Sunday, October 26, 2014

Bringing Home SLE, ARO, ALE, and CBA

This week was fairly interesting to me. We read about controlling risk in the risk management process. Just as with last week, this is fairly new to me, so I try to relate the topics to layman's terms here at home to simplify it. This week, I wanted to do the same thing, so I am going to look at single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE), and cost-benefit analysis (CBA). In my case, I am going to look at my home desktop computer...my lifeblood, really!

To get the SLE, you have to look at the value of the asset and the exposure it has to an exploited vulnerability. My desktop computer is valued at around $2,000 total. However, the value that I could lose would be closer to $500, which is the cost of my hard disks and memory. The vulnerability I want to look at is malicious software. For the purpose of this exercise, the malicious software will be considered a virus which would cause a total destruction and loss of all data on my computer. Therefore, it would be a 100% loss. So, my SLE would be $500 x 100% or $500. We will use this calculation a little later. First, we need to look at the ARO.

The ARO is the number of times an exploited vulnerability is expected to occur in a year. My wife and kids utilize my desktop and they are not very diligent, at times, about using the internet. As such, I could expect about four viruses per week, on average, to affect my computer. Of those four viruses, we will assume that two of them could cause catastrophic damage to my hard drive. Therefore, my ARO would be 2 x 52, or 104. There are 52 weeks in a year and I can expect two nasty viruses each of those weeks. That's significantly high, but you can see how it is calculated for this example. So, where does the ARO come into play?

The SLE and ARO combine to give me the ALE. ALE is found by taking the SLE and multiplying it by the ARO. In other words, my single loss value times the rate of occurrence. In this case, it is $500 x 104 or $52,000. What does that mean? Without any controls in place to reduce my catastrophic loss, it would cost me over $50,000 to keep my desktop computer functioning. Who on Earth would pay that kind of money to keep a computer functioning? I know I don't have that much money to replace my hard drive and memory every time. That is why I invest in anti-virus software, or my control. This will factor into my CBA.

A CBA is an analysis of how much you benefit from implementing a specific control to reduce your risk. To figure it, you need to figure out how much your ALE is after implementing the control. In my case, we will assume that my ALE after the control is $0. My anti-virus software is that effective, because I keep it updated regularly. I have Norton 360, which I paid $175 for three years of protection. Therefore, my annual cost of safeguard (ACS) is about $58. The CBA is the precontrol ALE minus the postcontrol ALE minus the ACS. Plugging in the numbers, we have $52,000 - $0 - $58, which equals $51,942. What does all of this mean?

Again, speaking in layman's terms, the $58 per year investment in Norton 360 saved me $51,942 annually. Over the course of three years, that $175 investment saved me $155,826. When you look at it that way, that $175 price tag seems pretty cheap, doesn't it? We sometimes look at the high cost of something to protect our valuable assets as too expensive. However, when you step back and look at the long-term, you can definitely see the benefit of paying such a small cost up front. In this case, considering the worst case scenario of a nasty virus outbreak, I have saved thousands of dollars for an investment of less than $200. Amazing when you look at it that way, right?
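The arithmetic above, as an added example that is not part of the original post: a small calculator that reproduces the SLE, ARO, ALE, ACS and CBA figures from this post and then goes one step further, computing the break-even ARO, the point at which the control just pays for itself. The $58 ACS is used rounded to whole dollars, as the post does.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    asset_value: float      # AV: dollar value that can actually be lost
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def annual_cost_of_safeguard(total_cost: float, years: float) -> float:
    """ACS: spread a one-time purchase over the years it covers."""
    return total_cost / years


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """Cost-benefit analysis: CBA = ALE(prior) - ALE(post) - ACS."""
    return ale_prior - ale_post - acs


def break_even_aro(asset_value: float, exposure_factor: float,
                   residual_fraction: float, acs: float) -> float:
    """Smallest ARO at which CBA reaches zero, i.e. the control pays for itself.
    residual_fraction is the share of each loss that remains after the control
    (0.0 means the control stops the loss completely, as the post assumes)."""
    reduction_per_event = asset_value * exposure_factor * (1.0 - residual_fraction)
    if reduction_per_event <= 0:
        return float("inf")  # a control that prevents nothing never pays off
    return acs / reduction_per_event


if __name__ == "__main__":
    # Figures from the post: $500 at risk, total loss, two bad viruses a week.
    desktop = RiskScenario(asset_value=500, exposure_factor=1.0, aro=2 * 52)
    acs = round(annual_cost_of_safeguard(175, 3))          # $175 for 3 years -> $58
    benefit = cba(desktop.ale(), 0.0, acs)                  # $52,000 - $0 - $58
    print(f"SLE=${desktop.sle():,.0f} ALE=${desktop.ale():,.0f} CBA=${benefit:,.0f}")
    print(f"3-year benefit: ${3 * benefit:,.0f}")
    # Even if the ARO of 104 is wildly pessimistic, the control breaks even at
    # about 0.116 destructive infections per year, roughly one every nine years.
    print(f"break-even ARO: {break_even_aro(500, 1.0, 0.0, acs):.3f}")
```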

Sunday, October 19, 2014

Bringing Risk Management Home

This week, we have been discussing risk management and working to identify assets and their associated vulnerabilities. This got me thinking about my life here at home and how these concepts could be realized at home. Therefore, I wanted to take a look at my assets and how I would rank their value.

First of all, I have a DSL modem hooked up to a wireless router as my connection to the Internet. My desktop computer is hardwired into the router for optimal speed and, to be honest, the location just worked better for that. I also have my home printer connected into the router and set up on the WiFi so the rest of my network can see it.

Next, my network branches off into two wireless access points. One access point allows my children's computer to connect to the network. That particular computer also doubles as my Web server, music server, file server, and sends the data from my weather sensor out to the rest of the world. The other access point is connected to our Wii, Blu-ray player, and DirecTV system to allow each of these to connect to the Internet.

Lastly, on the network, I have my cell phone, tablet, and my wife's Nook. These all connect to the Internet over the WiFi from the router. The network also allows me to move files anywhere and access just about any device I own quickly and easily. I can even set up my DVR to record from my phone, even when I am not on the network. So, how do I value these items and any risks?

Personally, my highest valued risk would be my Internet connection. Without it, there is very little that I can do. My ability to work on homework, balance my checkbook, pay my bills, or anything else requiring a data connection comes to a halt. Now, I certainly could use my cell phone as a backup, but my Internet hardware is the most important asset on my network. Next, I would have to rank the computer with my Web server, music server, and file storage as second. If this computer crashed, I would lose just about everything. However, I do have the information backed up onto drives. Therefore, those drives would rank third. I would rank my desktop computer fourth, because I do a lot of work on it, but it is all backed up on the aforementioned hard drives. Lastly, I would rank my access points as fifth. They are not extremely important, as I have other ways to navigate around an outage with them. As you can see, it gets interesting when you start looking at risk management from the home perspective.

Have you ever sat down and thought about your information assets at home? How would you function without them? What is the most important? Do you have a plan in place in case you lose an asset or it is compromised through your Internet connection? We look at these things from a business standpoint, but our personal data is just as critical to us as those balance sheets are to the business. Just something to keep in mind while you are surfing the Web or balancing your checkbook!


Sunday, October 12, 2014

Life as a Security Management Model

I am going to switch gears a little bit this week, taking a side-step from the personal privacy aspect of my posts, and leaning more toward what we are covering in class this week. One topic that interested me was that of Security Management Models. As I was reading through the textbook about these models, I related back to work and personal life. Interestingly, it helped me grasp the concept a little better. So, I wanted to discuss a couple of them and how "layman's terms" turned the light bulb on upstairs.

Our book outlined a couple of integrity models: Bell-LaPadula and Biba. These integrity models essentially state the same principles. The basics of these models attempt to maintain the integrity of data. As such, higher and lower levels of classification and integrity are maintained. It sounds foreign, right? That is where I put a touch of life into it. If you have children, you can relate to being the higher level. If not, then your parents are the higher level.

As parents, we dictate to our children on a daily basis. We tell them to do things like clean their rooms, do their homework, and complete their chores. Our higher level of authority allows that. However, our children, typically speaking, do not tell us what to do. It's that old expression, "I'm the parent, that's why." Thus, in our every day lives, we become living examples of these integrity models. When that integrity is compromised, such as your child telling you no, we take action to correct that compromise.

Businesses have a due-diligence obligation to do the same thing. If the integrity of their data is compromised by a lower level that is not authorized to access certain data, measures are taken to correct the behavior and attempt to ensure it does not reoccur. In my line of work, the military, we have the same type of scenarios. If you recall the behaviors of Private Bradley Manning and Edward Snowden and the reaction of the military and Federal government in their wake, you can see this model in play and where it failed.

The integrity was upheld by allowing them access to the data, but it failed when that data was subsequently leaked to outside agencies. Thus, the lower level, the civilian world, was given access to data it should not have been granted access to. Actions were taken to remedy the behavior, ensuring it would not happen again, and Private Manning was punished by the military for breaking his agreement to keep the data confidential. In the case of Edward Snowden, it is still ongoing and we do not know what the outcome will be. We also use these principles in our private life.

Think about your data on Facebook. You have the option of keeping your data private. In this case, you are the higher level of authority and allow certain access to a lower level, your friends. If you have no privacy settings set up, all of your data is available for viewing by anyone using Facebook. Your "wall" is a great example of this integrity. Your settings can dictate that you and your friends have read and write access to your wall, thus keeping outsiders from posting to it. On the other hand, a lack of privacy settings makes your wall fair game to anyone wishing to write messages on it. Your privacy settings maintain the integrity of your data. Should that integrity be violated, you have a valid complaint against Facebook for not maintaining it.

As you can see, it is interesting how our normal daily lives revolve around something as simple as these integrity models. Again, I was looking for a way to relate the learning to how we function in life. It made it easy to remember and clarified certain aspects of it for me. Essentially, we are living life in terms of security management models in this technologically advanced world we live in. Interesting, huh?

Referenced Sites

Gellman, B. (2013, December 23). Edward Snowden, after months of NSA revelations, says his mission's accomplished. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

Maniscalchi, J. (2010, May 17). Information Security Models for Confidentiality and Integrity. Retrieved October 12, 2014, from http://www.digitalthreat.net/2010/05/information-security-models-for-confidentiality-and-integrity/

Tate, J. (2013, August 21). Bradley Manning sentenced to 35 years in WikiLeaks case. Retrieved October 12, 2014, from http://www.washingtonpost.com/world/national-security/judge-to-sentence-bradley-manning-today/2013/08/20/85bee184-09d0-11e3-b87c-476db8ac34cd_story.html

Sunday, October 5, 2014

Security Awareness and You

I've been blogging about security and privacy over the past few weeks. This week, we took a look at security awareness training and I thought about how this could factor into your personal life. So, I just wanted to pass along some tips to the personal user on how to better secure your information. I wanted to discuss phishing, passwords, and malicious software.

Phishing is the act of crafting an email to look as though it came from a legitimate user or business. These emails can be disguised to fool you into thinking they came from a friend or a business you regularly deal with. How many of you have received an email from a friend with a strange subject, such as "Hey, check this out!", that contains a link for you to click? What about an email from PayPal asking you to verify your login information? Chances are, neither of these emails came from either your friend or PayPal. Rather, it is a phishing email designed to gain some type of information from you. In the case of the PayPal email, once you enter your username and password, a thief now has your information and can access your account. Be wary of strange emails! But, you have all of your sites password protected, right?

Passwords are the weakest link in the chain for gaining unauthorized access to sites. Many people choose common terms that are found in a dictionary. They also use things such as pet names, birth dates, anniversaries, or another easily remembered combination. This is bad! Cracking programs can run thousands of attempts per minute and throw a wide variety of passwords at your account to attempt a login. Yes, many sites have a lockout feature, but do not bet your money on that protecting you. The person running the script may well just keep trying. Choose a strong password that contains a combination of lowercase and uppercase letters, numbers, and special characters. Make the password as hard to crack as you possibly can without using anything that resembles a common phrase. The more complex your password, the less likely it is to be cracked.

Lastly, I wanted to take a minute to discuss malicious software. This is software that, with or without your approval, can run on your system and accomplish a multitude of dangerous tasks. Malicious software can scan your computer for vital documents and photos, and can even record your keystrokes on the keyboard. The last one is very dangerous, because it can track the sites you visit, harvest your usernames, and grab your passwords...all without your knowledge. It is very critical that you run some type of anti-virus software to pick up on these types of programs. Some will install just by visiting a web site. Once you have clicked a link, the rest is history. Virus scanning software can help defend you against these types of attacks. If it looks odd and feels strange, do NOT click on it!

In conclusion, for personal safety, it is important that you understand what you are doing. Do not respond to strange emails, ensure you have strong passwords, never use the same password on multiple sites, and always make sure that any computer connected to the Internet is protected with anti-virus or malware protection software. Just taking these small precautions can spare your time and your checkbook from harmful activity!