CRAMM (CCTA Risk Analysis Management & Methodology)
CRAMM stands for CCTA Risk Analysis Management & Methodology. The main reasons for the development of CRAMM were the need for a rigorous methodology and the deficient methodologies at the time, that were subjective, vulnerability driven and needed experienced personnel to operate them, while their results were less than impressive.
The new methodology should be easy to understand and use, be able to be used for system development, consist an automated tool, it should contain a threat checklist ανδ have the countermeasures built in. CRAMM does risk analysis by combining assets, threats and vulnerabilities to evaluate the risk involved and then it does risk management by suggesting a list of countermeasures. The theoretical model of the system, that CRAMM uses, contains assets Ak, threats vulnerabilities Vi and impacts Ij. CRAMM has thirty-one generic threats and eight impacts. First we assign values to asset/impact pairs, then we identify threat/impact/asset triples, we evaluate threats and vulnerabilities (low, medium, high) and calculate the security requirement (risk) of each threat/impact/asset triple.
CRAMM consists of three stages: the first stage, where we scope the security problem, the second stage, where we evaluate the risk and the third stage, where we select suitable countermeasures.
First stage: The evaluation of the scope of security consists of three steps.
I. The preparation of the project framework takes place. As it is the case with the whole CRAMM procedure, the security consultant that conducts the CRAMM procedure, interviews selected staff to get the information needed. At this point, the arrangement of the initial management meeting takes place, followed by the preparation of the functional specification of the system. The project boundaries are agreed and the physical (hardware, communications, environmental, software, documentation) and data (organised interrelated data) assets are identified and documented. Then, the organisation's structure is documented; the data users and three time periods for unavailability are identified. At the end of all this, the project schedule is prepared, which is the objective of this phase.
II. The security consultant tries to assign values to assets. Assigning values to physical assets is not difficult, as their price is known. What can be difficult is the assignment of values to data assets. This happens because the data is only valuable to somebody during some defined period of time. At this point, the personnel are interviewed, so that the consultant can value the data assets. Questionnaires and tables are used along with worst case scenarios. It is very important that existing countermeasures are ignored and that the interviewees provided accurate and relevant numerical input (not vague descriptions of the impact due to the lack of the data assets). When valuing assets, one should take into account the impact from political embarrassment, personal safety matters, infringement of personal privacy, failure to meet legal obligations, financial loss, disruption of activities, commercial confidentiality. Under certain threats these impacts can become reality, causing from minor losses up to imprisonment and public humiliation. At the end of that phase, a data assets value summary is created.
III. The data results are reviewed just in case some of the value assignments do not correspond to reality. This can happen if the interviewees were not the appropriate ones, or if the interviewer was not experienced. At this point, the CRAMM report is printed and the consultant writes his/her own report that will be given to the management. In the report the consultant's understanding of the client's business must be clearly stated. Then, all the asset valuations have to be agreed upon.
The first stage can pose a series of problems such as the lengthy period it takes to complete. Moreover, bad data grouping can occur if the interviewees or the interviewer are not the appropriate ones. The first stage can also be bogged down in useless detail or the unavailability periods can be incorrect.
Second stage: It is involved with the evaluation of the risk and it consists of four steps.
I. The threat, asset, impact relationships are identified. CRAMM has thirty one generic threats that cover all possible threats form accidents to malicious misconduct. During that step, all meaningful threat/asset combinations are found and impacts are assigned to them. Time and space can be saved by grouping together assets.
II. The threats and vulnerabilities are measured by calculating the threat and vulnerability ratings. The threat rating reflects the likelihood of a threat occurring and takes into account if the threat has happened in the past and who is interested on the assets involved. The vulnerability rating shows if the system makes a threat more likely to happen and also if the system's nature increases the possible extent of damage. This rating takes into account the redundancy built into the system and how easy it is to eavesdrop.
III. The security requirement is calculated. A fixed three dimensional lookup table (matrix) is used; whose elements represent the security requirement under different settings of threat rating, vulnerability rating and asset value. These elements are in the range 1-5 and give the security requirement for every threat/impact/asset triple.
IV. The security requirement values are reviewed to avoid any errors, that would either impose unnecessary expenses for unneeded extra security or would leave the system unprotected. Also, in case there is a limited budget factor a reasonable compromise between the cost and risk must be reached.
The problems imposed by stage two are mainly generated by the fact, that there are too many questions to be asked (approximately 600). The interviewees tend to get bored or be uncooperative. Also, sometimes the answers are objective, so the interview process has to be repeated.
Third stage: It is the last stage of CRAMM, where the appropriate countermeasures are selected.
I. The required countermeasures are identified. The calculated security requirement is a pointer to a set of applicable countermeasures from which "sufficiently powerful" countermeasures are selected. CRAMM contains fifty three countermeasure groups, categorised according to strength (1-5), "cost", security aspect (hardware, software, communications, procedural, physical, personnel, environmental) and sub-group type (to reduce threat, to reduce vulnerability, to reduce impact, to detect, to recover).
II. We compare the required countermeasures with the countermeasures already installed, to find out how many new countermeasures we need to install.
III. We recommend and confirm with the management the new countermeasures and here the work with CRAMM ends.
The problems we get with the third stage are that it generates a lot of output and that it is really hard to identify the already installed countermeasures, because the interviewees' knowledge is sometimes inadequate, or the countermeasures are not truly installed.
The typical time scale for a CRAMM cycle ranges from six days for a small system (one computer, one application), to seventeen days for a medium system (one mini computer, several applications), to thirty days for a large system (a mainframe with sites on several geographic locations).
One problem one can face with CRAMM, is that it requires expert knowledge, the right interviewees and to get the right balance between cost and risk, because even idiots can throw in numbers and get impressive but not appropriate results. It is also time consuming, not particularly green (consumes too much paper) and the reports are sometimes inadequate. Moreover, it doesn't really take into account the security policy of a company, the existing products and the cost of products, and the organisation culture of the company. On the other hand, CRAMM is a rigorous methodology that is becoming the Defacto standard, it is applicable to most systems, it is regularly updated and has a countermeasure database of impressive quality.
To get the best of CRAMM, one must identify the correct people, obtain useful information, avoid getting bogged down in detail, avoid being driven by CRAMM, identify key equipment to the company, start threats' and vulnerabilities' identification and evaluation early and finally start the countermeasures' process early.