Richard Bejtlich at TaoSecurity has a great post regarding Dan Kaminsky’s DNS news in the context of a handful of other vulnerabilities announced at the same time. He does a good job of putting things in perspective in terms of risk as a function of threats, vulnerabilities, and potential losses:
It’s bad if you think of R only in terms of V and forget about T and A. What do I mean? Remember the simplistic risk equation, which says Risk = Vulnerability X Threat X Asset value. Those vulnerabilities are all fairly big V’s, some bigger than others depending on the intruder’s goal. However, R depends on the values of T and A. If there’s no T, then R is zero.
I agree entirely with this statement, but it makes me wonder if we should ever assume T(hreat) equals 0. Remember that these values are estimates only and our threat estimate may be the most difficult to evaluate.
Since we know in a general sense that “threat” exists in the cyber infrastructure, the question of whether there is a threat value for some particular attack vector (vulnerability) ends up being a function of comparative costs of attack, anticipated benefits, and likelihood of getting caught. That is, an attacker will do his best to minimize his costs and maximize his gains without getting caught.
In the DNS case, this becomes even more interesting, because it appears (to me) that the “vulnerability” he found is really a new attack technique that reduces the attacker’s costs significantly. That, in turn, is likely to increase the threat component of risk.
Another way to evaluate “threat” is to factor in the total volume of activity (or potential activity) for some particular vulnerable technology. Higher volumes create an increased threat, constrained (sometimes significantly) by the cost to attack.
Pete,
Of course T can’t be zero, especially in the context of that equation and its common use (i.e. with ordinal values). Why? Because T = 0 doesn’t therefore make V or A = 0. It’s nonsense. A still has observable value, as does V.
Finally, multiplying ordinal numbers is like multiplying crayon colors. You can’t do it.
“It’s bad if you think of R only in terms of V and forget about T and A.”
I ask you, now…who could forget about T & A?
@Alex -
I don’t really know what you mean – if you are multiplying numbers and one of them is 0, then the final answer is 0. But you know that. So why should T need to affect V and A? I think they are fairly easy to keep discrete (in most cases).
Can you clarify?
@JohnQ – True enough
Hi Pete,
It’s 5am and I’ve not had my coffee so this may be a little rough, but take a second and play with that equation using basic algebra. You’ll get all sorts of nice things like 1/T*R=A*V and such.
As you do it, focus on the “=” sign and its meaning – a nice test is to not say “equals” but to say “is the same as”. I think you’d have a tough time suggesting that Threat “is the same as” R/A*V. But if that equation is logical – then that should be true.
But the stupidity of that equation is just one part of the problem. Then using “0” as part of your ordinal or interval scale and plugging that somewhere into that equation – things just become even sillier.
@Alex -
I don’t think it is a problem at all to say that R/(A*V) “is the same as” T so we must be thinking differently there. I also think that the ordinal/interval number thing is a red herring. I would rather have absolute numbers, but I can live with someone prioritizing using a scale.
I should clarify – my preference is to think of risk as a function of threats, vulns, and consequences. Then, I make consequences qualitative (e.g. owning a system) so that threats and vulns consist of a probability. Finally, I think of T and V as percentage of bad flows, sessions, program operations, transactions.
That said, I don’t see anything wrong with Richard’s logic and I generally use it myself in a quick analysis.
If you can provide an example using risk assessments (and not calendar dates) where this is obviously “stupid”, I would appreciate it.
We’re looking at two different issues, the equation and then the use of scale. Ignoring the use of scale bit and focusing on the equation -
What is the logic of multiplying Threat times Vulnerability?
Then, what is the logic of multiplying by Asset?
I think I tabbed poorly; the above comment is, in fact, mine and not Pete’s.
@Alex – I agree these are two separate things (I believe you were the one who introduced the scale issue into the discussion).
Risk is the likelihood of loss — a probability number between 0 and 100. So TxV are the components of that probability number (leave consequences out of it for now). And if we actually have probability of threat and probability of vuln, then you multiply probabilities together to get the risk. If T or V is 0, then the total risk is 0.
I would argue that risk is the probable frequency of loss AND the probable magnitude of that loss.
Likelihood defined that way, to me, has limited meaning in the context of security events (how often does an attack without response occur just once?).
Second, if I grant you that we break R down that way, what do you mean by “the probability of Threat” and “the probability of Vulnerability”?
I’m not being facetious, I’d really like to know, because those probabilities have no meaning to me unless you have a more specific definition.
There might be one value missing in that formula, and that is “countermeasures”. The one I’ve seen the most is this one:
Risk = ((Vulnerability X Threat) / Countermeasures) X Asset value
As I see it, this formula only serves the purpose of making us aware of the factors — quantifying them and calculating the risk as a number is quite difficult, if not impossible.
Sure there was a time when T was so close to zero as to make no difference. For quite a few years MIT ran an “incompatible” timesharing system on the ARPANET with no security at all. There were no “privileged” restricted commands, and anyone could connect from anywhere on the net without logging in and execute a command that would cause the system to crash. In the risk equation, this amounts to setting V to infinity. Since the asset value was substantial enough to keep the system online for over a decade, you have to do a physicist’s approximation and say that T*V = infinity*0 = 1. It’s not rigorous math, but it works.
The real problem is your definition of risk as a product of factors (V*T*A).
This makes the assumption that Vulnerability and Threat are independent probabilities, which is patently false.
Risk is an expected value, that is, it is a probability * value.
The probability is the probability of the asset value loss, which is really a function of (threat, vulnerability, exposure, countermeasures, etc.) The true formula for risk is
Risk = ProbOfLoss(threat, vulnerability, countermeasures, …) * AssetValue.
In this more accurate formula, you can have a zero threat, but still have a non-zero probability of loss.
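As an added example (not code from the post or any of its commenters), the following script contrasts the simplistic V x T x A product with the expected-value form over a constructed session log in which attackers deliberately concentrate on the vulnerable path, plus a second log with no attackers at all; the session records, the 100,000 asset value and the loss rule are assumptions made for illustration.

```python
"""Risk as an expected value, computed over a constructed session log.

Added example, not code from the original post or its commenters. It
contrasts the simplistic Risk = V x T x A product, which treats threat and
vulnerability as independent marginal rates, with Risk = P(loss) x A, where
P(loss) is the observed joint frequency of loss events. Every value below is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    attacked: bool          # hostile traffic was actually sent (the T component)
    exploitable: bool       # the session hit a vulnerable code path (the V component)
    accident: bool = False  # non-adversarial failure (operator error, outage)


# Constructed sample of 20 sessions. Attackers concentrate on the vulnerable
# path, so T and V are correlated and the product of marginals misstates risk.
SESSIONS = (
    [Session(True, True)] * 4        # attacked on the vulnerable path: loss
    + [Session(True, False)] * 1     # attacked on a safe path: no loss
    + [Session(False, True)] * 1     # vulnerable path, nobody attacking
    + [Session(False, False)] * 14   # neither
)

# Constructed sample with zero threat: 10 sessions, one non-adversarial accident.
NO_THREAT = (
    [Session(False, True)] * 2
    + [Session(False, False, accident=True)]
    + [Session(False, False)] * 7
)


def marginal(sessions, attr):
    """Fraction of sessions where the named attribute is true."""
    return sum(getattr(s, attr) for s in sessions) / len(sessions)


def is_loss(s):
    """A loss needs both a threat and a vulnerability, or a non-adversarial accident."""
    return (s.attacked and s.exploitable) or s.accident


def risk_product(sessions, asset_value):
    """Simplistic form quoted in the post: R = V x T x A, using marginal rates."""
    return marginal(sessions, "attacked") * marginal(sessions, "exploitable") * asset_value


def risk_expected_loss(sessions, asset_value):
    """Expected-value form: R = P(loss) x A, with P(loss) the joint loss frequency."""
    return sum(is_loss(s) for s in sessions) / len(sessions) * asset_value
```

On the correlated log the product form gives 6,250 against an observed expected loss of 20,000; on the zero-threat log the product form gives 0 while the accident still leaves an expected loss of 10,000.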