PERSONNEL SECURITY
PHYSICAL SECURITY
ACCOUNT AND PASSWORD MANAGEMENT
CONFIDENTIALITY OF SENSITIVE DATA
DISASTER RECOVERY
SECURITY AWARENESS AND EDUCATION
COMPLIANCE AND AUDIT
Checklist Response Analysis
For each question that is marked “No,” carefully review its applicability to your organization. Implementing or improving controls decreases potential exposure to threats/vulnerabilities that may seriously impact the ability to successfully operate.
For this assessment, numeric rating scales are used to establish impact potential (0–6) and likelihood probability (0–5).
IMPACT SCALE | LIKELIHOOD SCALE |
1. Impact is negligible | 0. Unlikely to occur |
2. Effect is minor, major agency operations are not affected | 1. Likely to occur less than once per year |
3. Organization operations are unavailable for a certain amount of time, costs are incurred. Public/customer confidence is minimally affected | 2. Likely to occur once per year |
4. Significant loss of operations, significant impact on employee/user confidence | 3. Likely to occur once per month |
5. Effect is disastrous, systems are down for an extended period of time, systems need to be rebuilt and data replaced | 4. Likely to occur once per week |
6. Effect is catastrophic, critical systems are offline for an extended period; data are lost or irreparably corrupted; employees’ safety, and possibly the external public, are affected | 5. Likely to occur daily |
When determining impact, consider the value of the resources at risk, both in terms of inherent (replacement) value and the importance of the resources (criticality) to the organization’s successful operation.
Factors influencing likelihood include: threat capability, frequency of threat occurrence, and effectiveness of current countermeasures (security controls). Threats caused by humans are capable of significantly impairing the ability of an organization to operate effectively.
Human threats sources include:
SOURCE | SOURCE DESCRIPTION |
Insiders | Employees, general contractors and subcontractors, cleaning crew, developers, technical support personnel, and computer and telephone repair workers |
Former employees | Includes those who have quit, were fired, or retired |
Unauthorized personnel | Intruders, computer hackers, trespassers, terrorists, and other people with bad intent |
SCORE | RISK LEVEL | DESCRIPTION |
21–30 | High Risk | Occurrence may result in significant loss of major tangible assets, information, or information resources. May significantly disrupt the organization’s operations or seriously harm its reputation. |
11–20 | Medium Risk | Occurrence may result in some loss of tangible assets, information, or information resources. May disrupt or harm the organization’s operation or reputation. For example, authorized users are not able to access supportive data for several days. |
1–10 | Low Risk | Occurrence may result in minimal loss of tangible assets, information, or information resources. May adversely affect the organization’s operation or reputation. For example, authorized users are not granted access to supportive data for an hour. |
HUMAN THREATS | Impact (0–6) | Probability (0–5) | Score (Impact × Probability) |
1. Human error | |||
Accidental destruction, modification, disclosure, or incorrect classification of information | ____ | ____ | ____ |
Ignorance: inadequate security awareness, lack of security guidelines, lack of proper documentation, lack of knowledge | ____ | ____ | ____ |
Workload: Too many or too few system administrators, highly pressured users | ____ | ____ | ____ |
Users may inadvertently give information on security weaknesses to attackers | ____ | ____ | ____ |
Incorrect system configuration | ____ | ____ | ____ |
Security policy not adequate | ____ | ____ | ____ |
Security policy not enforced | ____ | ____ | ____ |
Security analysis may have omitted something important or be wrong | ____ | ____ | ____ |
2. Dishonesty: Fraud, theft, embezzlement, selling of confidential agency information | ____ | ____ | ____ |
3. Attacks by “social engineering” | |||
Attackers may use telephone to impersonate employees to persuade users/administrators to give user name/passwords/modem numbers, etc. | ____ | ____ | ____ |
Attackers may persuade users to execute Trojan Horse programs | ____ | ____ | ____ |
4. Abuse of privileges/trust | ____ | ____ | ____ |
GENERAL THREATS | Impact (0–6) | Probability (0–5) | Score (Impact × Probability) |
1. Unauthorized use of “open” computers/laptops | ____ | ____ | ____ |
2. Mixing of test and production data or environments | ____ | ____ | ____ |
3. Introduction of unauthorized software or hardware | ____ | ____ | ____ |
4. Time bombs: Software programmed to damage a system on a certain date | ____ | ____ | ____ |
5. Operating system design errors: Certain systems were not designed to be highly secure | ____ | ____ | ____ |
6. Protocol Design Errors: Certain Protocols not designed to be highly secure. Protocol weakness in TCP/IP can result in: | ____ | ____ | ____ |
Source Routing, DNS Spoofing, TCP sequence guessing, unauthorized access | ____ | ____ | ____ |
Hijacked sessions and authentication session/transaction replay, data is changed or copied during transmission | ____ | ____ | ____ |
Denial of Service due to ICMP Bombing, TCP-SYN Flooding, large PING packets, etc. | ____ | ____ | ____ |
7. Logic Bombs: Software programmed to damage a system under certain conditions | ____ | ____ | ____ |
8. Viruses in programs, documents and e-mail attachments | ____ | ____ | ____ |
9. Trojan Horses (programs masquerading as other programs) | ____ | ____ | ____ |
10. Intruders seeking to spoof or obtain unauthorized access | ____ | ____ | ____ |
11. Phishing attacks (e-mail appearing to come from authorized sources) | ____ | ____ | ____ |
12. Attacks through SKYPE®, VIBER®, and teleconferencing software | ____ | ____ | ____ |
13. SCADA attacks and control system spoofing | ____ | ____ | ____ |
14. Sabotage | ____ | ____ | ____ |
15. Physical destruction of equipment | ____ | ____ | ____ |
16. Electromagnetic pulse (EMP) attacks | ____ | ____ | ____ |
17. Failure to properly remove and destroy electronic media in abandoned equipment | ____ | ____ | ____ |
18. Deliberate deletion of critical files and backup systems | ____ | ____ | ____ |
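Scoring the worksheets above is a small computation, but it is worth doing in code so that the scales are enforced, the bands are applied consistently, and the rows come out ranked for remediation. The following is an added example, not part of the original document: the impact (0–6) and likelihood (0–5) scales, the Impact × Probability score and the 21–30/11–20/1–10 bands are the page’s own; the ratings assigned to the sample worksheet items are constructed for illustration, and reporting a score of 0 as “None” (the page’s bands start at 1) is this example’s choice.

```python
"""Scoring the threat worksheet with the page's scales and risk bands.

Added example, not part of the original document. Scales, score formula
and bands come from the page; the sample ratings below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

IMPACT_MAX = 6       # page's impact scale runs 0-6
LIKELIHOOD_MAX = 5   # page's likelihood scale runs 0-5


@dataclass(frozen=True)
class Threat:
    """One row of the worksheet: a threat with its two ratings."""
    name: str
    impact: int
    likelihood: int

    def __post_init__(self) -> None:
        # Reject ratings outside the page's scales so a typo such as 7 or -1
        # cannot silently inflate or hide a score.
        if not 0 <= self.impact <= IMPACT_MAX:
            raise ValueError(f"impact {self.impact} outside 0-{IMPACT_MAX}")
        if not 0 <= self.likelihood <= LIKELIHOOD_MAX:
            raise ValueError(f"likelihood {self.likelihood} outside 0-{LIKELIHOOD_MAX}")

    @property
    def score(self) -> int:
        """Score column of the worksheet: Impact x Probability (0-30)."""
        return self.impact * self.likelihood


def risk_level(score: int) -> str:
    """Map a score onto the page's bands: 21-30 High, 11-20 Medium, 1-10 Low.

    A score of 0 (impact or likelihood rated 0) is outside the page's bands;
    it is reported as "None" rather than being lumped into Low (assumption).
    """
    if score >= 21:
        return "High"
    if score >= 11:
        return "Medium"
    if score >= 1:
        return "Low"
    return "None"


def rank(threats: list[Threat]) -> list[Threat]:
    """Order threats for remediation: highest score first, highest impact as
    tie-breaker, so a rare catastrophic event outranks a frequent nuisance
    with the same product."""
    return sorted(threats, key=lambda t: (t.score, t.impact), reverse=True)


def remediate_first(threats: list[Threat]) -> list[str]:
    """Names of the High-risk threats, where the page says remediation should focus."""
    return [t.name for t in rank(threats) if risk_level(t.score) == "High"]


def worksheet_rows(threats: list[Threat]) -> list[str]:
    """Render ranked rows in the page's pipe-separated worksheet layout."""
    return [
        f"{t.name} | {t.impact} | {t.likelihood} | {t.score} | {risk_level(t.score)} |"
        for t in rank(threats)
    ]


# Constructed sample ratings for a few worksheet items (not the page's own).
SAMPLE_WORKSHEET = [
    Threat("Incorrect system configuration", 4, 3),
    Threat("Phishing attacks", 4, 5),
    Threat("SCADA attacks and control system spoofing", 6, 1),
    Threat("Electromagnetic pulse (EMP) attacks", 6, 0),
    Threat("Mixing of test and production data or environments", 2, 2),
    Threat("Security policy not enforced", 5, 5),
]

if __name__ == "__main__":
    for row in worksheet_rows(SAMPLE_WORKSHEET):
        print(row)
    print("Remediate first:", remediate_first(SAMPLE_WORKSHEET))
```

Note the two items rated impact 6: the product pushes SCADA spoofing (likelihood 1) into Low and the EMP item (likelihood 0) to a score of 0, even though both sit at the catastrophic end of the impact scale. The impact tie-breaker in `rank` keeps them above equal-score nuisances, but a reviewer should still read the impact column alongside the band before accepting a Low rating for a safety-relevant threat.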
After reviewing current security controls and rating the potential threats/vulnerabilities, determine a series of actions to reduce risk (threats exploiting vulnerabilities) to an acceptable level. These actions should include putting missing security controls in place and/or increasing the strength of existing controls.
Security controls should ideally reduce or eliminate vulnerabilities while meeting the needs of the business. Cost must be balanced against the expected security benefit and risk reduction. Remediation efforts and actions should focus first on the threats/vulnerabilities rated high risk.
The recommended security actions to remediate vulnerabilities should be displayed in tabular form. A color-coded or shaded table listing each risk/vulnerability and its costs in a semi-quantitative format can accompany the report so that the major risks are identified quickly. Another approach is to conduct a Bow-Tie Analysis of the various risks and the preventive/remedial measures, and to cost the damages and remedial responses in the table. An example of such a table is shown below.
Sample of Cyber Risk Vulnerability/Risk and Preventive Actions | ||||
Item | Damage Cost, Millions | Probability of Occurrence, No. per year | Remedial Actions Equipment Costs, Millions | Training and Other Associated Costs, Millions |
Spoofing SCADA—destroys process plants | 2.0 | 0.01 | 0.5 | 0.0 |
Intrusion | 0.04 | 1.0 | 0.02 | 0.01 |
Cyber attack | 0.3 | 12.0 | 0.05 | 0.05 |
Data breach | 0.3 | 1.0 | 0.01 | 0.05 |
The table is more effective in color, but even in one color, it can be printed with shading from the darkest to the lightest shading to highlight the important information. A variety of display options can be used.
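The sample table gives a damage cost per occurrence and a number of occurrences per year, which is enough to compare each item’s expected annual loss with what the remedial actions cost. The following is an added example, not part of the original document: the four rows are the page’s own sample figures (in millions), the expected annual loss is the standard damage × occurrences product, and the payback calculation assumes, as a stated simplification, that the remedial actions remove the loss entirely (an upper bound on their benefit). The shade ranking mirrors the page’s darkest-to-lightest presentation.

```python
"""Expected annual loss versus remediation cost for the page's sample table.

Added example, not part of the original document. Row figures are the
page's sample values (millions). Payback assumes the remedial actions
eliminate the loss entirely, which is an upper bound on benefit.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    """One row of the sample table (all costs in millions)."""
    name: str
    damage_cost: float           # loss per occurrence
    occurrences_per_year: float  # "Probability of Occurrence, No. per year"
    equipment_cost: float        # remedial actions equipment cost (one-time)
    training_cost: float         # training and other associated costs

    @property
    def expected_annual_loss(self) -> float:
        """Damage per occurrence x occurrences per year."""
        return self.damage_cost * self.occurrences_per_year

    @property
    def remediation_cost(self) -> float:
        """Total cost of the remedial actions."""
        return self.equipment_cost + self.training_cost

    @property
    def payback_years(self) -> float:
        """Years of avoided loss needed to recover the remediation cost,
        assuming the controls eliminate the loss; inf if nothing is avoided."""
        if self.expected_annual_loss == 0:
            return float("inf")
        return self.remediation_cost / self.expected_annual_loss


# The page's own sample rows.
SAMPLE_TABLE = [
    RiskItem("Spoofing SCADA - destroys process plants", 2.0, 0.01, 0.5, 0.0),
    RiskItem("Intrusion", 0.04, 1.0, 0.02, 0.01),
    RiskItem("Cyber attack", 0.3, 12.0, 0.05, 0.05),
    RiskItem("Data breach", 0.3, 1.0, 0.01, 0.05),
]


def by_expected_loss(items: list[RiskItem]) -> list[RiskItem]:
    """Largest expected annual loss first."""
    return sorted(items, key=lambda i: i.expected_annual_loss, reverse=True)


def justified_within(items: list[RiskItem], horizon_years: float) -> list[str]:
    """Names of items whose remediation pays back within the horizon."""
    return [i.name for i in items if i.payback_years <= horizon_years]


def shade_rank(items: list[RiskItem]) -> dict[str, int]:
    """Rank for a darkest-to-lightest shaded table: 1 = darkest (largest
    expected annual loss)."""
    return {i.name: n for n, i in enumerate(by_expected_loss(items), start=1)}


if __name__ == "__main__":
    for item in by_expected_loss(SAMPLE_TABLE):
        print(f"{item.name} | EAL {item.expected_annual_loss:.3f} | "
              f"remediation {item.remediation_cost:.3f} | "
              f"payback {item.payback_years:.2f} yr")
    print("Pays back within 3 years:", justified_within(SAMPLE_TABLE, 3))
```

On the page’s figures, the “Cyber attack” row dominates the annualized view (0.3 × 12 = 3.6 million per year against 0.1 million of remediation), while the SCADA spoofing row has the smallest expected annual loss (0.02 million) and the longest payback (25 years). That is exactly the case the semi-quantitative impact scale exists for: a plant-destroying event sits at the top of the impact scale, where employee and public safety are affected, so the annualized cost comparison should be read alongside the impact rating rather than used to deprioritize it on its own.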