Risk Management

Exploring F.A.I.R – Assets Redux

by kriggins on February 26, 2009

in fair, Risk Management

So, to revisit the post which sparked the last few, let's talk about assets. Before we get started though, just a reminder that all the posts in this series can be found on this page.

And now, on with the show. We have described the organization for which we are performing the assessment. We have also described, to a certain extent, the architecture of the system involved.

Again, we are going to take things in a little different order than presented in the Introduction to FAIR. The first thing we are going to look at is asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, why don't we make a list of the assets we might be concerned about.

  • Bandwidth
  • Hardware (Servers, routers, switches, firewalls, etc.)
  • Services (Web services and database services)
  • Information (Tax code and tax rates)

The bandwidth is an asset because evildoers on the internet need a way to spread their evil. They would much prefer to use our bandwidth than pay for their own.

The hardware is an asset because someone might want to steal it or run their own software on it.

The services provided are an asset for similar reasons. The evildoers need places to put the stuff they want to spread or a place to stash the stuff they have already taken elsewhere.

The information is an asset because...well...it's why the rest of the stuff is there in the first place 🙂 Seriously, information is always an asset. As discussed in the first post on assets, it likely doesn't matter if the information is classified as public or not. The integrity and availability of that public information can be very important.

For instance, in our case, the information defines how much money a company will have to pay in taxes. If it is modified or deleted, it can have a serious effect on the revenue of the state.

Ideally, we would perform a risk analysis for each asset "class" above and incorporate all the results into our risk assessment. For our purposes though, we are going to concentrate on just one, the information.

In the next post in this series we will take a look at threats and threat agents.

As always, please let me know your thoughts in the comments.

-Kevin

Image courtesy of tao_zyn.

This is the next post in our Exploring F.A.I.R. series. Links to previous posts can be found here.

I didn't plan very well when I jumped right into things with my last post about assets. I made the statement that the information hosted on the web server was not an asset and I was rightfully corrected by several folks.

Where I erred was in having some preconceived ideas of where things were going to go and not sharing those ideas with you ahead of time. That being said, those ideas have changed and I am going to start sharing them in this post.

I am going to follow in the footsteps of others (i.e., steal their ideas) and flesh out our scenario first. I am essentially copying what Chris did, although not quite as detailed.

Below you will find a description of the organization that we are performing our assessment for along with a Loss Magnitude Table which we will talk about later. The next post will present the characteristics of the system we will be assessing.

Welcome to Oblivia!

Oblivia is a small country that is just now entering the technological age. Needless to say, maturity in their information technology infrastructure is a bit lacking.

The sole source of income for the government is the taxes they assess on companies doing business in the country. Citizens do not pay taxes and there are no tariffs on imports or exports. (I know, work with me here.) Their tax code is quite complicated and there are many different rates depending on business type, revenue, etc. Annual tax revenue for the country is $10,000,000 and their budget, which they adhere to very well, is $9,000,000. (I told you, it's a small country!)

They have decided to publish the tax code on the internet and, in the interests of having a transparent tax code, have declared that public representation to be the authoritative source.

We have been hired to assess the web server and infrastructure that has been put in place to publish the tax code.

Below is the Loss Magnitude Table for the Oblivian government.

Severe (Sv)        >$1,000,000
High (H)           $500,000 - $1,000,000
Significant (Sg)   $250,000 - $499,000
Moderate (M)       $100,000 - $249,999
Low (L)            $50,000 - $99,999
Very Low (VL)      <$50,000
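To make the table usable in an analysis, here is an added example (not code from the post or from the FAIR documentation) that encodes the Oblivian bands and maps a dollar loss estimate, or a scenario built from several loss components, to its band. The scenario figures are constructed for illustration; the post gives only the $10,000,000 revenue and $9,000,000 budget, and the gap between $499,000 and $500,000 in the printed table is assumed to belong to Significant.

```python
"""Loss Magnitude lookup for the Oblivia scenario (added example code)."""
from dataclasses import dataclass

# (label, abbreviation, inclusive lower bound in dollars), highest band first.
# Severe is strictly greater than $1,000,000, so $1,000,000 itself is High.
# The printed table leaves $499,001-$499,999 uncovered; this code assumes
# that gap belongs to Significant (an assumption, not a correction).
LOSS_MAGNITUDE_BANDS = [
    ("Severe", "Sv", 1_000_000),
    ("High", "H", 500_000),
    ("Significant", "Sg", 250_000),
    ("Moderate", "M", 100_000),
    ("Low", "L", 50_000),
    ("Very Low", "VL", 0),
]


def loss_magnitude(loss_dollars: float) -> str:
    """Return the band abbreviation for a single loss estimate."""
    if loss_dollars < 0:
        raise ValueError("a loss cannot be negative")
    if loss_dollars > 1_000_000:  # strict: "Severe (Sv) >$1,000,000"
        return "Sv"
    for _label, abbrev, lower in LOSS_MAGNITUDE_BANDS[1:]:
        if loss_dollars >= lower:
            return abbrev
    return "VL"  # lower bound 0 always matches, so this is never reached


@dataclass
class LossScenario:
    """A loss event against one asset, broken into dollar components."""
    asset: str
    description: str
    components: dict  # component name -> dollars, e.g. {"response": 20_000}

    def total(self) -> float:
        return sum(self.components.values())

    def band(self) -> str:
        return loss_magnitude(self.total())


# Constructed figures for illustration only (not from the post).
INFORMATION_INTEGRITY = LossScenario(
    asset="Information (tax code and tax rates)",
    description="Published rates silently lowered; under-collection until detected",
    components={"under-collected tax": 450_000, "response and re-audit": 30_000},
)


def worst_case(scenarios):
    """Return (asset, band) for the scenario with the largest total loss."""
    worst = max(scenarios, key=LossScenario.total)
    return worst.asset, worst.band()
```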

Keep tuned in as we describe the infrastructure in the next installment of "Exploring F.A.I.R." As always, comments are not only welcome, you are encouraged to let me know what you think.

-Kevin


Exploring FAIR – What’s an Asset?

by kriggins on January 30, 2009

in Risk Management

In this post we are going to start exploring the terminology of FAIR. It makes sense to me that we explore FAIR through the use of an example scenario, much like the FAIR Introduction (link to pdf) does.

We are going to use a web site for our scenario. We will develop the scenario more and more as we go along, but the following are the initial characteristics:

  • The web server is an up-to-date version of Apache.
  • The information stored on the server is public.
  • The web server is exposed to the internet.
  • The bandwidth available is significant.

We are going to take things in a little different order than presented in the Introduction to FAIR. The first thing we are going to look at is asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, what asset or assets are present that we need to be worried about?

Is the information in this case an asset? No, because we've classified the information as public. Three things come to mind as assets with the information we have so far: the physical hardware Apache is running on, the Apache web server itself, and the available bandwidth.

The hardware is an asset because someone might want to steal it or run their own software on it. The web server is an asset because someone might want to use it for their own purposes. The bandwidth is an asset because, again, someone may want to use that bandwidth, that we pay for, for their own purposes.

Pretty basic and straightforward. Next time we will look at "What's a threat?"

As always, the comments are open. Feel free to share your thoughts.

-Kevin

Image courtesy of tao_zyn.

Every business has information of one kind or another. That information is most often processed, transmitted and stored using information technology. While that information is being processed, transmitted and stored, it is exposed to a certain level of risk, even if it never leaves the confines of the business's building.

As information security professionals, we are tasked with ensuring that our business's information is protected. To do so, we need to implement processes, procedures, and controls that reduce risk to an acceptable level. Unfortunately, our companies do not have endless resources, either in terms of manpower or money. That means we need a method of determining how much risk exists and what is an appropriate level of resources, if any, to expend to address that risk.

Enter Factor Analysis of Information Risk (FAIR). FAIR is the brainchild of Jack J. Jones, CISSP, CISM, CISA of Risk Management Insight, LLC and has been released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

So what is FAIR? From the Wiki:

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

Together, over what will likely be a fairly long series of posts, we are going to explore FAIR. This will help me internalize the concepts and hopefully you will find it an interesting ride too.

I have already pointed to the Wiki above. There are also a few other sources of information and tools available if you want to read ahead.

The Basic Risk Assessment Guide lives here. Note: direct link to the pdf.

Alex Hutton frequently writes about FAIR on his blog.

Chris Hayes has done some great work on his blog about FAIR too.

Next we will start digging into the terminology used in FAIR. As always, comments are open. Feel free to let me know what you think.

-Kevin
