The Mesusa Corporation has three information assets to evaluate for risk management, as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, and then include the percentage of current control and the uncertainty rate to come up with a final risk-rating estimate. Use the formula as described in this chapter.
Switch L47 connects a network to the Internet. It has two vulnerabilities: (1) susceptibility to hardware failure, with a likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.

Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such an attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of the vulnerability by 75%. There is an 80% certainty of the assumptions and data.

Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.
Likelihood
Likelihood is the overall rating—a numerical value on a defined scale (0.1 – 1.0)—of the probability that a specific vulnerability will be exploited. Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, e.g. 1-100 or low-medium-high.
Assessing Potential Loss
To be effective, the values must be assigned by asking:
· Which threats present a danger to this organization’s assets in the given environment?
· Which threats represent the most danger to the organization’s information?
· How much would it cost to recover from a successful attack?
· Which threats would require the greatest expenditure to prevent?
· Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
Uncertainty
It is not possible to know everything about every vulnerability. The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.
Risk Determination
For the purpose of relative risk assessment:
risk = (likelihood of vulnerability occurrence) x (value or impact) – (percentage of risk already controlled) + (an element of uncertainty)
Ranked Vulnerability Risk worksheet.

Asset | Asset Impact | Vulnerability | Vulnerability Likelihood | Risk-Rating Factor
Switch L47 | 90 | Susceptibility to hardware failure: (90x0.2)-0%+25% = (90x0.2)-((90x0.2)x0.0)+((90x0.2)x0.25) | 0.2 | 22.5
Switch L47 | 90 | Susceptibility to an SNMP buffer overflow attack: (90x0.1)-0%+25% = (90x0.1)-((90x0.1)x0.0)+((90x0.1)x0.25) | 0.1 | 11.25
Server WebSrv6 | 100 | Hosts the company Web site and performs e-commerce transactions. Web server software that is vulnerable to attack via invalid Unicode values: (100x0.2)-75%+20% = (100x0.2)-((100x0.2)x0.75)+((100x0.2)x0.2) | 0.1 | 4.5
Operators MGMT45 | 5 | Control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators: (5x0.1)-0%+10% = (5x0.1)-((5x0.1)x0)+((5x0.1)x0.1) | 0.1 | 0.45
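To make the worksheet checkable, here is an added Python example (not from the textbook or the original post) that applies the chapter's formula to the four Mesusa asset-vulnerability pairs using the inputs exactly as stated in the scenario text (likelihood 0.2 for WebSrv6, 90% certainty for MGMT45) and prints the pairs ranked by risk-rating factor; the class and function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRisk:
    """One asset-vulnerability pair from a Ranked Vulnerability Risk worksheet."""
    asset: str
    vulnerability: str
    impact: float         # asset impact rating on the 1-100 scale
    likelihood: float     # probability of exploitation, 0.1 - 1.0
    control_pct: float    # share of the risk already mitigated by current controls, 0.0 - 1.0
    certainty_pct: float  # confidence in the assumptions and data, 0.0 - 1.0

    def __post_init__(self):
        # Reject inputs outside the scales the chapter defines before they skew a ranking.
        if not 0.1 <= self.likelihood <= 1.0:
            raise ValueError(f"{self.asset}: likelihood must be 0.1-1.0")
        for name in ("control_pct", "certainty_pct"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.asset}: {name} must be 0.0-1.0")

    def risk_rating(self) -> float:
        # risk = (likelihood x impact) - (share already controlled) + (uncertainty share),
        # with uncertainty taken as 1 - certainty, as in the worksheet above.
        base = self.impact * self.likelihood
        uncertainty = 1.0 - self.certainty_pct
        return base - base * self.control_pct + base * uncertainty


# Constructed from the Mesusa scenario described in the text above.
MESUSA = [
    VulnRisk("Switch L47", "Hardware failure", 90, 0.2, 0.00, 0.75),
    VulnRisk("Switch L47", "SNMP buffer overflow", 90, 0.1, 0.00, 0.75),
    VulnRisk("Server WebSrv6", "Invalid Unicode values", 100, 0.2, 0.75, 0.80),
    VulnRisk("Console MGMT45", "Unlogged misuse (no passwords)", 5, 0.1, 0.00, 0.90),
]


def ranked(rows):
    """Highest risk-rating factor first: the order in which to consider added controls."""
    return sorted(rows, key=lambda r: r.risk_rating(), reverse=True)


def worksheet(rows) -> str:
    lines = ["Asset | Impact | Vulnerability | Likelihood | Risk-Rating Factor"]
    for r in ranked(rows):
        lines.append(f"{r.asset} | {r.impact:g} | {r.vulnerability} | {r.likelihood} | {r.risk_rating():.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(worksheet(MESUSA))
```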
From your results, determine in what order the three assets should be evaluated for additional controls. Include your worksheet and interpretation of the results.
------------------------------------------------------------------------------------------------------
I have two opinions for this case.
Opinion 1: The system is under control and maintained for the impact risk, but other devices such as Switch L47 are not under control, and MGMT45 will increase that risk.
If a vulnerability is fully managed by an existing control, it can be set aside. If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.
Opinion 2: Switch L47 has the highest risk, but on the other side WebSrv6 has an impact value of 100 and requires non-stop operation.
I would evaluate WebSrv6 for additional controls first, depending on the company situation, since the company Web site is hosted by this server and performs valuable e-commerce transactions, which can be compromised if the server is not protected. If an attack on this server occurs, much of the company’s private data could be compromised, which could harm the organization in many ways. Protecting the server could also keep the organization safe from other threats and attacks.
Deliverable | Purpose
Information asset classification worksheet | Assembles information about information assets and their impact on or value to the organization.
Weighted criteria analysis worksheet | Assigns a ranked value or impact weight to each information asset.
Ranked vulnerability risk worksheet | Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair.

Order in which the assets should be evaluated for additional controls:
1. WebSrv6, for the e-commerce business case
2. Switch L47
3. Operations MGMT45 control console used to monitor the operation

Interpretation of the results:
1. Switch L47 has a high risk for hardware and a mid-to-high risk for software.
2. WebSrv6: the risk rate is low, but the impact value is 100, which requires non-stop operation.
3. Operations MGMT45: low risk-rating factor, but the user has to use a password to log in to the system.

Recommended additional controls:
1. Maintain system and software controls on the maintenance schedule; check the system device and replace it with a high-quality component or system.
2. Use a backup server through the cloud system, or use a cluster operation server system for backup.
3. Set up a policy for the monitoring system operator.
Reference: Michael E. Whitman and Herbert J. Mattord, Management of Information Security, 3rd ed. (Boston: Course Technology, Cengage Learning, 2010).