Risk analysis problems

Posted on 2006-05-02
Last Modified: 2010-04-11
If I were to carry out a risk analysis on a company, what would I need to do at a basic level? I'm not worried about the tools that I need like MSAT etc. I need to know how a report should look, what it should contain, etc. Would I just need to list vulnerabilities, the severity of the vulnerability, sensitivity, impact on performance, etc., or is there something else?

Question by:levyuk
    LVL 1

    Expert Comment

    I think everything you listed is fine, but you could add more detail by adding the exposure factor of the asset(s), annualized loss expectancy, annualized rate of occurrence, etc. Here are a few links, hope they help:
    LVL 4

    Accepted Solution

    For as many people as you talk to will be the number of answers you will get with regards to how a "risk assessment" should be written and what it should include.  Is there some kind of standard that the company needs to be in compliance with?  Gov. clients usually need to comply with standards such as NIST, DIACAP, DITSCAP, etc... Most of these standards have at least an outline or a paragraph that states what kind of information should be included in what that regulation calls a "risk assessment".  For corporations, it isn't unusual that they have to comply with HIPAA or Sarbanes-Oxley (SOX).

    In short, find out what the motivation is for this company to want a risk assessment.  If there is no regulation that they are worried about, then you simply need to use the customer's motivation in order to get a good idea of what the customer wants to see in the report.

    Is this an all encompassing risk assessment?  i.e. will you be looking at their risk posture in regards to their network security, policies and procedures, personnel security, physical security, etc, etc?

    The key to any good risk assessment is knowing what you are expected to audit, auditing it to the level of expectation of the customer, then providing a report that really contains VALUE.  I've seen many risk assessments that are nothing but glorified cut&paste versions of the network security scan tools and some procedural things thrown in.  Nothing makes a customer angrier than being handed a large document that doesn't tell them anything or mean anything to the managerial staff that is reading it.  

    That's why the first page of any good RA has an executive summary which details where the assessment took place, when it was done, how long it took, how many findings of each level were identified (initial risk), and what the residual risk levels were (the level of risk once existing security controls are factored in).

    I usually break down the sections in my reports into extremely high, high, moderate, low and ext. low risk vulnerabilities.
    Each section would then break down each individual vulnerability into:
    a. Description:  A description of the vulnerability, be it technical, procedural, etc.
    b. Components Affected: This could be a department, the entire enterprise, specific servers, workstations, etc.
    c. Detected By: Interview, Observation, Test, Documentation.  (these are the traditional types)
    d. Initial Risk: What is the raw risk that this vulnerability has on the system? (ext high, high, mod, low, ext low)
    e. Rationale for Original Risk Determination:  How you arrived at the risk level for d.
    f. Countermeasures Identified: This is where you would list any countermeasures that would (hopefully) lower the initial risk to a lower level.
    g. Residual Risk: What is the risk level once (hopefully) any existing controls are applied.

    If you are in a scenario where you find that there are no countermeasures, then you might want to change f. from "Countermeasures Identified" to "Countermeasures Recommended."  Then you would be free to recommend solutions that would lower the risk of the vulnerability should they be purchased/implemented/changed, etc.

    A lot depends on what the customer really wants (and sometimes determining what a customer REALLY wants can be a black art in and of itself).

    Oh! One more thing, you will want your document to contain some kind of risk matrix.  It is this matrix that you will use to justify section e.

    Your matrix should look something like this: (apologies for the formatting)

    Likelihood of Successful Exploitation   Degree of Harm if Exploitation is Successful   Risk Level
    High                                    High                                           EXTREMELY HIGH
    High                                    Moderate                                       HIGH
    High                                    Low                                            MODERATE
    Moderate                                High                                           HIGH
    Moderate                                Moderate                                       MODERATE
    Moderate                                Low                                            LOW
    Low                                     High                                           MODERATE
    Low                                     Moderate                                       LOW
    Low                                     Low                                            EXTREMELY LOW

    So the format for section "e" would basically be "The likelihood of a successful exploit is (see column) because of (reason).  Given the sensitivity of the information involved, the degree of harm if the exploit is successful is (see column)."

    So, an example would look like:

    ---1.0 Extremely High Risks---
    1.1  Anti-virus not set to automatically update on workstations

    a. Description:  All workstations were found to contain corporate AV software, but none were configured to automatically get their updates, leaving this as a manual task for each user.
    b. Components Affected: All workstations.
    c. Detected By: Observation, Test (you can have more than one)
    d. Initial Risk: Initial risk is extremely high.  While workstations are partially protected, there is no assurance that they are protected against the most current threats.
    e. Rationale for Original Risk Determination:  The likelihood of a successful exploit is high because new viruses, worms, trojans and malware threats are being discovered daily.  Given the sensitivity of the information involved, the degree of harm if the exploit is successful is considered to be high.
    f. Countermeasures Identified: None; there was no countermeasure identified to mitigate this risk level.
    f (a) Countermeasures Recommended: Configure all workstations to update their AV signatures daily at noon.
    g. Residual Risk: As there were no available countermeasures to apply, the residual risk remains extremely high.
    g (a) Residual Risk: If the recommended countermeasures are applied, the residual risk level is reduced to none.

    The end would have some kind of wrap-up verbiage, and then you are done.

    As a last note:  Some customers want the sections divided up by Initial Risk.  Others want the sections divided up by Residual Risk, so they can easily see what their ACTUAL risk posture is.  Typically you end up writing two Risk Assessments for a customer.  The Initial Risk Assessment, that is written with each section being the Initial Risk (since there are usually few if any countermeasures, so you'll be writing it with many recommendations for countermeasures).  Later you will likely write another one where the countermeasures have actually been applied, so the residual risk will be much lower.  In that case, you might want to organize it such that each section is now the residual risk.

    I know it might be a lot of info, and if anything is unclear I'll be happy to explain it again. :)
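    The following is an added example, not code from the thread: it models the report template the accepted solution describes (the (a)-(g) fields, the likelihood x harm risk matrix, the executive-summary counts of initial vs. residual findings, and the choice of organising sections by initial or residual risk), and adds the quantitative figures the first comment mentions (exposure factor, annualized rate of occurrence, annualized loss expectancy). The class and function names and the two sample findings are constructed for illustration; the second finding is made up and is not from the thread.

```python
# Added example (not the thread's own code): a small model of the risk-report
# structure described in the accepted solution, plus the ALE arithmetic from
# the first comment. All names and sample findings are constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Likelihood x degree of harm -> risk level, transcribed from the answer's matrix.
RISK_MATRIX = {
    ("High", "High"): "Extremely High",
    ("High", "Moderate"): "High",
    ("High", "Low"): "Moderate",
    ("Moderate", "High"): "High",
    ("Moderate", "Moderate"): "Moderate",
    ("Moderate", "Low"): "Low",
    ("Low", "High"): "Moderate",
    ("Low", "Moderate"): "Low",
    ("Low", "Low"): "Extremely Low",
}
# Report sections, most to least severe (the order the answer uses).
LEVELS = ["Extremely High", "High", "Moderate", "Low", "Extremely Low"]


def risk_level(likelihood: str, harm: str) -> str:
    """Section (e) in one call: look the (likelihood, harm) pair up in the matrix."""
    try:
        return RISK_MATRIX[(likelihood, harm)]
    except KeyError:
        raise ValueError(f"ratings must be High/Moderate/Low, got {likelihood!r}/{harm!r}")


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> Tuple[float, float]:
    """Quantitative companion to the matrix, using the first comment's terms:
    SLE = asset value x exposure factor (fraction of the asset lost per incident),
    ALE = SLE x annualized rate of occurrence. Returns (SLE, ALE)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    if asset_value < 0 or aro < 0:
        raise ValueError("asset value and ARO cannot be negative")
    sle = asset_value * exposure_factor
    return sle, sle * aro


@dataclass
class Finding:
    """One vulnerability entry: fields (a)-(g) of the answer's template."""
    title: str
    description: str                          # (a)
    components_affected: str                  # (b)
    detected_by: List[str]                    # (c) Interview/Observation/Test/Documentation
    likelihood: str                           # feeds (d) and (e) through the matrix
    harm: str
    countermeasures_identified: List[str] = field(default_factory=list)   # (f)
    countermeasures_recommended: List[str] = field(default_factory=list)  # (f a)
    residual_likelihood: Optional[str] = None  # ratings once existing controls apply
    residual_harm: Optional[str] = None        # None = unchanged from initial

    def initial_risk(self) -> str:            # (d)
        return risk_level(self.likelihood, self.harm)

    def residual_risk(self) -> str:           # (g)
        # Only controls that exist lower residual risk; recommendations do not.
        if not self.countermeasures_identified:
            return self.initial_risk()
        return risk_level(self.residual_likelihood or self.likelihood,
                          self.residual_harm or self.harm)


def executive_summary(findings: List[Finding]) -> dict:
    """Per-level counts for the first page: {level: (initial, residual)}."""
    initial = Counter(f.initial_risk() for f in findings)
    residual = Counter(f.residual_risk() for f in findings)
    return {lvl: (initial[lvl], residual[lvl]) for lvl in LEVELS}


def sections(findings: List[Finding], by: str = "initial") -> dict:
    """Group finding titles into report sections by initial or residual risk."""
    key = Finding.initial_risk if by == "initial" else Finding.residual_risk
    out = {lvl: [] for lvl in LEVELS}
    for f in findings:
        out[key(f)].append(f.title)
    return out


# Constructed sample: the AV finding from the answer plus one made-up backup finding.
SAMPLE_FINDINGS = [
    Finding("Anti-virus not set to automatically update on workstations",
            "AV installed on all workstations, but signature updates are a manual task.",
            "All workstations", ["Observation", "Test"], "High", "High",
            countermeasures_recommended=["Configure workstations to update AV signatures daily"]),
    Finding("Backups kept on site only",
            "Nightly backups exist but are stored in the server room (constructed).",
            "File servers", ["Interview", "Documentation"], "Moderate", "High",
            countermeasures_identified=["Weekly tape rotation to an off-site container"],
            residual_likelihood="Low"),
]
```

    Running `executive_summary(SAMPLE_FINDINGS)` gives one Extremely High finding that stays Extremely High (no control exists, only a recommendation) and one High finding that drops to Moderate because an off-site rotation already exists; `sections(SAMPLE_FINDINGS, by="residual")` is the layout the answer's last note describes for the follow-up assessment. `annualized_loss_expectancy(100_000, 0.25, 2)` returns an SLE of 25,000 and an ALE of 50,000 for a constructed asset.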


    LVL 7

    Author Comment

    Dude, that is one of the most clear explanations I've found. It all makes sense to me; I've seen something like that somewhere but I wasn't sure, so it's good to get a 2nd opinion. The company is fictional so it doesn't have to comply with any regulations. Since you seem to have done this before, could you suggest any risks off the top of your head for network infrastructure? I was thinking about loss of connectivity between two networks as one problem, IP spoofing as another, and then I hit a brick wall.

    LVL 4

    Expert Comment

    Hehe, I'm so glad it made sense!!

    As for risks to a network infrastructure, you can usually work your way around that brick wall if you operate around the "CIA Triad" of Confidentiality, Integrity and Availability:

    Does the network handle sensitive information? (patient data, financial, personally identifiable info that could be used to steal an identity, etc)
    If so, how is it being protected? Do they have encryption in places where encryption makes sense?(Confidentiality)

    Do they have an adequate backup policy for their critical data? How many days' worth of retention is there? Where are backups stored? (off-site in a fire-rated container?)  (Integrity)
    Single points of failure in the architecture are always big (depends on how much the company's profit and viability depends on Availability)

    Lack of a COOP site (if the primary goes down, is there a cold/warm/hot site waiting in the wings?, again speaks to Availability)

    Change management is a Vulnerability that I'm ALWAYS identifying, especially when it comes to key network infrastructure components such as routers and firewalls.  Is there a formal approval process for making modifications to these key devices? (I once found a FW that had all of the original rules negated by a slew of exceptions followed by an allow Any:Any rule.  Their excuse was that they had gotten too many complaints from users who couldn't do things out on the internet..)

    Is that the type of risks you were wanting to hear about when you said network infrastructure? You threw me with the IP spoofing example, since that is more along the lines of an attack.  However, if they don't encrypt their sensitive data, you could certainly say that it could be easily compromised by a spoofing attack.  In this case, their inability to properly protect their assets is their vulnerability, and the spoof attack is what you would think about when speaking about the likelihood of a successful exploit of the vulnerability.

    Let me know if there is anything else I can help you with. :)


    LVL 7

    Author Comment

    Some good suggestions there. I shall take them on board. There is sensitive data involved so encryption would need to be applied.
    LVL 7

    Author Comment

    If a company was connecting to LANs using a secure VPN, then that would solve the problem of encryption and confidentiality as it's taken care of by the SVPN, that's correct, right?
    LVL 4

    Expert Comment

    Sure, provided they are using fairly secure encryption.  However, if the data is only encrypted between LANs, but then travels in clear text internally and anyone has access to the internal LAN (available from any Ethernet plug, no VLAN separation, ability to access internal resources through unprotected dialups), then it is still a finding, only internally vs. externally. :)
