Ch15 - 15.01 - Intro to Risk Analysis Flashcards
Asset
A resource that your organization needs to function
Vulnerability
A weakness in the configuration of hardware or software
Threat
An event that can cause harm to the asset
Threat Vector
The tool or mechanism (a malicious web request, a worm, a stolen credential) that an attacker uses to exploit a weakness in a system
Threat Actor
The person or group (an external hacker, a disgruntled employee) who uses the threat vector to compromise the system
Threat Target
The system or device being attacked
Risk
The chance that a threat exploits a vulnerability in an asset and causes harm to the organization, typically measured as a financial loss
Risk analysis
The identification of the organization's assets, the threats to them and the impact of those threats, followed by the planning of mitigation techniques to reduce and manage the risks to your organization
Risk Analysis Process
- Identify Assets (Asset Identification)
- Identify Threats to Each Asset (Threat Assessment)
- Analyze Impact (Impact Analysis)
- Prioritize Threats
- Identify Mitigation Techniques
- Evaluate Residual Risks
Risk Analysis Process - 1. Identify Assets
The first phase of performing a risk analysis, also known as a risk assessment, is to identify the assets within the organization and the value of those assets. This phase is also known as asset identification. For example, if a company earns revenue by selling products online, the web server hosting the e-commerce web site would be considered an asset to the company.
Risk Analysis Process - 2. Identify Threats to Each Asset (Threat Assessment)
Once you have identified the assets in the organization, you then turn your focus to threat assessment, which involves identifying the threats to each of the assets identified in the first phase. Continuing the example of a company e-commerce web site, it has a number of potential threats; for example, the system could be hacked via a buffer-overflow exploit or an SQL injection attack. The web server could also experience a hard drive failure, which could cause the system to be down for a long time, resulting in lost revenue.
Types of Threats
- Environmental threats (floods, earthquakes, ...)
- Manmade threats (worms, viruses, theft, ...)
- Internal and external threats (disgruntled employees, outside attackers, ...)
- Weaknesses, or vulnerabilities, in the organization's assets that a threat can exploit, such as:
  - No system hardening
  - No physical security
  - No security controls on data
  - No administrative controls
Risk Analysis Process - 3. Analyze Impact (Impact Analysis)
The next phase in risk analysis is the impact analysis. The goal of impact analysis is to identify what the result of the threat occurring would be for the business. For example, if the company's e-commerce web site suffers a denial-of-service attack, the impact is that the server could be down for days, resulting in lost revenue.
Tangible vs. Intangible Impacts
Tangible Impacts
A tangible impact is a visible, measurable loss to the company
Examples:
1. Loss of revenue or business opportunity
2. Loss of money due to cost to fix
3. Loss of production
4. Employee safety
Intangible Impacts
The impact of a threat is not always visible, and sometimes the effect of the threat occurring is not seen until some time after the event. These types of impacts are known as intangible impacts.
Examples:
1. Company reputation
2. Failure to follow regulations
3. Loss of customers’ confidence
Risk Analysis Process - 4. Prioritize Threats
Qualitative vs. Quantitative Analysis
Once you have identified all of the threats that could occur against each asset, you must prioritize the threats based on their impact and probability of occurring (also known as the likelihood of occurrence) so that you can deal with the more serious threats first.
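As an added, worked example of the whole process (not part of the flashcards), the following Python builds a small qualitative risk register for the flashcards' e-commerce web server: it records asset/threat pairs (steps 1 and 2), rates impact and likelihood (step 3), scores and ranks the threats (step 4), applies mitigations (step 5) and reports which residual risks still exceed the organization's risk appetite (step 6). The 1-to-5 ordinal scales, the score = impact x likelihood rule, the number of scale steps each control removes and every register entry are assumptions made for this example; an impact-times-likelihood matrix is one common way to prioritize, not the only one.

```python
"""Added example: a minimal qualitative risk register for the e-commerce
web server discussed in the flashcards. The 1-5 scales, the score rule
(impact x likelihood) and every register entry are assumptions made here."""
from dataclasses import dataclass, field

# Ordinal scales (assumed). Higher is worse.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass
class Mitigation:
    """A control and how many scale steps it removes from impact and/or likelihood."""
    name: str
    impact_steps: int = 0
    likelihood_steps: int = 0


@dataclass
class Risk:
    """One asset/threat pair in the register (steps 1 and 2 of the process)."""
    asset: str
    threat: str
    threat_type: str          # environmental, manmade, internal, external, ...
    impact: str               # key of IMPACT (step 3: impact analysis)
    likelihood: str           # key of LIKELIHOOD
    mitigations: list[Mitigation] = field(default_factory=list)   # step 5

    def inherent_score(self) -> int:
        """Step 4: risk score before any control is applied."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual_levels(self) -> tuple[int, int]:
        """Step 6: levels left after all mitigations. Floored at 1: a control
        reduces a risk, it never removes the threat entirely."""
        d_impact = sum(m.impact_steps for m in self.mitigations)
        d_likelihood = sum(m.likelihood_steps for m in self.mitigations)
        return (max(1, IMPACT[self.impact] - d_impact),
                max(1, LIKELIHOOD[self.likelihood] - d_likelihood))

    def residual_score(self) -> int:
        impact, likelihood = self.residual_levels()
        return impact * likelihood


def prioritize(risks: list[Risk], residual: bool = False) -> list[Risk]:
    """Most serious first. Ties are broken by impact, so a severe but rare
    event outranks a minor but frequent one at the same score."""
    def key(r: Risk) -> tuple[int, int]:
        if residual:
            impact, likelihood = r.residual_levels()
            return (impact * likelihood, impact)
        return (r.inherent_score(), IMPACT[r.impact])
    return sorted(risks, key=key, reverse=True)   # sorted() is stable, even reversed


def needs_further_treatment(risks: list[Risk], appetite: int) -> list[Risk]:
    """Step 6 outcome: residual risks still above what the organization accepts."""
    return [r for r in prioritize(risks, residual=True) if r.residual_score() > appetite]


def build_register() -> list[Risk]:
    """Constructed sample entries for the flashcards' online-store example."""
    server = "e-commerce web server"
    return [
        Risk(server, "SQL injection against the storefront", "external",
             "major", "likely",
             [Mitigation("parameterized queries", likelihood_steps=2),
              Mitigation("web application firewall", likelihood_steps=1)]),
        Risk(server, "buffer-overflow exploit of the web server daemon", "external",
             "severe", "possible",
             [Mitigation("patch management", likelihood_steps=2)]),
        Risk(server, "hard drive failure", "hardware",
             "major", "possible",
             [Mitigation("RAID mirror plus nightly backups", impact_steps=3)]),
        Risk(server, "denial-of-service flood", "external",
             "major", "almost certain",
             [Mitigation("upstream DDoS scrubbing", likelihood_steps=3)]),
        Risk(server, "disgruntled admin deletes the product database", "internal",
             "severe", "unlikely",
             [Mitigation("least-privilege admin roles", likelihood_steps=1),
              Mitigation("offline backups", impact_steps=2)]),
    ]


if __name__ == "__main__":
    register = build_register()
    print(f"{'threat':48} {'inherent':>8} {'residual':>8}")
    for r in prioritize(register):
        print(f"{r.threat:48} {r.inherent_score():>8} {r.residual_score():>8}")
    print("\nStill above appetite (> 6):",
          [r.threat for r in needs_further_treatment(register, appetite=6)])
```

Running it ranks the denial-of-service flood first (score 20) and the insider threat last (10) before controls; after the listed mitigations only the DoS risk (residual 8) is still above an appetite of 6, which is exactly the kind of output step 6 is meant to produce: a short list of risks that need further treatment, acceptance or transfer. Note that the floor of 1 in residual_levels matters: without it a generous set of controls would compute a residual score of 0 and make a risk silently disappear from the register.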