If you hear an information technology professional say there are risks to an organization, fire them. There is only risk. Risk is a state of possible negative consequences, and stating that there are multiple risks glosses over a deeper reality. There is risk in breathing. There is risk in not breathing. Evaluating the overall risk, the entirety of the risk, allows you to make an informed decision on which is the least risky behavior. But there is only risk.
I’ve been told that there are acute and chronic forms of crisis. I think of crisis as a momentary or critical point with negative harm indicated by events. It is kind of hard to get my mind around the idea of a chronic (long lasting, developing, persistent) form of danger. Yet that is where the world finds itself today, with the budgetary battles in the United States Congress being one form, and the monetary fiasco in Europe being an even larger example. As budgets globally follow consumer spending, and the decision cycle of leaders has not caught up with the evidence, corporate and government budgets continue to shrink. This is a classic case for risk management, and a classic case of when it will be ignored.
Threats
Let’s look at the threats to the current national budgets. A threat is an actor, agent, or entity whose behaviors are hostile or negative toward the governance or operation of the enterprise. In this case we can list them in no particular order, and feel free to add your own.
1) Citizens
2) Federal politicians
3) State politicians
4) Bankers
5) Foreign countries
6) National bank lenders
7) Criminals
Not quite the list you were expecting, was it? Consider the act of governance inside of an enterprise and the actors or agents that can harm it. We often talk about the insider threat (who would be a user), and we talk about the advanced persistent threat (which is code for foreign countries). The administrators and governing agents are like the politicians and bankers. I’ll let you decide who is administrating and who is governing on your own.
You can analyze threat vectors in a variety of ways, but we’ll use a very simple example. Think about your citizen and their goals, motives, and incentives. You could write it like this: citizen {goal(lower taxes, freedom of action, etc.) motives(cheaper cost of living, increased ability to buy stuff)}, and you could keep on going with it. Now consider the banker {goal(lower taxes, freedom of action, etc.) motives(increased profit, increased ability to make money)}. As you can see, they agree in at least one vector (lower taxes) as a goal, even though, going by the media, we would normally assume they are diametrically opposed. We could (but won’t) weight these values and begin to graph these position points. That weighted graph could provide insight into the actual threats against the enterprise, or, as in our case, against balancing the budget.
If you do this kind of analysis (much deeper than a blog post can do) and start to fill in the various behavioral indicators and goals, motives, and incentives (behavior drivers) you can create a map to the vectors of threats. You can also find where group behaviors diverge and converge. This all should be leading to an understanding of the actual threat profile against getting a budget done or securing your enterprise. You would be correct in thinking that this kind of analysis would not be done in a morning before your first cup of coffee.
Vulnerability
Why do you do this? A specific vulnerability has zero impact unless it is paired with a corresponding threat. An unpatched kernel vulnerability will have no impact if it is not placed in an environment where there are threats against it. Now many would say existence is enough to be threatened, but that is a bit simplistic. We have a tendency to roll threats and vulnerabilities together and call them a risk. Speaking heuristically, that is, attempting to discover a procedure for solving the problem of risk, we can examine the various aspects of threat and vulnerability against the enterprise.
What are we going to classify as vulnerabilities in our examination of the budgetary processes within the enterprise? We can start out with an unordered list of a few common vulnerabilities. We can argue about them but they are fairly consistently postulated in the mainstream media. Besides, this is just a friendly blog post by a guy nobody listens to anyway. So some vulnerabilities:
1) Political cronyism
2) Banking money in election process
3) Lack of term limits
4) Too large to fail, too big to fix
5) Knowledge of financial system is lacking
Nobody ever likes lists like that. They’re never happy with what you put on them, or don’t put on them. For our purposes it serves the goal of examination. If you look at a vulnerability, you can examine it for particular characteristics. In a well-structured domain this would be much simpler, but for our purposes we’ll look at the characteristics of a vulnerability by writing it this way: vulnerability{attribute(output, output), …}. So we’ll get something like this: political cronyism{money(graft, corruption, self aggrandizement)}, banking money in election process{money(graft, corruption, self promotion)}. Once again we can see vulnerabilities that align, and we could assign values or weights to them and start to tease out some understanding of the actual vulnerabilities.
In the information security world there are databases with weak metric capabilities for assigning values to vulnerabilities. The worst of them assign binned values like low, medium, and high to a specific vulnerability. Others have attempted to assign values based on the associated threat vectors and use cases. That is a much harder solution. Personally I think this kind of analysis, as weak as this explanation is, will drive use-case security as costs rise and budgets decline, but I digress.
Countermeasures and opportunity costs
Even if all of the threat vectors indicate doom, and all of the vulnerabilities of the system are ready to eviscerate the country, the game is not done. There are countermeasures to be put into play. If our analysis of the known threats and vulnerabilities has been done well, we have some good data for setting up our countermeasures. Many people just use cookbook approaches to security, and we see that same lack of skill played out in solving national budgetary issues. Each side trots out the same tired homilies, whether talking about defense in depth, socialism, security by obscurity, or social contracts.
Countermeasures are our suggested solutions to the threat and vulnerability challenges. In the information technology realm some poor administrator breaks out the NIST STIG or the Department of Defense STIG for an operating system and implements it without thinking. That’s their job; leave them to it. We get to look in and ask how much time is being spent on mitigating vulnerabilities that do not have an associated threat. What are the opportunity costs of implementing particular security practices on a system? One example: a continuity of operations or continuity of government program might be severely hampered by an erstwhile useless virtual private network policy, with dramatic and even tragic consequences for a mission capability.
If in the analysis specific elements of a particular threat were seen to align, and the associated vulnerabilities also align, this threat profile should be specifically mitigated through a countermeasure. Where are you going to find these kinds of mitigations? Well, in the NIST STIGs. It would be nice if they were already coded in such a way that you could do this kind of realistic analysis. Government trying to solve budget fiascos has a set of standards and management practices to call upon. The Office of Management and Budget along with the General Accounting Office (along with other agencies) have documents that explain exactly what needs to be done for good governance. Unfortunately we see legislative leaders ignoring their version of the NIST STIGs, and not really offering up any better form of analysis.
Impact
So the hands of fate align, and threat and vulnerability align in an unmitigated (no countermeasure) event. So what? Without an associated impact, whether on a sliding scale or not, there is zero to worry about. Our impact assessment should express an associated level of confidence and loss. We might write it something like impact(chance, confidence interval, exposure), so that we know the chance of something happening and the confidence we have in our understanding of that possibility. These are then linked to allow us to examine the exposure factor to the enterprise.
The greatest example of threat profiles having no effect is the Anonymous/LulzSec attack against Amazon.com. The threat actors Anonymous/LulzSec activated a vulnerability via a denial of service attack (an attack against availability). Amazon had mitigated the attack via a variety of architectural choices and resourcing schemes. The impact at that point was expected to be very low, and there was little risk of the impact substantially affecting services. The result was near zero impact on business or enterprise operations. The associated risk would be very low. With Congress I’d say they engage in a self-imposed denial of service whenever they are out of session, but I kind of like it when they aren’t at work, so I won’t mention it too loudly.
Putting the pieces together
If we examine the threat vectors, the associated vulnerabilities, the inactive countermeasures or mitigations, and then the associated values for impact of the national debacle called Congress, it would seem the associated risk is very high. That was a long-winded way of saying we’re screwed.
You can use the strategies for doing risk management, and depending on how you put the pieces together you will end up with residual risk (the risk you have not mitigated but know about) and latent risk (the risk you didn’t mitigate and didn’t know you had). That is one of the benefits of using recipe security. Recipe security results in a broader swath of mitigation than you might perceive. So, though it isn’t good for the process, it may be good for the enterprise. A lesson Congress has consistently failed to learn, and one that corporations primarily focused on quarterly profit and short vision horizons also fail to learn.
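The notation sketched in the Threats, Vulnerability and Impact sections, carried through into a small risk register that finds where actor goals and vulnerability outputs align, zeroes a pair a countermeasure covers (the Amazon case), and sums what is left as residual risk. This is an added example, not the post's own code; the scoring rule (chance times exposure, with confidence only widening the spread) and the sample threats, vulnerabilities, impact values and the single countermeasure are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Threat:           # citizen {goal(...) motives(...)} notation from the post
    name: str
    goals: frozenset
    motives: frozenset
@dataclass(frozen=True)
class Vulnerability:    # vulnerability{attribute(output, output), ...}
    name: str
    attribute: str
    outputs: frozenset
@dataclass(frozen=True)
class Impact:           # impact(chance, confidence interval, exposure)
    chance: float       # estimated probability the pair is activated, 0..1
    confidence: float   # confidence in that estimate, 0..1
    exposure: float     # loss if it happens, arbitrary units

def aligned_goals(threats):
    """Actor pairs whose goals converge (the 'lower taxes' overlap in the post)."""
    return {(a.name, b.name): a.goals & b.goals
            for a, b in combinations(threats, 2) if a.goals & b.goals}

def aligned_outputs(vulns):
    """Vulnerability pairs whose outputs align (graft, corruption in the post)."""
    return {(a.name, b.name): a.outputs & b.outputs
            for a, b in combinations(vulns, 2) if a.outputs & b.outputs}

def risk_register(pairs, countermeasures):
    """pairs: (threat, vulnerability, impact) triples; countermeasures: (threat name,
    vulnerability name) tuples a control covers. Assumed scoring, not from the post:
    score = chance * exposure; low confidence widens the spread, not the score."""
    rows = []
    for t, v, i in pairs:
        mitigated = (t.name, v.name) in countermeasures   # the Amazon case: pair fires, control holds
        score = 0.0 if mitigated else i.chance * i.exposure
        rows.append((t.name, v.name, mitigated, score, score * (1.0 - i.confidence)))
    return rows

def residual_risk(rows):
    """Known but unmitigated risk; latent risk (pairs never modelled) cannot appear here."""
    return sum(score for _, _, mitigated, score, _ in rows if not mitigated)
# Constructed sample data mirroring the post's lists
citizen = Threat("citizen", frozenset({"lower taxes", "freedom of action"}), frozenset({"cheaper cost of living"}))
banker = Threat("banker", frozenset({"lower taxes", "freedom of action"}), frozenset({"increased profit"}))
cronyism = Vulnerability("political cronyism", "money", frozenset({"graft", "corruption", "self aggrandizement"}))
election_money = Vulnerability("banking money in election process", "money", frozenset({"graft", "corruption", "self promotion"}))
PAIRS = [(banker, election_money, Impact(0.8, 0.9, 100.0)), (citizen, cronyism, Impact(0.5, 0.4, 60.0))]
COUNTERMEASURES = {("banker", "banking money in election process")}  # assumed control in place
```

The residual total only ever counts pairs you thought to model; the latent risk the post describes is exactly what such a register cannot show.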
Now for something completely different
We won’t go into detail here, but we’ll examine one little tidbit. If you actually read this far, here is the candy at the end of the meal. What if you turned the risk management process on its head? What if you looked at it from the perspective of increasing risk? Why would you do that? A variety of reasons come to mind why this exercise might be valuable, but just play along for a minute and think about it.
If I want to create risk I am going to want to activate a threat and vulnerability pair. I will want to look at the countermeasures and nullify or negate them. Depending on the tie between the threat and vulnerability pair I can associate a perceived impact, or we’ll call it the result after the exercise. We’re talking about a classic version of targeting and associated impact assessment. Welcome to the dark side. Think about this the next time somebody wants to publish a risk assessment on the web.
These are just some research notes from some projects I’m working on. Don’t take them too seriously, and I figure most people will be too-long-didn’t-read (TL;DR) anyway, but if you did like it let me know. I haven’t decided if I’m going to pursue this much further. Though I may post the Internet weather forecasting (vulnerability zero day) analysis piece soon.