
Chapter 4. New Models

4.3 Infrastructure Vulnerability and Risk Assessment Framework

4.3.1 Infrastructure Vulnerability Framework

From Section 2.7, it can be seen that many frameworks are high-level, give little attention to detailed implementation, and are asset or organisation orientated rather than infrastructure orientated. Most consider general risk, or information risk; only the Minimum Essential Information Infrastructure framework is dedicated to an IW scenario. However, this framework focuses on the technical issues, and not the political, legal, social, or ethical considerations. The intent therefore is to propose a model that is scalable and adaptable, which is layered and guides the user from the high-level to the detailed implementation. It is also intended to be related to cases of IW. The outcome of the framework is to be a single metric or figure for the vulnerability and risk of the infrastructure. Multiple metrics can be used (one each for different perspectives, threats, or other considerations) to compare possible scenarios.

The following risk and vulnerability frameworks and methods will be considered:

SWOT (Section 2.7.1.8);

PESTEL (Section 2.7.1.7);

MEII (Section 2.7.2.1);

FAIR (Section 2.7.2.4); and,

TVA Worksheet (Section 2.7.1.9).

The SWOT analysis is high-level; for an IW situation, the weaknesses can be considered analogous to the vulnerabilities, and strengths can be considered as analogous to the controls, legislation, and policies that are in place, which will mitigate an attack. Threats are the IW threats, and opportunities may be considered as measures that may be improved or introduced to increase the controls or strengths. An addition needs to be made, in that the potential impact of an incident needs to be assessed.

For PESTEL, the political, legal, social, and economic considerations may overlap; these can all be grouped into non-technical factors. The technical considerations remain as is, and the ecological considerations can largely be ignored in an IW situation, except where there are possible ecological effects, such as in Section 4.2.7.5. This will fall under the impact assessment, and may be assessed through environmental impact assessments.

For the proposed framework, the highest level of layers will be the modified SWOT analysis as described above, incorporating threats, vulnerabilities, countermeasures, and opportunities. For each of these, the next layer will be the modified PESTEL with two sections: technical; and non-technical, which incorporates the political, economic, social, and legal considerations. This is shown in Table 4.2. A variety of methods may be used for the next layers: two levels of analysis are provided for. Techniques and sources of information may include vendor and national threat advisories, white papers, political and legal analysis methods, war gaming, and what-if scenario analysis. Information may also be gained from business and national intelligence, Monte-Carlo computer simulations, and expert input through workshops and interviews.

For the technical vulnerabilities, the categorisation of the MEII process may be used to further segment the analysis; this will correspond to Analysis Method 1 in the figure. Methods may be used to assess each category (this will correspond to Analysis Method 2). For example, electronic accessibility may be assessed through penetration testing; singularities and centralisation may be tested by the use of graph theory, and computer simulations may test operating conditions and loading effects. Many technical threats and vulnerabilities may also be determined from CERT or CSIRT advisories and vendor reports; major incidents may be identified through the news media.

For each of the modified SWOT elements, certain variables need to be rated for the IW situation.

The non-technical threat (Step 1A in Table 4.2) is related to the context; who a potential aggressor could be, their capabilities, and the likelihood that they will conduct some form of attack. The technical threats (Step 1B) relate to the likelihood of the technical attack (certain attack methodologies are more common than others – this will be discussed in Chapter 5) and the complexity of conducting the attack. The vulnerability phase (Step 2) consists of identifying the potential vulnerabilities that are to be rated and prioritised in the assessment. Non-technical vulnerabilities (Step 2A) can be associated with both the context and limitations in the planning phase of the IW Lifecycle Model; for instance, insufficient legal frameworks, political segregation, or economic dependence may make a nation susceptible to an IW attack. Technical vulnerabilities (Step 2B) can be identified through assessing the categories of the MEII process through the use of various techniques; examples of these are provided in the Analysis Method 2 column of Table 4.2. When a potential vulnerability is identified, the complexity or effort a threat would need to expend in exploiting it should be rated.

The countermeasures and defences (Step 3) may be determined whilst identifying the vulnerabilities; the strength of the controls in place needs to be rated; the non-technical factors (Step 3A) will need to be estimated according to available information. The strength of the technical countermeasures (Step 3B) may be determined from datasheets, product specifications, vendor whitepapers and reports, and simulations. For example, a report may rate anti-virus applications according to the success rate of detecting and removing malware; this can then be used to rate the strength of the anti-virus application as a control against malware.


Table 4.2: The Proposed Infrastructure Vulnerability Assessment Framework, van Niekerk and Maharaj (2011a)

| SWOT | PESTEL | Analysis Method 1 | Analysis Method 2 |
|---|---|---|---|
| Step 1. Threats | 1A. Non-technical | Social; Economic; Political; Legal | National & international threat advisories, and reports; Business intelligence; News Media; Trend Analysis; Expert input; What-if Analysis; Scenario Analysis; Employee satisfaction analysis |
| | 1B. Technical | | CSIRT advisories; Business intelligence; Vendor advisories; Expert input |
| Step 2. Vulnerabilities (Weaknesses) | 2A. Non-technical | Social; Economic; Political; Legal | Business intelligence; National & international threat advisories and reports; Trend Analysis; Political and Legal Analysis; Expert input |
| | 2B. Technical | Use MEII or equivalent | Penetration testing; Vendor Reports; CSIRT Advisories; Graph Theory Analysis |
| Step 3. Countermeasures and Defences (Strengths) | 3A. Non-technical | Social; Economic; Political; Legal | National & international threat advisories, and reports; Business intelligence; Expert input |
| | 3B. Technical | | Vendor whitepapers; Product specifications; Expert input; Simulations |
| Step 4. Impact | 4A. Non-technical | Social; Economic; Political; Legal | Wargaming; What-if Analysis; Scenario Analysis; Expert input |
| | 4B. Technical | | Simulations; Expert input |
| | 4C. Ecological | | What-if Analysis; Environmental Impact Assessment |
| Step 5. Opportunities | 5A. Non-technical | Social; Economic; Political; Legal | National and business intelligence; Political, legal, or economic assessments; Expert input; Political and corporate alliances |
| | 5B. Technical | | Vendor whitepapers; Product specifications; National and business intelligence; Expert input |


The impact of a vulnerability being exploited by a threat (Step 4) can be estimated through use of wargaming, what-if and scenario analyses, simulations, and expert input. Potential ecological consequences (Step 4C) of an attack can be determined with a what-if or scenario analysis coupled with an environmental impact assessment. Possible opportunities or solutions to mitigate vulnerability (Step 5) can be identified through use of intelligence, product specifications, and vendor whitepapers; expert input may also be able to identify possible solutions through experience.

Opportunities include participating in political alliances and joint technical committees, or improving and introducing technical controls. Ensuring compliance and accreditation will also aid in mitigating risk and vulnerabilities.

The paragraphs above described five steps in the process. During this process certain variables need to be rated; these will be used to determine the vulnerability and risk rating in a process that has been modified from the FAIR analysis. These variables can be summarised as:

The likelihood of the threat taking action;

The estimated capability of the threat;

The required capability to overcome the identified vulnerability;

The strength of the controls and countermeasures in place to protect the vulnerability; and,

The impact or loss should the vulnerability be exploited.

These variables will be combined through the use of a modified FAIR process (or equivalent method according to organisational preferences). This is Step 6, and is illustrated in Table 4.3, where the X indicates the two variables are used in a risk matrix to determine the rating of the variable above. The primary modification from the original FAIR process is that the loss or impact no longer has primary and secondary factors. This is due to the fact that the primary impact of an IW attack (which will correspond to the objectives and motivation of the aggressor in the IW Lifecycle Model) will be more significant than any secondary factors; however, if the secondary factors can be estimated this may be incorporated. Another modification is that the variables for rating the threat and vulnerability have been altered. In an IW situation, the likelihood that the threat is making contact indicates an action of some form; the threat rating is therefore a combination of the threat capability and the likelihood of action. The vulnerability rating is a combination of the skill required to exploit the identified vulnerability, and the strength of the control measures in place.


Table 4.3: Proposed Framework Rating Determination, van Niekerk and Maharaj (2011a)

| Rating | Determined from |
|---|---|
| Risk | Likelihood of a successful attack X Loss or Impact |
| Likelihood of a successful attack | Threat X Vulnerability |
| Threat | Threat action likelihood X Estimated threat capability |
| Vulnerability | Control strength X Required capability to exploit vulnerability |

The likelihood of a successful attack is a combination of the threat and vulnerability ratings; this is then combined with the impact rating to estimate risk for that particular vulnerability and threat pairing. Examples of the risk matrices used in the process are presented in Table 4.4 and Table 4.5; qualitative ratings of very low to very high are used (however, these ratings can be adjusted according to requirements).

Table 4.4: General Risk Matrix for the IW FAIR Process, van Niekerk and Maharaj (2011a)

Variable 2

Variable 1

| | V. Low | Low | Med | High | V. High |
|---|---|---|---|---|---|
| V. Low | V. Low | V. Low | Low | Med | Med |
| Low | V. Low | Low | Low | Med | High |
| Med | Low | Low | Med | High | High |
| High | Low | Med | High | High | V. High |
| V. High | Med | Med | High | V. High | V. High |

Table 4.5: Vulnerability Matrix for the IW FAIR Process, van Niekerk and Maharaj (2011a)

Control Strength

Required Capability to Exploit Vulnerability

| | V. Low | Low | Med | High | V. High |
|---|---|---|---|---|---|
| V. Low | V. High | V. High | High | Med | Med |
| Low | V. High | High | High | Med | Low |
| Med | High | High | Med | Low | Low |
| High | High | Med | Low | Low | V. Low |
| V. High | Med | Med | Low | V. Low | V. Low |

To keep track of the threat, vulnerability, and impact associations used in the process above a modified Threats-Vulnerabilities-Assets (TVA) worksheet may be used; an example is illustrated in Table 4.6. The TVA Worksheet is described in Section 2.7.1.9; as it is asset-centric, it needs to be modified to be vulnerability-centric; threats are associated with the vulnerabilities. The potential impacts of the vulnerability-threat associations are estimated, and for each the risk is determined using the process described above.

Table 4.6: Modified TVA Worksheet

| Vulnerability name and rating | Associated threat names and ratings | Estimated impact type and rating | Estimated risk rating |
|---|---|---|---|
| Vulnerability 1 (Rating) | Threat A (Rating) | Impact 1-A-1 (Rating) | Risk 1-A-1 (Rating) |
| | | Impact 1-A-2 (Rating) | Risk 1-A-2 (Rating) |
| | Threat B (Rating) | Impact 1-B-1 (Rating) | Risk 1-B-1 (Rating) |
| | Threat C (Rating) | Impact 1-C-1 (Rating) | Risk 1-C-1 (Rating) |
| Vulnerability 2 (Rating) | Threat B (Rating) | Impact 2-B-1 (Rating) | Risk 2-B-1 (Rating) |
| | Threat D (Rating) | Impact 2-D-1 (Rating) | Risk 2-D-1 (Rating) |

Up to this point, the identified vulnerabilities and the associated risks have been evaluated; the vulnerability and risk ratings of the entire infrastructure need to be determined. Step 7 of the process is determining the ratings for the infrastructure vulnerability and risk using vector mathematics. The magnitude of a vector is calculated as shown in Equation 4.1:

4.1

where I is the number of elements in the vector. The list of vulnerabilities is taken as a vector, with very low having a value of one, and very high having a value of five. The infrastructure vulnerability is then calculated as the magnitude of the vulnerability vector, as shown in Equation 4.2:

4.2

where N is the number of identified vulnerabilities and vi is the individual vulnerability rating.

Similarly, the infrastructure risk is determined by taking the vector magnitude of all the individual risk ratings, as shown in Equation 4.3:

4.3


where M is the number of risk elements and ri is the individual risk rating. As each vulnerability may have multiple threats associated with it, there may be more than one risk rating per vulnerability; therefore from Equations 4.2 and 4.3, Equation 4.4 should hold true:

4.4

Vector magnitude is used to calculate the infrastructure vulnerability and risk as these exhibit similar characteristics: the vector magnitude increases as the number of elements or the magnitude of any one element increases. Likewise, the more individual vulnerabilities, or the more severe any single vulnerability, the greater the overall infrastructure vulnerability will be.

This process provides the ability to compare the overall infrastructure vulnerability or risk as the individual vulnerability or risk ratings change or are introduced or eliminated. The vulnerabilities may be prioritised by calculating the risk magnitude for each identified vulnerability, then ranking them according to their associated risk values. Vulnerabilities with higher risk values need to be addressed with higher priority than those with low risk values. The vulnerability and risk ratings may also be calculated for an individual asset, or for a specific impact type or attack objective, such as DoS, exploitation, corruption, and misuse. The relevant elements are treated as a vector for each area of interest, and the magnitude is calculated. An example of this is illustrated in Table 4.7 and Equations 4.5 to 4.7.

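Table 4.7: Vulnerability by Impact Type

| Vulnerability | Vulnerability Rating | Impact: DoS | Impact: Corruption | Impact: Exploitation |
|---|---|---|---|---|
| V1 | 3 | | | |
| V2 | 2 | | | |
| V3 | 4 | | | |
| V4 | 3 | | | |
| V5 | 5 | | | |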

4.5

4.6

4.7


From this example, it can be seen that there is a greater vulnerability to a DoS attack compared to one that will exploit or corrupt the data or information. The overall framework is adaptable in that it is modular, so any one aspect of the high-level structure can be replaced by an analysis or assessment methodology to suit the requirements of the organisation. Section 4.3.2 applies this proposed framework to the case of cloud computing.
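Step 7 and the prioritisation of vulnerabilities described above can be worked through in code. The Python below is an added example, not part of the thesis: it takes "vector magnitude" to be the Euclidean norm, assumes evenly spaced values between very low (1) and very high (5), and runs on a constructed worksheet whose vulnerability ratings follow Table 4.7 while its threats, impact types, and risk ratings are made up.

```python
import math
from collections import defaultdict

# The page fixes very low = 1 and very high = 5; the evenly spaced
# values in between are an assumption of this example.
SCALE = {"V. Low": 1, "Low": 2, "Med": 3, "High": 4, "V. High": 5}

# Constructed rows in the shape of the modified TVA worksheet:
# (vulnerability, its rating, threat, impact type, risk rating).
# Vulnerability ratings follow Table 4.7; the rest is made up.
WORKSHEET = [
    ("V1", "Med",     "Threat A", "DoS",          "Med"),
    ("V1", "Med",     "Threat B", "Corruption",   "Low"),
    ("V2", "Low",     "Threat B", "Exploitation", "Low"),
    ("V3", "High",    "Threat C", "DoS",          "High"),
    ("V4", "Med",     "Threat A", "Corruption",   "Med"),
    ("V5", "V. High", "Threat D", "DoS",          "V. High"),
    ("V5", "V. High", "Threat C", "Exploitation", "High"),
]

def magnitude(values):
    """Vector magnitude, taken here to be the Euclidean norm."""
    return math.sqrt(sum(v * v for v in values))

def vulnerability_vector(rows, impact=None):
    """One rating per vulnerability, optionally for one impact type only."""
    ratings = {}
    for vuln, v_rating, _threat, impact_type, _risk in rows:
        if impact is None or impact_type == impact:
            ratings[vuln] = SCALE[v_rating]
    return ratings

def infrastructure_vulnerability(rows, impact=None):
    return magnitude(vulnerability_vector(rows, impact).values())

def infrastructure_risk(rows):
    # Each vulnerability-threat-impact row is one risk element.
    return magnitude(SCALE[risk] for *_, risk in rows)

def prioritise(rows):
    """Rank vulnerabilities by the magnitude of their own risk ratings."""
    per_vuln = defaultdict(list)
    for vuln, *_, risk in rows:
        per_vuln[vuln].append(SCALE[risk])
    ranked = [(vuln, magnitude(risks)) for vuln, risks in per_vuln.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    print(round(infrastructure_vulnerability(WORKSHEET), 2), prioritise(WORKSHEET))
```

Removing a row or lowering a rating and re-running shows how the infrastructure figures respond as individual vulnerabilities or risks are eliminated or changed.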