risk assessment

Hurricanes and Risk – Unexpected Consequences

Posted on September 11, 2008 by Caroline Ramsey-Hamilton • 0 Comments

Murphy’s Law states that anything that can go wrong — will go wrong. Natural disasters like earthquakes, power outages and hurricanes always seem to prove that this old axiom is still true.

Many people are allergic to change and when their environment starts to change drastically, as it will in a natural disaster — say a hurricane. And when the environment and familiar patterns start to break down, people get anxious, anxiousness turns into nervousness and in a state of anxiety, bad decisions are made.

The continual push to have emergency responders train, train and train some more, the importance of doing drills and testing emergency plans reflects the importance of people feeling COMFORTABLE and FAMILIAR with the disaster operations and steps toward recovery. Almost every requirement, whether it is for a physical security standard like FEMA 426 (How to Protect Buildings from Terrorist Attacks), to a bank standard like the FFIEC (Federal Financial Institutions Examination Council) the requirements requires disaster plan testing, and training for the personnel who will be affected by the disaster. The better and more frequent the testing and training, the better the plan will perform during an actual disaster.

Stories keep making the rounds about the South Street Seaport outage in lower Manhattan, and the emergency vehicles who raced to the scene and found there was no electricity to plug into.

If we put aside the original disaster, then you will often find peripheral activities that are thrown off and do not behave as planned. When I first moved to the DC area, we had a major power outage in the high rise office I off the beltway. No problem — the building manager had a diesel generator up on the roof. But he had stored the diesel fuel in the basement, and it was about 88 degrees that day. He managed to carry the fuel up the 16 flights of stairs to the waiting emergency generator, but he was hot and tired and when he poured the diesel, he slopped it over the side and it spilled down the outside the building and then soaked into the walls, and we had diesel leaking out of the electrical outlets! If you ever drive by the “Darth Vadar” building right at Route 50 and the Beltway — you can still see the stain on the building.

So when hurricanes are heading west, north and east, all at the same time, it’s a good idea to encourage your associates to breathe deeply, calm down, and take extra time to make sure that things get done correctly.

One of my friends is leaving Brownsville to get away from Hurricane Ike as I am writing this. And I had Hurricane Hanna visiting Annapolis less than a week ago.

Stay safe.

School Security Assessments & Children

Posted on July 18, 2008 by Caroline Ramsey-Hamilton • 0 Comments

My children are out of schools now, but I am always shocked at what I see on CNN’s Nancy Grace Show — all the terrible people who are snatching little girls on their way home from school. And what about the janitorial staff in some schools who don’t take time for the routine background check and find later that these men just rotate through the different schools looking for young victims.

I have been discussing this with some of my ASIS friends who do these types of assessment and they agree that sometimes it seems like the school management is not interested in a REAL security assessment, but instead just wants to punch the ticket so they can say it’s been done.

Conversely, they also find organizations who want to justify an expensive camera system, but totally ignore the basics….One of my friends wrote to me and said, “I have yet to see a school that has not spent a few thousand on detection systems to protect a few thousand dollars of computers but nothing on educating the staff and students on how to respond to critical events in conjunction with the first responders”.

He continued…. “ 99% of all of the school vulnerability assessments I have performed shows
is this: CCTV and Access Control systems are truly useful tools, but they follow the principle of responding after the horse has left the barn, when they should be putting time and smaller amounts of money into such things as fencing and meaningful emergency exercises to prevent and mitigate the threats. Dependence upon electronics is lulling the schools into a false sense of security – the real assets aren’t the computers – the real assets are the kids and staff. An effective true vulnerability risk assessment would show the way to making more informed decisions”.

The same thing happens to organizations who want to spend money on fancy, shiny, IT stuff, instead of doing boring things like:

1. Making sure the staff gets enough training.
2. Making sure that security plans are updated annually.
3. Updating the background checks.

Controls that cost less than $1000 are usually ignored for big purchases like digital color camera systems. We had one incident I remember where the organization had already paid for and installed the fancy camera system, but no one was available to do the monitoring!

Training in how to use new systems is also another area that often gets neglected and it is probably the SINGLE, MOST IMPORTANT PART of any new system. More than one organization didn’t keep using the new visitor management system because the staff never took the training and didn’t understand how to use it. Without that training, you might as well save your money.

And while we’re on schools – I actually got a letter from a big inner-city school district, and it was on letterhead and it said, “We regret that we cannot do a security risk assessment but we feel that if we identified particular risks, we might be liable if we did not fix them in a timely manner.”

