The Assessment (Threat Community A – Zero Day Malware)
In part one of “Hidden Field / Sensitive Information” the Initech Novelty Inc. Security Manager was notified of a potential security vulnerability within the Initech Novelty Inc. ecommerce website. The Security Manager was able to validate that there is indeed a vulnerability and wants to perform a risk assessment as part of the risk management process.
Note: For the “Hidden Field / Sensitive Information” Assessment, I am choosing to perform two assessments; one for each threat community. Usually, I would choose the most likely TCOMM and focus on that, but because there are PCI compliance implications with this scenario – it is appropriate to address that as well.
1. Identify the Asset(s) at Risk: (Page 3 of the FAIR Basic Risk Assessment Guide; aka BRAG)
a. Consumer payment card information. Specifically, the payment card primary account number (PAN) and CVV2/CID/CVC2 values, expiration dates, and cardholder name information.
b. The state of Initech Novelty Inc.’s PCI Compliance.
2. Identify the “Threat Community” (TCOMM); (Page 3 of the FAIR BRAG): There are multiple threat communities that pose a threat to the assets described above. For this scenario, the first two communities that come to mind are zero-day malware and Initech Novelty Inc. itself.
a. Zero-Day Malware. I am choosing this as a TCOMM because most of the INI consumers are accessing the INI ecommerce portal from their home or what they consider to be a trusted PC. The most likely threat to these types of machines / users is malware.
b. Initech Novelty Inc. (INI). I am selecting INI as a TCOMM for several reasons. First, the INI Security Manager believes that, with this vulnerability, INI is no longer 100% compliant with PCI-DSS. The Security Manager will be updating the INI PCI Self-Assessment Questionnaire (SAQ) to reflect a gap with requirement 6.5 (specifically 6.5.7). Thus, INI is a threat to itself: declaring non-compliance exposes it to the consequences of non-compliance.
** The remainder of this post will be focused on TCOMM A – Zero Day Malware **
3. Threat Event Frequency (TEF); (Page 4 of the FAIR BRAG): TEF is the probable frequency, within a given timeframe, that a threat agent will come into contact and act against an asset. For this step, I am going to select MODERATE or between 1 and 10 times per year. Here is why:
a. Internet browsing continues to be popular. More and more consumers are accessing commercial, leisure, and social web sites which increases the probability of coming into contact with malware.
b. Phishing and SPAM continue to be a significant attack vector by which links to malicious websites or malware itself can be distributed and even exploited.
c. An argument could be made that the TEF should be higher, but again, INI’s consumer survey indicates that its consumers are online-aware and perhaps less likely to engage in riskier online behaviors.
*NOTE – It may make more sense to skip to Step Five and then come back to Step Four.
4. Threat Capability (TCAP); (Page 5 of the FAIR BRAG): The probable level of force that a threat agent (within a threat community) is capable of applying against an asset. Keep in mind that we are focused on the TCOMM (zero-day malware), not on the broader threat population (malware in general). For this step I am selecting a value of HIGH, meaning that at least 84% of the threat community is capable of applying force against the consumer’s PC. Here is my reasoning:
a. Zero-day malware typically enjoys a one- or two-day window during which existing security controls cannot detect it.
b. In “Control Resistance” we reasoned that the consumers do not have advanced anti-malware products on their PCs and that they more than likely do not have other security controls that might prevent infection or loss of information.
5. Control Resistance (CR; aka Control Strength); (Page 6 of the FAIR BRAG): The expected effectiveness of controls, over a given timeframe, as measured against a baseline level of force. The baseline level of force in this case is the greater threat population: malware in general is the threat population, but in this scenario we have narrowed our focus to a small subset of it, zero-day malware. For this scenario, I am selecting a Control Resistance value of MODERATE; stated otherwise, the controls on the consumer’s PC are resistant to up to 84% of the threat “population”. Here is my reasoning:
a. Recent studies reflect that a high percentage of American PCs have anti-malware software (AV / Spyware), but a large number of consumers still do not have firewall software installed, anti-spam, or anti-phishing capabilities.
b. The INI survey results would indicate that INI’s consumers are security aware and probably vigilant when it comes to online security practices.
c. Finally, since most home consumers are price conscious, I am assuming that they are purchasing lower priced or freely available anti-malware products, most of which are effective against most known viruses / Trojans but are not sophisticated enough to do heuristics and other advanced forms of malware detection.
6. Vulnerability (VULN); (Page 7 of the FAIR BRAG): The probability that an asset will be unable to resist the actions of a threat agent. The basic FAIR methodology determines vulnerability via a look-up table that takes into consideration “Threat Capability” and “Control Resistance”.
a. In step four – Threat Capability (TCAP) – we selected a value of HIGH.
b. In step five – Control Resistance (CR) – we selected a value of MODERATE.
c. Looking up TCAP = HIGH and CR = MODERATE in the Vulnerability table returns a VULN value of HIGH.
7. Loss Event Frequency (LEF); (Page 8 of the FAIR BRAG): The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset. The basic FAIR methodology determines LEF via a look-up table that takes into consideration “Threat Event Frequency” and “Vulnerability”.
a. In step three – Threat Event Frequency (TEF) – we selected a value of MODERATE; between 1 and 10 times per year.
b. The outcome of step 6 was a VULN value of HIGH.
c. Looking up TEF = MODERATE and VULN = HIGH in the Loss Event Frequency table returns a LEF value of MODERATE.
*Note: the loss magnitude table used in the FAIR BRAG and the loss magnitude table for the Initech, Inc. scenarios are different. The Initech loss magnitude table can be viewed at the Initech, Inc. page of this blog.
8. Estimate Worst-Case Loss (WCL); (Page 9 of the FAIR BRAG): Now we want to start estimating loss values in terms of dollars. For the basic FAIR methodology there are two types of loss: worst case and probable (or expected) loss. The BRAG asks us to: determine the threat action that would most likely result in a worst-case outcome, estimate the magnitude for each loss form associated with that threat action, and sum the loss magnitude. For this step, I am going to select DISCLOSURE in the threat action columns and RESPONSE / REPUTATION, in the loss form columns, with a WCL value of MODERATE (between $5000 and $20,000). Here is why:
a. Due to the randomness of malware and the variability between one consumer’s security posture and another, it is unreasonable to assume that all INI consumers would experience a loss at the same time.
b. However, because this is “worst case” loss – it is not unreasonable for us to estimate a scenario where a few consumers are taken advantage of and the source of unauthorized disclosure is tied back to Initech Novelty Inc.
c. Thus for LOSS FORM: RESPONSE I am quickly estimating $5,000 and for LOSS FORM: REPUTATION I am quickly estimating $2,500. For reputation, I am assuming that loss event knowledge would be contained to the consumer and their social networks and maybe minimal local coverage of the incident. For response, I am assuming lost INI internal productivity, legal expenses, and maybe some hard dollars to provide the consumers credit monitoring or other protections.
9. Estimate Probable Loss Magnitude (PLM); (Page 10 of the FAIR BRAG): In step eight, we focused on worst-case loss. Now we are going to focus on probable loss. Probable loss is, for the most part, always going to be lower than “worst case” loss. The BRAG asks us to: determine the threat action that would most likely result in an expected outcome, estimate the magnitude for each loss form associated with that threat action, and sum the loss magnitude. For this step, I am going to select DISCLOSURE in the threat action columns and RESPONSE / REPUTATION in the loss form columns, with a PLM value of LOW (between $1000 and $5,000). Here is why:
a. Due to the randomness of malware and the variability between one consumer’s security posture and another, it is unreasonable to assume that all INI consumers would experience a loss at the same time – but we should expect at least one consumer to be impacted by this vulnerability in a given year.
b. Since this is “probable loss”, I cannot envision INI having to incur greater than $5,000 to address an incident with one consumer.
c. Thus for LOSS FORM: RESPONSE I am quickly estimating $1,000 and for LOSS FORM: REPUTATION I am quickly estimating $1,000. For reputation, I am assuming that loss event knowledge would be contained to the consumer and maybe their social networks. For response, I am assuming lost INI internal productivity and maybe some hard dollars to provide the consumer credit monitoring or other protections.
10. Derive and Articulate Risk; (Page 11 of the FAIR BRAG): At this point in the basic FAIR methodology we can now derive a qualitative risk rating. Using the table on page 11 of the BRAG worksheet, we use the LEF value from step seven and the PROBABLE LOSS MAGNITUDE value from step nine to derive our overall qualitative risk label.
a. LEF value from step seven was MODERATE.
b. PLM from step nine was LOW.
c. Overall risk using the BRAG table on page 11 is MEDIUM.
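The look-up chain of steps 4 through 10, as an added example that is not part of the original post, written so the inputs can be changed and re-run. Only the three table cells the post walks through are confirmed by the post; every other cell is reconstructed from memory of the BRAG and is an assumption to be checked against your own copy, and the two dollar bands are the Initech ones the post states.

```python
# Added example, not from the original post: the FAIR BRAG look-up chain for
# TCOMM A. Cells the post confirms: TCAP H + CR M -> VULN H; TEF M + VULN H
# -> LEF M; LEF M + PLM L -> MEDIUM. Every other cell is reconstructed from
# memory of the BRAG and is an assumption: check it against your copy.
LEVELS = ["VL", "L", "M", "H", "VH"]
# Vulnerability (BRAG p.7): row = TCAP, columns = Control Resistance VL..VH
VULN_TABLE = {"VH": ["VH", "VH", "VH", "H", "M"],
              "H":  ["VH", "VH", "H", "M", "L"],
              "M":  ["VH", "H", "M", "L", "VL"],
              "L":  ["H", "M", "L", "VL", "VL"],
              "VL": ["M", "L", "VL", "VL", "VL"]}
# Loss Event Frequency (BRAG p.8): row = TEF, columns = VULN VL..VH
LEF_TABLE = {"VH": ["M", "H", "VH", "VH", "VH"],
             "H":  ["L", "M", "H", "H", "H"],
             "M":  ["VL", "L", "M", "M", "M"],
             "L":  ["VL", "VL", "L", "L", "L"],
             "VL": ["VL", "VL", "VL", "VL", "VL"]}
# Risk (BRAG p.11): row = LEF, columns = PLM VL..VH; C = Critical
RISK_TABLE = {"VH": ["M", "H", "H", "C", "C"],
              "H":  ["M", "M", "H", "C", "C"],
              "M":  ["L", "M", "M", "H", "C"],
              "L":  ["L", "L", "M", "H", "C"],
              "VL": ["L", "L", "M", "H", "C"]}
RISK_LABEL = {"L": "LOW", "M": "MEDIUM", "H": "HIGH", "C": "CRITICAL"}
# Initech loss bands as the post states them (lower bound inclusive); the post
# gives only these two, so any total outside them is rejected.
LOSS_BANDS = [("L", 1_000, 5_000), ("M", 5_000, 20_000)]


def lookup(table, row, col):
    """Read one cell of a BRAG-style table; row and col are VL..VH labels."""
    return table[row][LEVELS.index(col)]


def loss_band(loss_forms):
    """Sum the per-loss-form dollar estimates and map the total to a band."""
    total = sum(loss_forms.values())
    for band, low, high in LOSS_BANDS:
        if low <= total < high:
            return band, total
    raise ValueError(f"${total:,} is outside the bands the post defines")


def assess(tef, tcap, cr, probable_loss):
    """Steps 4-10: TCAP+CR -> VULN, TEF+VULN -> LEF, LEF+PLM -> risk label."""
    vuln = lookup(VULN_TABLE, tcap, cr)
    lef = lookup(LEF_TABLE, tef, vuln)
    plm, total = loss_band(probable_loss)
    risk = RISK_LABEL[lookup(RISK_TABLE, lef, plm)]
    return {"VULN": vuln, "LEF": lef, "PLM": plm, "PLM_total": total, "risk": risk}


# The post's inputs: TEF MODERATE, TCAP HIGH, CR MODERATE, PLM $1,000 + $1,000.
ZERO_DAY = assess("M", "H", "M", {"RESPONSE": 1_000, "REPUTATION": 1_000})
```

Re-running `assess` with TEF set to "L" shows what the author's personal note below suggests: with the reconstructed tables, narrowing TEF to LOW drops the risk label from MEDIUM to LOW.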
In part four of this risk assessment scenario, I will summarize the results from both part two and part three.
** PERSONAL NOTE ** There is a part of me that thinks the risk associated with this TCOMM is lower. I personally would like to see the TEF range narrowed a bit. Also, there is a contributing factor in this scenario that we should not discount and that is the privacy of the consumer. So, taking into account the privacy aspect – I would have no problem defending this scenario to a decision maker.