Risk Analysis Notes


    7/25/2019 Risk Analysis Notes

    RISK ANALYSIS

    A risk analysis is an ongoing process of discovering, correcting and preventing security problems. It is an integral part of a risk management process designed to provide appropriate levels of security for information systems. We need to identify the levels of risk associated with any of the items in our network infrastructure. Once we have identified the level of risk we can then develop an action plan to mitigate (ease or reduce) the identified risk.

    We use two measures to identify the level of risk:

    A. The likelihood of the event occurring, and
    B. The likely impact on the assets or network if the event occurred.

    LIKELIHOOD
    1 Very Unlikely, 2 Unlikely, 3 Moderate, 4 Likely, 5 Very Likely

    IMPACT
    1 Negligible, 2 Minor, 3 Moderate, 4 Significant, 5 Severe

    This can then be portrayed in a grid to determine the level of risk:

    The following matrix demonstrates how risk is calculated based on the impact and likelihood scores. We can convert this into a numerical value, where the higher the score the higher the risk:

    EVENTS likely to affect the Airport. Possible events to consider include the following:
    System Software
    Application Software
    IT Hardware
    Vendor failure
    Viruses
    Unauthorised attacks, hacks, etc.
    Communications, Connectivity - local, internet
    Operations / error (human)
    Utilities failure - power - power supply backup - UPS
    Terrorism
    Criminal Activity - vandalism, etc.
    Work Stoppage / Strikes
    Weather
    Fire / Flood

    ASSETS likely to be affected. Possible assets to consider include:
    Cabling
    Wifi network
    Servers and Server room
    Web server
    Router
    Switches
    Firewall
    System Software
    Application Software
    IT Hardware
    Portable devices
    Network Access
    Publicly Accessed network


    The above diagram was created to help explain the relationship between the various components of an information risk assessment using the basic formula for risk. Audiences that are new to Information Security and/or Risk Management may need to have some of the basic terms explained.

    The Basic Statement

    Likelihood x Impact = Risk

    The risk statement is derived by following the blue arrows:

    The Likelihood - That - Threats Will exploit - Vulnerabilities - To attack - Targets - and compromise - Information (confidentiality and/or integrity and/or availability) - causing - Impact = Risk.

    [Diagram. Blue arrows: LIKELIHOOD that Threats will Exploit Vulnerabilities to attack Targets and Compromise Information causing IMPACT = RISK. Green arrows present the following control statements: RISK can be Accepted by Executive; Transferred to an External body; or Mitigated with Controls, which Reduce Vulnerability, Reduce Likelihood, Reduce Impact, and so Reduce RISK.]
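As an added worked example (not part of the original notes), the Likelihood x Impact = Risk scoring and the control statements from the diagram applied to a constructed airport risk register; the band thresholds, the sample scores and the helper names are assumptions.

```python
# Added example, not from the original notes: a small risk register that
# scores constructed sample entries with Likelihood x Impact = Risk on the
# notes' 1..5 scales, ranks them for the action plan, and models the control
# statements from the diagram (mitigate, accept, transfer) as residual risk.
# The band thresholds are an assumption; the notes' matrix is not reproduced.
from dataclasses import dataclass, replace

LIKELIHOOD = {1: "Very Unlikely", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Very Likely"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Significant", 5: "Severe"}


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact = Risk, both scores on the notes' 1..5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be an integer from 1 to 5")
    return likelihood * impact


def risk_band(score: int) -> str:
    """Assumed banding of the 1..25 score range (thresholds not given in the notes)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskEntry:
    event: str        # from the 'Events likely to affect the Airport' list
    asset: str        # from the 'Assets likely to be affected' list
    likelihood: int
    impact: int
    treatment: str = "untreated"

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)


def rank_register(register):
    """Highest risk first, so the action plan addresses the worst items first."""
    return sorted(register, key=lambda e: e.score, reverse=True)


def mitigate(entry: RiskEntry, likelihood_drop: int = 0, impact_drop: int = 0) -> RiskEntry:
    """'Mitigated with Controls': a control reduces likelihood and/or impact
    (never below 1 on the scale) and the residual risk is re-scored."""
    return replace(entry,
                   likelihood=max(1, entry.likelihood - likelihood_drop),
                   impact=max(1, entry.impact - impact_drop),
                   treatment="mitigated")


def accept(entry: RiskEntry) -> RiskEntry:
    """'Accepted by Executive': the score is unchanged, only the decision is recorded."""
    return replace(entry, treatment="accepted")


def transfer(entry: RiskEntry) -> RiskEntry:
    """'Transferred to an External body': the score is unchanged, the owner changes."""
    return replace(entry, treatment="transferred")


# Constructed sample register for the airport scenario (scores are invented).
SAMPLE_REGISTER = [
    RiskEntry("Utilities failure - power supply", "Servers and Server room", likelihood=3, impact=5),
    RiskEntry("Unauthorised attacks, hacks", "Web server", likelihood=4, impact=4),
    RiskEntry("Viruses", "Portable devices", likelihood=4, impact=2),
    RiskEntry("Weather", "Cabling", likelihood=2, impact=3),
]


def plan_for(register):
    """Return (event, asset, band, score) rows in priority order."""
    return [(e.event, e.asset, risk_band(e.score), e.score) for e in rank_register(register)]


if __name__ == "__main__":
    for event, asset, band, score in plan_for(SAMPLE_REGISTER):
        print(f"{score:>2} {band:<6} {event} -> {asset}")
    # A UPS for the server room reduces the impact of a power failure.
    residual = mitigate(SAMPLE_REGISTER[0], impact_drop=3)
    print("residual:", residual.score, risk_band(residual.score), residual.treatment)
```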

    http://www.tru.ca/its/infosecurity/


    This diagram is shared here for non-commercial use under Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/).

    1 Minor: Noticeable disruption to the achievement of results. This outcome would result in response from IT professional and trades staff for the issue, usually under routine procedures.

    2 Moderate: Material deterioration in the achievement of results. This outcome would result in response from IT management staff and the potential for establishing a dedicated working level, multidiscipline team to resolve.

    3 Major: Significant deterioration in achievement of results. This outcome would result in response from divisional management staff and may require the formulation of interdepartmental working level teams, with management oversight to resolve.

    4 Severe: Fundamental threat to operating results. This outcome would result in immediate senior management attention and the formulation of a dedicated management team and working teams to identify and resolve the underlying issues.

    5 Catastrophic / Worst Case: Results threaten the survival of the organisation in its current form. This outcome would result in full-time senior management attention and the formulation of dedicated full-time management teams and working level teams to identify and resolve the underlying issues.

    THREAT SOURCES

    A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. There are two aspects to threat considered in this publication: (i) threat sources; and (ii) threat events.

    A threat source is an actor (causal agent) with the intent and method targeted at the exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. In general, types of threat sources include: (i) hostile cyber/physical attacks; (ii) human errors of omission or commission; (iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and (iv) natural and man-made disasters, accidents, and failures beyond the control of the organization.


    TYPE OF THREAT SOURCE / DESCRIPTION / CHARACTERISTICS

    ADVERSARIAL
    Individual: Outsider; Insider; Trusted Insider; Privileged Insider
    Group: Ad hoc; Established
    Organisation
    Nation-State
    Description: Individuals, groups, organizations, or states that seek to exploit the organization's dependence on cyber resources (i.e., information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies).
    Characteristics: Capability, Intent, Targeting

    ACCIDENTAL
    Ordinary User
    Privileged User/Administrator
    Description: Erroneous actions taken by individuals in the course of executing their everyday responsibilities.
    Characteristics: Range of effects

    STRUCTURAL
    IT Equipment: Storage; Processing; Communications; Display; Sensor; Controller
    Environmental Controls: Temperature/Humidity Controls; Power Supply
    Software: Operating System; Networking; General-Purpose Application; Mission-Specific Application
    Description: Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances which exceed expected operating parameters.
    Characteristics: Range of effects

    ENVIRONMENTAL
    Natural or man-made disaster: Fire; Flood/tsunami; Windstorm/Tornado; Hurricane; Earthquake; Bombing; Overrun
    Unusual natural event (e.g. sunspots)
    Infrastructure Failure/Outage: Telecommunications; Electrical Power
    Description: Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization. Note: Natural and man-made disasters can also be characterized in terms of their severity and/or duration. However, because the threat source and the threat event are strongly identified, severity and duration can be included in the description of the threat event (e.g., Category 5 hurricane causes extensive damage to the facilities housing mission-critical systems, making those systems unavailable for three weeks).
    Characteristics: Range of effects

    Note: Taken from NIST Special Publication 800-30 Revision 1, Initial Public Draft, Guide for Conducting Risk Assessments, September 2011, Appendix D-2 (the page reference is garbled in the source).

    ADVERSARIAL THREAT EVENTS - Representative Examples

    A threat event is an event or situation initiated or caused by a threat source that has the potential for causing adverse impact. Threat events for cyber attacks are typically characterized by the tactics, techniques, and procedures (TTPs) employed by adversaries. (See also the list of non-adversarial threat events.)

    THREAT EVENT / DESCRIPTION

    Access sensitive information through network sniffing: Adversary gains access to the exposed wired or wireless data channels that organizations (or organizational personnel) use to transmit information, and intercept communications. Adversary actions might include, for example, targeting public kiosks or hotel networking connections.

    Adapt cyber attacks based on detailed surveillance: Adversary adapts attacks in response to surveillance of organizations and the protective measures that organizations employ.

    Exploit recently discovered vulnerabilities: Adversary exploits recently discovered vulnerabilities in organizational information systems in an attempt to attack the systems before mitigation measures are available or in place.

    Employ brute force login attempts/password guessing: Adversary attempts to gain access to organizational information systems by random or systematic guessing of passwords, possibly supported by password cracking utilities.

    Cause degradation or denial of attacker selected services or capabilities: Adversary launches attacks specifically intended to impede the ability of organizations to function.

    Cause deterioration/destruction of critical information system components and functions: Adversary attempts to destroy or deteriorate critical information system components for purposes of impeding or eliminating the ability of organizations to carry out missions or business functions. Detection of this action is not a concern.

    Combine internal and external attacks across multiple information systems and information technologies to achieve a breach or compromise: Adversary combines attacks that require both physical presence within organizations and cyber methods to achieve success. Physical components may be as simple as convincing maintenance personnel to leave doors or cabinets open.

    Compromise critical information systems via physical access by outsiders: Adversary without authorized access to organizational information systems, attempts to physically gain access to the systems.

    Compromise mission critical information: Adversary takes action to compromise the integrity of mission critical information, thus preventing/impeding ability of organizations to which information is supplied, from carrying out operations.

    Compromise information systems or devices used externally and reintroduce into the enterprise: Adversary manages to install malware on information systems or devices while the systems/devices are external to organizations for purposes of subsequently infecting organizations when reconnected.

    Compromise design, manufacture, and/or distribution of information system components (including hardware, software, and firmware) organizations are known to use: Adversary is able to compromise the design, manufacturing, and/or distribution of critical information system components at selected suppliers.

    Conduct reconnaissance, surveillance, and target acquisition of targeted organizations: Adversary uses various means (e.g., scanning, physical observation) to examine and assess organizations and ascertain points of vulnerability.

    Conduct phishing attacks: Adversary attempts to acquire sensitive information such as usernames, passwords, or SSNs, by pretending to be communications from a legitimate/trustworthy source. Typical attacks occur via email, instant messaging, or comparable means; commonly directing users to Web sites that appear to be legitimate sites, while actually stealing the entered information.

    Continuous, adaptive and changing cyber attacks based on detailed surveillance of organizations: Adversary attacks continually change in response to surveillance of organizations and protective measures that organizations take.

    Coordinating cyber attacks on organizations using external (outsider), internal (insider), and supply chain (supplier) attack vectors: Adversary employs continuous, coordinated attacks, potentially using all three attack vectors for the purpose of impeding organizational operations.

    Create and operate false front organizations that operate within the critical life cycle path to inject malicious information system components into the supply chain: Adversary creates the appearance of legitimate suppliers that then inject corrupted/malicious information system components into the supply chain of organizations.

    Deliver known malware to internal organizational information systems (e.g., virus via email): Adversary uses common delivery mechanisms (e.g., email) to install/insert known malware (e.g., malware whose existence is known) into organizational information systems.

    Deliver modified malware to internal organizational information systems: Adversary uses more sophisticated means (e.g., Web traffic, instant messaging, FTP) to deliver malware and possibly modifications of known malware to gain access to internal organizational information systems.

    Devise attacks specifically based on deployed information technology environment: Adversary develops attacks, using known and unknown attacks that are designed to take advantage of adversary knowledge of the information technology infrastructure.

    Discovering and accessing sensitive data/information stored on publicly accessible information systems: Adversary attempts to scan or mine information on publicly accessible servers and Web pages of organizations with the intent of finding information that is sensitive (i.e., not approved for public release).

    Distributed Denial of Service (DDoS) attack: Adversary uses multiple compromised information systems to attack a single target, thereby causing denial of service for users of the targeted information systems.

    Exploit known vulnerabilities in mobile systems (e.g., laptops, PDAs, smart phones): Adversary takes advantage of the fact that transportable information systems are outside the physical protection of organizations and the logical protection of corporate firewalls, and compromises the systems based on known vulnerabilities to gather information from those systems.

    Exploiting vulnerabilities in information systems timed with organizational mission/business operations tempo: Adversary launches attacks on organizations in a time and manner consistent with organizational needs to conduct mission/business operations.

    Externally placed adversary sniffing and intercepting of wireless network traffic: Adversary strategically in position to intercept wireless communications of organizations.

    Hijacking information system sessions of data traffic between the organization and external entities: Adversary takes control of (hijacks) already established, legitimate information system sessions between organizations and external entities (e.g., users connecting from off-site locations).

    Injecting false but believable data/information into organizational information systems: Adversary injects false but believable data into organizational information systems. This action by the adversary may impede the ability of organizations to carry out missions/business functions correctly and/or undercut the credibility other entities may place in the information or services provided by organizations.

    Insert subverted individuals into privileged positions in organizations: Adversary has individuals in privileged positions within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag). Adversary may target privileged functions to gain access to sensitive information (e.g., user accounts, system files, etc.) and may leverage access to one privileged capability to get to another capability.

    Counterfeit/Spoofed Web site: Adversary creates duplicates of legitimate Web sites and directs users to counterfeit sites to gather information.

    Deliver targeted Trojan for control of internal systems and exfiltration of data: Adversary manages to install software containing Trojan horses that are specifically designed to take control of internal organizational information systems, identify sensitive information, exfiltrate the information back to adversary, and conceal these actions.

    Employ open source discovery of organizational information useful for future cyber attacks: Adversary mines publicly accessible information with the goal of discerning information about information systems, users, or organizational personnel that the adversary can subsequently employ in support of an attack.

    Exploit vulnerabilities on internal organizational information systems: Adversary searches for known vulnerabilities in organizational internal information systems and exploits those vulnerabilities.

    Inserting malicious code into organizational information systems to facilitate exfiltration of data/information: Adversary successfully implants malware into internal organizational information systems, where the malware over time identifies and then successfully exfiltrates valuable information.

    Installing general-purpose sniffers on organization-controlled information systems or networks: Adversary manages to install sniffing software onto internal organizational information systems or networks.

    Leverage traffic/data movement allowed across perimeter (e.g., email communications, removable storage) to compromise internal information systems (e.g., using open ports to exfiltrate information): Adversary makes use of permitted information flows (e.g., email communications) to facilitate compromises to internal information systems (e.g., phishing attacks to direct users to go to Web sites containing malware which allows adversary to obtain and exfiltrate sensitive information through perimeters).

    Insert subverted individuals into the organizations: Adversary has individuals in place within organizations that are willing and able to carry out actions to cause harm to organizational missions/business functions. Subverted individuals may be active supporters of adversary, supporting adversary (albeit under duress), or unknowingly supporting adversary (e.g., false flag).

    Insert counterfeited hardware into the supply chain: Adversary intercepts hardware from legitimate suppliers. Adversary modifies the hardware or replaces it with faulty or otherwise modified hardware.

    Inserting malicious code into organizational information systems and information system components (e.g., commercial information technology products known to be used by organizations): Adversary inserts malware into information systems specifically targeted to the hardware, software, and firmware used by organizations (resulting from the reconnaissance of organizations by adversary).

    Inserting specialized, non-detectable, malicious code into organizational information systems based on system configurations: Adversary launches multiple, potentially changing attacks specifically targeting critical information system components based on reconnaissance and placement within organizational information systems.

    Insider-based session hijacking: Adversary places an entity within organizations in order to gain access to organizational information systems or networks for the express purpose of taking control of (hijacking) an already established, legitimate session either between organizations and external entities (e.g., users connecting from remote locations) or between two locations within internal networks.

    Installing persistent and targeted sniffers on organizational information systems and networks: Adversary places within the internal organizational information systems or networks software designed to (over a continuous period of time) collect (sniff) network traffic.

    Intercept/decrypt weak or unencrypted communication traffic and protocols: Adversary takes advantage of communications that are either unencrypted or use weak encryption (e.g., encryption containing publicly known flaws), targets those communications, and gains access to transmitted information and channels.

    Jamming wireless communications: Adversary takes measures to interfere with the wireless communications so as to impede or prevent communications from reaching intended recipients.

    Malicious activity using unauthorized ports, protocols, and services: Adversary conducts attacks using ports, protocols, and services for ingress and egress that are not authorized for use by organizations.

    Malicious creation, deletion, and/or modification of files on publicly accessible information systems (e.g., Web defacement): Adversary vandalizes, or otherwise makes unauthorized changes to, organizational Web sites or files on Web sites.

    Mapping and scanning organization-controlled (internal) networks and information systems from within (inside) organizations: Adversary installs malware inside the perimeter that allows the adversary to scan the network to identify targets of opportunity. Because the scanning does not cross the perimeter, it is not detected by externally placed intrusion detection systems.

    Mishandling of critical and/or sensitive information by authorized users: Authorized users inadvertently expose critical/sensitive information.

    Multistage attacks (e.g., hopping): Adversary moves attack location from one compromised information system to other information systems, making identification of the source difficult.

    Network traffic modification (man in the middle) attacks by externally placed adversary: Adversary intercepts/eavesdrops on sessions between organizations and external entities. Adversary then relays messages between the organizations and external entities, making them believe that they are talking directly to each other over a private connection, when in fact the entire communication is controlled by the adversary.

    Network traffic modification (man in the middle) attacks by internally placed adversary: Adversary operating within the infrastructure of organizations intercepts and corrupts data sessions.

    Non-target specific insertion of malware into downloadable software and/or into commercial information technology products: Adversary corrupts or inserts malware into common freeware, shareware, or commercial information technology products. Adversary is not targeting specific organizations in this attack, simply looking for entry points into internal organizational information systems.

    Operate across organizations to acquire specific information or achieve desired outcome: Adversary does not limit planning to the targeting of one organization. Adversary observes multiple organizations to acquire necessary information on targets of interest.

    Opportunistically stealing or scavenging information systems/components: Adversary takes advantage of opportunities (due to advantageous positioning) to steal information systems or components (e.g., laptop computers or data storage media) that are left unattended outside of the physical perimeters of organizations.

    Perimeter network reconnaissance/scanning: Adversary uses commercial or free software to scan organizational perimeters with the goal of obtaining information that provides the adversary with a better understanding of the information technology infrastructure and facilitates the ability of the adversary to launch successful attacks.

    Pollution of critical data: Adversary implants corrupted and incorrect data in the critical data that organizations use, to cause organizations to take suboptimal actions or to subsequently disbelieve reliable inputs.

    Poorly configured or unauthorized information systems exposed to the Internet: Adversary gains access through the Internet to information systems that are not authorized for such access or that do not meet the specified configuration requirements of organizations.

    Salting the physical perimeter of organizations with removable media containing malware: Adversary places removable media (e.g., flash drives) containing malware in locations external to the physical perimeters of organizations but where employees are likely to find them and install them on organizational information systems.

    Simple Denial of Service (DoS) Attack: Adversary attempts to make an Internet-accessible resource unavailable to intended users, or prevent the resource from functioning efficiently or at all, temporarily or indefinitely.

    Social engineering by insiders within organizations to convince other insiders to take harmful actions: Internally placed adversaries take actions (e.g., using email, phone) so that individuals within organizations reveal critical/sensitive information (e.g., personally identifiable information).

    Social engineering by outsiders to convince insiders to take harmful actions: Externally placed adversaries take actions (using email, phone) with the intent of persuading or otherwise tricking individuals within organizations into revealing critical/sensitive information (e.g., personally identifiable information).

    Spear phishing attack: Adversary employs phishing attacks targeted at high-value targets (e.g., senior leaders/executives).

    Spill sensitive information: Adversary contaminates organizational information systems (including devices and networks) by placing on the systems, or sending to/over the systems, information of a classification/sensitivity which the systems have not been authorized to handle. The information is exposed to individuals that are not authorized access to such information, and the information system, device, or network is unavailable while the spill is investigated and mitigated.

    Spread attacks across organizations from existing footholds: Adversary builds upon existing footholds within organizations and works to extend the footholds to other parts of organizations, including organizational infrastructure. Adversary places itself in positions to further undermine the ability for organizations to carry out missions/business functions.

    Successfully compromise software of critical information systems within organizations: Adversary inserts malware or otherwise corrupts critical internal organizational information systems.

    Tailgate authorized staff to gain access to organizational facilities: Adversary follows authorized individuals into secure/controlled locations with the goal of gaining access to facilities, circumventing physical security checks.

    Tailored zero-day attacks on organizational information systems: Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Zero-day attacks are based on adversary insight into the information systems and applications used by organizations as well as adversary reconnaissance of organizations.

    Tamper with critical organizational information system components and inject the components into the systems: Adversary replaces, through supply chain, subverted insider, or some combination thereof, critical information system components with modified or corrupted components that operate in such a manner as to severely disrupt organizational missions/business functions or operations.

    Targeting and compromising home computers (including personal digital assistants and smart phones) of critical employees within organizations: Adversary targets key employees of organizations outside the security perimeters established by organizations by placing malware in the personally owned information systems and devices of individuals (e.g., laptop/notebook computers, personal digital assistants, smart phones). The intent is to take advantage of any instances where employees use personal information systems or devices to convey critical/sensitive information.

    Targeting and exploiting critical hardware, software, or firmware (both commercial off-the-shelf and custom information systems and components): Adversary targets and attempts to compromise the operation of software (e.g., through malware injections) that performs critical functions for organizations. This is largely accomplished as supply chain attacks.

    Unauthorized internal information system access by insiders: Adversary is an individual who has authorized access to organizational information systems, but gains (or attempts to gain) access that exceeds authorization.

    Undermine the ability of organizations to detect attacks: Adversary takes actions to inhibit the effectiveness of the intrusion detection systems or auditing capabilities within organizations.

    Use remote information system connections of authorized users as bridge to gain unauthorized access to internal networks (i.e., split tunneling): Adversary takes advantage of external information systems (e.g., laptop computers at remote locations) that are simultaneously connected securely to organizations and to nonsecure remote connections, gaining unauthorized access to organizations via nonsecure, open channels.

    Using postal service or other commercial delivery services to insert malicious scanning devices (e.g., wireless sniffers) inside facilities: Adversary uses courier service to deliver to organizational mailrooms a device that is able to scan wireless communications accessible from within the mailrooms and then wirelessly transmit information back to adversary.

    Zero-day attacks (non-targeted): Adversary employs attacks that exploit as yet unpublicized vulnerabilities. Attacks are not based on any adversary insights into specific vulnerabilities of organizations.


NON-ADVERSARIAL THREAT EVENTS - Representative Examples

Threat Source / Threat Event / Description

Threat source: Accidental - Ordinary User
Threat event: Spill - sensitive information
Description: Authorized user erroneously contaminates a device, information system, or network by placing on it or sending to it information of a classification/sensitivity which it has not been authorized to handle. The information is exposed to access by unauthorized individuals, and as a result, the device, system, or network is unavailable while the spill is investigated and mitigated.

Threat source: Accidental - Privileged User or Administrator
Threat event: Mishandling of critical and/or sensitive information by authorized users
Description: Authorized privileged user inadvertently exposes critical/sensitive information.

Threat source: Communication
Threat event: Communications contention
Description: Degraded communications performance due to contention.

Threat source: Display
Threat event: Unreadable display
Description: Display unreadable due to aging equipment.

Threat source: Earthquake
Threat event: Earthquake at primary facility
Description: Earthquake of organization-defined magnitude at primary facility makes facility inoperable.

Threat source: Fire
Threat event: Fire at primary facility
Description: Fire (not due to adversarial activity) at primary facility makes facility inoperable.

Threat source: Fire
Threat event: Fire at backup facility
Description: Fire (not due to adversarial activity) at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

Threat source: Flood
Threat event: Flood at primary facility
Description: Flood (not due to adversarial activity) at primary facility makes facility inoperable.

Threat source: Flood
Threat event: Flood at backup facility
Description: Flood (not due to adversarial activity) at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

Threat source: Hurricane
Threat event: Hurricane at primary facility
Description: Hurricane of organization-defined strength at primary facility makes facility inoperable.

Threat source: Hurricane
Threat event: Hurricane at backup facility
Description: Hurricane of organization-defined strength at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.

Threat source: Processing
Threat event: Resource depletion
Description: Degraded processing performance due to resource depletion.

Threat source: Storage
Threat event: Disk error
Description: Corrupted storage due to a disk error.

Threat source: Storage
Threat event: Pervasive disk error
Description: Multiple disk errors due to aging of a set of devices all acquired at the same time, from the same supplier.

Threat source: Windstorm or Tornado
Threat event: Windstorm/tornado at primary facility
Description: Windstorm/tornado of organization-defined strength at primary facility makes facility inoperable.

Threat source: Windstorm or Tornado
Threat event: Windstorm/tornado at backup facility
Description: Windstorm/tornado of organization-defined strength at backup facility makes facility inoperable or destroys backups of software, configurations, data, and/or logs.


Vulnerability Threat Pairs

A vulnerability is an inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source. Most information system vulnerabilities can be identified with security controls that either have not been applied or which, while applied, retain some weakness.

However, vulnerabilities need not be identified only within information systems. Viewing information systems in a broader context, vulnerabilities can be found in organizational governance structures (e.g., lack of effective risk management strategies, poor intra-agency communications, inconsistent decisions about relative priorities of core missions and business functions). Vulnerabilities can also be found in external relationships (e.g., dependencies on energy sources, the supply chain, technology, and telecommunications providers), mission/business processes (e.g., poorly defined processes or processes that are not risk-aware), and enterprise and information security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems).

Vulnerability / Threat Source / Threat Action

Vulnerability: Terminated employees' accounts are not removed from the system or made inactive.
Threat source: Adversarial insiders (continuing employees with ill intent and knowledge of terminated employee user IDs and passwords) and/or adversarial outsiders (unauthorized external individuals).
Threat action: Accessing the company's network (whether remotely or through having an otherwise valid reason for being physically present within the organization), logging into an application as a terminated employee, and accessing company proprietary data or protected health information.

Vulnerability: Company firewall allows inbound telnet and guest ID is enabled on XYZ server.
Threat source: Adversarial outsiders, unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists).
Threat action: Using telnet to XYZ server and browsing files with guest ID.

Vulnerability: The vendor has identified flaws in the security design of Windows 2003 server; however, new patches have not been applied to the system.
Threat source: Adversarial outsiders, unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists).
Threat action: 1) Obtaining unauthorized access to sensitive system files based on known system vulnerabilities. 2) A virus or worm could take down the LAN, servers and could transmit data to a computer criminal.

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place.
Threat source: Environmental - Fire.
Threat action: Water sprinklers being turned on in the data center.

Vulnerability: Inconsistent patient identity verification safeguards are applied in the practice.
Threat source: Adversarial outsiders (e.g., individuals attempting to misappropriate another's identity for purposes of seeking healthcare).
Threat action: The medical identity thief successfully receives care and the integrity of the legitimate patient's protected health information is compromised.

Vulnerability: Lack of detailed operating procedures designed to direct the work of business associates in their performance of services for the covered entity.
Threat source: Accidents or errors caused by valid ordinary or privileged users.
Threat action: The business associate may carry out work according to their normal mode of operations for their non-healthcare clients and accidentally violate some component of HIPAA's Security Rule because the business associate is not familiar with every specific Security Rule requirement.

Definitions of Key Terms: Likelihood, Impact, Risk

Risk: The determination of risk for a particular threat/vulnerability pair is a function of:

1. The likelihood of a given threat-source's attempting to exercise a given vulnerability
2. The magnitude of the impact should a threat-source successfully exercise the vulnerability
3. The adequacy of planned or existing security controls for reducing or eliminating risk

Likelihood: Likelihood is an indication of the probability that a potential vulnerability may be exercised given the threat environment.

Consider the following factors:

1. Threat-source motivation and capability
2. Nature of the vulnerability
3. Existence and effectiveness of current or planned controls

Likelihood Level / Likelihood Definition (anticipated frequency of occurrence is:)

Very High: Error, accident, or act of nature is almost certain to occur; or occurs > 100 times a year.

High: Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times p.a.

Medium: Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times p.a.

Low: Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.

Negligible: Error, accident, or act of nature is highly unlikely to occur; or occurs < once every 10 years.


Impact

The level of impact from a threat event is the magnitude of harm that can be expected to result from the unauthorized disclosure, modification, disruption, destruction, or loss of information and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of organizational and non-organizational stakeholders including, for example, heads of agencies, mission and business owners, information owners/stewards, mission/business process owners, information system owners, or individuals/groups in the public or private sectors relying on the organization; in essence, anyone with a vested interest in the organization's operations, assets, or individuals, including other organizations in partnership with the organization, or the Nation (for critical infrastructure-related considerations).

The following are adverse impacts that should be considered when scoring:

Type of Impact / Impact

Harm to Operations
- Inability to perform current missions/business functions.
  o In a sufficiently timely manner.
  o With sufficient confidence and/or correctness.
  o Within planned resource constraints.
- Inability, or limited ability, to perform missions/business functions in the future.
  o Inability to restore missions/business functions.
  o In a sufficiently timely manner.
  o With sufficient confidence and/or correctness.
  o Within planned resource constraints.
- Harms (e.g., financial costs, sanctions) due to noncompliance.
  o With applicable laws or regulations.
  o With contractual requirements or other requirements in other binding agreements.
- Direct financial costs.
- Relational harms.
  o Damage to trust relationships.
  o Damage to image or reputation (and hence future or potential trust relationships).

Harm to Assets
- Damage to or loss of physical facilities.
- Damage to or loss of information systems or networks.
- Damage to or loss of information technology or equipment.
- Damage to or loss of component parts or supplies.
- Damage to or loss of information assets.
- Loss of intellectual property.

Harm to Individuals
- Identity theft.
- Loss of Personally Identifiable Information [or Protected Health Information].
- Injury or loss of life.
- Damage to image or reputation.
- Physical or psychological mistreatment.

Harm to Other Organizations
- Harms (e.g., financial costs, sanctions) due to noncompliance.
  o With applicable laws or regulations.
  o With contractual requirements or other requirements in other binding agreements.
- Direct financial costs.


- Relational harms.
  o Damage to trust relationships.
  o Damage to reputation (and hence future or potential trust relationships).

Harm to the Nation
- Damage to or incapacitation of a critical infrastructure sector.
- Loss of government continuity of operations.
- Relational harms.
  o Damage to trust relationships with other governments or with nongovernmental entities.
  o Damage to national reputation (and hence future or potential trust relationships).
- Damage to current or future ability to achieve national objectives.

Magnitude of Impact / Impact Definition

Very High: The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.

High: The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Medium: The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

Low: The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Negligible: No significant impact. The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
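The risk definition above (likelihood, impact, and adequacy of controls), the likelihood table and the magnitude-of-impact table can be turned into a repeatable scoring routine for a register of threat/vulnerability pairs. The following is an added worked example written for these notes; it is not code from the notes or from NIST. It assumes the five levels score 1 to 5 and that risk is the product likelihood x impact, as in the 5x5 grid at the start of the notes; the treatment of controls as a one-level likelihood reduction per point of effectiveness, the Low/Medium/High bands for the product, and the frequencies and impact levels in the sample register are all this example's own choices.

```python
"""Risk scoring for threat/vulnerability pairs, using the likelihood levels,
impact levels and risk definition given in these notes.

Added illustration, not code from the notes themselves.  Assumptions that
the notes do not state are marked in comments.
"""
from dataclasses import dataclass

# The notes' five levels, lowest to highest.  Scores 1..5 and the product
# likelihood x impact follow the 5x5 grid at the start of the notes.
LEVELS = ["Negligible", "Low", "Medium", "High", "Very High"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}


def likelihood_level(events_per_year: float) -> str:
    """Map an anticipated frequency of occurrence to the notes' likelihood level.

    Bands from the likelihood table: >100/yr Very High; 10-100 High; 1-10 Medium;
    less than once a year but more than once every 10 years Low; less than once
    every 10 years Negligible.  Exact boundary values go to the higher band
    (assumption: the table leaves them ambiguous).
    """
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 100:
        return "Very High"
    if events_per_year >= 10:
        return "High"
    if events_per_year >= 1:
        return "Medium"
    if events_per_year >= 0.1:  # at least once every 10 years
        return "Low"
    return "Negligible"


@dataclass(frozen=True)
class ThreatVulnPair:
    vulnerability: str
    threat_source: str
    events_per_year: float          # anticipated frequency, before crediting controls
    impact: str                     # one of LEVELS, from the magnitude-of-impact table
    control_effectiveness: int = 0  # assumption: each point lowers likelihood one level


def risk_score(pair: ThreatVulnPair) -> int:
    """Risk = likelihood x impact, with existing controls credited as a likelihood
    reduction.  The notes list control adequacy as the third factor; modelling it
    as a level shift is this example's assumption."""
    if pair.impact not in SCORE:
        raise ValueError(f"unknown impact level: {pair.impact}")
    likelihood = SCORE[likelihood_level(pair.events_per_year)]
    likelihood = max(1, likelihood - pair.control_effectiveness)
    return likelihood * SCORE[pair.impact]


def risk_rating(score: int) -> str:
    """Bands for the 1..25 product; the thresholds are this example's choice."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


# Constructed register built from pairs in the notes' vulnerability/threat table.
# Frequencies, impact levels and control credits are invented for illustration.
SAMPLE_REGISTER = [
    ThreatVulnPair("Terminated employees' accounts not removed or made inactive",
                   "Adversarial insiders and/or outsiders", 2.0, "High"),
    ThreatVulnPair("Firewall allows inbound telnet; guest ID enabled on server",
                   "Adversarial outsiders", 20.0, "High"),
    ThreatVulnPair("Vendor-identified server flaws, patches not applied",
                   "Adversarial outsiders", 50.0, "Very High", control_effectiveness=1),
    ThreatVulnPair("Water sprinklers in data center, no tarpaulins in place",
                   "Environmental - Fire", 0.05, "High"),
]


def rank_register(register):
    """Return (vulnerability, score, rating) tuples, highest risk first, so the
    mitigation action plan can be ordered by risk."""
    rows = [(p.vulnerability, risk_score(p), risk_rating(risk_score(p)))
            for p in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for vuln, score, rating in rank_register(SAMPLE_REGISTER):
        print(f"{score:2d} {rating:6s} {vuln}")
```

Running the script lists the register ordered by score: the telnet/guest ID pair scores 16 (High x High), the unpatched server 15 (High reduced one level by its control credit, times Very High), the stale accounts 12, and the sprinkler scenario 4, which is how the notes' action plan would be prioritised. Changing a pair's control_effectiveness shows the effect a planned control has on the score before it is implemented.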


Our Security Risk Analysis Process Flow
