Investigation of the potential for a Risk Assessment optimisation scheme using objective input based on CySeMoL and internal inventory data


Abstract

There is an ever-increasing cyber threat landscape that targets an increasingly complex set of information technology infrastructures. A multitude of methodologies, frameworks and tools exist, aimed at assisting organisations to reduce the impact and likelihood of any attacks on their systems. There is a question of how organisations know which method is the best for conducting a risk assessment pertinent to their needs. These organisations need to be confident that the risk assessment and resultant risk treatment plan will be effective in mitigating risks. In order to provide that confidence, the use of tools to enhance any risk management strategies may be considered. These tools must however have been tested and implemented within any adopted hybrid risk assessment approach, in a way that the organisation fully trusts any recommendations that fall out of the results of a risk treatment plan.

Acknowledgements

Many thanks to Dr Gregory Epiphaniou at the University of Bedfordshire for the support, guidance and feedback he has provided me in the production of this report.

Dedication

This project is dedicated to my darling wife who has never once complained about me being shut away in my office for days on end compiling this report.

Keywords

Security, Risk, Assessment, Controls, Assets, Cyber, Attack, CySeMoL

Contents

Abstract ..... 2
1 Introduction ..... 4
1.1 Research Problem ..... 4
1.2 Aim ..... 4
1.3 Key Performance Indicators (KPI)/Objectives ..... 4
1.4 Layout ..... 5
2 Literary Review ..... 5
2.1 The need for Risk Management ..... 5
2.2 Security Risk Assessments ..... 7
2.3 Potential shortfalls in Risk Assessments ..... 11
2.4 Hybrid approach to information security risk assessments ..... 13
2.5 Use of Controls in Risk Management ..... 14
2.6 Relationships between Security Controls and Assets ..... 15
2.7 Use of Attack graphs in security risk assessments ..... 16
2.8 CySeMoL and EAAT ..... 18
2.8.1 P²AMF ..... 21
2.8.2 Recent research on CySeMoL ..... 23
3 Practical Application ..... 24
3.1 Scenario ..... 24
3.2 Method of testing ..... 33
3.3 Practical work through ..... 38
3.4 Scenario Testing ..... 45
3.5 Problems/Issues ..... 52
3.6 Conclusion ..... 53
3.7 Future work ..... 54
References ..... 55
Appendix A. List of defenses, assets and attack steps ..... 58
Appendix B. Full Network ..... 61
Appendix C. Poster ..... 62

1 Introduction

1.1 Research Problem

Security Risk Assessments and the resultant risk treatment can be conducted using various methodologies and techniques with varying success. IT infrastructure and the threat landscape are ever changing. A change in IT infrastructure may impact on other areas of that system and also may impact on the risk controls in place to reduce risks.

Therefore, can a tool be used as part of a risk assessment to provide a more definite and reliable output with regards to identifying relationships between controls and assets?

1.2 Aim

The aim of this report is to identify if it is possible to improve or optimize the security risk assessment process for an IT infrastructure.

In order to ascertain this, one part of this optimization may be to use a tool to establish if there is a method of identifying what effect the changing of one control or asset has on other controls and assets.

This report will focus on the use of the Cyber Security Modelling Language (CySeMoL) and associated Enterprise Architecture Analysis Tool (EAAT).

1.3 Key Performance Indicators (KPI)/Objectives

a. As part of the literary review a research gap analysis on existing Risk Assessment methodologies will be conducted. The gap analysis will therefore justify the necessity of this report and research.
b. Confirm if the method put forward takes a quantitative approach or is more subjective in nature.
c. Identify if we can optimise part of the risk assessment process, in this case by the use of a tool (CySeMoL and EAAT).
d. Identify if CySeMoL and the associated tool can be used to assist in security risk assessments.

1.4 Layout

This report is laid out with an initial introduction which includes the research problem and aims and objectives. A literary review is included to set the scene of the need for risk management and risk assessments. There is an introduction to CySeMoL which forms part of the practical testing of a simple IT infrastructure, followed by the testing of that IT infrastructure aimed at looking at the research problem.

Finally, a conclusion and potential future work are identified at the end of the report.

2 Literary Review

2.1 The need for Risk Management

Hardy, K (2014) provides a definition of [Enterprise] Risk Management by the Committee of Sponsoring Organizations (COSO) as being "...a process, effected by the entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of objective."

From the Management of Risk: Guidance for Practitioners (2010), risk "...is defined as 'an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.'"

Risk occurs in all organizations and therefore must be managed appropriately to the business. Murray-Webster (2010) highlights various reasons why organisations should manage their risks, including "...improve[d] internal control and [to] support better decision-making", "...fewer sudden shocks and unwelcome surprises" and "...more efficient use of resources".

Risk management should therefore be used in all organisations that wish to improve their decision making or reduce the number of shocks and unwelcome surprises and make better use of their resources. There are various risk specialisms which include (Murray-Webster (2010)):

• Business Continuity Management
• Incident and Crisis Management
• Health and Safety Management
• Security Risk Management
• Financial Risk Management
• Environmental Risk Management
• Reputational Risk Management
• Contract Risk Management.

Security Risk Management is highlighted as a specific area of risk management. This paper more specifically will focus on Information Security Risk Management, where information security is "...protecting information from unwanted exposure, tampering, or destruction." (Sadowsky, G et al (2003)).

A fundamental part of risk management is understanding what risks are applicable to an organisation. This is achieved by the organisation conducting a risk assessment which is pertinent to the area that is of concern to the business. As already discussed, for this paper the focus will be on Information Security.

