Law and Investigation Ethics

Words: 5759

Pages: 24

Category: Business and Industry

Date Submitted: 06/23/2010 06:04 AM

LAW, INVESTIGATION, AND ETHICS

Forensic Analysis of Risks in Enterprise Systems

Peter Stephenson, CISSP, CISM, FICAF

The concepts of vulnerability assessment and penetration testing as methods of risk analysis have been a staple of the practice of information security. The seminal paper by Farmer and Venema [FV92] introduced the concept of performing penetration tests as a method of vulnerability assessment. Since the early 1990s, the practices of vulnerability assessment and risk analysis have alternately converged and diverged as new methods waxed and waned. Most recently, standards such as BS 7799 and ISO 17799 have focused on the synergy between technical testing and risk analysis. Implicit in the concepts of vulnerability analysis and risk analysis — whatever the techniques used — is the notion of risk management. Risk management returns to first principles of vulnerabilities, threats, impacts, and countermeasures. Current thinking, as embodied in various standards and industry-specific regulations, implies a holistic approach to risk management that comprises technical, operational, and administrative controls and the required assessments to establish their efficacy in managing the organization’s information technology (IT) risks. Unfortunately, there is, today, limited evidence of credible risk analysis procedures that satisfactorily combine technical and nontechnical assessment and analysis methods. Risk analysis methods tend to focus on expected annual loss, while vulnerability and penetration testing methods focus on uncovering holes in the system that would permit an intruder to compromise the organization’s information assets. There are serious limitations to both of these approaches. The results of various methods of risk analysis in common use in IT systems today are suspect because the source data, and the assumptions upon which their conclusions are based, are subjective and may be flawed and inconsistent. The results of various...