[Preface]
In the information security risk management field, there are three requirements or problems:
• Enterprise top management needs to see the overall situation of enterprise information security risks from a macro perspective
• The measurement methods for information security risk are not objective enough: existing methods contain too many subjective factors, so their results are hard to get widely recognized.
• There is no objective basis for selecting policies and solutions to handle information security risks, which makes it difficult to evaluate the effectiveness of risk control.
This article attempts to provide a relatively objective method for measuring information security risks and tries to solve the above problems to a certain extent.
[Measurement Model]
Information security risk is the possibility that a threat causes losses to an information asset or a group of information assets. Generally, the magnitude of the information security risk value is related to the value of the information assets, the threats and the vulnerabilities.
Figure 1: Risk = f (Asset, Threat, Vulnerability)
It is difficult to identify all the risks an information asset faces, and if they cannot all be identified, the so-called overall situation loses its foundation. Therefore, the first problem to solve is the completeness of information security risk identification, that is, how to identify all the risks faced by one or more information assets.
To solve this problem, the information security risk measurement model needs to be simplified. Among the three elements of risk, the value of the information assets and the threats they face can be treated as constants.
Treating the value of information assets and their threats as constants has practical significance. The overall risk situation is generally described for specific information assets; that is, in a specific scenario the information assets in question are clearly identified and their value is clear, so it is a constant. Threats are sporadic, and their uncertainty makes them difficult to evaluate accurately; we recommend taking the maximum value, so the threat can also be regarded as a constant. This simplification also points out the direction for information security risk management: among the three elements of risk, the most immediate and effective risk management measures are aimed at vulnerabilities. Therefore, in-depth analysis of vulnerabilities has practical significance for reducing information security risk, and it can provide specific, feasible implementation solutions for information security risk management.
[Vulnerabilities vs security vulnerabilities]
In actual business scenarios, a threat exploiting a single vulnerability cannot cause actual harm to an information asset. For example, if a server has a 0-day vulnerability, that is a weakness; but for a hacker to use it to intrude on the server, at least one more precondition must hold: the service or application with the 0-day vulnerability must be accessible, either over the network or physically. That is, any actual information security risk requires at least two prerequisites: path accessibility and permission accessibility. First, the target object must be reachable; whether over the network or physically, some form of contact is required. Second, the target object must be vulnerable to unauthorized access to the target information. It is like obtaining money: you must first have access to the cash machine, and then have a bank account and password. Neither condition can be omitted.
Therefore, for ease of description, a new definition is given for a security vulnerability: a security vulnerability is a set of vulnerabilities that can be exploited by a threat in a certain order to affect information.
Security Vulnerability = Min {V path reachable, V permission reachable}
For example, a server exposes port 23 to the Internet and its administrator password is weak. In this situation we can say the server has a security vulnerability that can be exploited by external hackers. The security vulnerability contains two vulnerabilities: 1. port 23 is exposed to the Internet; 2. the administrator password is weak. If either of the two vulnerabilities is absent, the security vulnerability does not exist. That is, if the administrator password is weak but port 23 is not exposed to the Internet, there is no security vulnerability; similarly, if port 23 is exposed to the Internet but the administrator password is not weak, there is no security vulnerability.
It can be seen from the above that a single vulnerability cannot by itself cause substantive losses to information assets; only when different types of vulnerabilities are combined in a certain order can actual harm result. Such an ordered collection of vulnerabilities, which can be exploited to create actual danger to information assets, is what we call a security vulnerability.
[Defense and Comparison of security risks]
The path concept introduced in the definition of a security vulnerability makes it both theoretically and practically feasible to completely identify all the information security risks an information asset faces. In network space, the path of a security vulnerability corresponds to network links, and the number of directed link paths between any two points is finite. Therefore, the paths from a threat to a security vulnerability of an information asset can be exhaustively enumerated along the network links.
Figure 2: compare information security risks
Because a security vulnerability is a serial chain of vulnerabilities, the probability of the security vulnerability being exploited is the product of the probabilities of each of its vulnerabilities being exploited:
PW = PV1 * PV2 * ... * PVn (where each PVi < 1)
To simplify the risk comparison, if we assume that all vulnerabilities are exploited with the same probability, a risk comparison principle with strong practical significance follows:
- Risk comparison principle: the fewer vulnerabilities a security vulnerability contains, the higher the possibility of it being exploited by a threat, and the greater the security risk.
Therefore, for the three security risks shown in Figure 2,
R_A > R_B > R_C
In this way, comparing different security risks is converted into comparing the number of vulnerabilities contained in the different security vulnerabilities.
The practical significance of this simplification is twofold. On the one hand, the simplified computation agrees with the actual risk comparison in some real business scenarios: under the simplification, a security vulnerability consisting of three high-likelihood vulnerabilities is rated less risky than one consisting of two low-probability vulnerabilities, and in most cases this simplified result is in line with the actual situation. On the other hand, the simplification makes the calculation of security risk objective and transparent, avoiding the situation where different people evaluate the same risk and obtain different results. At the same time, the transparency and objectivity of the process allow the evaluation results to be more widely understood and recognized, which lays a good foundation for the later selection of risk treatment measures.
[Security risk management]
Based on the definition of a security vulnerability, the following risk management principle can be obtained:
- Risk management principle 1: if any vulnerability that constitutes a security vulnerability is eliminated, the security vulnerability is eliminated. That is, to eliminate a security vulnerability it is not necessary to eliminate all the vulnerabilities that constitute it; eliminating one of them is enough.
Based on the risk comparison principle, another risk management principle can be obtained:
- Risk management principle 2: security vulnerabilities containing fewer vulnerabilities have higher handling priority. Since a security vulnerability with fewer vulnerabilities brings greater security risk, it should of course be handled first.
If the same vulnerability is contained in multiple security vulnerabilities, eliminating that one vulnerability eliminates all of them. Therefore, a third risk management principle can be obtained:
- Risk management principle 3: give priority to handling the convergence points of multiple security vulnerability paths.
Based on the above risk management principles, the security risk management process can be summarized into the following steps:
- Step 1: Identify all shortest paths between the threats and the information assets based on the network links; assume the current shortest paths contain n nodes.
- Step 2: Review the shortest paths one by one, checking whether each node in the path has the required permission accessibility; in this way all security vulnerabilities are obtained, forming an overall view of the security risks.
- Step 3: Handle the security risks: first handle the convergence points of the security vulnerability paths; second, following the principle of handling the easiest first, give priority to the path-accessibility vulnerabilities in the path and then handle the permission-accessibility vulnerabilities, until all security vulnerabilities are eliminated.
- Step 4: After all security risks with shortest path length n have been handled, check whether the business's acceptable level of security risk has been reached. If so, stop; if not, set n to n + 1, return to Step 1 and enter the next cycle.
[Summary]
This article describes how to measure security risk by measuring security vulnerabilities. Based on objective reality, it makes appropriate assumptions about some of the variables in the industry-standard security risk measurement method, such as the threat and the probability that vulnerabilities are exploited, to achieve objective, realistic and easy-to-operate measurement in some scenarios.
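As an added example (not code from the article), the following Python sketch implements the model of the last two sections on constructed data: it enumerates the directed link paths from a threat to an asset (Step 1), keeps as security vulnerabilities only the chains in which every node is both path- and permission-reachable (Step 2), orders them by number of vulnerabilities (risk comparison principle), computes P_W, finds the convergence points (Principle 3) and shows that removing one weakness breaks every chain through it (Principle 1). The network, node names and probabilities are assumptions made for the example.

```python
from collections import Counter
# Constructed example, not from the article: directed network links from the
# threat source "internet" to the information asset "db". Names are hypothetical.
LINKS = {
    "internet": ["vpn", "fw", "mail"],
    "vpn": ["jump"], "fw": ["jump"],
    "jump": ["db", "app"], "app": ["db"], "mail": ["db"],
}
# Weaknesses per node: "path" = path-reachability weakness (e.g. an exposed port),
# "perm" = permission-reachability weakness (e.g. a weak password); values are
# constructed P_Vi. A node keeps a chain alive only if BOTH kinds exist (Min{...}).
WEAKNESSES = {
    "vpn": {"path": 0.8, "perm": 0.4}, "fw": {"path": 0.9, "perm": 0.6},
    "jump": {"path": 0.7, "perm": 0.5}, "app": {"path": 0.9, "perm": 0.2},
    "mail": {"path": 0.9},  # reachable from the network, but no permission weakness
    "db": {"path": 0.5, "perm": 0.8},
}
def all_paths(links, src, dst, seen=()):
    """Step 1: enumerate every simple directed path from the threat to the asset."""
    if src == dst:
        return [list(seen) + [dst]]
    paths = []
    for nxt in links.get(src, []):
        if nxt not in seen:
            paths += all_paths(links, nxt, dst, seen + (src,))
    return paths

def security_vulnerabilities(links, weaknesses, src, dst):
    """Step 2: keep only paths whose every node after the threat source is both
    path- and permission-reachable; shortest chains first (risk comparison)."""
    vulns = [p for p in all_paths(links, src, dst)
             if all(k in weaknesses.get(n, {}) for n in p[1:] for k in ("path", "perm"))]
    return sorted(vulns, key=len)

def exploit_probability(path, weaknesses):
    """P_W = product of P_Vi over every weakness on the chain (independence assumed)."""
    p = 1.0
    for node in path[1:]:
        p *= weaknesses[node]["path"] * weaknesses[node]["perm"]
    return p

def convergence_points(vulns):
    """Principle 3: nodes shared by the most security vulnerabilities come first."""
    return Counter(n for p in vulns for n in p[1:]).most_common()

def eliminate(weaknesses, node, kind):
    """Principle 1: removing one weakness breaks every chain that depends on it."""
    fixed = {n: dict(w) for n, w in weaknesses.items()}
    fixed.setdefault(node, {}).pop(kind, None)
    return fixed
```

On this data, `security_vulnerabilities(LINKS, WEAKNESSES, "internet", "db")` returns four chains (the `mail` path is dropped because that node has no permission weakness), `jump` is the convergence point shared by all four, and `eliminate(WEAKNESSES, "jump", "perm")` leaves none.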