Moreover, not only is there a need for a risk assessment, but there is the need for that risk assessment to be updated on a continual basis. The threat landscape with regards to attacks on organisations and the security of information is a continuous battle. A report produced by FireEye quotes that Mandiant (an American cybersecurity firm) "...has been advising clients to prepare for when attacks happen, not if they happen..." (FireEye, Inc, 2016). This therefore means that to effectively manage any risk to information security, the management of risks should be an ongoing process.

This is by no means an easy feat to achieve though. Not only do potential attackers change their modus operandi and/or their toolkit(s), any change to an organisation's infrastructure may change or potentially add new vulnerabilities. For instance, the patching of an operating system or piece of software may add vulnerabilities that are not known about until they are identified by the software manufacturer.

The newly set up National Cyber Security Centre (NCSC) raises this point in that "A technology system that is 'secure' today will not necessarily be secure tomorrow. The changeable and complex nature of technology systems means that the corresponding security cannot be in a fixed state." The NCSC highlights this as a weakness of current risk assessments. It raises the point that organisations should have the capability in place to monitor threats to an organisation's infrastructure, which in turn should provide sufficient information to allow changes to security controls to combat those changing threats.

2.2 Security Risk Assessments

"Risk assessment is the core process of information security risk management." Lo, C et al (2012). For an organisation to understand how to reduce risks to their information systems there needs to be an understanding of how those risks are likely to affect the critical business areas of an organisation. The impact on an organisation may be the inability to perform its main function or a monetary value, be that because of a regulatory fine or due to the reputational impact where customers take their business elsewhere.

As an example, in October 2015, an attacker accessed personal data of 156,959 TalkTalk customers, which included names, addresses, dates of birth, phone numbers and email addresses. In some cases, the attacker had access to bank details including sort codes [1]. The company was fined a total of £400,000 by the Information Commissioner's Office (ICO). It is likely that as a result of this attack existing TalkTalk customers will have moved to another Telecoms company resulting in a loss of revenue to TalkTalk.

The attack is a common technique used by attackers known as an SQL injection attack. The ICO stated that "TalkTalk's failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk's systems with ease." ICO technical experts assessed that "TalkTalk had failed to remove, or otherwise make secure, the webpages that enable the attackers to access the underlying database." This would suggest that either TalkTalk had not carried out a comprehensive enough risk assessment and therefore did not know about the risk, or did not implement sufficient controls to mitigate the risk.

[1] Information Commissioner's Office report, "TalkTalk cyber attack – how the ICO's investigation unfolded".

The importance of conducting a [security] risk assessment is further highlighted by Giannopoulos, G et al (2012) where "Risk assessment is indispensable in order to identify threats, assess vulnerabilities and evaluate the impact on assets, infrastructure or systems taking into account the probability of the occurrence of these threats."

In many domains, risk assessments on information systems are conducted manually in accordance with differing methodologies by specialist security experts or Information Assurance practitioners. Holm, H et al (2014) highlight this by stating that "A common means of estimating the cyber security of their systems in practice is to consult experts, e.g., network penetration testers."

Additionally, Holm, H et al (2015) acknowledge the need for these experts for estimating the security of enterprise architectures but point out "...three significant delimitations: they are only valid for 1) the time that they were carried out, 2) the parts of the enterprise architecture that were studied by the expert, and 3) the competence of the consulted expert."

The use of individual security experts to conduct risk assessments "...from diverse backgrounds, ... will produce subjective assessments based on their specialized standing duties, and job positions." Lo et al (2012). Lo proposes a hybrid procedure in order to "...diminish the subjective nature of these assessments with aggregation." The potential for using CySeMoL and the Enterprise Architecture Analysis Tool in a hybrid approach is discussed further in this report.

To reduce these perceived weaknesses in risk assessments of information systems, they need to be:

1. Able to be conducted on a more regular basis, perhaps even on the fly;
2. The whole enterprise architecture needs to be included in any risk assessment; and
3. Ideally there is a need to reduce the reliance on the competence of a consulted expert.

Throughout the review of documentation to support this project, similar terminology is used when conducting a security risk assessment. Ji-zheng et al (2013) states "Risk assessment aims to analyse potential risks of information systems and supplying risk reduction through recognizing assets, threats and vulnerabilities."

Liu, C et al (2012) comments that "The objective of Risk Assessment is to identify and assess the potential threats, vulnerabilities and risks..." With regards to methodologies of risk assessment they highlight one approach which is "...to assemble the results of a Threat Assessment, Vulnerability Assessment, and an Impact Assessment to determine a numeric value of Risk..." This is then defined in a diagram which is detailed below and highlights the identification of Assets and Threats as initial activities prior to determining probability and impact of the threat occurrence.

Figure 1. Illustration of Risk Assessment Process (Liu, C et al (2012))

Further, Lanz, J (2015) quotes that the National Institute of Standards and Technology's (NIST) "Guide for Conducting Risk Assessments" details the following tasks that are performed as part of an information technology risk assessment:

• Identify threat sources and events;
• Identify vulnerabilities and predisposing conditions;
• Determine likelihood of occurrence;
• Determine magnitude of impact;
• Determine Risk.

Panda P (2009) produces the following phases and processes from the OCTAVE approach to understanding and assessing information security risks:

Figure 2. Risk Assessment Phases (Panda, P (2009))

According to Panda, P, the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®) approach "...is [a] framework that enables organisations to understand, assess and address their information security risks from [an] organisation's perspective."

Finally, with regards to risk assessment steps, Lo et al (2012) have arrived at the following steps for use in a "...hybrid information security risk assessment procedure":

(1) System Characterization;
(2) Threat and Vulnerability identification;
(3) Likelihood Assessment;
(4) Impact Analysis;
