A widely accepted definition of information security risk is the potential of a specific threat exploiting the vulnerabilities of an information asset, with the following formula used to represent information security risks: Risk = Likelihood x Impact.
The potential impact on information, processes and people is typically estimated during a business impact analysis as part of corporate business continuity planning. However, estimating likelihood of information security risks is often guesswork resulting from combined vulnerability assessments and threats assessments. While assessing the likelihood of risks, many IT security teams will categorise risk using the traffic light system for high, medium or low level. Those responsible for information security in a company should estimate risk levels for all corporate information systems and apply control measures accordingly. Estimating risk levels is a continuous process and it requires the use of tools such as vulnerability assessment scanners and/or contracting the services of companies specialized in ethical hacking.
In May this year, the Financial Times was hacked via the exploit of one of its many blogging systems. The system in question was based on the vulnerable version of a content management system. This case illustrates that the principle of the weakest link in the security chain could affect complex information systems with many interconnected components. To maintain a high level of protection of vital corporate information, it is necessary to assess vulnerabilities of all information systems, since those that are less critical could be exploited to provide access to other, more critical systems.
The likelihood of successfully exploiting a vulnerability is determined by the degree of difficulty in its implementation, skills of the attacker, availability of software tools, capacity of processing power and data connectivity, and publicly available information on the vulnerability.
A vulnerability that is known to be popular among hackers carries a higher likelihood of exploitation. Standard tools for vulnerability assessments are software based vulnerability scanners. These automated tools compare detected application, operating systems and other components on target hosts against proprietary or public databases of known vulnerabilities. They provide reports on detected gaps and recommend implementation of security patches, if they are available.
In assessment reports, automated scanners typically provide links to vendor provided security patches or knowledge base articles with recommended fixes. After testing the top five tools, I have been using Retina CS from BeyondThrust for the last two years. However, automated tools lack human intelligence and cannot recognize relationships among interconnected information systems. A determined hacker is more likely to exploit even the low prioritized vulnerability on one system if it has the potential to lead to a high value business asset.
In today's dynamic business environment where boundaries of responsibilities blur in cloud computing, it is difficult to dedicate resources to the continuous audit of all IT assets. Moreover, certified and skilled manual ethical hacking is costly and time consuming. Nevertheless, there are new assessment solutions for information security managers and IT auditors -- hybrid solutions in the form of combined automated vulnerability scanners with manual ethical hacking.
Sign up for CIO Asia eNewsletters.