Wednesday, March 21, 2007

Risk Analysis

Risk Management

Risk Management's main function is to mitigate risk. Mitigating risk means reducing the risk until it reaches a level that is acceptable to the organization.

Risk Management consists of the following:

- Performing Risk Analysis

- Implementing, reviewing and maintaining


Risk Analysis

The main purpose of performing a Risk Analysis is to quantify the impact of potential threats. Three variables are essential to analyze:

1. Threat

A threat can be defined as the presence of any potential event that could cause harm by violating security. There are two kinds of threat:

   a. Internal Threat

An internal threat is one that comes from inside the network. This kind of threat is more dangerous than an external threat because:

- The attackers are part of the organization

- The attackers have legitimate access to the computers

- The attackers know the system

- The attackers know what to look for

- The attackers know the weak spots

   b. External Threat

An external threat is one that comes from outside the network (e.g. the Internet).

2. Vulnerability

A vulnerability is defined as a weakness in a system that enables security to be violated.

3. Asset

An asset is any computing resource or capability, such as hardware, software, data and personnel.

Thus, after analyzing the three variables mentioned above, we determine:

1. Risk Level

The risk level describes how severe a threat is if it attacks the network.

2. Control

A control is the measure taken to prevent the threat and secure the network.

Risk Determination Table

| No | Asset | Threat | Vulnerability | Risk Level | Control |
|----|-------|--------|---------------|------------|---------|
| 1 | Data in server | Password attack | Login | High | Implement strong passwords |
| 2 | Data in local computer | Virus | Computers are connected to the LAN | Medium | Install antivirus |
| 3 | Data in local computer | Trojan horse | Computers are connected to the LAN | Medium | Install anti-trojan |
| 4 | Data in server | System identity spoofing, IP spoofing, network intrusion | Computers are connected to the Internet | Medium | Install a firewall |
| 5 | Physical computer unit | Theft | Computers can be moved easily | High | Attach the computers to locked boxes that are fixed to immovable objects; lock the room |
| 6 | Network user | Social engineering | Some network users are newcomers, and there is some probability that they could be tricked into giving away their data or information about the network | High | User briefing and training |
| 7 | Data in the network | Eavesdropping, data diddling | Data flow through the network in their true form (unencrypted) | Medium | Use a safe network topology; encrypt important data before sending it through the network; employ a one-time password technique; install an anti-sniffer |
| 8 | Local mail server | Spam | Network is connected to the Internet | Low | Use an automated e-mail filter; use an appropriate tool to trap spam at the mail server level; create a unique e-mail address for each person or site the network wishes to communicate with; use regularly updated anti-virus and anti-spyware programs |
| 9 | Staff | Other company | Staff with low salary | Medium | Increase staff salaries; always be ready to recruit new staff |
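The Risk Determination Table as a small, queryable risk register, an example added here that is not part of the original post: it ranks the rows by risk level, reports the highest risk recorded per asset, and flags rows that still lack a control. The numeric weights for High/Medium/Low and the shortened wording of the rows are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Assumed numeric weights for the qualitative levels used in the table.
LEVEL_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class RiskEntry:
    no: int
    asset: str
    threat: str
    vulnerability: str
    risk_level: str
    controls: list = field(default_factory=list)

    def weight(self) -> int:
        if self.risk_level not in LEVEL_WEIGHT:
            raise ValueError(f"unknown risk level {self.risk_level!r} in row {self.no}")
        return LEVEL_WEIGHT[self.risk_level]

# Rows transcribed (abbreviated) from the Risk Determination Table above.
REGISTER = [
    RiskEntry(1, "Data in server", "Password attack", "Login", "High", ["Strong passwords"]),
    RiskEntry(2, "Data in local computer", "Virus", "On LAN", "Medium", ["Antivirus"]),
    RiskEntry(3, "Data in local computer", "Trojan horse", "On LAN", "Medium", ["Anti-trojan"]),
    RiskEntry(4, "Data in server", "Spoofing, intrusion", "On Internet", "Medium", ["Firewall"]),
    RiskEntry(5, "Physical computer unit", "Theft", "Easily moved", "High", ["Locked boxes", "Lock room"]),
    RiskEntry(6, "Network user", "Social engineering", "Inexperienced users", "High", ["Training"]),
    RiskEntry(7, "Data in the network", "Eavesdropping", "Unencrypted", "Medium", ["Encryption", "OTP"]),
    RiskEntry(8, "Local mail server", "Spam", "On Internet", "Low", ["E-mail filter"]),
    RiskEntry(9, "Staff", "Other company", "Low salary", "Medium", ["Raise salary", "Recruitment"]),
]

def ranked(register):
    """Entries ordered highest risk first; ties keep the table order."""
    return sorted(register, key=lambda e: (-e.weight(), e.no))

def max_risk_by_asset(register):
    """Highest risk level recorded for each asset (one asset may appear in several rows)."""
    best = {}
    for e in register:
        if e.asset not in best or e.weight() > best[e.asset].weight():
            best[e.asset] = e
    return {asset: e.risk_level for asset, e in best.items()}

def uncontrolled(register):
    """Row numbers with no control assigned, i.e. risks that remain unmitigated."""
    return [e.no for e in register if not e.controls]
```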
