Background for writing this topic
In the SAP Secure Software Development Lifecycle (SSDL) methodology, the first stage is performing a 'Risk Assessment' on all SAP products. In the 'Risk Assessment' stage, we use methods like Threat Modelling (product and scenario), product standard assessment and Data Protection Compliance Evaluation (DPCE) to identify risks and plan security measures to mitigate them.
In my experience of conducting many TM workshops and TM classroom trainings, I have observed that people have different expectations or assumptions about risk assessment in general.
We tend not to realize that we unknowingly perform risk analysis in our daily chores and then decide how to execute them effectively. Risk assessment is not confined to software products: threat modelling or risk assessment can be conducted on physical infrastructure, organization facilities and campuses, corporate strategies and so on. Risk assessment and management are felt more in our daily lives than in the software world. Once we understand risk assessment generically, the concept is easier to relate to software products. This gives people a better idea of what to expect from a TM workshop and of its overall benefits.
In one of the TM trainings, a participant asked me to explain the differences between a risk, a threat and a vulnerability before going any further. He requested a simple, general example that makes sense to anyone, even someone without a security background. Since I am in Bangalore, I used the example of a daily activity that all SAP employees perform, i.e. commuting to the office. Using this scenario and a series of questions to the participants, I was able to give a glimpse of what happens in a TM workshop or a risk assessment activity.
After that I worked on refining this example and presenting it in a generalized format. I tried to globalize the scenario and make it as generic as possible. When I presented it in a couple of forums, the feedback was that this example was useful in clearing up assumptions and confusion on this topic.
Why is it important to understand the difference between the terms Risk vs Vulnerability vs Threat
If we don't understand the difference, we may misjudge the actual risk to an asset. Knowing the definitions of these terms helps us assess threats and identify vulnerabilities more effectively, and it is the combination of the two, not either one alone, that determines the resulting risk to the asset.
Example Scenario: An employee commuting to SAP office
Let's look at a scenario that is relevant to all of us. We commute daily to our work location, i.e. our SAP office. Correct?
This is the example scenario:
Let us consider that one of our SAP offices is in a location riddled with traffic jams, with a fair amount of air and noise pollution and extreme weather conditions. In this city, because of heavy traffic and population density, people often change lanes and overtake other vehicles to reach their destination faster. Assume that a fair amount of traffic chaos exists in this place.
One of our employees has just moved to this office location. This person "plans" to travel to the office as stated below. (I highlighted 'plan' because we need a scenario that relates to the design time of a software product. Remember that risk assessment is recommended at the planning/design stage of a product.)
The employee travels from a distant place to the office, which requires him/her to cross multiple traffic junctions. The route has enough bottlenecks and traffic jams to take a toll on physical and mental health, and it consumes a lot of time and effort.
The person uses a two-wheeler to commute to the office.
The person rarely wears a helmet and does not wear any other protective gear.
The person does not use a mask against air pollution or hearing protection against noise.
Now let us try to do a risk assessment on this scenario. **Note: I understand that this use case is relative and subjective for different people. There could be different ways of analyzing and understanding the scenario based on geographic location and other factors. You may be able to come up with more risks and new use cases, which is appreciated. But the intention here is to send the right message to anyone who is new to risk assessments and to reduce confusion before diving into this topic.**
**Note: I have intentionally tried not to refer directly to any of the standard methods or SAP security requirements that we use in SAP threat modelling, to keep it as generic as possible. The objective here is to convey the concept of risk assessment to a general audience using a relatable example.**
Determining the asset: People, property and information. People may include employees and customers along with other third parties involved in the business activity. Property assets may be tangible or intangible: tangible assets include physical infrastructure, systems etc.; intangible assets include company credibility, reputation and proprietary information. Information may include business data, employee and customer information, company records etc.
"An asset is what we're trying to protect"
I would say there are two main assets in this case: the person (human component) and the two-wheeler.
We shall also observe later how the risk analysis and rating vary with the choice of asset.
Identify vulnerabilities: A vulnerability is a known weakness of an asset that a threat can exploit. The threat need not be malicious: a weakness or gap in a system can be exploited by an attacker to do harm, or be triggered by an accident or by the environment, as the examples below show.
"A vulnerability is a weakness or gap in protecting the asset"
The person is not wearing protective gear such as a helmet or knee and elbow pads, nothing that would protect him/her from injury in an accident.
The person is not wearing a pollution-filtering mask.
The person is not using hearing protection against noise.
The person is not using skin protection cream in hot weather or warm clothing in cold weather. Note: sometimes in threat modelling we need to uncover vulnerabilities from the business case even though they are not explicitly mentioned in the use case. The scenario description above says the location has extreme weather conditions, so we need to analyze weather-related vulnerabilities as well. Remember to brainstorm and think out of the box.
Assess threats: A threat is anything with the potential to harm a system or organization: anything that can exploit a vulnerability, intentionally or accidentally, and negatively impact the asset.
"A threat is what we're trying to protect the asset against"
The person could be hit by other vehicles. Even if the person drives carefully, others might not.
The person could hit others by mistake or through recklessness.
Other people may not follow traffic rules.
Air pollution and noise pollution.
Extreme weather conditions.
Getting caught by a traffic cop. (This threat only harms the person if there is a matching vulnerability, such as breaking traffic rules or not carrying the vehicle documents; it is a good example of a threat that is harmless without a weakness to exploit.)
Determining risk: Risk is the intersection of the impact on the asset, the threat and the vulnerability. We can also say that risk is the result of a threat exploiting a vulnerability in a given asset. Risk is rated by combining how severe the negative impact on the asset would be with how easily the vulnerability can be exploited, i.e. the likelihood.
"Risk refers to the potential loss, damage or destruction of an asset when a threat exploits a vulnerability"
If the asset is the human, the person in question
The person could suffer health issues like lung or breathing problems, skin problems due to the weather, orthopedic problems, muscular sprains or strains, and hearing problems. We can rate this high to critical.
The person could meet with an accident and get physically hurt or, in the worst case, lose his/her life. We can rate this critical.
If caught by a traffic cop: loss of money. This could be rated low to medium.
If the asset is the two-wheeler
Damage to the two-wheeler. This could be rated medium to high based on the class of vehicle used by the rider or the loss incurred by the owner.
Point to consider: "We rate and prioritize risks based on the impact and the ease of attack on an asset. Risks are actionable items"
What happens to the risk if either the threat or the vulnerability is absent from the scenario
Threats (actual, conceptual or inherent) may exist, but if there are no vulnerabilities then there is little or no risk. Similarly, we can have a vulnerability, but if there is no threat, then we have little or no risk.
No threats but vulnerabilities exist = minimal or no risk
Let us imagine that this person has moved home to a few hundred meters from the office, with little or no traffic on the route, no traffic police on the way, not much pollution and no malicious external factors. In this case, although the asset is still vulnerable, there are minimal threats, so there is minimal or no risk.
We can relate this to staying in the SAP Guesthouse Kalipeh in Walldorf and commuting to the office buildings by bicycle or on foot. The risk is minimal or nil here.
No vulnerabilities but threats exist = minimal or no risk
Now let us say the person wears a helmet and protective gear, uses a pollution mask, keeps the bike in good condition with all relevant documents and follows all traffic rules. Then, even though the asset is surrounded by threats, the risk has been reduced to a minimum because all the known vulnerabilities have been addressed sufficiently. Note "minimum", not zero: a helmet reduces the injury from a collision but does not prevent the collision, so a residual risk remains.
Risk mitigation: In general, mitigation means minimizing the degree of loss or harm to the asset. Risk mitigation is the process of reducing the extent of the risk to the asset.
In the majority of cases, risk mitigation is the responsibility of the product or business owners. Based on resource availability and various other dependencies, product owners decide on the security measures that best mitigate the risk at hand.
Here: (If the human is the asset)
Wear a helmet and knee or elbow pads.
Wear a pollution mask to reduce the exposure.
Wear skin-protecting clothes or use skin protection cream.
Drive safely and correctly. Follow traffic rules.
Maybe use a four-wheeler. Note: here the user might decide to change the mode of transport completely to mitigate multiple risks at once. This also means that the use case itself has changed and a new scenario is in the picture, which requires a new or delta risk assessment for the changed scenario.
Here: (If the bike is the asset)
Insure the bike.
Regular bike service and maintenance.
Drive safely and correctly. Follow traffic rules.
Point to consider: Evaluating and reaching consensus on the asset is very important in a risk assessment, as it determines the extent of the negative impact of a risk. The criticality of the asset affects the risk rating and priority.
In this case, if we say the bike is the main asset and not the person, then the risk rating and priority change.
What comes after a risk assessment like threat modelling
Now that we have performed the risk assessment, we document our findings in a risk assessment report, such as a TM report, and submit it to the use case owner.
What can the person (the use case owner) do in this example?
The person needs to evaluate, estimate and decide how to treat the risks.
Can the person decide to reject one of the risks? Can the person decide to handle a risk later? Can the person decide to mitigate a risk on priority and fix it immediately?
All these decisions are possible and are the case owner's prerogative.
In this scenario, it is left to the individual to decide based on his/her priorities and mitigate the risk accordingly. It is a business decision, or a personal decision in this case, to prioritize the risk and take the necessary mitigation actions.
Point to consider: "The owner of the scenario is the best person to analyze and implement the best possible mitigation for the risk. We say this because multiple factors like time, effort, budget and other dependencies need to be evaluated and estimated. An appropriate decision has to be taken so that both the security criteria and the business purpose are achieved. So an identified risk can be mitigated, accepted, or rejected as not applicable"
Risk assessment report needs to be constantly updated
Over time, the person may relocate to a different location. Maybe there is little or no traffic now. Maybe the person decided to walk or cycle. Maybe the distance to the office is now just a few hundred meters. Maybe the person decided to use a four-wheeler, and so on.
As per the changes in the scenario, we could discover new threats or some current risks could become irrelevant.
Point to consider: "Risk assessment report needs to be constantly evolved as per the modifications in business scenario. Sometimes it might require a new risk assessment altogether if there are many changes in the current scenario. Existing risks may become invalid or new risks might crop up."
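The sections above on determining risk, on what happens when the threat or the vulnerability is absent, on mitigation and the choice of asset, and on updating the assessment when the scenario changes can all be exercised on one small model. The following Python is an added illustration written for this page; it is not SAP code and not part of the SAP threat modelling method, and every number in it (likelihood, impact, exposure, rating thresholds) is a constructed assumption chosen to reproduce the ratings given in the text, not a measurement.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """What we are trying to protect. vulnerabilities maps a weakness to its
    exposure (1.0 = unaddressed, 0.0 = fully mitigated); impact maps a threat
    name to how badly that threat would hurt this asset (1..5)."""
    name: str
    vulnerabilities: dict
    impact: dict


@dataclass(frozen=True)
class Threat:
    """Something that can harm the asset: how likely it is in this scenario
    (1..5, 0 = absent) and which vulnerabilities it needs to do damage."""
    name: str
    likelihood: int
    exploits: tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    via: str      # the most exposed vulnerability the threat goes through
    score: float  # likelihood * impact * exposure, at most 25
    rating: str


def rate(score: float) -> str:
    """Thresholds are assumed; they only reproduce the labels used in the text."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low" if score > 0 else "none"


def assess(asset: Asset, threats) -> list:
    """Build the risk register for one asset. A threat contributes nothing
    when it is absent (likelihood 0), when the asset has none of the
    vulnerabilities it exploits (exposure 0) or when the impact is 0:
    no threat, or no vulnerability, means no risk. Highest score first."""
    register = []
    for t in threats:
        exposures = {v: asset.vulnerabilities.get(v, 0.0) for v in t.exploits}
        via, exposure = max(exposures.items(), key=lambda kv: kv[1],
                            default=("", 0.0))
        score = t.likelihood * asset.impact.get(t.name, 0) * exposure
        if score > 0:
            register.append(Risk(asset.name, t.name, via, score, rate(score)))
    return sorted(register, key=lambda r: r.score, reverse=True)


def mitigate(asset: Asset, vulnerability: str, residual: float) -> Asset:
    """Apply one control: lower that vulnerability's exposure to what remains
    after the control (a helmet reduces injury, it does not prevent the crash)."""
    vulns = dict(asset.vulnerabilities)
    vulns[vulnerability] = residual
    return replace(asset, vulnerabilities=vulns)


# Constructed data for the commuting scenario; all numbers are assumptions.
PERSON = Asset(
    name="employee",
    vulnerabilities={"no_helmet_or_pads": 1.0, "no_pollution_mask": 1.0,
                     "no_hearing_protection": 1.0, "no_weather_protection": 1.0,
                     "no_rule_compliance": 1.0},
    impact={"collision": 5, "air_noise_pollution": 2,
            "extreme_weather": 3, "traffic_police": 1},
)
BIKE = Asset(
    name="two_wheeler",
    vulnerabilities={"no_insurance": 1.0, "no_maintenance": 1.0,
                     "no_rule_compliance": 1.0},
    impact={"collision": 2, "air_noise_pollution": 0,
            "extreme_weather": 1, "traffic_police": 1},
)
CITY_THREATS = (
    Threat("collision", 3, ("no_helmet_or_pads", "no_insurance", "no_maintenance")),
    Threat("air_noise_pollution", 5, ("no_pollution_mask", "no_hearing_protection")),
    Threat("extreme_weather", 4, ("no_weather_protection", "no_maintenance")),
    Threat("traffic_police", 2, ("no_rule_compliance",)),
)
# Scenario change: the employee now lives a few hundred meters from the office
# on a quiet route, so every threat's likelihood drops to 0.
QUIET_ROUTE = tuple(replace(t, likelihood=0) for t in CITY_THREATS)

if __name__ == "__main__":
    for asset in (PERSON, BIKE):
        for r in assess(asset, CITY_THREATS):
            print(f"{r.asset:12} {r.threat:20} via {r.via:22} {r.score:5.1f} {r.rating}")
    print("no threats:", assess(PERSON, QUIET_ROUTE))
    hardened = PERSON
    for v in PERSON.vulnerabilities:
        hardened = mitigate(hardened, v, 0.0)
    print("no vulnerabilities:", assess(hardened, CITY_THREATS))
```

Running it prints a priority-ordered register per asset. With the same threats, the employee gets critical (collision), high (weather, pollution) and low (traffic police), while the two-wheeler gets medium and low, which is the asset-criticality point: the rating changes with the choice of asset, not with the threats. `assess(PERSON, QUIET_ROUTE)` and the fully mitigated copy of `PERSON` both return an empty register, the no-threat and no-vulnerability cases. Lowering only the helmet exposure to 0.2 drops the collision risk from critical to low and leaves the rest unchanged, which is the delta re-assessment after a single mitigation; the residual 0.2 is what keeps "minimal" from being "zero". The model is generic: a data center with data as the asset, an earthquake as the threat and "no backup" and "no seismic construction" as vulnerabilities fits the same shape.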
Risk assessments are not for finding confirmed vulnerabilities or for deriving a 100% risk-free scenario (product)
Once the risk assessment is done and all risks are mitigated and tested, can we guarantee that the scenario cannot be exploited? In the above example, can we guarantee that the person is safe and secure if all the reported risks are taken care of? No: there are external factors outside our control that can still pose a risk and have an impact on the asset.
"Threat modelling and DPCE are tools to meet our product security requirement of 'Secure by Design'. Risk assessment is not for determining confirmed vulnerabilities or for achieving a 100% secure scenario (product). Risk assessment is the basis for securing the business scenario at design time. It gives a security plan for product development and testing. It basically helps us to be proactive in securing the product rather than reactive. Confirmed vulnerabilities are detected during security testing and validation (using penetration or hacker simulation tests)"
Now let us look at an example from the software industry that is analogous to the example above
A large and reputed organization like SAP or Google is planning to set up a new data center. After a lot of discussion they have shortlisted a location. The main problem with the location is that it is prone to earthquakes; however, management wants to go ahead with this choice, having arrived at the decision after due deliberation.
In this scenario,
Asset: Critical business data and customer/employee data residing in the data center. The data is the asset, apart from the data center infrastructure itself. A data center can be built again, but data once lost may not be recoverable.
So here we can say the data itself is the primary asset and the data center infrastructure is the secondary asset. In this age of information technology, data is considered gold; data theft or a hack could cost a company more than the physical infrastructure damage itself.
Threat: A natural disaster, i.e. an earthquake.
This is a threat that is uncontrollable and may not be predictable in every situation.
Vulnerabilities: Not having a data recovery plan in place. Not having a secondary data backup mechanism.
Not constructing the data center with earthquake-proof technology.
Risk: Without a backup and a recovery plan, the data is lost forever if a sudden earthquake destroys the physical assets. The data center itself could be destroyed.
The risk to the business would be the loss of information and physical property, disruption of business, loss of reputation and credibility, financial losses and legal trouble as a result of not proactively addressing the vulnerabilities. We can rate this risk as critical.
Mitigation: The threat of an earthquake is outside of one's control in any given situation. However, knowing that a natural disaster could hit helps the organization assess its weak points (vulnerabilities) and come up with an action plan to minimize the extent of loss or damage.
There could be multiple mitigations for this scenario: moving the data center to a safer locality (which may require a new risk assessment), having a data recovery plan in any case, constructing earthquake-proof physical structures for the data center, and so on.
Recommendations for risk mitigation can be given by the risk assessor; however, the final decision on mitigation or acceptance rests with the product team.
With these general examples I have been able to convey the message to a large extent. If we have this understanding of security terms like risk, threat, vulnerability and risk mitigation, and understand the concepts in general, I believe we will be more effective in performing risk assessments.