Monday, October 27, 2003

The Dynamic Duo Discuss Digital Risk

I've been reading books and looking at product literature which discuss "security," "risk," "threat," and "vulnerability," each with a different definition. I don't think these terms are difficult to understand. I wrote the hopefully amusing vignette below to communicate my understanding of these terms. At least it won't bore you!

Meanwhile, at the Hall of Justice...

BATMAN: Robin, why the puzzled look?

ROBIN: Sorry, Batman.

B: Are my Bat Ears crooked again?

R: No Batman. I've been reading some books and vendor marketing literature on security, and I'm confused by their definitions of risk, vulnerability, and threat.

B: Oh, you've been researching to protect the Hall of Justice computer? Good for you. Tell me why you're confused.

R: I see so many people calling "vulnerabilities" and "threats" the same thing.

B: That's certainly not right. A vulnerability is a weakness in an asset which could lead to exploitation. A threat is a party with the capabilities and intentions to exploit a vulnerability in an asset.

R: Huh?

B: Let's try a few examples. Consider Superman.

R: I do, often.

B: I don't want to hear about that. Superman is an asset to the Hall of Justice, true?

R: He's definitely an asset.

B: I bet you think so. Think of Superman as an asset of the Hall of Justice's crime fighting arsenal. What is his weakness?

R: Kryptonite?

B: Close. Superman's weakness -- his vulnerability -- is the fact that Kryptonite nullifies the effect of the Earth's yellow sun, removing his super powers.

R: So what is Kryptonite?

B: Kryptonite is a weapon, or tool. But on its own it's nothing -- unless used by an evil party.

R: Like Lex Luthor?

B: Exactly. Lex Luthor is a threat, but only if he's carrying Kryptonite.

R: Lex Luthor is the threat, because his intentions are to harm Superman and his capability is instantiated by possession of Kryptonite. How does risk fit into this?

B: Let's define risk. Risk is the possibility of suffering harm or loss. It's a measure of danger. The loss of Superman would deal a crushing blow to the Hall of Justice's ability to fight crime.

R: That means we're talking about the risk of loss of Superman's crime fighting abilities, or more generally the loss of Superman. I don't know how to express that formally.

B: Let me help. Risk is the product of multiplying measurements of threat by vulnerability by cost of replacing an asset, also called that asset's value. So, R = T x V x C.

R: You did say risk was a measurement of the probability of loss. I don't know what the numbers should be for any of those factors.

B: It's ok to assign arbitrary values, say 1 to 5 for each factor, as long as you use the same scale when measuring different risks. How would you assess the risk to the Hall of Justice now?

R: I would assign a Kryptonite-equipped Luthor as threat 4, with Superman's vulnerability as 4, and cost as 5, for a total of 80.

B: Why didn't you assign the threat and vulnerability to each be 5? A Kryptonite-equipped Luthor has capabilities and intentions, and Superman's weakness can kill him.

R: I assessed the threat as 4 because I know Luthor has Kryptonite, but I don't know if he has enough to kill Superman.

B: That is prudent. His capability to exploit Superman could be diminished. You're factoring in uncertainty. How about the vulnerability rating?

R: Superman isn't completely vulnerable, since we fellow Super Friends would protect him if Lex appeared.

B: So you mean we Super Friends could be considered countermeasures to Superman's vulnerability?

R: Yes! Is that why the risk equation doesn't explicitly mention countermeasures?

B: You catch on quickly Robin. Although countermeasures could be included in the risk equation, they complicate the issue mathematically. Better to decrease the vulnerability rating if the countermeasure effectively mitigates the asset's weakness.

R: Batman, I'm starting to understand. What is security then?

B: Security is the process of maintaining an acceptable level of perceived risk.

R: That seems awfully specific.

B: Let me explain with another example. You know Fort Knox? And the gold it protects?

R: Of course. Gold is the asset protected by Fort Knox.

B: Let's assess the risk of theft of Fort Knox's gold. Risk is the probability of loss, remember? Assume that Fort Knox is so well protected, it has no vulnerabilities capable of exploitation by any human, Super Friend, or Legion of Doom member. Only a force of nature could damage Fort Knox, like a meteorite from space wiping out Kansas.