YES – if you identify a terrible security problem and don’t fix it – you could be held responsible – but what if you have three teachers killed, or three students – Security shouldn’t just be about liability. It should actually FIX something.

One of the more successful schools assessment projects I have seen lately is down in Florida, where one of the schools is involving parents, as well as staff, in the school security program. There are online security guides that parents have to view, and they actually track it to make sure the parents are taking the online security training.

I got re-interested in the schools when I saw an HBO documentary on a Baltimore school that was having problems complying with the No Child Left Behind legislation, it’s called “Hard Times at Douglass High”. It outlined many of the problems that large city schools have to face, and although the documentary didn’t focus on security, security is always an issue.

Again, it’s the risk assessment that can give a school, whether it’s a public school, private school, magnet school or charter school a good overview of the security controls they have in place and what they need to do to improve. By setting up a program that REGULARLY assesses the school’s security profile, and does a cost benefit analysis on potential controls, the school will go a long way in protecting the interests of the students, the staff and the parents.

The Latest Risk – Data Center Theft

Posted on July 5, 2008 by Caroline Ramsey-Hamilton • 0 Comments

In November of 2007, a co-location data center with state-of-the-art technological controls in place on all of its equipment was broken into for the fourth time. The burglars simply took a masonry saw and cut out a section of the concrete wall. According to a letter from officials — the night manager was repeatedly tazered and struck with a blunt instrument. After violently attacking the manager, the intruders stole equipment belonging to the data center and its customers and at least 20 data servers were stolen.

So does this mean that we have crossed the threshold where the information is more important than the equipment on which it resides? Even more amazing is that this particular co-location center has experienced more than FOUR break-ins! That’s certainly some kind of record.

My theory is that whenever the economy takes a downturn, robbery, burglary and other petty crimes start going up. White collar crime also starts to increase as employees start feeling that their job may not be secure as they thought – and start helping themselves to whatever the company has given them access to, maybe paperclips, maybe something more interesting.

There’s so much talk about “convergence”, the fusion of physical and information security. I think it is still typical in most companies to handle these two types of security completely separately and when the crime rate is increasing, that’s when you have to make sure that the correct physical controls are in place. In the same vein, the background checks on key personnel should be done more often and certainly should be done for all new employees.

A time-honored mantra for security people has always been “the insider threat is always worse than the outsider threat”. You can see the logic in this immediately, because the trusted insider has access to lots of information and with the use of a thumb drive or memory stick, its easy to get information out of a facility. Many organization ban thumb drives for this reason, but they are also not searching the purses, gym bags and other paraphernalia an employee may bring to work.

Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, up 1/3 over the previous quarter, according to the non-profit Identity Theft Resource Center (ITRC). This is more double the first quarter of 2007 (which was 76 breaches). It is an easy theft with a big upside and you can just sell the information to a sort of electronic fence so you don’t have to do much yourself.

Many of the investigations I have been involved with have uncovered employees doing another kind of theft – capacity theft. They are running their own businesses on the organizations boxes, basically stealing capacity and storage, plus the loss of their time and energy while they are engaging in these practices. This can extend from running sex rings which we have seen in state government data centers as well as a recent incident with Congress, to taking the client lists and selling them to spammers.

So with the external environment making lots of people think they could use a few extra bucks, it is probably a good time for improving access control systems, doing background checks on a more frequent basis, and generally improving the facilities security of your data center. Of course, it goes without saying that you should be doing your risk assessments on a more frequent basis.

Besides doing the security checks, a side benefit is that if you publicize the fact that you are doing an assessment, employees will back off their extracurricular activities on your systems. Once again — the risk assessment is a win-win.

Visit RiskWatch.com for more Information

Fear of Risk Assessment!

Posted on June 17, 2008 by Caroline Ramsey-Hamilton • 0 Comments

Why are people INTIMIDATED by risk assessments? Is it because they seem overwhelming with their arrays of lists and categories? (At last count – I categorized over 1.572 million combinations of the 44 asset categories, 58 threat categories, 55 vulnerability categories, 7 loss categories and 160 control categories)!

Part of the trepidation of manager tasked with a risk assessment seems to be that they are anxious about making key assumptions and assigning importance to different areas of the business or agency. Of course, part of this is political – the risk analyst has the power to build up the importance of one part of an organization and reduce the stature of another – or EVEN AFFECT THEIR BUDGETS!!

