don’t mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters “In pursuit of Luck”:
1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling, it may take several months – and take you into unfamiliar territory of having to valuate assets and anticipate the probability of threat occurrence.
2. Listen to everyone. Ask your senior managers what are your most valued assets – customer lists, product IP, ontime delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22 year old customer service agents how they would attack your assets.
3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.
4. Ready, Fire, Aim. (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-viru software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.
An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail inhouse; the costs of content security maintenance were skyrocketing. An attack model showed a reduced dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention at the cost of swallowing their pride and admitting that Google can provide better message security then their own internal IT operations team.
5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.
6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.