“Conditional complexity” (also called cyclomatic complexity) is a term used to measure the complexity of software. The term refers to the number of possible paths through a program function; a higher value means higher maintenance and testing costs.
Borrowing that concept in risk modeling, we can apply conditional complexity when calculating the risk severity of security vulnerabilities by evaluating the preconditions necessary for a vulnerability to be exploited.
When doing a security assessment recently, I came across an ugly vulnerability. An attacker who exploited this vulnerability would be able to hijack a victim’s session and impersonate that victim on the system. That sort of thing is generally undesirable.
Business owners typically don’t want something like that to happen, so a knee-jerk reaction is to fix this issue immediately and at all costs. But when is it time to sound the alarm?
The thing is, this particular problem really wasn’t that bad. Sure, the impact to the business would certainly be bad, but it likely wouldn’t happen. To understand why the sky wasn’t falling, let’s take a step back and look at what risk and risk management are.
Brief Background on Risk Management
NIST’s definition of risk is “a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”
In other words, risk is the measure of something undesirable occurring. One model for calculating risk is:
risk = impact × likelihood
The simplicity of the equation is somewhat deceiving, because impact and likelihood really comprise many other considerations.
Impact, in basic terms, is the amount of damage to an organization caused by the compromise of an asset. Typical considerations that contribute to the impact are based on the data classification of the asset: Is the asset confidential? Proprietary? Public? Compliance can be a primary factor if the asset is governed by legislative regulation (U.S. state privacy laws, HIPAA, SOX, etc.) or industry compliance (PCI).
It is necessary, and often overlooked, to understand the value of an asset not only as it applies to the organization, but also as it applies to an outsider (e.g., hacker, competitor, or foreign government). For example, an asset that has a “medium” value to an organization might be highly coveted by a competitor, which elevates the overall impact should the asset be compromised.
In 2002, Princeton admissions officers gained access to Yale’s student admissions data. This student admissions list is obviously a valuable asset to Yale, but it is just as valuable, if not more so, to Princeton admissions officers for focusing recruiting efforts on students not already committed to other schools.
Often, though, the impact can’t be easily measured. An attack that brings down an e-commerce site can be quantitatively measured by the loss of orders. But how much does brand damage cost? Accurately calculating brand damage is difficult and potentially impossible to do in any meaningful way.
Likelihood, the other primary risk factor, comprises characteristics such as sophistication complexity (Does the attacker need special tools or knowledge?), access complexity (Does a user need to be first authenticated and authorized?), and discoverability (Is the vulnerability publicly known?). Like assessing impact, the likelihood is more qualitative than quantitative and is generally done on a relative scale.
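The model above, turned into a small scoring script as an added example (this is not code from the article or its author): impact is driven by the asset's value to the organization and to an outsider plus a compliance bump, likelihood shrinks with each precondition (sophistication, access, discoverability), and two constructed findings are ranked. The 1–3 scales, the weighting and both findings are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal scoring model for
risk = impact x likelihood using the factors the article lists. All scales,
weights and the two sample findings are constructed assumptions."""
from dataclasses import dataclass

# Relative scales: 1 = low, 2 = medium, 3 = high (assumed, not a standard).
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class Finding:
    name: str
    value_to_org: int        # data classification / business value of the asset
    value_to_outsider: int   # what a hacker, competitor or rival would gain from it
    regulated: bool          # governed by HIPAA, SOX, PCI, state privacy law, ...
    sophistication: int      # 3 = needs special tools/knowledge, 1 = trivial
    access: int              # 3 = needs prior authentication/authorization, 1 = anonymous
    discoverability: int     # 3 = publicly known, 1 = obscure


def impact(f: Finding) -> int:
    """Impact follows the higher of the asset's value to the organization and to
    an outsider; regulated assets get a compliance bump, capped at HIGH."""
    base = max(f.value_to_org, f.value_to_outsider)
    return min(HIGH, base + 1) if f.regulated else base


def likelihood(f: Finding) -> float:
    """Each precondition the attacker must satisfy lowers the likelihood: the
    product is 1.0 for a trivial, anonymous, public issue and falls quickly
    as preconditions accumulate (the 'conditional complexity' idea)."""
    ease_of_attack = (HIGH + 1 - f.sophistication) / HIGH  # 1.0 when trivial
    ease_of_access = (HIGH + 1 - f.access) / HIGH          # 1.0 when anonymous
    exposure = f.discoverability / HIGH                    # 1.0 when public
    return ease_of_attack * ease_of_access * exposure


def risk(f: Finding) -> float:
    return impact(f) * likelihood(f)


def rank(findings):
    """Highest risk first: this is the order the business should see."""
    return sorted(findings, key=risk, reverse=True)


# Constructed findings: the session hijack from the article (ugly impact, but
# several preconditions) and a trivially reachable, publicly known leak.
SESSION_HIJACK = Finding("session hijack", HIGH, HIGH, False, HIGH, HIGH, LOW)
PUBLIC_LEAK = Finding("public info leak", MEDIUM, MEDIUM, False, LOW, LOW, HIGH)

if __name__ == "__main__":
    for f in rank([SESSION_HIJACK, PUBLIC_LEAK]):
        print(f"{f.name:18s} impact={impact(f)} likelihood={likelihood(f):.2f} risk={risk(f):.2f}")
```

Run as a script it prints the public leak ahead of the session hijack: the hijack scores HIGH on impact but its three preconditions cut the likelihood to 1/27, which is the point the article makes about the sky not falling.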
Calculating the risk impact and likelihood is key to managing that risk. In economic terms, risk management is a cost justification for securing an asset. This means that when a vulnerability is identified, the organization (the business stakeholders) must determine how to address the risk:
- Remove the risk – eliminate the asset or access to it
- Reduce the risk – add security controls that minimize access to the asset
- Transfer the risk – outsource the control of the asset or purchase insurance
- Accept the risk – do nothing (cross your fingers and hope nothing happens)
The approach to addressing risk is typically a cost/benefit decision (it’s called “gambling” in Vegas). Choosing any one of the above risk mitigation approaches has a cost associated with it, and that cost should not exceed the value of the asset.
As security practitioners, we must realize that the results of our risk assessments can have a material impact on business decisions and budgets, because decisions are generally based on the risk severity of the findings.
In the next installment, the author covers the Conditional Complexity Equation for Risk Models…
About the Author: Rob Barnes writes for Infosec Institute and is a software security architect specializing in web application security, pen testing, risk management, and threat modeling. He holds CISSP, CSSLP, and CEH certifications and has a master’s degree in information security. His passion is helping customers understand and manage risk by framing security in the context of business impact.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
http://www.kb.cert.org/vuls/html/fieldhelp (Note that the CERT scoring system includes precondition as a characteristic of impact instead of likelihood.)