Timothy R. Stacey
Ronald E. Helsley
Judith V. Baston
Payoff
The success of an enterprise's risk-based information security management program depends
on the accurate identification of the threats to the organization's information systems.
This article presents a structured approach for identifying an enterprise-specific threat
population, which is an essential first step for security planners who are involved in
developing cost-effective strategies for addressing their organizations' information security
risks.
Introduction
In a compliance-based information security program, the information systems are designed
and required to comply with a pre-determined, comprehensive set of security controls.
Recently, it has been shown that this type of security program leads to the incorporation of
expensive safeguards, some of which may be irrelevant to today's changing information
system architectures and threat populations. Put simply, an enterprise will waste significant
money on the implementation of inappropriate security controls because it uses a
compliance-based information security program. The government has recognized this area
of potential waste and has mandated that government information systems institute
risk-based information security programs.
The migration from a compliance-based to a risk-based information security program
shifts the responsibility to and places a significant additional burden on the local security
practitioner. The adoption of a risk-based information security program requires the
enterprise to become cognizant of the threats to its information systems and to respond with
safeguards and protection mechanisms appropriate to its set of threats. In addition, the
enterprise must continually review its security posture because of changing technologies
and the dynamic threat population. Thus, it is critical that the enterprise adopt a structured
methodology to determine the pertinent threats, to re-evaluate residual vulnerabilities, and
to identify new threats.
In the NASA community, government directives, such as the Office of Management
and Budget Circular A-130, and NASA Agency directives have placed the responsibility
for the cost-effective protection of information systems directly with the “owners” (i.e.,
managers) of the facilities. To provide guidance and support, the NASA centers have
provided security handbooks, such as Johnson Space Center's Automated Information
Systems Security Manual, JSCM-2410.11. These handbooks mandate sets of security
requirements that, if implemented, provide “...a common and adequate baseline ...” and
“... provide adequate AIS security protection, meet the intent of Federal and Agency
guidelines, and be consistent with good business practices.”
· Network.
· Hardware.
· Software.
Within these categories, 21 threats were identified, which were used in weighing the
security posture of the information systems as illustrated in Exhibit 1. From that point,
approximately 450 recommended safeguards were keyed to those threat categories.
Information systems personnel were interviewed to determine their systems' level of
compliance with the recommended safeguards. Based on the five threat categories, a security
posture was subjectively determined, additional safeguards to be implemented were
identified to reduce risk, a management-level briefing was prepared, and all findings were
presented.
However, working with the five threat categories raised areas of concern. Although a
quasi-analytical approach to determining the perception of a system's security posture was
attempted, the analyses became increasingly subjective. In reviewing the list of threats,
several anomalies were noticed, which could have called into question the validity of the overall
findings. The specific areas of concern included:
· The threat categories were composed of a differing number of threats (i.e., personnel
and administrative had six threats, software had four threats, and hardware had only
one threat).
· The level of detail of the threats seemed too uneven (e.g., masquerading as an
authorized user versus activity for personal gain).
· Most of the recommended safeguards mapped to the same threat category (i.e., the
majority mapped to personnel and administrative).
· The number of safeguards recommended (and mapped) to the threat categories was
vastly different between threat categories (i.e., personnel and administrative had 254
recommended safeguards, software had 149 recommended safeguards, and hardware
had 123 recommended safeguards).
· The list should contain a limited number of threats (i.e., between six and 12 to facilitate
management-level presentations).
· The list should use access permission as a major criterion (i.e., insider versus badged
outsider versus outsider).
· The list should use motivation as a criterion (i.e., malicious versus accidental).
Although the threats noted in Exhibit 2 comply with the previously discussed
definitions of threat, these observations are also evident:
· Some of these threats appear too general (e.g., theft, hardware failure, and software
failure), and others seem too specific (e.g., unauthorized access to files by an insider).
· The list seems incomplete (e.g., power failure or fluctuation and sniffing appear to be
missing).
· A single threat has several threat agents (e.g., disaster may have been caused by natural
or human actions).
After reviewing the threat list for the first time, the following threats should be reconsidered:
· Improper use of Enterprise equipment for non-Enterprise purposes.
· Unauthorized access to files by an insider.
· Unauthorized access to the system by a badged outsider.
· Unauthorized access to the system by an outsider.
· Physical abuse (malicious destruction of hardware) by insiders or outsiders.
· Accidental, undesired, or unauthorized modification by an insider.
· Theft.
· Software failure.
· Hardware failure.
· Disaster (i.e., fire, nature, terrorism, etc.).
Threat events can be initiated by humans. In addition, a distinct set of events triggered
by insiders can be found, and a distinct set of events triggered by outsiders can be found.
Although some threat events may be identical, they are differentiated by the types of
safeguards proposed to protect the information systems. Moreover, there is a collection of
threat events that require the same safeguards regardless of whether they are initiated by
insiders or outsiders. Upon completion of the worksheet shown in Exhibit 5, six
threat agents are identified:
· Human (nonspecific).
· Human (insider).
· Human (outsider).
· Hardware.
· Software.
· Environmental.
Step 8—Combine the Threat Event List and Assign the Threat Names
Once the safeguards have been assigned to the threat events and the threat agents have been
identified, the threat events should be combined based on similar safeguards, agents, and
security concerns. Now, the threat name can be determined. The objective is to combine
similar threat events, where applicable, to reduce the total number of threat events in the
list. Three discriminators can be used in identifying threat events that are candidates for
combining into a single, higher-level event. These discriminators are: the safeguards,
which may be employed in protecting the information system's functionality from the event
(in preventing, detecting, and recovering from the incident); the agents, which may
cause the incident; and the security concerns (i.e., integrity, availability, or confidentiality),
which may be compromised because of the event.
Once the threat events list is reduced, it is time to collect and group the threat events and
determine the threat name. The major ancillary benefit of this exercise is the development of
a preferred set of safeguards.
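The agent classification of the preceding section and the Step 8 combining rule can be made mechanical. The following is an added example (not from the article or from NASA JSC) that groups worksheet rows whose three discriminators (safeguards, agents, security concerns) match, derives a threat name, and collects the preferred safeguard set; the naming rule and the sample worksheet rows are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Vocabularies taken from the article: six threat agents and three security concerns.
AGENTS = frozenset({"human-nonspecific", "human-insider", "human-outsider",
                    "hardware", "software", "environmental"})
CONCERNS = frozenset({"integrity", "availability", "confidentiality"})

@dataclass(frozen=True)
class ThreatEvent:
    description: str
    agents: FrozenSet[str]      # threat agents that can initiate the event
    concerns: FrozenSet[str]    # security concerns the event compromises
    safeguards: FrozenSet[str]  # safeguards that prevent, detect or recover from it
    def __post_init__(self):
        assert self.agents <= AGENTS and self.concerns <= CONCERNS, self.description
    def discriminators(self):
        # Step 8: events sharing all three discriminators are candidates to combine.
        return (self.safeguards, self.agents, self.concerns)

def threat_name(agents, concerns):
    # Naming rule is an assumption: the agent(s) plus the security concerns at stake.
    return f"{'/'.join(sorted(agents))} threat to {', '.join(sorted(concerns))}"

def combine_threat_events(events):
    """Merge events with identical discriminators into one named, higher-level threat."""
    groups: Dict[tuple, List[ThreatEvent]] = {}
    for ev in events:
        groups.setdefault(ev.discriminators(), []).append(ev)
    return [{"name": threat_name(agents, concerns),
             "events": [m.description for m in members],
             "safeguards": safeguards}
            for (safeguards, agents, concerns), members in groups.items()]

def preferred_safeguards(combined):
    # The ancillary product of Step 8: the union of safeguards over the reduced list.
    return frozenset().union(*(c["safeguards"] for c in combined))

# Constructed sample worksheet rows (not from the article's exhibits).
def fs(*items): return frozenset(items)
SAMPLE = [
    ThreatEvent("Insider accidentally deletes data files", fs("human-insider"),
                fs("integrity", "availability"), fs("backups", "access control")),
    ThreatEvent("Insider maliciously overwrites data files", fs("human-insider"),
                fs("integrity", "availability"), fs("backups", "access control")),
    ThreatEvent("Disk drive failure", fs("hardware"), fs("availability"), fs("backups", "spare hardware")),
    ThreatEvent("Power fluctuation damages disk", fs("environmental"), fs("availability"), fs("backups", "spare hardware")),
    ThreatEvent("Outsider sniffs files on the network", fs("human-outsider"),
                fs("confidentiality"), fs("encryption")),
]
```

Only the two insider events share all three discriminators, so five rows reduce to four named threats; the disk failure and power fluctuation rows keep the same safeguards but differ in agent, so they stay apart.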
Conclusion
This article has described a structured approach to identifying a threat population, which
should aid organizations in their quest for cost-effective solutions to their information
security vulnerabilities. These threats are identified by determining the threat events,
protections, security concerns, and threat agents. This should be an eight-step process.
Author Biographies
Timothy R. Stacey
Timothy R. Stacey is employed by Science Applications International Corporation, a
division of Rockwell Space Operations Company, Houston, Texas.
Ronald E. Helsley
Ronald E. Helsley is employed by AlliedSignal Technical Services Corporation, a
division of Rockwell Space Operations Company, Houston, Texas.
Judith V. Baston
Judith V. Baston is employed by Rockwell Space Operations Company, Houston,
Texas.