Fred Cohen & Associates

Risk Assessment in Distributed Domain Networks

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

The dominant protection theory at this time is based on the concept of limiting information flow. The rational for this assumption is given in earlier chapters of this book. The concept of distributed domains is based on having a set of information domains with restricted flow between them. Each domain may be physically distributed, but is logically unified with respect to information flow. An information network is then described as the set of domains and the information flow between them. Certain management and administrative effects are inherent in the use of distributed domains for information protection, and we examine these in some depth here to provide insight into some current management problems and how they may be addressed.

In an information network based on distributed domains, communication, and thus the ability to disseminate and modify information are limited. If we assume that the system is properly implemented and that external attackers are successfully thwarted by common techniques, we are left with the effects of internal abuse. Since individuals in such a network may access multiple domains, it is convenient to consider individuals as collusions of domains. We may quickly see that the maximum effect of an individual is the combined transitive effects of all domains which that individual can effect, and the maximum dissemination is the combined transitive domains affecting the individual. To consider groups of individuals who might collude to launch an attack, we assume collusion and treat them as a single individual. Our discussion is based on the launching of attacks by individuals or groups of individuals, but the method works equally well in the analysis of accidental leaks and corruption of information.

In order to assess risk in such a system, we consider corruptive effects and dissemination effects independently, and add them for the joint effect. Just as in standard risk assessment techniques [Saltmarsh83] , we assign dollar values to resources and probabilities to attacks, but unlike the standard analysis, we have a firm basis for separation of resources, and thus a means for reducing the complexity of analysis. Our technique is then quite simple:

Assign each domain a dissemination value (Vd) and a modification value (Vm) which correspond to the financial value of illicit dissemination and modification respectively.
Assign each human subject a yearly probability of illicit dissemination (Pd) and a yearly probability of illicit modification (Pm) which correspond to the likelihood of a successful attack of the type described being launched by each individual in a given year.
Determine a yearly expected loss for each subject (Ls) as the sum of Vd*Pd for each domain which can flow to the subject and Vm*Pm for each domain which the subject can flow to. This is easily done by using collusion analysis where a subject is represented as the collusion of all flows to and from that subject's domains.
Determine the system wide expected loss (Lsys) as the sum of Ls for all subjects 's'.

To reduce Lsys, we have a number of alternatives, combinations of which may lead to optimizations:

reduce the subjects with access without increasing access per subject
reduce the values of domains (by eliminating unnecessary information)
reduce the loss per individual (by reallocation of duties)
reduce the likelihood of attack (by background checks or increased awareness)