Alex Hutton

Introducing: The RiskFish

In this first article, I'd like to give you a simple tool to help you better understand and categorize risk and security scenarios. We call it "The RiskFish," and it's free to use.

"I'm having a hard time figuring out where our risk really is here..."

If you've ever had an interesting audit finding, threat scenario, or risk analysis, or generally found yourself needing to help the business sort through its thoughts about exactly what's going on, then this blog post is for you.

Before we dive in, I should introduce myself. I am a risk manager. My name is Alex, and I work for a largish financial institution where I am a director of technology and operations risk. My information security/risk management background comes from my previous work in risk intelligence at Verizon, where I was part of the Data Breach Investigations Report (DBIR) team, working with Jack Jones setting up IRM/ERM shops and teaching FAIR, and working with Brent Huston doing OCTAVE/NIST stuff "way back" in the 2001-2005 time frame. Prior to that, I was a product manager for a firewall/VPN solution for five years.

In the 10 years I've been working in information risk management, I've learned that security and risk are pretty complex. In fact, I don't think it would be a stretch to say that we're working with complex adaptive systems in our profession. This complexity makes it challenging to understand risk, and it can mean that we have difficulty communicating risk.

The good news is that, in my experience, once you have some formalization around definition and modeling, risk management becomes 80 percent communication methods. So in this inaugural series of posts, I'd like to share with you a little tool to help risk and security folks communicate the situation at hand. I call it "The RiskFish."

What Is The RiskFish?
The concept is simple: Take an Ishikawa or Fish Diagram that was originally created for root cause analysis in manufacturing, and then hack it up a bit so that it works for security and risk. The means to provide clarity and definition? We'll use VERIS, the community licensed/released framework used by Verizon to create the DBIR. So where a manufacturing root cause analysis is going to include categories such as Personnel, Materials, Measurements, Environment, Methods, and Machines, we will use the following:

(business unit or victim) Demographics
(threat) Agents
(threat) Actions
(business) Assets
(security) Controls
(security) Attributes
(financial) Impacts

How To Use The RiskFish
Basically, the RiskFish is a brainstorm tool. It's designed to help you sort out your thoughts. You simply take whatever scenario you're looking at, identify categorically which part of the fish diagram you're talking about, and use VERIS to clarify all of the risk elements you think you might want to consider. I've found that VERIS provides pretty good definition and clarity; it has been used to describe thousands of incidents in Verizon's DBIR. Because Verizon has used VERIS for years, anything you think of should be identifiable and describable using the tool. If you come up with something unique that isn't covered in VERIS, the community nature of VERIS means that you can contribute to the XML schema and definitions at the VERIS community website.

So using VERIS, what the diagram does is help you identify a high-level category to discuss what you're thinking about. If I'm worried about malicious insiders, for example, I would go to the Agent branch and write down "insider." Then, if I wanted to get more specific, the VERIS community website has metadata associated with "insider." So I might write down "insider - privileged - auditor" if I wanted to describe a specific case where I'm worried an auditor might go rogue. Maybe then I'd match up an action of "Misuse" and circle some of the impact categories that I think might apply. I can do more threat modeling in the bottom part of the diagram, picking actions against assets, attributes that would be compromised, and so forth. And it's totally OK to have more than one thing appear in any one branch; again, this is brainstorming. The important part is to get it all down on paper and then start identifying relationships and connections between the branches.

All of the classification metadata you can associate with these top-level categories can be found at the VERIS Community website, except for controls. For now, that branch is "young," and I would welcome industry contributions to help mature that (or any other) category.
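As an added illustration, not part of the original post or of SIRA's materials, here is a small Python sketch of the RiskFish as a data structure: the seven branches named above, VERIS-style refined labels such as "insider - privileged - auditor", many entries per branch, and explicit links between branches. The asset and attribute labels used in the usage note are constructed for the example.

```python
from collections import defaultdict

# The seven RiskFish branches, in the order the post lists them.
BRANCHES = ("Demographics", "Agents", "Actions", "Assets",
            "Controls", "Attributes", "Impacts")


def _path(label):
    # "insider - privileged - auditor" -> ("insider", "privileged", "auditor")
    return tuple(part.strip() for part in label.split(" - "))


class RiskFish:
    def __init__(self, scenario):
        self.scenario = scenario
        self.entries = defaultdict(list)  # branch -> list of label paths
        self.links = []                    # each link: [(branch, path), ...]

    def add(self, branch, label):
        """Write a label on a branch; the label may be VERIS-refined."""
        if branch not in BRANCHES:
            raise ValueError(f"unknown branch {branch!r}; choose from {BRANCHES}")
        path = _path(label)
        if path not in self.entries[branch]:
            self.entries[branch].append(path)
        return path

    def link(self, *steps):
        """Connect entries already on the board, e.g. agent -> action -> asset."""
        chain = []
        for branch, label in steps:
            path = _path(label)
            if path not in self.entries.get(branch, []):
                raise KeyError(f"{label!r} is not on the {branch} branch yet")
            chain.append((branch, path))
        self.links.append(chain)
        return chain

    def empty_branches(self):
        """Branches nobody has written on yet: the gaps to brainstorm next."""
        return [b for b in BRANCHES if not self.entries.get(b)]

    def render(self):
        """Plain-text fishbone: one line per branch, then the links."""
        out = [f"RiskFish: {self.scenario}"]
        for b in BRANCHES:
            labels = "; ".join("/".join(p) for p in self.entries.get(b, []))
            out.append(f"  {b:<12} >--- {labels or '(empty)'}")
        for chain in self.links:
            out.append("  link: " + " -> ".join(f"{b}:{'/'.join(p)}" for b, p in chain))
        return "\n".join(out)
```

To rebuild the rogue-auditor case from the post, call fish.add("Agents", "insider - privileged - auditor"), fish.add("Actions", "Misuse"), add a constructed asset such as "audit workpapers", then fish.link(...) over those three entries; empty_branches() then reports Controls and the other untouched branches as the gaps still to brainstorm.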

Speaking of contributing, I've tried to make the RiskFish as "free" as possible by releasing it under a creative-commons license. You can use it for free; you just can't charge for it, and if you improve it, we ask that you share back to the world. I say "we" because the RiskFish is now formally under the stewardship of the Society of Information Risk Analysts (SIRA). There's no fee to join SIRA, and you can just sign up for the mailing list and get your hands dirty if you want to learn a little bit more about it, talk to people who are using the RiskFish, or even contribute to its evolution.

So feel free to download a .pdf file of the RiskFish from the SIRA website.

Where To Use The RiskFish
I've found using the RiskFish to be really useful in discussions with the business, particularly as a tool to help it sort out its concerns. I've found it useful in Vendor Management discussions, on-boarding new systems, defining red team scenarios, and so on; it's kind of a neat Swiss Army Knife for the risk/security analyst.

Like a Swiss Army Knife, the RiskFish does a little bit of everything. It helps you do a wee bit of threat modeling, control analysis, and impact analysis. The knife isn't going to cut down a tree, but you can whittle something nice with it. The RiskFish isn't a formal threat modeling or risk analysis tool, but it can give you a good idea as to what is important and indicate when it's time to bring out a real tool. The RiskFish is not a tool that's going to calculate your risk, make your world candy canes and unicorns, or protect your network. So far, however, it seems pretty useful for helping you sort your thoughts and helping you identify what's important.

Later, we'll talk about using the RiskFish to create the basis for a risk analysis. Then I thought we'd finish out this series of blog posts by discussing how to use the RiskFish to scope a penetration test, argue an audit finding, and finally, architect a new control framework.

Alex Hutton is Director of Technology and Operations Risk at a largish financial institution. He likes risk and security so much that he contributes spare time to industry groups like The Society of Information Risk Analysts.
