In our security consulting practice we are often asked to conduct security surveys. We are also asked to do security audits. Some clients ask for vulnerability assessments. Others ask for risk analyses. Some of these clients do not realize they are asking for different things. Each of these tools can be used to determine the "Why?" of a client's security program, before moving along to the "How?" It is important to know the difference when contracting for a security consultation.
A security survey consists essentially of mapping existing systems or programs. Surveys involve visiting a site or evaluating a process for obvious risks. There are pencil and paper checklists, some simple, some complex. There are automated tools, most of them expensive. Some surveys are published by professional organizations; others are intuitive assessments that draw upon a lifetime of professional experience. In short, there are as many security surveys as there are persons or firms willing to do them. Be certain you are paying for the survey you require.
A security audit is a means of measuring or testing existing programs against client documentation or expectation. A common sort of audit is an access control study, where a person tests the effectiveness of lobby visitor controls and the willingness of employees to violate a building's access controls by granting access to strangers. Audits can also take the form of documentation reviews or evaluation of security officer knowledge and competence.
A vulnerability assessment determines how exposed critical assets are to attack, usually without regard to the probability that an attack against those assets will actually occur. This is a useful tool when deciding how to protect assets we cannot afford to have damaged even though the likelihood of an attack is low. Used by itself, however, a vulnerability assessment can produce rather aggressive, or unrealistically expensive, security recommendations, because likelihood is never taken into account. We are all equally vulnerable to the effects of a mile-wide asteroid striking Earth; it is risk analysis that weighs how likely that is to happen.
The classic risk analysis equation calls for a loss prevention survey and the identification of vulnerabilities. One then determines the probability, frequency and cost of loss, and the product of the expected annual frequency and the cost per loss event is the annual loss expectancy (ALE). This works well across a large population (nationwide car theft rates, for example) or where losses are frequent, as in the case of shoplifting. An ALE calculation does not do us much good when we are trying to decide whether to worry about someone blowing up the Hoover Dam with a truckload of stolen fertilizer. The reported rate of such attacks is zero, which yields an ALE of zero, however severe the consequence would be.
Sandia National Laboratories Risk Assessment Methodology
Sandia National Laboratories, long a defender of high-value assets for the U.S. government and other nations, has lately turned its sights on protecting critical public infrastructure such as water treatment facilities, dams, power transmission and chemical facilities. Their Community Vulnerability Assessment Methodology is used to assess and reduce risk to public venues. Sandia has reduced the risk analysis problem to an equation: R = PA x (1 - PE) x C. The probability of attack (PA) is estimated from the existence of a threatening organization, its capabilities, its history or expressed intention to harm similar clients or organizations, and whether the threat is targeting a specific client. System effectiveness (PE) is tested using detailed adversary sequence diagrams to determine the ability of the current protection systems and operating procedures to detect, assess, delay and neutralize attackers. The consequence of an attack (C) calls for a facility characterization using tools such as fault tree analysis and consequence tables to rank critical assets and the real-life harm that will occur if an attack is successful. Because PA is a judgment about the threat rather than a historical event rate, a credible but never-yet-attempted attack still produces a non-zero R, which is exactly where an ALE figure drops to zero.
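The following is an added example, not code from the article or from Sandia, that carries the ALE calculation above and the Sandia equation R = PA x (1 - PE) x C through on two constructed scenarios: frequent, well-recorded shoplifting losses and a never-recorded truck-bomb attack on a dam. All scenario numbers are illustrative assumptions. The example also assumes the usual decomposition of system effectiveness PE into a probability of interruption times a probability of neutralization; the article itself only names the detect, assess, delay and neutralize functions. Ranking the two scenarios under each metric shows the point made in the text: ALE sends the dam to the bottom of the list because its observed rate is zero, while the Sandia equation, driven by a judged PA, puts it at the top.

```python
"""Compare annual loss expectancy (ALE) with the Sandia risk equation
R = PA * (1 - PE) * C on constructed scenario data.

Added example with illustrative numbers; nothing here is data from the
article or from Sandia National Laboratories.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_rate: float      # observed events per year (annual rate of occurrence)
    loss_per_event: float   # cost of a single loss event, in dollars
    p_attack: float         # PA: judged probability of attack, 0..1
    p_interrupt: float      # probability the response interrupts the adversary in time
    p_neutralize: float     # probability the response then neutralizes the adversary
    consequence: float      # C: consequence of a successful attack, in dollars


def annual_loss_expectancy(s: Scenario) -> float:
    """Classic ALE: expected annual frequency times cost per loss event."""
    return s.annual_rate * s.loss_per_event


def system_effectiveness(s: Scenario) -> float:
    """PE as interruption probability times neutralization probability.

    Assumption: this decomposition is the usual one in Sandia-style
    physical protection analysis; it is not spelled out in the article.
    """
    return s.p_interrupt * s.p_neutralize


def sandia_risk(s: Scenario) -> float:
    """R = PA * (1 - PE) * C, the equation quoted in the article."""
    return s.p_attack * (1.0 - system_effectiveness(s)) * s.consequence


# Constructed scenarios. Shoplifting has a long loss history; the dam
# attack has a reported rate of zero, the failure mode the article describes.
SCENARIOS = [
    Scenario("retail shoplifting", annual_rate=400, loss_per_event=75,
             p_attack=1.0, p_interrupt=0.10, p_neutralize=0.9, consequence=75),
    Scenario("truck bomb at dam", annual_rate=0, loss_per_event=5e9,
             p_attack=0.01, p_interrupt=0.5, p_neutralize=0.8, consequence=5e9),
]


def rank_by(metric, scenarios=SCENARIOS):
    """Scenario names ordered from highest to lowest under `metric`."""
    return [s.name for s in sorted(scenarios, key=metric, reverse=True)]


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:20s}  ALE = {annual_loss_expectancy(s):>14,.0f}"
              f"  R = {sandia_risk(s):>14,.0f}")
    print("ranked by ALE:", rank_by(annual_loss_expectancy))
    print("ranked by R:  ", rank_by(sandia_risk))
```

Under these assumptions shoplifting has an ALE of 30,000 dollars a year and the dam an ALE of exactly zero, while the Sandia equation gives the dam an R of about 30 million against roughly 68 for a single shoplifting incident. R is a per-attack expected consequence, not an annualized figure, so the two metrics are not directly comparable in magnitude; what matters is that a zero observed rate zeroes the ALE but leaves R intact.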