RISK MANAGEMENT FOR COMPUTER SECURITY This Page Intentionally Left Blank RISK MANAGEMENT FOR COMPUTER SECURITY Protecting Your Network and Information Assets By Andy Jones & Debi Ashenden AMSTERDAM ● BOSTON ● HEIDELBERG ● LONDON NEW YORK ● OXFORD ● PARIS ● SAN DIEGO SAN FRANCISCO ● SINGAPORE ● SYDNEY ● TOKYO Elsevier Butterworth–Heinemann 30 Corporate Drive, Suite 400, Burlington, MA 01803, USA Linacre House, Jordan Hill, Oxford OX2 8DP, UK Copyright © 2005, Elsevier Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permis- sion of the publisher. Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: [email protected]. You may also complete your request on-line via the Elsevier homepage (http://books.elsevier.com/security), by selecting “Customer Support” and then “Obtaining Permissions.” ϱ Recognizing the importance of preserving what has been written, Elsevier-Science prints its books on acid-free paper whenever possible. Library of Congress Cataloging-in-Publication Data Jones, Andy. Risk management for computer security: protecting your network and information assets/Andy Jones and Debi Ashenden. —1st ed. p. cm. Includes bibliographical references and index. ISBN 0-7506-7795-3 (alk. paper) 1. Industrial safety—Management. 2. Computer security. I. Ashenden, Debi. II. Title. T55. J655 2005 658. 4’78—dc22 20040755 British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library. ISBN: 0-7506-7795-3 For information on all Elsevier Butterworth-Heinemann publications visit our Web site at http://books.elsevier.com/security Printed in the United States of America 05060708091010987654321 To my wife, Kath, who has always given support and shown tolerance and patience and without whose support I would not have been able to complete this book. Dr. Andrew Jones, MBE MSc. MBCS University of Glamorgan United Kingdom This Page Intentionally Left Blank Contents Foreword by Dr. Jerry Kovacich ix Preface xiii Acknowledgments xix About the Authors xxi SECTION I: AN INTRODUCTION TO RISK MANAGEMENT 1 1 Introduction to the Theories of Risk Management 3 2 The Changing Environment 11 3 The Art of Managing Risks 25 SECTION II: THE THREAT ASSESSMENT PROCESS 35 4 Threat Assessment and Its Input to Risk Assessment 37 5 Threat Assessment Method 55 6 Example Threat Assessment 89 SECTION III: VULNERABILITY ISSUES 131 7 Operating System Vulnerabilities 133 8 Application Vulnerabilities 143 vii viii Risk Management for Computer Security 9 Public Domain or Commercial Off-the-Shelf Software? 149 10 Connectivity and Dependence 165 SECTION IV: THE RISK PROCESS 183 11 What Is Risk Assessment? 185 12 Risk Analysis 195 13 Who Is Responsible? 207 SECTION V: TOOLS AND TYPES OF RISK ASSESSMENT 213 14 Qualitative and Quantitative Risk Assessment 215 15 Policies, Procedures, Plans, and Processes of Risk Management 219 16 Tools and Techniques 231 17 Integrated Risk Management 243 SECTION VI: FUTURE DIRECTIONS 253 18 The Future of Risk Management 255 Index 261 Foreword This book, Risk Management for Computer Security: Protecting Your Network and Information Assets, as the name obviously implies, is a book about managing risks. But not just any type of risks—risks to information systems and computers. Computers may be networked or stand alone, although very few these days are not somehow connected to one another through local area networks, wide area networks, and the “mother of all networks,” the Internet, as well as the informa- tion they display, store, process, and transmit. It is about cost-effectively managing those risks. You are probably saying “so what?” There are thousands of such books on the market, so why this one? I anticipated that question because I also was a potential reader of this book and did not want to waste time reading a book that was not practical and only provided “scholarly” information but was of little practical application for me in establishing and managing a risk management program. I asked myself the same question. After all, why should I endorse this book? To find the answer to “our question,” I decided to do some research. I went on- line to one of the world’s most well-known on-line booksellers (who shall remain nameless) and found 90,316 “hits” on risk management books and magazines. The books and magazines listed ran the gamut from risk management topics related to finance, product development, insurance, investing, computing, secu- rity, personal credit, healthcare, and the like. I narrowed the search to “computer security risk management” and found “only” 53,872 hits. That helped but still didn’t work very well. Therefore, I decided to see what these 53,872 books were about. I found that many were very narrow in focus, dealing with risk issues per- taining to U.S. Government matters, a new health law, vulnerabilities of some networks, risk stuff related to the Internet, and the like. Some were somewhat dated, actually out of date based on the rapidly changing world of our informa- tion environment. To narrow my book choices down even more, I looked at the ix x Risk Management for Computer Security information provided about many of the books’ authors. Some were written by individuals who may be nice people, good writers, and researchers but obviously either have little or no experience in the “real-world” of doing risk management processes, projects, establishing risk management programs, and the like—or if so, their experiences seemed to be limited (based on the information provided). This became apparent by looking at their degrees as well as their jobs as presented on the on-line books’ web pages. In addition, they, for the most part, seemed to be focused on risks without actually putting the emphasis where it belongs— applying it to businesses, thinking like a business person, and looking at it from a business perspective. In other words, how can I do it at the least cost to my busi- ness while balancing those costs with some acceptable level of risks? After all, even governments have limited budgets for information assets protection and have developed a “business approach” to dealing with this issue. Some books’ web pages I looked at indicated that the books were basically information systems security—computer security—books with some risk management things thrown in. Some had “cutesy” titles to get your attention, but when looking at the reviews by those who had purchased their books, the number of pages, table of contents, and authors’ backgrounds, well, many just didn’t seem to be worth reading. So, there we have it. I found many books published that at least alluded to risk management, but very few really seemed to be written by those whose duties involve managing risks to automated information and the information systems. Many seemed to be outdated, whereas others seemed to lack the approach used in this book. Now, there is this book you are reading—or at least reading this Foreword. What I found enjoyable about this book is that it really is a “handbook” that is easy to read and covers “everything you always wanted to know but were afraid to ask” on the topic of managing risks of information assets, with emphasis on costs versus risks. Let me say it this way: It is a business-oriented approach where costs are an important issue that must be considered. In other words, how much pro- tection is enough? How much does it cost? Is it worth the costs? Are we getting our money’s worth? How do we know? How much risk am I accepting? Is it too much? Not enough based on costs? As the authors point out: ... if the risk assessment is not carried out effec- tively, then the organization will either waste money or be exposed to an unac- ceptable risk. This says it all. This is what risk management is all about, and this is the authors’ driving thought behind this book. Now, how does one establish a program to include processes and such to address the risk manage- ment issues associated with information assets protection at least cost? In Foreword xi other words, using management terminology, effectively and efficiently (good and cheap). Speaking of the authors, look at who they are—look at their educational background and experience as noted in the “About the Authors” part of this book. Their experience is not just in information systems security, even though that background is needed. More importantly, look at their experience in actually establishing and managing risk management projects and programs. Andy Jones and Debi Ashenden indeed have “been there and done that.” They are writing based on their actual experiences in the business of managing the risks to infor- mation systems and the information that our modern systems display, process, store, and transmit. Indeed, if you could only have one book on risk manage- ment to guide you to successfully managing systems and information risks in the business world as well as in a government’s information environment, this would be the one to choose. What is also nice about this book is that it is not some statistically driven look at managing risks written by someone with a PhD in statistics and one that requires the reader a similar degree to understand what the author is talking about. No, this is an easy-to-read common business sense approach to the topic. It has information that can be easily applied by both the novice and experienced information systems security practitioners.