Risk Management a la Archer

This post is a continuation of the risk management concepts that started with the Han and Chewie articles. You may enjoy reading those first before jumping into this one. Today we talk about risk management using examples from Archer.


Malory Archer is the CEO of the International Secret Intelligence Service, which provides covert services for government and private clients. During a recent risk assessment she discovered that her top scoring risk in both likelihood and business impact was the possibility of her lead field agent, Sterling, embezzling millions of dollars from his operations fund so he can run away to a tropical honeymoon destination to enjoy an early retirement tending bar for young newlyweds. Because Malory is keen on risk management practices, she knows there are 4 possible ways she can address this risk. She can accept the risk, mitigate the risk, avoid the risk, or transfer the risk.

If Malory accepts the risk, it means she will choose to do nothing about it and will live with the consequences of the impact if the risk is realized. In this scenario it seems silly that she would accept the most impactful risk to her organization. However, accepting risk happens every day. Organizations have thousands of known risks but have finite time, budget, and manpower to address them. The risks with the lowest likelihood and/or impact may be accepted because the organization prefers to dedicate resources to addressing higher priority risks. The organization’s overall risk appetite and its regulatory requirements are both big factors in deciding which risks get accepted and which are addressed. Given that the risk in this scenario is the highest priority for Malory, she can’t accept it.


Malory could also choose to mitigate the risk. This means she will take steps to reduce the likelihood and/or impact of the risk being realized. In this example of Sterling’s embezzlement, Malory could enforce a new policy stating all operations fund transactions must be submitted to the company’s accountant, Cyril Figgis, for review and approval. This will reduce the likelihood that Sterling is able to embezzle large amounts of funds as he will be quickly discovered. She may also add to the policy that all operations spending above $3 million will require director approval to reduce the risk of Sterling and Cyril collaborating to embezzle the money.

Another choice Malory has is to avoid the risk. This means she would change her organizational strategy in a way that stops the potential risk from being a valid concern going forward. In this example, she could decide that field agents are no longer allowed to manage their own operations budget. Sterling would lose access to his funds so the risk of him embezzling those funds would be greatly decreased. However, Malory needs to be aware of the risks associated with her change in strategy before deciding whether this is the right approach or not. Field agents not being able to access funds while in the field could present new risks!

The final choice Malory has is to transfer the risk. This means she passes the impact of the risk being realized from her organization to another entity. The most common type of transferring risk is insurance coverage. For example, Malory could upgrade her company’s insurance policy to include coverage for insider fraud and embezzlement. If Sterling does embezzle the money, the insurance company feels the impact instead of Malory’s company.

Note that these options are not mutually exclusive. For example, Malory could mitigate the risk partially, transfer the remaining risk to another agency, and accept any leftover risk that the outside agency won’t cover. Knowing that you could accept, mitigate, avoid, or transfer risk, how would you handle the issue if you were in Malory’s shoes?


Quantitative Risk Decisions with Chewie

We previously talked about how Han Solo makes risk decisions. Han considers the risks he faces and decides if they are high-risk, moderate-risk, or low-risk. This is a qualitative way of thinking about risk. His partner, Chewbacca, looks at risk a little differently. A Mathlete in high school, Chewie likes to see the numbers. He adopts a quantitative view of risk.


Chewie is trying to decide if he should purchase a deflector shield from a vendor for $80,000. This deflector shield is industry approved and is proven to block 100% of all lasers fired at the ships it is installed on. Chewie is wondering if it is a worthwhile investment to install one of these shields on his ship.

Chewie and Han get into a lot of close calls that usually result in an exchange of lasers. They predict, based on their previous trends, that they get shot by lasers 42 times a month. This means that per year, they estimate that they will be shot 504 times (42 times a month multiplied by 12 months). This is the annualized rate of occurrence (ARO), or the estimated number of times Chewie’s ship will get shot each year. They also know that they have to repair the ship after being hit by a laser. The repair bill usually runs about $30 per laser shot. This is the single loss expectancy (SLE), or the cost of a laser shot occurring one time.

They can now establish an annualized loss expectancy (ALE) to discover how much they will have to spend on repairs per year for laser shots. To do this, they multiply the ARO by the SLE.

annualized rate of occurrence x single loss expectancy = annualized loss expectancy

504 x $30 = $15,120

Chewie risks $15,120 a year by not protecting against lasers and the vendor wants $80,000 to protect him against lasers. This isn’t to say that Chewie should or shouldn’t buy the shield; it just allows him to make an educated risk decision based on potential loss.

But this isn’t the only factor to consider when making quantitative risk decisions. Chewie has to spend the time repairing his ship after each shot. How valuable is Chewie’s time? The ship can’t be flown on jobs while being repaired. How much is he losing when he has to disable the ship for maintenance? How comfortable is Chewie with the idea of getting shot by lasers…is he able to accept that risk?
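Here is the ALE calculation carried one step further, as an added example that is not part of the original post. It works out how many years of avoided repairs it takes to cover the shield, and how that changes once downtime is counted. The $120 downtime cost per hit is a constructed figure, and the shield is assumed to be a one-off purchase with no upkeep.

```python
# Figures from the post: 42 laser hits a month, $30 repair per hit, $80,000 shield.
ARO = 42 * 12            # annualized rate of occurrence: 504 hits a year
SLE_REPAIR = 30          # single loss expectancy: repair bill per hit
SHIELD_COST = 80_000
# Constructed figure, not from the post: lost work while the ship is grounded.
DOWNTIME_PER_HIT = 120


def ale(aro, sle):
    """Annualized loss expectancy = ARO x SLE."""
    return aro * sle


def payback_years(control_cost, aro, sle, blocked_fraction=1.0):
    """Years of avoided loss needed to cover a one-off control purchase.

    blocked_fraction is the share of incidents the control stops; the post's
    shield blocks 100% of lasers, so the default is 1.0.
    """
    avoided_per_year = ale(aro, sle) * blocked_fraction
    if avoided_per_year <= 0:
        return float("inf")  # nothing avoided, so the control never pays back
    return control_cost / avoided_per_year


if __name__ == "__main__":
    print("ALE, repairs only:", ale(ARO, SLE_REPAIR))
    print("payback, repairs only:",
          round(payback_years(SHIELD_COST, ARO, SLE_REPAIR), 2))
    full_sle = SLE_REPAIR + DOWNTIME_PER_HIT
    print("ALE with downtime:", ale(ARO, full_sle))
    print("payback with downtime:",
          round(payback_years(SHIELD_COST, ARO, full_sle), 2))
```

Counting only repairs, the shield takes a little over five years to pay for itself; with the constructed downtime figure it takes about one.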

How does this apply to protecting business assets? Think of Chewie’s ship as a business asset, the vendor’s shield as a security control, and the lasers as threats trying to exploit vulnerabilities in the business asset. By looking at the cost of a vulnerability being realized and the frequency of that vulnerability being realized each year, a security professional can decide how serious the vulnerability is and can establish cost-effective controls to keep risk within the organization’s accepted level.

Risk Decisions with Han

Han Solo, captain of the Millennium Falcon, is trying to decide if he should smuggle two strangers and their droids to the planet Alderaan from the planet Tatooine. He knows that the Empire’s fleet is looking for these strangers, so making the trip could be risky. Since Han is well versed in Information Security risk decision-making, he uses a tiered approach when considering risks, meaning he breaks risks down into high risk, moderate risk, and low risk. The strangers are paying well, but Han values his own well-being and only takes jobs that are low or moderate risk, refusing any work that he deems as high risk. This is Han’s risk appetite, or the amount of risk that is acceptable to him.


But how does he know what risk level to assign to this trip? First he identifies what threat actors he could encounter during the trip. A threat actor is anyone that could cause harm to the asset needed for this journey: his ship the Millennium Falcon. Since the Empire is searching for these strangers, there is a chance Han will encounter small scout ships known as TIE fighters or large battleships known as Star Destroyers. He also knows that there is a bounty on his own head, meaning there is a chance that he may encounter bounty hunters who have been searching for him.

Now that Han has identified possible threat actors he may encounter, he has to decide if the Falcon has any vulnerabilities, or characteristics that these threat actors could exploit to achieve their goal of causing harm. Han knows the reflector shields on his ship are limited and taking frequent shots from other ships could blow him out of the sky.

Now that Han knows how he is vulnerable, he needs to decide how much risk each of these threat actors poses to the Falcon. He is going to evaluate the likelihood, or the chance of encountering the threat actor, as well as the impact, or the negative result of an encounter, for each of these threat actors. Using this information, he will assign an overall risk to each threat actor.

Han knows that space is littered with TIE fighters and contact with them is almost inevitable. Thus, he assigns a high likelihood to a TIE fighter encounter. These ships are small and lightly armed and will most likely be taken out before they can penetrate the Falcon’s reflector shields, so Han assigns a low impact to a TIE fighter encounter. High likelihood x low impact = low risk, so a TIE fighter encounter is low risk. (There is a formula for combining likelihood x impact. It is included at the end of the post.)

Bounty hunters are rarer than TIE fighters, but are not unheard of. Han knows there is a moderate likelihood he will encounter a bounty hunter. Bounty hunter ships are lightly armed with a few special gadgets so an encounter with one would have moderate impact. Moderate likelihood x moderate impact = moderate risk. A bounty hunter encounter is medium risk.

The Empire has a limited supply of Star Destroyers so encountering one is rare. Han assigns the likelihood of encountering one to low. Han knows that Destroyers are ridiculously well armed and capable of blowing up the Falcon in just a few shots. The impact of an encounter is high. Low likelihood x high impact = low risk. A Star Destroyer encounter is low risk.

Because there were no high-risk threats, this job is within Han’s risk appetite and he decides to take the passengers.

Do note, however, this is just based off of overall risk. Han can choose to make the decision that he is most concerned with high likelihood threats, regardless of the impact. This would cause TIE fighters to be of high concern for him. He could also choose to value the highest impact encounters more than anything else, making him most concerned with Star Destroyers. These are all considerations that must be made when making risk decisions.

As Information Security professionals, we have limited resources, limited time, and endless vulnerabilities. Attempting to remedy every single vulnerability and implement controls against every possible threat actor would be nearly impossible and not at all cost effective. Being able to assign a risk rating to the threats we face gives us an idea of which vulnerabilities need our immediate attention, which need to be addressed at some point, and which can be accepted as low enough risk to not be of concern (based on the organization’s risk appetite). This also helps us identify which threat actors are worth noting and implementing controls against and which are too unlikely or too low impact to expend resources on combating. In short, being able to identify and analyze risks allows us to make educated decisions in regards to Information Security strategies.

Details for risk analysis:

For each vulnerability on a system, determine if there is a threat actor that could exploit that vulnerability.

Determine the likelihood that a threat actor could exploit that vulnerability. Then determine the impact that would be caused if the vulnerability were to be exploited.

There is a simple formula for determining overall risk rating:

Likelihood x Impact = Risk Rating

High likelihood receives a value of 1.0, medium a value of .5, and low a value of .1

High impact receives a value of 100, medium a value of 50, and low a value of 10

So for example high likelihood x low impact = 1.0 x 10 = 10.

Risk ratings of 51-100 are high, 11-50 are medium, and 1-10 are low. This means in the above example of 1.0 x 10 = 10 the overall risk rating is low.
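The formula and bands above, applied to Han's three threat actors, as an added example that is not part of the original post. It also covers the two alternative views mentioned earlier (ranking by likelihood alone or by impact alone); the names `Threat`, `within_appetite` and `prioritise` are made up for this sketch.

```python
from dataclasses import dataclass

# Values from the post. Likelihood is stored in tenths (1.0 -> 10, .5 -> 5,
# .1 -> 1) so the arithmetic stays exact at the band edges.
LIKELIHOOD_TENTHS = {"high": 10, "medium": 5, "low": 1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str
    impact: str

    @property
    def score(self):
        return LIKELIHOOD_TENTHS[self.likelihood] * IMPACT[self.impact] / 10

    @property
    def rating(self):
        # Bands from the post: 51-100 high, 11-50 medium, 1-10 low.
        if self.score > 50:
            return "high"
        return "medium" if self.score > 10 else "low"


def within_appetite(threats, max_rating="medium"):
    """True when no threat is rated above the highest rating the owner accepts."""
    return all(ORDER[t.rating] <= ORDER[max_rating] for t in threats)


def prioritise(threats, by="score"):
    """Rank threat names by overall score, or by likelihood or impact alone."""
    keys = {
        "score": lambda t: t.score,
        "likelihood": lambda t: LIKELIHOOD_TENTHS[t.likelihood],
        "impact": lambda t: IMPACT[t.impact],
    }
    return [t.name for t in sorted(threats, key=keys[by], reverse=True)]


# Han's assessment of the Alderaan job, as described in the post.
ALDERAAN_JOB = [
    Threat("TIE fighter", "high", "low"),
    Threat("Bounty hunter", "medium", "medium"),
    Threat("Star Destroyer", "low", "high"),
]

if __name__ == "__main__":
    for t in ALDERAAN_JOB:
        print(f"{t.name:15} score={t.score:5.1f} rating={t.rating}")
    print("take the job:", within_appetite(ALDERAAN_JOB))
    print("by likelihood:", prioritise(ALDERAAN_JOB, by="likelihood"))
    print("by impact:", prioritise(ALDERAAN_JOB, by="impact"))
```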

The WW1 Flying Ace, Authentication, and You

Authentication is simply proving a claimed identity. I can tell you that I am Kody and I can show you a driver’s license to prove it. If I claim to be John Smith but have no means of verifying my claim, I lack proper authentication. There are three factors used in authentication: knowledge factors, possession factors, and inherence factors. Let’s take a look at what these different factor types mean:


Snoopy, the World War I Flying Ace, has finally figured out how he is going to shoot down the Red Baron. He has developed a new propeller that will allow his plane to maneuver twice as fast. He hides this propeller in his doghouse and wants to be sure that only he can ever have access to it.

To accomplish this goal, he builds a giant steel door at the entrance of his doghouse. This door only opens when a single specific code is typed into its electronic keypad. Snoopy shares this code, his password, with no one. A password is a knowledge factor, meaning it is something Snoopy knows. So far Snoopy has implemented single-factor authentication, meaning that only one of the three factors is being used.

Snoopy is security savvy and knows that relying on single-factor authentication is not good enough when protecting a propeller that could change the entire course of the war. He adds a lock to the door. This lock can only be opened with a unique key that only he has. This key is a possession factor, meaning it is something Snoopy has. Snoopy has now implemented two-factor authentication, meaning two different authentication factors are being used to secure his asset; to gain entrance to the doghouse someone would have to type in the correct password and then use the correct physical key.

Snoopy still isn’t satisfied with his doghouse’s security. He wants to implement three-factor authentication using all three authentication factors to ensure that he, and only he, can enter his doghouse. He adds a paw-print reader to the door. This reader only recognizes Snoopy’s paw. Snoopy’s paw is an inherence factor, meaning it is something that Snoopy is.

The door only opens when the person seeking entry can provide something Snoopy knows, something Snoopy has, and something Snoopy is.

We are all familiar with how authentication relates to information systems. Every time you put in a password after your username you are using single-factor authentication. Whenever you make a withdrawal at an ATM and swipe your card and enter a PIN you are using two-factor authentication. Picture what would happen without authentication: anyone could go to your email claiming to be you and read or write as many messages as they want or could go to an ATM and withdraw as much money from your account as they want!

Calvin’s (or is it Hobbes’s?) CIA Triad

The CIA triad is the foundation that all Information Security concepts are built on, making it a great starting place for learning about InfoSec. CIA stands for confidentiality, integrity, and availability. But what do these concepts mean?

To illustrate how these principles work, let’s look at Calvin and Hobbes.


Calvin and Hobbes create a super-secret club called the “Get Rid Of Slimy girlS (G.R.O.S.S.)” club. During their very first treehouse meeting, they draft a document entitled “member list” and write the names “Calvin” and “Hobbes” on the list. This list is the club’s most valuable asset so Calvin and Hobbes need to maintain the CIA of the asset.

The confidentiality of the list is critical as the exposure of the secret member list would cause the entire super-secret club to lose its purpose. The integrity of the list is also important to ensure that unauthorized modifications of the list can’t be made. It would be terrible if Susie’s name were to make it on the list or if Calvin’s name were to be removed. Lastly, the availability of the list is important. When the club meets to have their secret meetings, they need the list to do roll call and to ensure that those in attendance are listed.

So now that we’ve got the idea, we can explain how CIA works for business assets. The confidentiality of the asset is necessary to ensure that only those with appropriate privileges and appropriate need can see the asset. The integrity of the asset is necessary to ensure that the data has not been changed and, if it has, a log of changes is kept. The availability of the asset is necessary because it is not of any value if no one can interact with it for its intended purpose.

Welcome!

Thanks for stopping by my blog! I have decided to use this space to share key Information Security (InfoSec) concepts with those who may be interested. I will be starting from the absolute basics so even if you’ve never heard of InfoSec you can still use this as a resource. There will not be anything too terribly technical posted here as I would like my posts to be understandable and interesting for those of any experience level.

I still have much to learn myself. If you would like to expand on my ideas or offer your own personal experiences please leave me a comment. It would be terrific to be able to learn from you!

Please note that the ideas shared in this blog are strictly my own. They do not necessarily reflect the views of any past, present, or future employers.

Linkedin: https://www.linkedin.com/in/kody-mclaughlin-cissp-4533b92b