
Performing a Risk Assessment

Objectives

• Selecting a Risk Assessment methodology
• Identifying the management structure
• Identifying assets and activities
• Identifying and evaluating threats
• Identifying and evaluating vulnerabilities
• Identifying and evaluating countermeasures
• Selecting a methodology based on the assessment needs
• Developing mitigation recommendations
• Presenting Risk Assessment Results
• Best practices
http://fpt.edu.vn 05/20/2024
Selecting a Risk Assessment Methodology
• The two primary types are quantitative and qualitative
• Before progressing with the RA:
– Define the assessment:
• Operational characteristics define how the system operates in your
environment.
• Mission of the system defines what the system does.
– Review previous findings:
• Recommendations
• Current status of accepted recommendations
• Unapproved recommendations

Identifying the Management Structure
• The management structure: how responsibilities are assigned
• Small organizations may have a single IT section
• Larger organizations may have multiple IT sections or divisions
– Network infrastructure:
• Responsible for the routers, switches and firewalls in the network.
– User and computer management:
• Performs the day-to-day management of the network and user accounts.
– E-mail servers:
• Manages e-mail, spam filtering and malicious attachments.
– Web servers:
• Configured in one or more Web farms, generating a significant amount of revenue
– Database servers:
• The knowledge needed to manage these servers is specialized.
– Configuration and change management:
• Oversees configuration and changes to either all servers or all systems.
Identifying Assets and Activities
Within Risk Assessment Boundaries
• Asset valuation is the process of determining the fair
market value of an asset
– Replacement value
– Recovery value
• Several elements to consider
– System access and system availability
– System functions
– Hardware assets
– Software assets
– Personnel assets
– Data and information assets (Public, Private and Proprietary Data)
– Facilities and supplies (Hot, Cold and Warm Sites)
Identifying Assets and Activities (cont.)

• Several elements to consider
– Hardware and software assets
– Personnel assets
– Data and information assets
– Facilities and supplies

Identifying and Evaluating Relevant Threats
• A threat is any potential danger:
– to the data, the hardware, or the systems
– A threat assessment is the process of identifying threats.
– The relationship between threats, attacks, vulnerabilities and loss (Fig. 6-4)
• Two primary methods to identify threats:
– Review historical data:
• Attacks, natural events, accidents and equipment failures.
– Modeling:
• The system, threat profile and threat analysis.

Identifying and Evaluating
Relevant Vulnerabilities
• A vulnerability is a weakness:
– All systems have vulnerabilities, and not all vulnerabilities result in a loss
• Two primary assessments:
– Vulnerability assessments (using tools such as Nmap, Nessus, SATAN, SAINT, …):
• Identifying IP addresses - ping scanner tools.
• Identifying names - “whois” tools for computers on the Internet.
• Identifying operating systems - fingerprinting tools.
• Identifying open ports - port scanner tools.
• Identifying weak passwords - password cracker tools.
• Capturing and analyzing data.
– Exploit assessments:
• Also referred to as “penetration tests”; they attempt to discover which
vulnerabilities an attacker can actually exploit.
Identifying and Evaluating Countermeasures
• A countermeasure is a security control or a safeguard.
• In-Place and Planned Countermeasures
– In-place controls:
• Currently installed in the operational system.
– Planned controls:
• Have a specified implementation date.
• Control categories:
– Administrative security controls (in-place controls): Policies and procedures, Security
plans, Insurance, Personnel checks, Awareness and training, Rules of behavior
– Technical security controls (automated): Login identifier, Session timeout, System logs,
Audit trails, Input validation, Firewalls, Encryption
– Physical security controls: Locked doors, Guards and access logs, Video cameras, Fire
detection and suppression, Water detection, Temperature and humidity detection,
Electrical grounding and circuit breakers
Selecting a Methodology Based
on Assessment Needs
• Quantitative
– Identifying values SLE, ARO, ALE (before and after control), Safeguard
Cost/Benefit (Lecture 5)
– Scenario (p. 157-8)
• Qualitative:
– Using the opinions of experts to determine two primary data points:
• Probability - the likelihood that the risk will occur (as a percentage)
• Impact - the magnitude of the loss if the risk occurs.
– Prioritize the risks:
• Buffer overflow
• SQL injection attacks
• Web defacing
Develop Mitigating Recommendations
• Threat/vulnerability pairs:
– A control needs to address specific threat/vulnerability pairs.
• Estimate of cost and time to implement:
– Included in the cost-benefit analysis
– It is important to identify this cost accurately by including both direct and indirect costs.
• Estimate of operational impact:
– Identify the operational impact of a control as negligible, low, medium, high, or
overwhelming.
– Consider the four primary resources of a computer system: Processor, Memory, Disk, Network
interface card (NIC)
• Prepare cost-benefit analysis
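The following is an added example, not part of the lecture, that carries the quantitative figures (SLE, ARO, ALE before and after a control, safeguard cost/benefit) and the qualitative probability/impact ranking from the two previous slides through to a recommend/reject decision. It assumes the standard formulas SLE = AV × EF and ALE = SLE × ARO, a five-level impact scale of my own choosing, and constructed asset values, rates and costs.

```python
# Added example (not from the lecture). Assumes SLE = AV * EF and
# ALE = SLE * ARO; the impact scale and all figures below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    """One threat/vulnerability pair with a candidate safeguard."""
    name: str
    asset_value: float      # AV: replacement or recovery value of the asset
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence
    aro_before: float       # ARO: expected occurrences per year, no control
    aro_after: float        # ARO with the safeguard in place
    safeguard_cost: float   # annual cost of the control (direct + indirect)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale_before(self) -> float:
        return self.sle() * self.aro_before

    def ale_after(self) -> float:
        return self.sle() * self.aro_after

    def safeguard_value(self) -> float:
        """Cost/benefit: ALE reduction minus the annual safeguard cost."""
        return self.ale_before() - self.ale_after() - self.safeguard_cost

    def recommended(self) -> bool:
        """Only a control whose benefit exceeds its cost is recommended."""
        return self.safeguard_value() > 0


# Qualitative: expert-supplied probability (percent) times an impact level.
IMPACT_LEVELS = {"negligible": 1, "low": 2, "medium": 3, "high": 4, "overwhelming": 5}

def qualitative_score(probability_pct: int, impact: str) -> int:
    return probability_pct * IMPACT_LEVELS[impact]

def prioritize(risks: dict) -> list:
    """Order risks (name -> (probability %, impact)) from highest score down."""
    return sorted(risks, key=lambda n: qualitative_score(*risks[n]), reverse=True)

# Constructed sample input (not real figures)
WEB_DEFACING = QuantitativeRisk("web defacing", 500_000, 0.25, 2.0, 0.5, 60_000)
LEGACY_OVERFLOW = QuantitativeRisk("buffer overflow, legacy app", 80_000, 0.5, 0.5, 0.25, 12_000)
QUALITATIVE = {"Buffer overflow": (20, "high"), "SQL injection attacks": (60, "high"), "Web defacing": (70, "medium")}

if __name__ == "__main__":
    for r in (WEB_DEFACING, LEGACY_OVERFLOW):
        print(f"{r.name}: ALE {r.ale_before():,.0f} -> {r.ale_after():,.0f}, value {r.safeguard_value():,.0f}, recommend={r.recommended()}")
    print("Priority:", prioritize(QUALITATIVE))
```

A negative safeguard value (the legacy overflow case) means the control costs more per year than the loss it prevents, so the recommendation is to accept the risk or look for a cheaper control.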

Present Risk Assessment Results

• After the RA, create a report documenting the results
• Include two phases
– Presenting the recommendations to management
– Documenting the decisions made by management:
• Creating a plan of actions and milestones (POAM) to track and monitor
the controls (cf. Lecture 4)

Best Practices for Performing
Risk Assessments
• Ensuring systems are fully described
• Reviewing past audits
• Reviewing past Risk Assessments
• Matching the RA to the management structure
• Identifying assets within the RA boundaries
• Identifying and evaluating relevant threats
• Identifying and evaluating relevant vulnerabilities
• Identifying and evaluating countermeasures
• Tracking the results
