Saturday, January 7, 2023

Cybersecurity Risk Assessment - The Basics


Let's get back to basics!  I thought a good way to start the new year would be a review of some fundamental terminology that you may run across in your early studies of cybersecurity, or when researching how to protect your small business.  For some of you who have been in the biz for a while and are studying up for a job interview, this may simply be a refresher.  I recently gave a presentation introducing some basic information security terms and some of the certifications that can help when entering the IT and cybersecurity fields, and I thought I would reiterate part of that presentation here in the blog.

I have been asked about several risk assessment terminologies over the years and wanted to talk about a few of them that keep coming up.  Given the substantial number, I thought it best to break them up and discuss over a series of articles.  Below are the things that this article will help define:

  • What Needs to Be Protected - The CIA Triad
  • Offensive Security - Red Teams
  • Defensive Security - Blue Teams
  • Security Risk Assessment – Assets, threats, risk, vulnerability, exploit


What Needs to Be Protected:

You will often hear that information security focuses on three things: Confidentiality, Integrity, and Availability, or the "CIA" Triad.  The CIA Triad is the basis for determining the risk level of an information system, because each type of data in the system is assigned a classification level (high, medium, low) for each of the three objectives.  Knowing the classification levels of the data types helps an organization determine how severe the damage would be if the data were compromised, and which security controls to use to protect it. We often use the saying that you don't protect a $10 horse with a $100 fence.  Likewise, you protect your information and data to the appropriate level using the appropriate measures, but if the cost of protecting the data is far too high, then it may be necessary to use other strategies such as buying cyber insurance, or simply accepting the risk.

Note that an important part of knowing what needs to be protected is knowing your system boundaries and what types of assets you have.  I authored another article a while back that will help explain some of those concepts as well.

The three parts of the CIA Triad:

  • Confidentiality: The data must not be viewed by unauthorized persons or entities. Revealing your data to unauthorized people can cause grave damage, some damage, or even minimal damage to your organization. Having the proper access controls, for example, can help secure your data by allowing only authorized individuals to see it. 

  • Integrity: The data must be correct and accurate. For example, if you have financial data, serious damage can be caused if the data is manipulated incorrectly or has errors that are accidentally injected. Again, proper access controls may help prevent unauthorized people from maliciously changing the data. And having processes to perform accuracy checks and information audits may help to ensure accuracy. 

  • Availability: The system and the data must be available to the people who need the data to prevent business disruptions. So, for example, while a simple website that goes offline for a few hours will only cause minor inconveniences, a SCADA system that controls electrical utilities for a large geographic area going offline for even a few minutes will cause serious harm.  Having redundancies in place is just one example of a protection that will help keep systems available to the required levels. 


Red Team – The “Offense!”  

The Red Teams are the ones that are called in to simulate cyber-attacks.  They are usually not employees of the company, but independent, third-party contractors who are hired to perform these services.  They use vulnerability scanners to find weaknesses in computers and network equipment, then use tools such as Metasploit to attempt attacks against those weaknesses. Red Team members will often test physical security as well, entering office spaces after hours to find out whether employees are leaving out information that needs to be secured.

Some techniques typically used by the Red Team:

  • Social Engineering – using phishing emails and phone calls claiming to be tech support in order to obtain passwords, usernames, corporate data, or other sensitive information.  Phishing emails can also catch people who are likely to click on links that would infect their computers and smartphones with malicious software.

  • Penetration Testing – using vulnerability scanners, the suite of tools in Kali Linux, and Metasploit.

  • Testing physical security - testing door locks and physical security systems, including attempting to enter secured areas by "tailgating" other employees.

Once the Red Teams have completed their testing engagement, they will then make recommendations to the company's management and their Blue Team for making security improvements.

EXAMPLE: In my organization we would call in a team of outside “Pen Testers” every year to test our security and make recommendations.  They did vulnerability scans and used Kali Linux/Metasploit to discover and exploit software and hardware vulnerabilities, but also came in after hours and checked the office cubicles to look for unlocked cabinets, written down passwords, etc.  They would also test our physical security to see if it was possible for an unauthorized person to enter a facility.

IMPORTANT NOTE: Rules of engagement must be in place – the Red Teams must have permission to perform attacks.  Many of the techniques employed by a Red Team could be otherwise illegal. These permissions are usually spelled out in a document known as the "Rules of Engagement." But since this is part of what is known as "ethical hacking," Red Teams must perform these things with full permission of the company who hired them.

Typical Red Team Member Certifications:

  • Certified Ethical Hacker (CEH)
  • Licensed Penetration Tester (LPT) Master
  • CompTIA PenTest+
  • GIAC Penetration Tester (GPEN)
  • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
  • Offensive Security Certified Professional (OSCP)
  • Certified Red Team Operations Professional (CRTOP)


Blue Team – The “Defense!”  

The Blue Teams are the ones that receive the test results from the Red Teams who are called in to simulate the cyber-attacks against the company.  They are usually employees of the company and make up groups such as the "Risk and Compliance" or "Information Assurance" teams within the company.

Some duties typically performed by the Blue Team:

  • Take recommendations from Red Team to improve security
  • Risk assessment, hardening techniques, monitoring and detection
  • Audits, and cybersecurity control documentation and testing
  • Monitor network activity – Firewall logs, security incident and event monitors

EXAMPLE: At the end of the pen test, we had a debrief with the Red Team and our management to prioritize and plan for improvements.  The Red Team would often offer to come back and test our improvements for us.

Typical Blue Team Member Certifications:  

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • CompTIA Security+ and Advanced Security Practitioner (CASP+)
  • GIAC Certified Incident Handler (GCIH) 
  • GIAC Security Essentials Certification (GSEC)
  • GIAC Systems Security Certified Practitioner (SSCP)


Security Risk Assessment:

An organization will typically perform a risk analysis by taking the assets it has and evaluating the threats to those assets, the likelihood of those threats occurring, and the level of damage that would be caused if they actually occurred. It evaluates the vulnerabilities in its environment against the threat of those vulnerabilities being exploited. That information then helps determine how to mitigate those threats. Risk cannot be completely eliminated, by the way.  It can either be mitigated (controls put in place to protect the data), transferred (such as by purchasing insurance), or accepted (the risk of a threat/exploit occurring is low and/or the mitigation is too expensive). The components that play into this risk assessment are:

Assets – People, equipment, intellectual property, data, buildings. Having an inventory and knowing system boundaries. This falls under the Asset Management Program, which I discuss in the linked article.

Threat – Natural (storms, hurricanes, fires); Unintended Human (accidental data deletion or data mistakes); Intentional Human (cyber-attacks, malicious insiders).

Risk – Financial loss, damage to equipment, damage to reputation. 

  • Risk = Threat Probability * Vulnerability Impact.
  • The risk analysis we did in Colorado, for example, looked at likely events such as tornadoes, forest fires, and terrorist attacks against a government committed.

Vulnerability – Weaknesses in assets; broken locks, unpatched systems, old, outdated software, and untrained personnel.  I discuss vulnerabilities and patches in this article.

Exploit – Attackers can make use of those weaknesses by using "holes" in the system integrity to steal data, damage systems, and deny access to your systems.
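The following is an added example, not code from the original post, that ties the CIA Triad classification levels from the first section together with the Risk = Threat Probability * Vulnerability Impact formula and the mitigate/transfer/accept decision above. Every asset, data type, threat, dollar figure and threshold in it is constructed for illustration. It goes one step beyond the post in two labelled places: it derives an asset's overall classification from its data types using the "high-water mark" convention (the highest level of any data type wins, as in FIPS 199 system categorization), and it turns the horse-and-fence rule into a numeric comparison of control cost against expected annual loss.

```python
"""Toy risk register: CIA classification -> impact, threat probability -> risk
score, then a mitigate / transfer / accept recommendation.
Added example; all data below is constructed, not from any real assessment."""
from dataclasses import dataclass

# Classification levels from the CIA Triad section, mapped to a 1..3 scale.
LEVELS = {"low": 1, "medium": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class DataType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass(frozen=True)
class Asset:
    name: str
    data: tuple          # DataType instances held on this asset
    value_usd: float     # what the asset is worth to the business (the "horse")


@dataclass(frozen=True)
class Threat:
    name: str
    annual_probability: float   # estimated chance of occurring in a year (0..1)
    vulnerability: str          # the weakness the threat would exploit


def classify(asset):
    """Per-objective level = highest level of any data type on the asset
    (high-water mark convention, an assumption not stated in the post).
    Returns (per_objective_levels, overall_level)."""
    per = {}
    for obj in OBJECTIVES:
        per[obj] = max((getattr(d, obj) for d in asset.data), key=LEVELS.__getitem__)
    overall = max(per.values(), key=LEVELS.__getitem__)
    return per, overall


def probability_bucket(p):
    """Map an annual probability onto the same 1..3 scale as the impact levels."""
    if p >= 0.5:
        return 3
    if p >= 0.1:
        return 2
    return 1


def risk_score(threat, asset):
    """Risk = Threat Probability * Vulnerability Impact, on a 1..9 scale."""
    _, overall = classify(asset)
    return probability_bucket(threat.annual_probability) * LEVELS[overall]


def risk_rating(score):
    """Qualitative rating for the 1..9 score (thresholds are constructed)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def expected_annual_loss(threat, asset):
    """Simplification: one successful event costs the asset's full value."""
    return threat.annual_probability * asset.value_usd


def recommend_treatment(threat, asset, control_cost_usd, appetite_usd):
    """mitigate / transfer / accept, using the $10 horse / $100 fence rule."""
    eal = expected_annual_loss(threat, asset)
    if control_cost_usd <= eal:
        return "mitigate"    # the fence costs less than the expected loss
    if eal > appetite_usd:
        return "transfer"    # too costly to fix, too big to swallow: insure it
    return "accept"          # cheap to lose, expensive to protect: live with it


# Constructed sample register (not real data).
PAYROLL = DataType("payroll records", "high", "high", "medium")
CUSTOMER_DB = DataType("customer database", "high", "high", "high")
WEB_CONTENT = DataType("public web pages", "low", "medium", "low")

FILE_SERVER = Asset("finance file server", (PAYROLL,), value_usd=250_000)
DATACENTER = Asset("primary data center", (CUSTOMER_DB, PAYROLL), value_usd=1_000_000)
WEBSITE = Asset("marketing website", (WEB_CONTENT,), value_usd=5_000)

RANSOMWARE = Threat("ransomware via phishing", 0.3, "untrained personnel, unpatched systems")
FLOOD = Threat("flood (natural threat)", 0.02, "server room at ground level")
DEFACEMENT = Threat("website defacement", 0.05, "outdated CMS plugin")


def register(appetite_usd=1_000):
    """Score every (threat, asset, control cost) pair and sort highest risk first."""
    rows = []
    for threat, asset, cost in ((RANSOMWARE, FILE_SERVER, 20_000),
                                (FLOOD, DATACENTER, 500_000),
                                (DEFACEMENT, WEBSITE, 8_000)):
        score = risk_score(threat, asset)
        rows.append((asset.name, threat.name, score, risk_rating(score),
                     recommend_treatment(threat, asset, cost, appetite_usd)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for row in register():
        print(row)
```

The three constructed rows land on the three treatments the post lists: ransomware against the file server scores 6 (high) and the $20,000 control is cheaper than the $75,000 expected annual loss, so mitigate; the flood scores 3 (medium) but the $500,000 fix exceeds the $20,000 expected loss, which is still above the $1,000 appetite, so transfer via insurance; defacement of the website scores 2 (low) with a $250 expected loss against an $8,000 control, so accept. The probability buckets, rating thresholds and the full-loss assumption are the knobs a real program would calibrate.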

So, to tie everything together, the Red Team's job is to assess the vulnerabilities that exist in the organization and attempt to exploit them.  This gives the organization an idea of how many vulnerabilities it has, how widespread they are, and how easy they were to exploit.  The Blue Team then takes this information to confirm that its list of assets is properly documented and covered by its continuous monitoring program, to evaluate how effective its program is for things like applying patches/updates, scanning for malware, properly implementing access control and password policies, and training employees, and to confirm that the risk analysis is being done frequently and accurately.

In future articles, I will take a deeper dive into these areas, as well as talk about some of the strategies for implementing techniques for continuous monitoring, security control implementation and testing, and how to ensure that assets are properly inventoried and documented.  At the end of the day, it really is all about risk assessments, and using the information from periodic and robust testing to ensure that your protections are in place to secure your environment.


For further information: