Home > Articles

Why Risk Assessment

This chapter is from the book

With industry compliancy and information security laws and mandates being introduced in the past four years, the need for conducting a vulnerability and risk assessment is now paramount. These recent laws and mandates include the following:

  • The Healthcare Information Privacy and Portability Act (HIPPA) is driving the need for vulnerability and risk assessments to be conducted within any health-care or health-care-related institution.
  • The recent Gramm-Leach-Bliley Act (GLBA) is driving the need for vulnerability and risk assessments to be conducted within any banking or financial institution in the United States.
  • The recent Federal Information Security Management Act (FISMA) is driving the need for vulnerability and risk assessments to be conducted for all United States federal government agencies.
  • The recent Sarbanes-Oxley Act affects all publicly traded companies within the United States that have a market cap greater than $75 million; they are now subject to compliance with the Sarbanes-Oxley Act, Section 404, which also is driving the need for vulnerability and risk assessments to be conducted for publicly traded companies.
  • The recent Canadian Management of Information Security Standard (MITS) requires regular security assessments for all Canadian federal government agencies.

The need to conduct vulnerability and risk assessments is being driven by these new laws and mandates. Organizations must now be information security conscious and must develop and implement proper security controls based on the results of their internal risk assessment and vulnerability assessment. By conducting a risk assessment and vulnerability assessment, an organization can uncover known weaknesses and vulnerabilities in its existing IT infrastructure, prioritize the impact of these vulnerabilities based on the value and importance of affected IT and data assets, and then implement the proper security controls and security countermeasures to mitigate those identified weaknesses. This risk mitigation results in increased security and less probability of a threat or vulnerability impacting an organization’s production environment.

Risk Terminology

With any new technology topic, terminology, semantics, and the use of terms within the context of the technology topic can be confusing, misused, and misrepresented. Risk itself encompasses the following three major areas: risks, threats, and vulnerabilities.

Risk is the probability or likelihood of the occurrence or realization of a threat. There are three basic elements of risk from an IT infrastructure perspective:

  • Asset—An IT infrastructure component or an item of value to an organization, such as data assets.
  • Threat—Any circumstance that could potentially cause loss or damage to an IT infrastructure asset.
  • Vulnerability—A weakness in the IT infrastructure or IT components that may be exploited in order for a threat to destroy, damage, or compromise an IT asset.

An IT asset or data asset is an item or collection of items that has a quantitative or qualitative value to an organization. Examples of IT assets that organizations may put a dollar value or criticality value on include the following:

  • Workstations—Hardware, software, and data assets stored at the end user’s workstation location (PCs, PDAs, phones, and so on).
  • Operating systems software—Operating system software, software updates, software patches, and their configuration and deployment on production services and workstations.
  • Application systems software—Application software such as databases, client/server applications, software updates, software patches, and their configuration on production servers.
  • Local area network hardware and software—Local area network infrastructure, TCP/IP, LAN switches, routers, hubs, operating system and application software within the LAN CPE equipment.
  • Wide area network hardware and software—Wide area network infrastructure, TCP/IP, routers, operating system and application software within the WAN CPE equipment.
  • Network management hardware and software—SNMP network management infrastructure, operating system and NMS application software, production NMS servers, data collection SNMP polling servers, network-monitoring CPE devices, SNMP MIB I and MIB II data collection and archiving.
  • Telecommunication systems—Voice communication systems (PBX or IP Telephony), telephone CPE devices on desktops, operating system and application software (IP Telephony), voice-mail systems, automated attendants, and so on.
  • IT security hardware and software—Operating system and security application software, production servers, DMZs, firewalls, intrusion detection monitoring systems, security monitoring, and alarm notification systems.
  • Systems and application servers, hardware, and software—Operating systems, application software, client/server application software, production servers, and software code/intellectual property.
  • Intellectual property—Customer data, customer databases, application data, application databases, information, and data assets. Intellectual property may have an intrinsic value to an organization depending on what the intellectual property is and whether the organization generates revenue from this intellectual property.
  • IT infrastructure documentation, configurations, and backup files and backup data—Complete and accurate physical, logical, configuration, and setup documentation of the entire IT infrastructure, including backup files, backup data, disk storage units, and data archiving systems.

A threat is any agent, condition, or circumstance that could potentially cause harm, loss, damage, or compromise to an IT asset or data asset. From an IT infrastructure perspective, threats may be categorized as circumstances that can affect the confidentiality, integrity, or availability of the IT asset or data asset in terms of destruction, disclosure, modification, corruption of data, or denial of service. Examples of threats in an IT infrastructure environment include the following:

  • Unauthorized access—The owner of the access rights, user ids, and passwords to the organization’s IT systems and confidential information is compromised, and unauthorized access is granted to the unauthorized user who obtained the user ids and passwords.
  • Stolen/lost/damaged/modified data—Loss or damage of an organization’s data can be a critical threat if there are no backups or external archiving of the data as part of the organization’s data recovery and business continuity plan. Also, if the data was of a confidential nature and is compromised, this can also be a critical threat to the organization, depending on the potential damage that can arise from this compromise.
  • Disclosure of confidential information—Disclosure of confidential information can be a critical threat to an organization if that disclosure causes loss of revenue, potential liabilities, or provides a competitive advantage to an adversary.
  • Hacker attacks—Unauthorized perpetrator who purposely and knowingly attacks an IT infrastructure and/or the components, systems, and data.
  • Cyber terrorism—Because of the vulnerabilities that are commonplace in operating systems, software, and IT infrastructures, terrorists are now using computers, Internet communications, and tools to perpetrate critical national infrastructures such as water, electric, and gas plants, oil and gasoline refineries, nuclear power plants, waste management plants, and so on.
  • Viruses and malwareMalware is short for malicious software, which is a general term used to categorize software such as a virus, worm, or Trojan horse that is developed to damage or destroy a system or data. Viruses are executable programs that replicate and attach to and infect other executable objects. Some viruses also perform destructive or discrete activities (payload) after replication and infection is accomplished.
  • Denial of service or distributed denial of service attacks—An attack on a TCP/IP-based network that is designed to bring the network and/or access to a particular TCP/IP host/server to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, system administrators can install software fixes to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
  • Acts of God, weather, or catastrophic damage—Hurricanes, storms, weather outages, fires, floods, earthquakes, and total loss of IT infrastructures, data centers, systems, and data.

A vulnerability is a weakness in the system design, a weakness in the implementation of an operational procedure, or a weakness in how the software or code was developed (for example, bugs, back doors, vulnerabilities in code, and so on). Vulnerabilities may be eliminated or reduced by the correct implementation of safeguards and security countermeasures.

Vulnerabilities and weaknesses are common with software mainly because there isn’t any software or code in existence that doesn’t have bugs, weaknesses, or vulnerabilities. Many vulnerabilities are derived from the various kinds of software that is commonplace within the IT infrastructure. This type of software includes the following:

  • Firmware—Software that is usually stored in ROM and loaded during system power up.
  • Operating system—The operating system software that is loaded in workstations and servers.
  • Configuration files—The configuration file and configuration setup for the device.
  • Application software—The application or executable file *.exe that is run on a workstation or server.
  • Software Patch—A small piece of software or code snippet that the vendor or developer of the software typically releases as software updates, software maintenance, and known software vulnerabilities or weaknesses.

Herein lies the fundamental problem—software has vulnerabilities, hackers and perpetrators know there are vulnerabilities, and organizations attempt to put the proper software patches and updates in place to combat this fundamental problem before being attacked. The key word here is before being attacked. Many organizations lack sufficient funds for securing their IT infrastructure by mandating a vulnerability window of 0 days or 0 hours, thus eliminating any software vulnerability potential threats. Achieving a vulnerability window of 0 days or 0 hours is virtually impossible given that software vendors cannot provide software patches fast enough to the general public after a vulnerability is exposed. In addition, the time required to deploy and install the software patch on production servers and workstations exposes an organization’s IT infrastructure to potential threats from that vulnerability.

This gap in time is reality in IT infrastructures, especially because a majority of IT assets and devices have some kind of software loaded in them. Remember, vulnerabilities in software extend to firmware, operating systems, configuration files, and applications, and must be combated with a software maintenance, update, and patch maintenance plan. This encompasses the entire software, operating, and application software environment exposing potential vulnerabilities in any device that houses and runs this vulnerable software. In large organizations, combating the software vulnerability issue requires an enterprise, automated software patch-management solution.

The Computer Emergency Response Team (CERT) is an organization sponsored by Carnegie-Mellon University’s Software Engineering Institute. Until 2003, CERT was the organizational body that was responsible for collecting, tracking, and monitoring vulnerability and incident reporting statistics. CERT can be found at http://www.cert.org. CERT publishes statistics for the following:

  • Vulnerabilities Reported—This compilation is for vulnerabilities reported, not those that go unreported.
  • Vulnerability Notes Published—These notes are published by CERT from data that is compiled from users and the vendor community describing known and documented vulnerabilities.
  • National Cyber Alert System Documents Published—Information previously published in CERT advisories, incident notes, and summaries are now incorporated into National Cyber Alert System documents.
  • Security Alerts Published—The total number of validated security alerts published by CERT.
  • Mail Messages Handled—The total number of email messages handled by CERT.
  • Hotline Calls Received—The total number of phone calls handled by CERT.
  • Incidents Reported—Given the widespread use and availability of automated attack tools, attacks against Internet-connected organizations are common given the number of incidents reported.

As of 2004, CERT no longer publishes the number of incidents reported. Instead, CERT is working with others in the community to develop and report on more meaningful metrics for incident reporting, such as the 2004 E-Crime Watch Survey. Figure 3.1 shows the dramatic increase in known and documented vulnerabilities and the number of incidents that have occurred and have been recorded by http://www.cert.org during the past few years. Note that as the number of vulnerabilities increases, the number of incidents has also increased, but this value is misleading because the number of incidents that go unreported is unknown.

Figure 3.1

Figure 3.1 Rise in vulnerabilities and incidents.

Many of the security incidents indicated in 2003 on the http://www.cert.org website were the direct result of software vulnerabilities that were exploited by an attacker. These security incidents can be attributed to the "vulnerability window," which is the amount of time that lapses between when a known vulnerability is identified and documented to when an organization implements the vulnerability fix or deploys the appropriate software patch.

Because of this vulnerability window issue, SQL Slammer, which was a known vulnerability posted by Microsoft in July 2002, affected nearly 90% of the world’s SQL databases on Super Bowl Sunday, January 2003, six months after the vulnerability was exposed.

The stages of vulnerability in software are as follows:

  1. Vendors release software and code with unknown vulnerabilities to the general public.
  2. Vulnerability is discovered, communicated, documented, and published by the vendor. When the vulnerability is identified and communicated to the general public, this defines when the vulnerability window is open. This is referred to as VTopen.
  3. A configuration-based software countermeasure (software patch) is created by the vendor and made available to the public.
  4. The software patch is released and made available to the public.
  5. The software patch is received, deployed, and installed on the affected devices. When the software patch is deployed and installed on the affected device, this defines when the vulnerability window is closed. This is referred to as VTclosed.

In Figure 3.2, the stages in vulnerabilities in software are defined. This gap in time between when a known vulnerability is identified and communicated to when that known vulnerability is mitigated through a software patch is referred to as the vulnerability window.

Figure 3.2

Figure 3.2 The vulnerability window.

From a vulnerability perspective, an IT asset or IT infrastructure is most vulnerable during the vulnerability window exposure time. This exposure time is referred to as vulnerability time:

Vulnerable Time (Vt) = Vt(open) - Vt(closed)

Most organizations, when they first conduct a vulnerability assessment on their IT infrastructure, servers, workstations, and systems, are shocked to realize that they are vulnerable because of software vulnerabilities inherent in the code. Upon realizing this, the ultimate goal for an organization is to prioritize those IT assets and IT infrastructure components to assess which IT assets should have their vulnerability time reduced. Reducing the vulnerability time will assist organizations in minimizing the potential risk and threats caused by software vulnerabilities. Many organizations create internal policies that state the maximum vulnerability time exposure for their mission critical IT assets and systems.

Organizations are now realizing that having an IT security architecture and framework consisting of policies, standards, procedures, and guidelines for their production IT systems, software, and applications is critical. Many organizations are apt to create a policy that defines the maximum acceptable vulnerability window for its mission-critical and production IT systems. This policy then drives the priorities for how funds are to be invested for risk mitigation via an enterprise patch-management solution.

Software vulnerabilities are documented and tracked by the U.S. Computer Emergency Readiness Team (US-CERT) in a public-accessible list called the Common Vulnerabilities and Exposures (CVEs) list. In 1999, the MITRE organization was contracted by the U.S. Computer Emergency Readiness Team to track, monitor, and update the CVE list. Today, the CVE list has grown to more than 7,000 unique documented vulnerability items, and approximately 100 new candidate names are added to the CVE list each month, based on newly discovered vulnerabilities. The CVE list can be found at http://www.cve.mitre.org/.

The CVE is merely a list or dictionary of publicly known information security vulnerabilities and exposures and is international in scope and free for public use. Each vulnerability or exposure included on the CVE list has one common, standardized CVE name. The CVE list is a community effort that encourages the support of hardware and software vendors. The CVE list is free and can be downloaded or accessed online at the previously mentioned website.

Prior to conducting an internal risk assessment, it is important to understand the new laws, mandates, and regulations that are driving organizations to create and implement information systems security plans and conduct vulnerability assessments. These new laws, mandates, and regulations are impacting IT infrastructures and their assets and are driving the need for conducting a thorough risk and vulnerability assessment on an IT infrastructure and its assets.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020