Security Risk Management
Building an Information Security Risk Management Program from the Ground Up
By Evan Wheeler
Copyright © 2011 Elsevier Inc.
All rights reserved.
The Security Evolution
INFORMATION IN THIS CHAPTER
How We Got Here
A Risk-Focused Future
Information Security Fundamentals
The Death of Information Security
Before even starting to think about the various steps required to design a program to assess and evaluate information security risks, it is important to briefly review the history of the field and take a quick look at Information Security as a discipline. Even those of you who are already familiar with some advanced risk assessment techniques can benefit from reviewing how we got here or you risk repeating the same mistakes. Information Security (or Information Assurance) needs to be viewed through the lens of business context to see the added value of basing your security program on a risk model. Risk management is by no means a ubiquitous foundation for information security programs, but many visionaries in the field recognize that the future of information security has to be focused on risk decisions if we are to have any hope of combating the ever-changing threat landscape and constantly increasing business demands. From an outsider's perspective, risk management may seem like an obvious fit for information security, but, amazingly, within the profession, there are still debates regarding its merit.
HOW WE GOT HERE
If you attend any industry conference or pick up any information security trade magazine, you will certainly see many references to risk assessments, risk analysis, and risk management. So, how is it possible that many security professionals are still arguing about the value of a risk-based approach to information security? Certainly, all the security products and service vendors have jumped on the risk bandwagon in full force. As a profession, have we fallen behind the vendors or are they contributing to the false perception of risk management? In fact, walking on the expo floor of any major information security conference, the number of vendors touting their so-called "risk management" solutions has increased significantly compared to even 1 year prior. Hopefully, as you look at each vendor's offerings, you will start to ask yourself questions like "is a vulnerability scanner really a risk management solution?" The answer is no, not really; but, the vendors are positioning it that way, and many people are more than happy to follow blindly if they can cross risk management off their compliance checklist. This example highlights a great misunderstanding within the field about what risk management really is. Let's face it—risk management is not a new concept. Several other industries (for example, insurance, economics, finance) have implemented very robust and precise risk models to handle even complex scenarios. Unfortunately, the information security field itself is rather young compared with these other industries, and when you try to apply a mature discipline like risk management to an evolving practice, there will be gaps that need to be overcome. This book is focused on addressing those gaps by providing a solid foundation upon which information security professionals can build a world-class risk management program that is aligned with the business objectives of the organization.
Banning Best Practices
In order to start the transformation into a risk mind-set, we first have to shed some of the baggage of outdated approaches to information security and dispel several misconceptions about how an information security function should operate. A growing problem in the information security field is the emphasis and reliance on checklists and so-called "best practices" as the only basis for many decisions. For the sake of simplicity and consistency, the security field has evolved into a cookbook-type approach. Everyone gets the same recipe for security and is expected to implement it in the exact same way. The fundamental flaw with this strategy is that we don't live in a one-size-fits-all world. Instead of applying best practices uniformly across the board, we should be using risk analysis techniques to identify the critical focus areas and to select the most appropriate solutions for our organizations.
The motivation behind this cookbook mentality and the value of security checklists are clear when you look at how the information security field has evolved. There has always been a heavy technology focus in the field, and much of the security community got their start in an Information Technology (IT) role. As the discipline developed, implementations of security principles and concepts were inconsistent at best and the need to provide more standardized guidance to the practitioners who were battling it out in the trenches every day resulted in several generic security frameworks, some basic standards, and a lot of operationally focused training. Moreover, there are a wide variety of training options available at the practitioner level, but almost nothing focused on how to build and lead an information security program; most programs are aimed at teaching management activities, but there aren't many educational programs focused on true leadership.
Let's look at a quick example of this problem in practice. A typical information security standard might be that sensitive data needs to be encrypted wherever it is stored. Suppose that you found a database within your organization where sensitive data isn't encrypted. Before you confront the business owner and ask them to implement encryption, start by asking yourself why encryption is necessary. What problem are you trying to solve? What risk are you trying to mitigate? Encryption may not be necessary or appropriate every time. In some cases, it may even conflict with other security needs, such as the desire to inspect all communications in and out of the organization for malicious content or data leakage. Security controls need to provide business value and shouldn't be applied without first analyzing the problem. Your boss may attend an industry presentation, likely by a vendor, where the speaker recommends database encryption for all sensitive data. So, they run back to the office and you find yourself suddenly scoping out the effort to encrypt all your databases, but have you defined the problem you are trying to solve? This book is specifically focused on providing a risk model that will allow you to evaluate the threats and the vulnerabilities for your organization, and make educated decisions about how to address the most critical risks.