In practice however, it seems like the exercise of doing a risk assessment affords a level of protection which is related to how many other people actually contribute to the risk assessment results. Using the compliance survey as a participatory measure takes the onus of absolute responsibility away from the manager and distributes it throughout the organization where it belongs.

Besides – how can one person know enough to do the entire risk assessment by their self? They would have to be everywhere at once – in the morning, late at night, on the weekends, and also be able to channel the work of everyone from the newest tech support person to the director of the data center. And the inclusion of a variety of individuals adds weight and power to the risk assessment.

While the analysts may be accountable for the report of potential risk, the responsibility for any action that needs to be taken is up at the C level, or with the Board. In fact, in the FFIEC IT Handbook, they spell out, “The Board is responsible for holding senior management accountable”. Often we have found that the actual President of a bank or credit union doesn’t always KNOW that he is going to be held responsible – this information is down another level in the organization.

The analyst should not be afraid of making assumptions in the risk assessment; auditors make assumptions all the time. One could say that the world runs on assumptions. So making an assumption about how long it would take to replace the personnel or web applications of a specific part of the organization is not too difficult. Always remember that each component of the risk assessment can be vetted before with relevant management so that senior management does take the responsibility for validating the choices the analyst makes.

Personally, I advocate getting management to sign off, in writing, on the assumptions they accept, in the course of completing the risk assessment – and of course, on the final reports. There’s nothing like a signature on piece of paper to foster a climate of accountability.

Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software. Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop. In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler. Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications. Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.

Threat Assessments & the Maryland Storms

Posted on June 5, 2008 by Caroline Ramsey-Hamilton • 0 Comments

June 4, 2008, Annapolis, Maryland

Threat Assessments are one of the key areas of a security risk assessment. Whether it’s information technology or physical security — having good threat information is a major component of any risk assessment.

Threat data is also very difficult to get and to keep updated. Part of the problem is that if you look at ‘current’ threat data — you will find that this year, for example, we have had an unusual amount of rain and an unusually high number of storms and ‘conditions that are favorable for tornado (tornadic sp?) activity in Maryland.

Take yesterday for example. I had to take one of my beagles to the vet. As I got into my car, my son called to say there was a very severe storm with a possible tornado heading toward us. (He is in Virginia so he gets the storms first). I actually saw the storm in my rear view mirror as I headed across the 4 mile Bay Bridge and rode out the storm in the vet’s office. All my power was out when I finally got home and hundreds of trees were down. There was so much flooding that I had to take off my shoes and pull up my dress to get to my car in the parking lot of the vet’s office.

So with these storms, tornados, rain and flooding, should I increase my threat of storms, flooding and water damage? NO. In this case, as in others (like hurricanes), as a risk analyst, you are looking at long term trends. Remember 2005? It was the busiest hurricane season on record, with 27 named storms and 11 federal disaster declarations and the unforgettable trio – Katrina, Wilma and Rita? Everyone thought this was the signal of a new problem with hurricanes, but 2006 was quiet. In fact, no hurricanes made landfall in the U.S. in 2006; and in 2007 there was only 15 named storms.

What insurance companies have known for years is that these things occur in cycles, and if you change your disaster plans to focus on hurricanes, next year you may instead get wind, or wildfires. So the smart risk assessor will look at 20 or even 50 year cycles, and will normalize those cycles into an annual number and that annual number will be a better predictor of what actually happens year by year.

For a risk assessment, I always look at what is called an “All-Hazards” threat approach. Even for an IT risk assessment, you need to look at the statistics for natural disasters, and related crime stats, as well as IT threats such as disclosure, viruses, malware, phishing, etc. The impact of a hurricane or flood on a data center is just as damaging, if not more damaging, than a virus brought in by an employee.

There are several threat sources you can refer to, if you are attempting to create your own threat matrix for a risk assessment. In the U.S., the National Weather Service (www.noaa.gov), has good threat data for natural phenomena, and the FBI publishes good crime data — the uniform crime reports (http://www.fbi.gov/ucr/ucr.htm). For looking at IT threat data, there is a wide variety of sources including the CERT at Carnegie Mellon (www.cert.org).

Of course, the best, and most localized is either from your internal data, or from industry data. This includes incident response tracking, incident reports, penetration and scanning test results which can be combined to give a good overall threat profile for your organization to in the risk assessment. The threat assessment probabilities are going to contribute to the risk calculation by seeing what level of protection different assets need according the threats that can impact them.

Category Archives: risk assessment