Get  PTA ( Practical Threat Analysis) Professional software from our colleagues at Practical Threat Analysis Technologies totally free for one year. After the year is up, just drop them an email, and you’ll get a free license renewal.

When you perform risk assessment with the popular PTA (Practical Threat Analysis) modeling tool, you’re not only joining  thousands of security analysts all over the world who use PTA Professional in their risk and compliance practice, you all also get great software and valuable benefits.

You can perform an unlimited number of quantitative risk assessments for an unlimited number of clients  with their business assets and their  threat scenarios. Download the  free risk assessment software and while you’re at it –  download  the Software Associates Practical Threat Analysis library for ISO 27001 

• It’s quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
• It’s robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
• It’s versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
• It’s effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.
• It’s databased: based on a robust threat data model with the 4 dimensions of threats, assets, vulnerabilities and countermeasures
• It’s management level: with a few clicks, you can product VaR reports and be a peer in the boardroom instead of staffer waiting in the hall.

Read achieving HIPAA compliance using threat modeling for a step-by-step tutorial on how to use the popular PTA (Practical Threat Analysis) Professional software in order to perform  quantitative risk assessment for a data security  and compliance. Software Associates specializes in HIPAA data security and compliance. The concepts and techniques described here can be implemented for any regulatory area of compliance such as PCI DSS 2.0 or security certification such as ISO 27001. You can obtain a free download of the PTA Professional software from the PTA Technologies download page.

The first guideline I will lay down, is to estimate value of risk  in Dollar/Euro/Ruble values – whatever currency you like.

Attack modeling is based on the notion that any system or organization has assets of value worth protecting. These assets have certain vulnerabilities. It is a given that internal and external attacks exist, that may  exploit these vulnerabilities in order to cause damage to the assets. An additional given is that appropriate countermeasures exist that mitigate the damage caused by internal or external attackers.

With attack modeling, you make future risk scenarios vivid, tangible, and measurable in dollar terms, countering the tendency to ignore threats and do nothing. Attack modeling gives you and your employees a practical language of assets, threats, vulnerabilities and countermeasures.

Here are 6 rules for effective attack modeling -

If you’re bought into the traditional approach of consultants looking at your watch and telling you what time it is, then don’t let me stop you, but if you don’t mind considering some new ideas for cracking the risk assessment problem, here are a few ideas inspired by Tom Peters “In pursuit of Luck”:

1. Do something new. Don’t bother with the same old trade shows, talking with the same old security salespeople about the same old stuff. The first time you do attack modeling, it may take several months – and take you into unfamiliar territory of having to valuate assets and anticipate the probability of threat occurrence.

2. Listen to everyone. Ask your senior managers what are your most valued assets – customer lists, product IP, ontime delivery. Ask the CFO how much those assets are worth in dollar terms. Ask your 22 year old customer service agents how they would attack your assets.

3. Try out options. Don’t stop with the annual IT security audit. With attack modeling you can test many mitigation plans, implement countermeasures and measure effectiveness on the fly.

4. Ready, Fire, Aim. (instead of ready, aim, fire). Experiment with new attack models. Test the ramifications of turning off personal anti-viru software or opening a field office with contract technicians. Attack modeling lets you test without threatening the operation.

An ERP systems integrator maintained their own corporate messaging systems. Although they felt that security required them to keep corporate mail inhouse; the costs of content security maintenance were skyrocketing. An attack model showed a reduced dollar level of risk to their digital assets at a lower ongoing security cost; they are now using Google Apps, freeing up valuable internal resources and management attention at the cost of swallowing their pride and admitting that Google can provide better message security then their own internal IT operations team.

5. Make odd friends. Strangers can best help you see new attack scenarios, providing fresh ideas unprejudiced by your corporate judgment. Find advisors through social and professional networks who can help you anticipate the unexpected.

6. Smash functional barriers. Many companies separate IT security, fraud and physical security functions. What difference does it make if a notebook with sensitive M&A data is stolen from an executive’s desk by a competitor posing as a FedEx messenger? Attack modeling is a holistic practice that can help mitigate risk in all areas of your business.

This is a very bad idea.

Business process mapping is an expensive task to execute and extremely difficult to maintain that can require large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling The added value of modeling data flows inside your organization between people doing their job is arguable. There are much better ways to make your organization robust to a major data loss event without writing out a 7 digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.