Having checklists and baselines does make it easy for security practitioners, and even people outside of security, to apply a minimal level of protection without having to understand the intricacies of information security, but at what expense? How can a single list of best practices possibly apply to every organization in the same way? There are "common practices," yes, but none of us is in the position to claim "best practices." There is too much potential to be lulled into a false sense of security if we base evaluations of security posture solely on a checklist.
To be effective, senior security professionals need to learn how to perform a true risk assessment and not just accept the established security checklists. Even the US federal government seems to be moving in this direction with the latest revision of the NIST SP800-37 guide for managing the security of federal information systems (formerly focused on Certification and Accreditation), which has been overhauled to use a risk-based approach. It is hard to deny that risk management is the future of the information security field, though some still try to argue against it. A risk-based model can provide a more dynamic and flexible approach to security that bases recommendations on the particular risks of each scenario, not just a single pattern for the entire field. Just look at the Payment Card Industry (PCI): given all the breaches in the retail space, it is clear that the PCI requirements have not made retail companies any more secure, just more compliant.
Looking Inside the Perimeter
Another important development in the information security field is the shift from focusing purely on securing the perimeter. Traditional information security practices were primarily concerned with keeping the "bad guys" out. The assumption was that anything outside your network (or physical walls) was untrusted and anything inside could be trusted. Although this perspective can be very comforting and simplifies your protection activities (in an "ignorance is bliss" kind of way), unfortunately, it is also greatly flawed. As environments have grown more complex, it has even become necessary to separate different portions of the internal environment based on the sensitivity of the resources. It is hard to deny the statistics (according to the 2010 Verizon Data Breach Investigations Report, 48 percent of the breaches were caused by insiders) regarding the large percentage of security breaches initiated by malicious insiders or compromises resulting from attackers leveraging exploits on mobile devices to launch attacks on more sensitive internal resources. At this point, it would be hard even to draw a meaningful perimeter line around your organization. You can't assume that the other systems on your internal networks can be trusted or that not being directly Internet-facing excludes a system from needing to worry about external threats.
Early attempts by many organizations to address these issues without a common security framework have led to the implementation of point solutions and ad hoc levels of protection, which in many cases have not been the best solutions to address the organization's greatest risk areas. We have all seen organizations that spend a lot of money on technology or spend all their time trying to keep up with the bleeding-edge hacking techniques, but miss the big gaping holes that end up being exploited. Critical exposures are overlooked, and breaches occur despite the expensive controls in place. Technology won't fix process and procedural weaknesses, which are what typically contribute to the major disclosures. As the threat landscape continues to shift, the old paradigms for information security just aren't going to cut it anymore.
A RISK-FOCUSED FUTURE
No one can deny that keeping up with the pace of change in this field is challenging at best, and can, at worst, feel impossible. As soon as you feel like you have a good handle on the major threats to your organization, three new threats pop up. So how can you keep up? If you want to stay ahead or even just keep pace, you need not only to understand the fundamental principles of a solid information security program but also to understand how to apply them to mitigate your organization's specific risks.
A New Path Forward
There are many good security advisory services available that can provide a steady feed of intelligence about the latest threats and vulnerabilities, but you will soon discover that keeping up with the pace of information can quickly become overwhelming. Along the same lines, try running a vulnerability scan of any average-sized environment for the first time and see how many hundreds of findings you get back; even if your organization has a mature security program, a typical scan will generate volumes of raw data that need to be analyzed. Unfortunately, many new security managers will start with this approach instead of first establishing the foundation for their program on a robust risk model, so they get lost in the race to combat the latest threats or close out vulnerabilities as quickly as possible without any prioritization. The result is that resource administrators spend all of their time responding to every new vulnerability report and applying every security patch; meanwhile, the security folks spend all of their time processing and tracking every new vulnerability when they should be focusing on prioritizing risks and developing a security strategy. It's easy to get caught up in trying to address each risk finding as soon as you discover it, and in doing so, you lose sight of the big picture. If you don't identify and address the root causes and systemic issues, then you will just keep killing time and resources fixing the same symptoms over and over again.
Excerpted from Security Risk Management by Evan Wheeler. Copyright © 2011 by Elsevier Inc. Excerpted by permission of SYNGRESS. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.