Security-risk assessment, reinvented

InfoWorld Security Adviser Roger A. Grimes offers a tool for more accurately ranking the threat levels at your organization

I'm forever reinventing the wheel, and this time around, I'm focusing my efforts on the oh so exciting field of risk assessment. In the process, I try to put aside conventional wisdom and cultivate useful, independent observations that would not have been considered without the additional hard thinking. When going on my squirrel logic trails, I try to forget the older, acknoweldged model; I don't like it polluting my thoughts.

Regarding risk assessment, the well-publicized, traditional quantitative model -- R=L x %, or risk equals potential loss times likelihood of occurrence -- is a great place to start, but it's too simple. Its optimized ease-of-memorization summary also leaves out a lot of detail necessary for real-life threat modeling in the computer security environment. The more accurately you assess a risk, the easier it is to prioritize which one to tackle first.

[ Looking for more security tips? Start with the basics in Roger Grimes's guide to the seven types of malicious hackers. | Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

When I hear of a new threat or discover an exploited client, my mind begins to frame the risk with a bunch of common questions. I've never documented the mental questions on paper before, but this column is the result of my first attempt. The only problem? I possibly came up with too many questions to consider. The simple R= L x % model is starting to make more sense now.

Still, I want to share my risk-ranking model, in case it generates a better way of ranking real risk inside your environment. It starts with the following nine risk-assessment categories and their subsets:

Knowledge of exploit by possible attackers

  • Publicly known and not popularly used (higher risk)
  • Publicly known and actively used in wild (higher risk)
  • Privately known and not being used against customer (lower risk)
  • Privately known and being used against customer (highest risk)

Level of access required for attack

  • External access (higher risk)
  • Internal network access needed (medium to lower risk)
  • Truly remote (no end-user involvement needed) and cannot be easily automated (high risk)
  • Truly remote and can be easily automated (wormable) (highest risk)
  • Conventional remote (end-user involvement required) (medium risk)
  • Requires access to local network (low to medium risk)
  • Can only be accomplished using physical, local, logged-on interactive access (lowest risk)

Level of requires authentication of begin attack

  • Highly privileged account (admin, root, and so on) (lower risk)
  • Standard user (medium to high risk)
  • Anonymous user (high risk)
  • No authentication needed (highest risk)

Reliability of exploit code against intended target systems

  • Unstable, rarely successful (low risk)
  • Relatively stable, usually successful (high risk)
  • Highly stable, almost always successful (highest risk)

Ease of detecting exploited system

  • Easy-to-detect problems (lower risk)
  • Moderate signs and symptoms (medium risk)
  • Invisible or silent, system functions apparently normal (high risk)

Payload for successful attack (detailed version)

  • Full compromise (highest risk)
  • Privilege escalation (high to highest risk)
  • Session hijacking (medium to highest risk)
  • Access to protected information (medium to highest risk)
  • Denial of service (medium to highest risk)
  • Damage to low number of assets (lower risk)
  • Access to large number of additional assets (high risk)
1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies