Tag Archives: PTA

How to assess risk – Part II: Use attack modeling to collect data

In my article – “How to assess risk – Part I: Asking the right questions”, I talked about using attack modeling as a tool to collect data instead of using self-assessment check lists. In this article, I’ll drill down into some of the details and provide some guidelines on how to actually use attack modeling to assess risk.

Read “Achieving HIPAA compliance using threat modeling” for a step-by-step tutorial on using the PTA (Practical Threat Analysis) Professional software to perform a quantitative risk assessment for data security and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here apply equally to any regulatory area of compliance, such as PCI DSS 2.0, or to a security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.

The first guideline I will lay down is to estimate the value of risk in money: dollars, euros, rubles, whatever currency you like. A risk that is not expressed in the same units as the countermeasure budget cannot be compared with it.

Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist that may exploit these vulnerabilities in order to damage the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers. Risk is then the expected dollar damage to an asset: its value, multiplied by the fraction of that value a threat destroys, multiplied by the probability that the threat materializes.

With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

If you’re bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you. But if you don’t mind considering some new ideas for cracking the risk assessment problem, here are 6 rules for effective attack modeling, inspired by Tom Peters’ “In Pursuit of Luck”:

1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling it may take several months, and it will take you into the unfamiliar territory of having to value assets and estimate the probability of threat occurrence.

2. Listen to everyone. Ask your senior managers what your most valued assets are – customer lists, product IP, on-time delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22-year-old customer service agents how they would attack your assets.

3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure their effectiveness on the fly.

4. Ready, fire, aim (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-virus software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.

An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail in-house, the costs of content security maintenance were skyrocketing. An attack model showed a lower dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention, at the cost of swallowing their pride and admitting that Google can provide better message security than their own internal IT operations team.

5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.

6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.


Business process mapping and risk management

Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security.

This is a very bad idea.

Business process mapping is expensive to execute and extremely difficult to maintain, and it can consume a large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling. The added value of modeling data flows between the people inside your organization who are just doing their jobs is arguable. There are much better ways to make your organization robust to a major data loss event without writing a 7-digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.

There is a simple and effective way of figuring out data value at risk and mitigating data security threats:



The financial impact of cyber threats

Kudos to ANSI for publishing a free guide to calculating cyber risk.

Better late than never: thousands of security professionals around the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA to calculate risk in financial terms, not to mention the thousands of other users of risk-calculative methods from dozens of software companies such as Palisade and Countermeasures.

The good news

It’s important that a standards body like ANSI endorses calculating cyber risk in dollar terms and directs that message at executives. Any CFO will want to see a concrete calculation justifying a security investment, especially in today’s market, where money is scarce and cyber threats are abundant. I can appreciate the effort that must have been involved in getting the Homeland Security Standards Panel (HSSP), the Internet Security Alliance (ISA) and dozens of industry professionals involved.

The bad news

The ANSI document has a number of fundamental flaws:

a. It doesn’t offer practical ways of building a cost-effective, prioritized program of security countermeasures, although it does describe the multi-dimensional nature of the threats and vulnerabilities in high-level terms:

The key to understanding the financial risks of cyber security is to fully embrace its multi-disciplinary nature. Cyber risk is not just a “technical problem” to be solved by the company’s Chief Technology Officer. Nor is it just a “legal problem” to be handed over to the company’s Chief Legal Counsel; a “customer relationship problem” to be solved by the company’s communications director; a “compliance issue” for the regulatory guru; or a “crisis management” problem. Rather, it is all of these and more.

b. An additional problem with the ANSI document is that it doesn’t offer a risk-calculative method that is practical in real life. In a real business the risk calculation is a complex, multi-dimensional interplay between threats, vulnerabilities and security countermeasures that simply cannot be performed in a two-dimensional Microsoft Excel spreadsheet.

c. The real failing of the ANSI method is that it totally ignores that risk is caused by damage to assets. Although the document mentions assets – physical assets, digital assets (which, if stolen, are really copied…) and intangible assets such as company reputation – it does not acknowledge that assets have financial value. Any CFO worth her salt will be able to make a reasonable judgment of corporate cyber asset value: for example, the availability of the Oracle Applications financial reporting system at quarter-end, or intellectual property such as the mechanical design files of the products that the company manufactures.

It’s a step in the right direction, but late in coming and lacking in scope. I hope that the document will receive wide distribution. It’s well written and easy to understand, and most executives should have no problem relating to the material and adopting and adapting it to their business situation.


Risk Assessment is a threat to vendors

I took a couple of hours out from work today to pop over to Infosec 2008 in Airport City.

I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues.

Whenever I go somewhere I’m always looking at things from a security perspective: open doors, windows, things that could be easily lifted, who might be a threat.

Walking the exhibit hall, I realized that Risk Assessment is a threat to security product vendors.

Not every security countermeasure is effective, or even relevant, for your company. That is definitely a threat to a vendor salesperson who has a quota to make.

If you do a risk assessment with Practical Threat Analysis (shameless plug for PTA – download here), you systematically collect assets, threats and vulnerabilities, and THEN produce a cost-effective risk mitigation plan. Your vendor wants to sell you a $100,000 database firewall, but it may turn out that your top vulnerability is 10 field service engineers with company source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure: free open-source disk encryption software for Windows Vista/XP, Mac OS X and Linux. The point is not that the firewall is useless, but that its risk reduction per dollar is far lower than that of the encryption, and the plan should be ordered by that ratio.
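The calculation described here (collect assets, threats and vulnerabilities, then rank countermeasures by cost-effectiveness) and the dollar-valued risk model laid out in the Part II article earlier on this page, as an added worked example in Python. This is not the page’s own code and not the PTA Professional product’s algorithm: it is a simplified annualised-loss-expectancy model, and every figure in it (asset values, annual probabilities, damage fractions, countermeasure costs and effectiveness, and the budget) is a constructed assumption chosen to mirror the $100,000 database firewall versus notebook-encryption comparison above.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float            # dollar value, as the CFO would estimate it


@dataclass
class Threat:
    name: str
    asset: str              # name of the asset it damages
    probability: float      # estimated annual probability of occurrence (0..1)
    damage: float           # fraction of the asset's value lost when it occurs (0..1)


@dataclass
class Countermeasure:
    name: str
    cost: float                     # annual cost in dollars
    mitigates: dict[str, float]     # threat name -> fraction of that threat's risk removed


def risk(threat: Threat, assets: dict[str, Asset]) -> float:
    """Annualised loss expectancy of one threat: value x damage x probability."""
    return assets[threat.asset].value * threat.damage * threat.probability


def total_risk(threats, assets, applied=()) -> float:
    """Dollar risk left once the given countermeasures are in place.
    Overlapping countermeasures compound multiplicatively on the residual."""
    total = 0.0
    for t in threats:
        residual = 1.0
        for cm in applied:
            residual *= 1.0 - cm.mitigates.get(t.name, 0.0)
        total += risk(t, assets) * residual
    return total


def plan(assets, threats, countermeasures, budget):
    """Greedy mitigation plan: keep adding the countermeasure with the best
    risk reduction per dollar, skipping any that costs more than it saves
    or that no longer fits the budget. Returns (chosen, residual_risk, spent)."""
    chosen, spent = [], 0.0
    candidates = list(countermeasures)
    while True:
        current = total_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for cm in candidates:
            if spent + cm.cost > budget:
                continue
            reduction = current - total_risk(threats, assets, chosen + [cm])
            if reduction <= cm.cost:        # not cost-effective: saves less than it costs
                continue
            if reduction / cm.cost > best_ratio:
                best, best_ratio = cm, reduction / cm.cost
        if best is None:
            return chosen, current, spent
        chosen.append(best)
        candidates.remove(best)
        spent += best.cost


def build_example():
    """Constructed figures (assumptions for illustration, not data from the article)."""
    assets = {a.name: a for a in [
        Asset("Product source code", 2_000_000),
        Asset("Customer database", 1_500_000),
    ]}
    threats = [
        # 10 field engineers carry source code on notebooks; theft is frequent
        Threat("Stolen field-engineer notebook", "Product source code", 0.30, 0.25),
        Threat("SQL injection against customer database", "Customer database", 0.05, 0.40),
    ]
    countermeasures = [
        Countermeasure("Full-disk encryption on notebooks", 5_000,
                       {"Stolen field-engineer notebook": 0.90}),
        Countermeasure("Database firewall", 100_000,
                       {"SQL injection against customer database": 0.80}),
        Countermeasure("Secure code review of web app", 10_000,
                       {"SQL injection against customer database": 0.60}),
    ]
    return assets, threats, countermeasures


if __name__ == "__main__":
    assets, threats, cms = build_example()
    print(f"Risk with no countermeasures: ${total_risk(threats, assets):,.0f}")
    chosen, residual, spent = plan(assets, threats, cms, budget=120_000)
    for cm in chosen:
        print(f"  apply {cm.name} (${cm.cost:,.0f}/yr)")
    rejected = [c.name for c in cms if c not in chosen]
    print(f"Residual risk ${residual:,.0f} for ${spent:,.0f}/yr; rejected: {rejected}")
```

With these figures the unmitigated risk is $180,000 a year; the plan picks notebook encryption first (about $27 of risk removed per dollar) and the code review second, and rejects the $100,000 firewall because the SQL-injection risk it would remove is smaller than its own cost, even though it fits the budget. The “ready, fire, aim” experiments from the Part II article are the same call with a countermeasure removed from `applied`: the difference in `total_risk` is the dollar cost of, say, switching off a control.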

Vendors often attempt to mitigate the risk assessment threat by using compliance as a universal countermeasure.

This can reach absurd levels, as we shall see in the following example.

NetClarity (a NAC appliance vendor) claims that its product provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis, and asserting that a NAC appliance or a Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404 requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test the important manual and automated financial reporting controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system. He would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing or incorrect postings, he wanted to fix the problem, not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