There is a simple and effective way of figuring out data value at risk and mitigating data security threats:

1. Select the 5 most valuable data assets that your company owns. For example – proprietary designs of products,  due diligence reports of a public company being acquired, and details of competitive contracts with large accounts.
2. Ask 5 finance, operations, IT, sales and engineering staffers – what is their biggest threat to their most important asset and how badly the threat can damage the asset – on a scale of 1 to 5. Call that “Damage”.
3. Ask them how often the threat materializes – once a month, once/year or once a decade. Call that “Probability of occurence”.
4. Quantify the asset value. Schedule 1 hour with your CFO and ask her how much each asset is worth in dollars. The dollar value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO – in terms of replacement cost, or impact on sales and operations. Call that “Asset value”
5. Calculate your value at risk = Sum (Asset Value * Damage * Probability of occurrence)

More about bad ideas in 10 steps for protecting customer data

Kudos to ANSI for publishing a free guide to calculating cyber risk.

Better late than never – thousands of security professionals in the world use the Microsoft Threat Modeling Tool and the popular free threat modeling software PTA, to calculate risk in financial terms – not to mention the thousands of other users of risk calculative methods from dozens of software companies like  Palisade and Countermeasures.

The good news

It’s important that a standards body like ANSI  endorse calculating cyber risk in dollar terms, directing their message to executives.  Any CFO will want to see a brick and mortar calculation for justifying security investment – especially in today’s market where money is scarce and cyber-threats are abundant. I can appreciate the effort that must have been involved in getting Homeland Security Standards Panel (HSSP),  the Internet Security Alliance (ISA) and dozens of industry professionals involved.

The bad news

The ANSI document has a number of fundamental flaws:

a. It doesn’t offer practical ways of building a cost-effective, prioritized program of security countermeasures, although it talks about the multi-dimensional nature of the threats and vulnerabilities in high-level terms:

The key to understanding the financial risks of cyber security is to fully embrace its multi-disciplinary nature. Cyber risk is not just a “technical problem” to be solved by the company’s Chief Technology Officer. Nor is it just a “legal problem” to be handed over to the company’s Chief Legal Counsel; a “customer relationship problem” to be solved by the company’s communications director; a “compliance issue” for the regulatory guru; or a “crisis management” problem. Rather, it is all of these and more.

b, An additional problem with the ANSI document is that it doesn’t a practical risk-calculative method for real life. In a real business the risk calculation is a complex multi-dimensional interplay between threats, vulnerabilities and security countermeasures that simply cannot be performed in a 2 dimensional Microsoft Excel.

c. The real failing of the ANSI method is totally ignoring that risk is caused by damage to assets. Although the document mentions  assets: physical assets, digital assets (that if stolen are really copied…) and intangible assets (such as company reputation)  – it does not acknowledge that  assets have financial value.  Any CFO worth her salt, will be able to make a reasonable judgment of corporate cyber asset asset: for example, availability of the Oracle Applications Financial reporting system at quarter-end  or intellectual property such as mechanical design files of products that the company manufactures.

It’s a step in the right direction, but late in coming and lacking in scope. I hope that the document will receive wide distribution – it’s well written and easy to understand -  most executives should have no problem relating to the material and adopting and adapting it to their business situation.

I don’t normally go to these events unless I’m invited to speak – but it is a good networking opportunity and chance to reconnect with old friends and colleagues.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat.

Walking the exhibit hall, I realized that Risk Assessment is a threat to security product vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to a vendor salesperson who must make quota.

If you do a risk assessment with Practical Threat Analysis (shameless plug for PTA – download here you systematically collect assets, threats, vulnerabilities …and THEN produce a cost-effective risk mitigation plan. Your vendor wants to sell you a $100,000 database firewall, but it may turn out that your top vulnerability is from 10 Field service engineers with company source code on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure – Free open-source disk encryption software for Windows Vista/XP, Mac OS X, and Linux.

Vendors often attempt to mitigate the risk assessment threat by using compliance as a universal countermeasure.

This is can approach absurd levels as we shall see in the following example.

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis but asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.

But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Security vendors like NetClarity do not have economic incentive in reducing data leakge and mitigating risk since that would reduce their product.