8.3 Review Technology Vulnerabilities and Summarize Results
The previous activity required specialized information technology and security knowledge to complete. Before you can move to the risk analysis activities of phase 3, you need to make sure that all analysis team members have an appreciation of the results of the infrastructure examination. Thus, part of this activity requires communicating technological issues effectively to people who may not have technology backgrounds.
A second part of this activity requires you to think about the technology information in the context of your organization. You refine the picture of current security practices and organizational vulnerabilities. You also revisit the threat profile for each critical asset to see if the vulnerability evaluation has exposed any new threats.
Step 1: Review and Refine the Preliminary Summary
In this step the entire analysis team reviews the preliminary summary of vulnerabilities. The information technology staff or external experts who conducted the evaluation lead the review. During this step you must make sure that you understand the following information for each critical asset:
You can make changes to the summary during the discussion, if appropriate. For example, you might decide to change the definitions of severity levels. Once the summary is reviewed and refined for each component, make sure that you document it. You should also keep the detailed reports generated by the tools. You might need to reference them after the evaluation when you fix specific vulnerabilities.
In our sample scenario, one member of ABC Systems presented the results of the vulnerability evaluation to the analysis team. The presenter highlighted the types of vulnerabilities that were found on the key components and illustrated how those weaknesses could enable attackers to access PIDS, ECDS, and desktop computers (the critical assets that can be accessed using the network). This activity helped all members of the analysis team to appreciate the relationship between technology vulnerabilities and their business processes. No changes were made to the vulnerability summary shown in Figure 8-3.
Step 2: Identify Actions and Recommendations
As you review and refine the summary of vulnerabilities, you may identify specific actions or recommendations for addressing the technology vulnerabilities. If you need to address any technology vulnerabilities immediately, make sure that you assign an action item and designate responsibility for it.
Remember to look at the technology vulnerabilities across components and critical assets for patterns that can help you better understand the security issues. Patterns of technology vulnerabilities can indicate problems with the current security practices in your organization. (See the catalog of practices in Appendix C for a list of Information Technology Security practices.) For example, staff members may indicate that they perform a practice, but the pattern of technology vulnerabilities might show evidence to the contrary. You also need to be careful when establishing vulnerability patterns. Make sure that you don't jump to conclusions based solely on one (or a few) technology vulnerabilities. Review patterns of technology vulnerabilities that affect a critical asset as well as patterns of technology vulnerabilities across critical assets.
Record all actions and recommendations. This information will be useful during process 8, when you create a protection strategy, risk mitigation plans, and an action list.
At MedSite the workshop group, which included three staff members from ABC Systems and the analysis team, performed this step in conjunction with step 1. As the presenter from ABC Systems discussed the vulnerability summary and illustrated how attackers could exploit technology vulnerabilities to access critical information and systems, the group identified a number of actions that they needed to take, including a review of the policy that prevents assessment of home PCs. These actions are shown in Figure 8-4.
Step 3: Perform a Gap Analysis
Remember from our discussion in Chapter 7 that technology vulnerabilities define the access paths that human threat actors can use to access a critical asset. Thus, when you identify a technology vulnerability on a key infrastructure component, you have identified a weakness that can directly lead to unauthorized action by a human threat actor. You now need to review the threats you identified in process 4 in light of your understanding of how vulnerable your infrastructure is. Your view of threats may have changed.
After you have reviewed and discussed the vulnerability summary, perform a gap analysis of the threat profile that you created during process 4 for each critical asset. During the gap analysis, you reexamine the unmarked branches of the threat tree for human actors using network access.
Consider the following question when you review the unmarked branches of a threat tree: Do the technology vulnerabilities associated with the critical asset's key infrastructure components indicate that there is a more than negligible possibility of additional threats to the asset? Make sure that you mark any new threats on the appropriate branches of the threat tree and document any important contextual comments or notes (e.g., refer to the vulnerability summary).
The workshop group at MedSite reviewed the "human actors using network access" threat trees for PIDS, ECDS, and personal computers and determined that there were no threats in addition to those already marked. (See the full example in Appendix A for the complete threat profiles for each critical asset.)
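The pattern review of step 2 and the gap analysis of step 3 can be supported with a small script. The following is an added example, not part of the OCTAVE text or the MedSite case: it assumes a constructed vulnerability summary (asset, component, category, severity) and a simplified threat tree whose branches are (actor, motive) pairs, and it flags recurring categories only when they appear often enough and across enough components, as step 2 cautions.

```python
"""Added example: pattern detection over a vulnerability summary and a gap
check of unmarked network-access threat-tree branches. All data is constructed."""
from collections import defaultdict

# Constructed vulnerability summary: (critical asset, component, category, severity).
# Categories and severity levels are assumptions, not the book's definitions.
SUMMARY = [
    ("PIDS", "pids-server", "missing patches", "high"),
    ("PIDS", "pids-server", "weak passwords", "medium"),
    ("PIDS", "pids-workstation-a", "missing patches", "high"),
    ("ECDS", "ecds-server", "missing patches", "high"),
    ("ECDS", "ecds-server", "unnecessary services", "low"),
    ("Desktop computers", "desktop-lab-1", "missing patches", "medium"),
    ("Desktop computers", "desktop-lab-2", "weak passwords", "low"),
    ("Desktop computers", "desktop-lab-3", "missing patches", "high"),
]

# Simplified "human actors using network access" tree: branch = (actor, motive).
BRANCHES = [(a, m) for a in ("inside", "outside") for m in ("accidental", "deliberate")]

# Constructed process 4 result: branches already marked per critical asset.
MARKED = {
    "PIDS": {("outside", "deliberate")},
    "ECDS": {("outside", "deliberate"), ("inside", "accidental")},
    "Desktop computers": set(),
}

def find_patterns(summary, min_findings=3, min_components=2):
    """Categories recurring widely enough to suggest a practice gap; the
    thresholds keep one or a few findings from being read as a pattern."""
    places = defaultdict(set)      # category -> {(asset, component)}
    counts = defaultdict(int)
    for asset, comp, cat, _sev in summary:
        places[cat].add((asset, comp))
        counts[cat] += 1
    return {cat: sorted({a for a, _ in p}) for cat, p in places.items()
            if counts[cat] >= min_findings and len(p) >= min_components}

def gap_candidates(summary, marked, severities=("high",)):
    """For each asset with a severe finding, list the unmarked branches the
    team should revisit, with the findings that prompt the question."""
    evidence = defaultdict(list)
    for asset, comp, cat, sev in summary:
        if sev in severities:
            evidence[asset].append(f"{comp}: {cat}")
    return {asset: {"unmarked_branches": [b for b in BRANCHES if b not in marked.get(asset, set())],
                    "evidence": ev} for asset, ev in evidence.items()}

if __name__ == "__main__":
    print("patterns:", find_patterns(SUMMARY))
    for asset, gap in gap_candidates(SUMMARY, MARKED).items():
        print(asset, "->", gap)
```

The output is a list of questions for the workshop group, not a conclusion: each flagged branch still has to be judged against the "more than negligible possibility" test before it is marked.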
This completes the process 6 workshop. By this point in the process you have gathered a lot of asset, threat, and vulnerability information. It is time for you to start making sense of the data by identifying and analyzing your organization's risks. Process 7 kicks off OCTAVE's risk identification and analysis activities.