R: Holy invincibility, Batman! Let me see... I'd say the threat is low, maybe a 1, since there are evil parties with intentions to steal Fort Knox's gold. Since Fort Knox is invulnerable to anything but a force of nature, no party has the capability to harm it. I'd assess the vulnerability as 1, since Fort Knox could still be wiped out by that meteorite from space. The cost of replacement is immense -- definitely 5. That gives is 1 x 1 x 5 = 5. That means...

B: That's right Robin. The risk to the loss of Fort Knox's gold is 5, a very small number.

R: So Fort Knox's gold is secure?

B: It's almost perfectly secure, especially compared to Superman as a Hall of Justice asset. Let's change the equation. Do you know of the Marvel universe?

R: The what?

B: It's the source of better movies than our own DC universe. Anyway, in the Marvel universe, a creature called the Hulk exists.

R: Tell me about this beast.

B: For the purposes of this argument, believe that the Hulk could smash his way into Fort Knox if he so chose.

R: Is the Hulk evil? Does he covet gold?

B: No, he's a powerful but misunderstood creature. Do you know what you just did?

R: Let me guess -- I performed a threat analysis?

B: Excellent Robin. Your shorts aren't too tight after all. Now, on to the next step -- risk analysis.

R: Given the presence of the Hulk, I would assess the threat as a 4, the vulnerability as a 2, and the cost as a 5.

B: Why did you raise the threat level? I told you the Hulk wouldn't harm Fort Knox.

R: Maybe the Legion of Doom could trick the Hulk into breaching Fort Knox? Then the Hulk would have the capabilities and intentions to exploit the Fort.

B: Very good.

R: And I rated the vulnerability as a 2 and not higher, as even a creature like the Hulk would have a tough time powering his way through all that concrete and steel, surely?

B: True enough. You're getting the hang of this, Robin.

R: Thanks Batman. You're swell. Can I try this sort of analysis using the Hall of Justice computer?

B: You bet. We run OpenBSD on the Hall of Justice machine. Do you know if it has any vulnerabilities?

R: Well, I haven't updated OpenSSH yet, so there is a vulnerability. That's a 5. Let me do a threat analysis next. I would identify the threat as the Legion of Doom. Specifically, I bet Brainiac could code an tool that would exploit the vulnerable OpenSSH daemon.

B: That means the Legion of Doom has the capabilities and intentions to harm the Hall of Justice computer. We call that a "current credible threat."

R: I'd rate the threat a 4, since we aren't 100% sure the Legion of Doom has an exploit. They definitely capable of writing it though. That leaves cost of replacement, which I would assess as a 5. The Hall of Justice computer is a piece of critical infrastructure. The risk of loss of the Hall of Justice Computer is 4 x 5 x 5 = 100. That's immense!

B: Get to patching, Robin.

R: How can we reduce risk, Batman?

B: We can't reduce risk directly. We can only affect each of the factors. For the threat component, we could eliminate the party completely. Alternatively, we could try change their intentions by addressing why they hate us. We could also remove their capability to harm us, such as removing their financing or destroying their weapons.

R: That sounds like a way to deal with terrorists.

B: Perhaps. On the vulnerability side, you could patch the weakness directly. You could implement access control or other counter-measures to limit the ability of intruders to exploit the vulnerability. All of these factors decrease the vulnerability rating.

R: You're so smart Batman.

B: Thank you. On the cost side, we could completely replicate the Hall of Justice computer and host it off-site. While exploitation of the Hall of Justice computer would still be devastating, by implementing redundancy we could lessen the cost of replacing a damaged Hall of Justice computer.

R: Thanks Batman. You've really helped me understand risk!

B: You're welcome Robin. I hear the Bat Phone ringing -- to the Bat Poles!

Note: Multiplying numbers together, without any measurement or rank, isn't exactly the "science" one would like to see in risk assessment. The purpose of this exercise is to discuss definitions and show how breaking out individual components of risk (i.e., threat, vulnerability, and asset cost) helps us think about the problem. This is obviously a naive exercise so I prefer to focus attention on the definitions and their translation into a fictional case study.