
Week 23: Risk assessment steps five and six: Identify threats and determine vulnerabilities

In this week's column, Shelley Bard continues her advice on risk assessment.


Risk assessment is the process of analyzing threats to, and vulnerabilities of, an information system, and the potential impact that the loss of information or capabilities of a system would have on national security or your company's bottom line.

Using the Information Security Protection Matrix and the risk assessment process referenced in the Week 20 column, this column continues breaking down the 10-step process, focusing this week on steps five (identify threats) and six (determine vulnerabilities).

To identify threats, look at the organization, the parent company and the industry/country. At each level, determine the danger by asking whether an attacker can pose a threat. Does someone have the motivation to exploit a vulnerability? Is there a history of successful exploits? Does someone have a history of targeting your industry?

Another way to identify threats is to think in terms of the threat properties, that is, the kinds of harm the organization's assets could suffer: disclosure (compromising emanations, interception, improper maintenance procedures, hackers); interruption (earthquake, fire, flood, malicious code, power failure); modification (data entry errors, hackers, malicious code); destruction (power spikes, fire, natural disasters); and removal (theft of data or systems).

To determine vulnerabilities, use the matrix to interview personnel, review previous security incidents, and examine audit and system records and system documentation. Contact vendors for reports of known system vulnerabilities, check advisory Web sites and look for security issues by using automated tools. Then, evaluate the vulnerabilities while considering their number and nature and any countermeasures in place (discussed further next week).

Using the matrix, what vulnerabilities exist in the organization's physical areas as applied to information security? Analyze findings from your observations and personnel interviews, risk assessment and historical site surveys, reviews of written and informal procedures and audit trail data, and any other research, like diagrams, practice drills, etc.

Using these findings, determine what vulnerabilities exist in the organization's administration, policies and documentation area, and in the organization's personnel practices. Consider also the organization's communications/network connectivity and the computer system itself.

Once the threat levels have been identified and quantified, evaluate the vulnerability. Does the asset to be protected have single or multiple vulnerabilities? Is it difficult/costly to exploit? Examine countermeasures. Is the asset being protected? How? Using the matrix, determine what is missing.
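The following is an added example, not part of the original column and not Verizon FNS or government material, showing how the questions of steps five and six can be captured in a small, repeatable model: threats are quantified by motivation, exploit history and industry targeting (the three questions above), vulnerabilities are recorded per matrix area with their exploit difficulty and countermeasures, and the two are combined into a ranked list. The matrix areas are the five named in this column; the exact layout of the Information Security Protection Matrix, the 0-3 scales, the weights and all sample assets are assumptions for illustration only.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Threat properties as grouped in the column (the kind of harm each family of threats causes).
THREAT_PROPERTIES = {
    "disclosure":   ["compromising emanations", "interception",
                     "improper maintenance procedures", "hackers"],
    "interruption": ["earthquake", "fire", "flood", "malicious code", "power failure"],
    "modification": ["data entry errors", "hackers", "malicious code"],
    "destruction":  ["power spikes", "fire", "natural disasters"],
    "removal":      ["theft of data or systems"],
}

# Matrix areas named in the column. The real matrix layout is not reproduced; this is an assumption.
MATRIX_AREAS = ("physical", "administration/policies/documentation",
                "personnel", "communications/network", "computer system")


@dataclass
class Threat:
    source: str              # e.g. "hackers", taken from THREAT_PROPERTIES
    prop: str                # key of THREAT_PROPERTIES
    motivation: int          # 0..3: does someone want to exploit a weakness? (scale assumed)
    exploit_history: int     # 0..3: history of successful exploits
    industry_targeting: int  # 0..3: history of targeting this industry/country

    def level(self) -> int:
        """Quantified threat level, 0..9 (additive scale is an assumption)."""
        return self.motivation + self.exploit_history + self.industry_targeting


@dataclass
class Vulnerability:
    asset: str
    area: str                 # one of MATRIX_AREAS
    description: str
    exposes: set[str]         # threat properties this weakness makes possible
    exploit_difficulty: int   # 1 = easy .. 3 = difficult/costly
    countermeasures: list[str] = field(default_factory=list)


def risk_score(threat: Threat, vuln: Vulnerability, vulns_on_asset: int) -> float:
    """Combine the threat level with the column's vulnerability questions: how hard or
    costly the weakness is to exploit, whether the asset has multiple weaknesses, and
    whether countermeasures are in place. Weights are assumptions."""
    if threat.prop not in vuln.exposes:
        return 0.0
    ease = 4 - vuln.exploit_difficulty              # 3 = easy .. 1 = difficult/costly
    multiplicity = 1 + 0.5 * (vulns_on_asset - 1)   # several weaknesses raise exposure
    return threat.level() * ease * multiplicity / (1 + len(vuln.countermeasures))


def rank_risks(threats: list[Threat], vulns: list[Vulnerability]) -> list[tuple]:
    """Return (asset, area, threat source, weakness, score) rows, highest risk first."""
    counts: dict[str, int] = {}
    for v in vulns:
        counts[v.asset] = counts.get(v.asset, 0) + 1
    rows = []
    for v in vulns:
        for t in threats:
            score = risk_score(t, v, counts[v.asset])
            if score > 0:
                rows.append((v.asset, v.area, t.source, v.description, round(score, 2)))
    rows.sort(key=lambda r: r[4], reverse=True)
    return rows


def unprotected(vulns: list[Vulnerability]) -> list[str]:
    """Weaknesses with no countermeasure recorded: what the matrix shows as missing."""
    return [v.description for v in vulns if not v.countermeasures]


def areas_not_examined(vulns: list[Vulnerability]) -> list[str]:
    """Matrix areas with no findings at all, i.e. gaps in the assessment itself."""
    covered = {v.area for v in vulns}
    return [a for a in MATRIX_AREAS if a not in covered]


# Constructed sample findings for a fictitious organization (not real data).
SAMPLE_THREATS = [
    Threat("hackers", "disclosure", 3, 2, 2),
    Threat("malicious code", "interruption", 2, 3, 1),
    Threat("theft of data or systems", "removal", 1, 1, 0),
    Threat("power failure", "interruption", 1, 2, 0),
]
SAMPLE_VULNS = [
    Vulnerability("customer database", "computer system", "unpatched database server",
                  {"disclosure", "modification"}, 1),
    Vulnerability("customer database", "administration/policies/documentation",
                  "no written backup/restore procedure", {"interruption"}, 2,
                  ["nightly tape backup"]),
    Vulnerability("server room", "physical", "door left propped open",
                  {"removal", "interruption"}, 1, ["badge reader", "CCTV"]),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE_THREATS, SAMPLE_VULNS):
        print(row)
    print("no countermeasure:", unprotected(SAMPLE_VULNS))
    print("areas not examined:", areas_not_examined(SAMPLE_VULNS))
```

With the sample data the unpatched database server ranks first (high threat level, easy to exploit, two weaknesses on the same asset, no countermeasure), while the propped door scores low because two countermeasures already cover it. The `areas_not_examined` check answers a question the column raises implicitly: the matrix is only useful if every area was actually reviewed, so areas with no findings at all should be treated as unfinished work rather than as clean.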

More information
Good examples can be found at the DISA, NIST and NSA Web sites. Adapt what works for your organization based on threat and regulation needs.

About the author
Shelley Bard, CISSP, is a senior security network engineer with Verizon Federal Network Systems (FNS). An infosecurity professional for 17 years, Bard has briefed and written infosecurity assessments and technical reports for the White House and Department of Defense, special interest groups, industry and academia. Please e-mail any comments to mailto:[email protected].

Opinions expressed in this column are those of Shelley Bard and don't necessarily reflect those of Verizon FNS.

Last week: Risk assessment steps 3 and 4: Identifying methodology and assets; assigning value
Next week: Identify current countermeasures/likelihood of exploitation

This was last published in May 2004
