Anticipate Attack and Arm Your Systems
There are several important questions that should concern every business, but two stand out: “What is the risk to the business information infrastructure?” and “What are the threats and vulnerabilities to the flow of sensitive business information?” Security professionals must be able to conduct comprehensive risk analyses and document their findings for executive management review. Businesses must realize that a threat to the secure flow of sensitive information is a threat to the business itself.
Keep in mind that your business may be impacted by legislative and compliance requirements to conduct a risk analysis. For example, risk analysis and information system activity review are required implementation specifications defined in the Security Rule of the Health Information Protection and Accountability Act (HIPAA). Related to risk analysis is a business impact analysis—a critical initial step in contingency planning that identifies and prioritizes critical systems and components. Risk analysis and business impact analysis must be conducted on a regular basis to identify infrastructure vulnerabilities as well as gaps related to compliance requirements.
Definition and Scope
Risk analysis identifies areas that need to be addressed for compliance, such as the HIPAA or Sarbanes-Oxley legislation, as well as all gaps that may be exploited by insider and outsider attacks. Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of sensitive business information, such as financial records or electronic protected health information (ePHI).
Each entity needs to identify and prioritize risks and threats. Risk analysis is the process of identifying relevant assets and threats, and then identifying or engineering cost-effective security and control measures. The aim is to balance the cost of those security, risk mitigation and control measures against the losses that would be expected if they were not in place.
A thorough risk assessment should identify the system vulnerabilities, threats and current controls, and attempt to determine the risk based on the likelihood and impact of each threat. These risks should then be assessed and a risk level assigned, such as high, medium or low.
Getting Started: Project Phases
A business’s risk analysis activities can typically be organized around three phases:
1. Documentation Phase: Identifies all critical systems that process sensitive information and documents the purpose of these systems and the flow of information.
2. Risk Assessment Phase: Identifies threats and vulnerabilities to determine the likelihood and impact of risk.
3. Safeguards Determination Phase: Determines safeguards by establishing the residual likelihood and residual impact of each risk, and from these the remaining risk that must be addressed.
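The three phases can be carried through a small risk register. The following is an added example, not part of the original article: the three-point scale, the multiply-and-bucket matrix, the "steps down" model for safeguards and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

SCALE = ["low", "medium", "high"]  # assumed ordinal scale; the article names the levels only

def risk_level(likelihood: str, impact: str) -> str:
    """Assumed 3x3 matrix: multiply the 1-3 ranks and bucket the product."""
    score = (SCALE.index(likelihood) + 1) * (SCALE.index(impact) + 1)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

@dataclass
class Safeguard:
    name: str
    cuts_likelihood: int = 0  # steps down the scale (assumed model)
    cuts_impact: int = 0

@dataclass
class Risk:
    asset: str           # documentation phase: system handling sensitive information
    threat: str          # risk assessment phase
    vulnerability: str
    likelihood: str
    impact: str
    safeguards: list = field(default_factory=list)  # safeguards determination phase

def step_down(level: str, steps: int) -> str:
    return SCALE[max(0, SCALE.index(level) - steps)]

def assess(risk: Risk) -> dict:
    res_l = step_down(risk.likelihood, sum(s.cuts_likelihood for s in risk.safeguards))
    res_i = step_down(risk.impact, sum(s.cuts_impact for s in risk.safeguards))
    return {"asset": risk.asset,
            "inherent": risk_level(risk.likelihood, risk.impact),
            "residual_likelihood": res_l, "residual_impact": res_i,
            "remaining": risk_level(res_l, res_i)}

def prioritize(register: list) -> list:
    """Highest remaining risk first; ties broken by inherent risk, then asset name."""
    rows = [assess(r) for r in register]
    return sorted(rows, key=lambda r: (-SCALE.index(r["remaining"]),
                                       -SCALE.index(r["inherent"]), r["asset"]))

# Constructed sample register (not from the article).
REGISTER = [
    Risk("dial-in maintenance line", "unauthorized remote access", "rogue modem", "low", "medium"),
    Risk("laptop file share", "device theft", "unencrypted disk", "medium", "high",
         [Safeguard("full-disk encryption", cuts_impact=2)]),
    Risk("ePHI billing database", "credential interception", "unencrypted login traffic",
         "high", "high", [Safeguard("TLS on all client connections", cuts_likelihood=1)]),
]
```

The billing database stays at the top because its one safeguard lowers likelihood but leaves impact untouched, so the remaining risk is still high and needs further safeguards.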
As part of a risk analysis, security professionals must:
- Conduct a vulnerability assessment.
- Identify contingency requirements.
- Conduct an information system activity review.
- Identify critical assets and the threats to those assets.
- Identify the vulnerabilities that expose those assets to the threats.
Business Security Goals
Security professionals understand that business leaders are driven by shareholders, customers, lenders, regulators, lawmakers and others to:
- Ensure the confidentiality, integrity and availability of all sensitive business information, including its creation, receipt, storage and transmission.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information.
- Ensure compliance with the security policy by all members of the business workforce.
Vulnerability Assessment Tools
A number of tools may be used to assess the vulnerability of a business’s systems and networks. Security professionals need to be familiar with these tools and their capabilities. To address the area of vulnerability assessment, the business must create an inventory of all vital enterprise assets, systems and communications. The risk analysis team must create a pre-assessment checklist to document information about all critical systems and applications that process or store sensitive information.
Vulnerability tools, such as scanning software, checklists and scripts, may be used to identify weaknesses in the security of the organization. Scanning and testing tools of the following types also may be run to determine gaps in the enterprise security architecture. These include:
- Web Server Vulnerability Scanners: These tools look for common vulnerable scripts and files within Web sites. Attacks on Web applications are growing in popularity.
- Network Sniffers: These tools may be used to examine traffic in and out of the network to look for instances where passwords or important information are sent unencrypted.
- War Dialers: These products may be used to search for rogue modems on systems.
- Wireless Tools: These may be used to search for rogue access points and to determine how difficult it would be for someone outside the company to connect to the wireless network.
Remember that vulnerability assessment tools are simply snapshots of your network. The processes governing access to technology and information are often the most vulnerable to exploitation. When an individual calls a support engineer, administrator or database analyst for access to confidential information, are there processes and controls in place to ensure that only appropriate access is granted? Are there alerts when an individual’s activities violate access-control policy? Are there frequent reports and audit trails in place to track process compliance? It is also important to manage physical and software changes carefully so that vulnerabilities are not injected into your procedural and technical infrastructure.
Most vulnerability assessment tools can be misused. Even without misuse, they can impair or interrupt communications or corrupt the information held in your networked systems. It is not uncommon for a new user to configure a system so that a scanning session accidentally “leaks” outside the target network. Test your tools in an isolated environment before using them on a production network. Test them again after every upgrade.
Always get formal, written authorization to perform vulnerability assessments from all organizations involved in the ownership or operations of your network infrastructure. For an intranet scan, at a minimum, get this authorization from a very senior executive. When scanning your Internet-facing equipment, review your plans with your ISP and any partners that might have equipment in your environment. Never perform vulnerability assessments on networks for which you do not have explicit, written permission. Unsanctioned vulnerability assessments can easily rise to the level of a federal felony.
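One way to keep a scanning session from leaking outside the authorized network is to check every target against the ranges named in the written authorization before any tool runs. This is an added example, not part of the original article; the function names, the ranges and the target list are constructed for illustration.

```python
import ipaddress

def parse_scope(lines):
    """Parse ranges (CIDR or single IP), ignoring blank lines and # comments."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets

def check_targets(targets, authorized, excluded=()):
    """Return (in_scope, rejected). A target passes only if it lies entirely
    inside an authorized range and touches no excluded range."""
    in_scope, rejected = [], []
    for raw in targets:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            # Hostnames are refused: DNS may resolve them outside the scope.
            rejected.append((raw, "not an IP address or CIDR range"))
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in authorized):
            rejected.append((raw, "outside authorized scope"))
        elif any(net.version == x.version and net.overlaps(x) for x in excluded):
            rejected.append((raw, "overlaps an excluded range"))
        else:
            in_scope.append(str(net))
    return in_scope, rejected

# Constructed sample data: ranges as they might appear in a signed authorization.
AUTHORIZED = parse_scope([
    "10.20.0.0/16   # intranet, approved by senior executive",
    "192.0.2.0/28   # Internet-facing block, reviewed with ISP",
])
EXCLUDED = parse_scope(["10.20.99.0/24  # partner-owned equipment, no permission"])
TARGETS = ["10.20.5.7", "10.20.0.0/15", "10.20.99.10",
           "192.0.2.5", "192.0.2.200", "scanme.example"]

if __name__ == "__main__":
    ok, bad = check_targets(TARGETS, AUTHORIZED, EXCLUDED)
    print("scan:", ok)
    for target, reason in bad:
        print("refused:", target, "-", reason)
```

The `10.20.0.0/15` entry shows the failure the paragraph above describes: a one-digit mask typo doubles the range and reaches addresses nobody authorized, so the whole entry is refused rather than trimmed.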
Business Impact Analysis
Within the scope of a risk analysis, security professionals also should complete a business impact analysis. This is a critical step in contingency planning. A business impact analysis helps identify and prioritize critical IT systems and components. As part of the process, information is collected, analyzed and interpreted. This information provides the basis for defining contingency requirements and priorities. The end result is the creation of a report to identify requirements for contingency planning.
Information System Activity Review
The security team also must conduct an informati