For an information security analyst or security consultant, it is your primary mission to identify and prioritize risk and then focus your efforts on getting the greatest risk return.
Before we discuss how to rank security findings, let’s elaborate on the idea of ‘risk-return’.
Risk Return
Let’s say you perform a vulnerability assessment within a company and as a result, you get the following:
- 1 HIGH severity finding
- 1,000 LOW severity findings
Personally, I’m tempted to focus on that one high severity finding. If I can take care of that, I can tell leadership they have no ‘critical’ or ‘high’ severity findings at this time due to my efforts! The glory. And that will last between one and thirty days… But if we approach it from a risk-return perspective and drill down on these vulnerability findings we might discover the following observations:
- HIGH finding:
  - Is an XSS finding on an internal-only network, and the web interface requires authentication before it can be reached
  - No sensitive data in the application
  - It was developed by an outsourced development company we no longer use and have no contract with
  - Hiring a developer to update the code will cost between $50k and $250k
  - The application will be decommissioned within the next ninety days
  - A change to the application code could break the system
- LOW findings:
  - All 1,000 LOW findings are the exact same issue
  - The patch is available
  - It can be deployed via the patch management system
  - No reported outages or issues with the patch
  - All can be remediated within thirty days with zero risk
When we look at these findings in this new light we can quickly see that the best ‘risk-return’ is focusing on the remediation of the 1,000 low severity findings. This is an oversimplified case, and I’ve never witnessed this exact situation, but it’s meant to be used as a model to show that efforts need to consider more than the ‘severity’ of the finding. They also need to include the effort, cost, and ongoing ‘RISK’.
Risk Treatment
The term ‘risk treatment’ means what it says: how you treat a risk. This can be, and often is, different from the ‘severity’ of the original finding. Penetration testers, vulnerability scanners, dynamic code analyzers, and other frameworks have a system for ranking finding severity. This finding severity is usually associated with a commonly accepted framework like the ‘Common Vulnerability Scoring System’, or CVSS for short.
https://www.first.org/cvss/
Severity does not equal risk.
Risk Treatment can be thought of as ‘cat treatment’. If you live in the country you know rogue barn cats are all over the place. If the cat you provide for, the one that lives in your house, is hungry, you will feed it. If a stray cat comes over you might even feed that cat. But if that cat comes over every single day, there might come a time you decide to no longer be its food source. (I need to be gentle here, as I know there are different ‘sensitivity’ levels around cats.) But if that same rogue barn cat, the one you already decided not to feed, comes back one day after a while and you can see it’s pregnant… well, maybe you feed it again, just this once. But if that same rogue pregnant barn cat shows up again and brings its thirty other rogue pregnant barn cat friends… well, I’ll let you decide what to do. My point is a hungry cat does not equal a cat getting fed.
Defense in depth is a great framework to leverage when considering the risk. It helps you account for the other security controls already in place that adjust the risk. The idea of measuring the risk based on its components, or qualities, is called a ‘Qualitative approach’. This is the common way of considering risk, and is most often used due to the lack of ‘quantitative’ tools.
Some companies have been able to implement a more quantitative approach by implementing risk catalogs. These catalogs set a risk, or sometimes classification level on different components of the architecture. These might include:
- Network environment (external / DMZ / internal)
- Application (high / medium / low)
- Data (restricted / sensitive / internal / public)
A very mature security environment might even digest the catalog information and run algorithms to help compute risk. Even then, the result should be reviewed individually and only used as a tool.
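As an added example (not code from the original post), here is a small Python sketch of the catalog-driven scoring just described, applied to the two findings from the Risk Return section. The catalog multipliers, the $5k patch-rollout cost, the 50% break chance, the one-year horizon and the formula itself are all assumptions chosen for illustration, not an industry standard.

```python
"""Illustrative risk-return ranking. All weights and costs below are assumed."""
from dataclasses import dataclass

# Risk catalog: a multiplier per architecture component (assumed values).
NETWORK = {"external": 1.0, "dmz": 0.7, "internal": 0.3}
APPLICATION = {"high": 1.0, "medium": 0.6, "low": 0.3}
DATA = {"restricted": 1.0, "sensitive": 0.7, "internal": 0.4, "public": 0.1}
# Base score taken from the scanner's severity label (assumed mapping).
SEVERITY = {"critical": 10, "high": 8, "medium": 5, "low": 2}


@dataclass
class Finding:
    name: str
    severity: str
    network: str
    application: str
    data: str
    count: int            # identical findings that share one fix
    fix_cost_usd: float   # estimated remediation cost
    days_exposed: int     # how long the risk persists if untreated (e.g. until decommission)
    break_risk: float     # 0..1 chance the fix itself causes an outage


def residual_risk(f: Finding, horizon_days: int = 365) -> float:
    """Severity adjusted by the catalog's compensating factors, scaled by exposure window."""
    exposure = min(f.days_exposed, horizon_days) / horizon_days
    controls = NETWORK[f.network] * APPLICATION[f.application] * DATA[f.data]
    return SEVERITY[f.severity] * controls * exposure * f.count


def risk_return(f: Finding) -> float:
    """Risk removed per $1k spent, discounted by the chance the fix breaks something."""
    return residual_risk(f) * (1.0 - f.break_risk) / (f.fix_cost_usd / 1000.0)


def rank(findings: list[Finding]) -> list[Finding]:
    """Highest risk-return first: where the next dollar of effort should go."""
    return sorted(findings, key=risk_return, reverse=True)


# The two findings from the example above (cost and break chance are assumed).
HIGH_XSS = Finding("XSS on internal app", "high", "internal", "low", "internal",
                   count=1, fix_cost_usd=50_000, days_exposed=90, break_risk=0.5)
LOW_PATCH = Finding("Missing patch x1000", "low", "internal", "medium", "internal",
                    count=1000, fix_cost_usd=5_000, days_exposed=365, break_risk=0.0)

if __name__ == "__main__":
    for f in rank([HIGH_XSS, LOW_PATCH]):
        print(f"{f.name:22} severity={f.severity:5} risk-return={risk_return(f):.4f}")
```

Raising the XSS finding's network to "external" or its data to "restricted" in the catalog moves it back up the list, which is the point: the same scanner severity lands at very different risk depending on where it sits.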
Summary
Learning how to appropriately treat risk is something you want to become great at, because machines and security tools can’t do it. To be great at it you need to know the business, its assets, and its unique risk. Taking security findings and analyzing the risk behind them makes you incredibly valuable, because you’re focusing your attention and efforts on the greatest risk-return for the business.