Risk Analysis
All information security professionals assess risk: we do it so often that it becomes second nature. A patch is released on a Tuesday. Your company normally tests for 2 weeks before installing, but a network-based worm is spreading on the Internet that infects unpatched systems. If you install the patch now, you risk downtime due to lack of testing. If you wait to test, you risk infection by the worm. Which is the bigger risk? What should you do? Risk Analysis (RA) will help you decide.
The average person does a poor job of accurately analyzing risk: if you fear the risk of dying while traveling, and drive from New York to Florida instead of flying to mitigate that risk, you have done a poor job of analyzing risk. It is far riskier, per mile, to travel by car than by airplane when considering the risk of death while traveling.
Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions will dictate which safeguards we deploy to protect our assets, and the amount of money and resources we spend doing so. Poor decisions will result in wasted money, or even worse, compromised data.
Assets
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset will dictate what safeguards you deploy. People are your most valuable asset.
Threats and Vulnerabilities
A threat is a potentially harmful occurrence, like an earthquake, a power outage, or a network-based worm such as NotPetya (see https://www.microsoft.com/security/blog/2018/02/05/overview-of-petya-a-rapid-cyberattack/), which began attacking Microsoft Windows operating systems in 2017. A threat is a negative action that may harm a system.
A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows system that has not been patched in a few years.
Using the worm example, the threat is the NotPetya worm. NotPetya spreads through a number of vectors, including exploiting systems that lack the MS17-010 patch (see https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010). A networked Microsoft Windows system is vulnerable if it lacks the patch. A Linux system has no vulnerability to NotPetya, and therefore faces no direct risk from NotPetya.