Week 8. Risk Associated with the four vulnerabilities.

The Mesusa Corporation has three information assets to evaluate for risk management as listed below. Create a ranked list of risk associated with the four vulnerabilities. You can begin with the columns from the Ranked Vulnerability Risk worksheet (Asset, Impact, Vulnerability, Likelihood), determine the risk rating, and then include percentage of current control and the uncertainty rate to come up with a final risk -rating estimate. Use the formula as described in this chapter.

Switch L47 connects a network to the Internet. It has two vulnerabilities; (1) susceptibility to hardware failure, with the likelihood of 0.2, and (2) susceptibility to an SNMP buffer overflow attack, with a likelihood of 0.1. This switch has an impact rating of 90 and has no current controls in place. There is a 75% certainty of the assumptions and data.

Server WebSrv6 hosts a company Web site and performs e-commerce transactions. It has Web server software that is vulnerable to attack via invalid Unicode values. The likelihood of such and attack is estimated at 0.2. The server has been assigned an impact value of 100, and a control has been implemented that reduces the impact of vulnerability by 75%. There is an 80% certainty of the assumptions and data.

Operators use the MGMT45 control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. Estimates show the likelihood of misuse is 0.1. There are no controls in place on this asset, which has an impact rating of 5. There is a 90% certainty of the assumptions and data.

Likelihood

Likelihood is the overall rating—a numerical value on a defined scale (.1 – 1.0)—of the probability that a specific vulnerability will be exploited.

Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1-100, low-med-high,

Assessing Potential Loss

To be effective, the values must be assigned by asking:

·         Which threats present a danger to this organization’s assets in the given environment?

·         Which threats represent the most danger to the organization’s information?

·         How much would it cost to recover from a successful attack?

·         Which threats would require the greatest expenditure to prevent?

·         Which of the aforementioned questions is the most important to the protection of information from threats within this organization?

Percentage of Risk Mitigated by Current Controls

If a vulnerability is fully managed by an existing control, it can be set aside.

If it is partially controlled, estimate what percentage of the vulnerability has been controlled.

Uncertainty

It is not possible to know everything about every vulnerability.

The degree to which a current control can reduce risk is also subject to estimation error. A factor that accounts for uncertainty must always be added to the equations; it consists of an estimate made by the manager using good judgment and experience.

Risk Determination

For the purpose of relative risk assessment, = (risk equals likelihood of vulnerability occurrence) x (value (or impact)) – (percentage risk already controlled) + (an element of uncertainty).

Ranked Vulnerability Risk worksheet.

Asset	Asset Impact	Vulnerability	Vulnerability Likelihood	Risk-Rating Factor
Switch L47	90	Susceptibility to Hardware failure (90x0.2)-0%+25% (90x0.2)-((90x0.2)x0.0)+(90x0.2)x0.25)	0.2	22.5
	90	Susceptibility to an SNMP buffer overflow attack (90x0.1)-0%+25% (90x0.1)-((90x0.1)x0.0)+(90x0.1)x0.25)	0.1	11.25
Server WebSrv6	100	Web site and performs e-commerce transactions. Web server software that is vulnerable to attack via invalid Unicode-values. (100x0.2)-75%+20% (100x0.2)-((100x0.2)x0.75)+((100x0.2)x0.2)	0.1	4.5
Operators MGMT45	5	Control console to monitor operations in the server room. It has no passwords and is susceptible to unlogged misuse by the operators. (5x0.1)-0%+10% (5x0.1)-((5x0.1)x0)+((5x0.1)x0.1)	0.1	0.45

From your results, determine in what order the three assets be evaluated for additional controls. Include your worksheet and interpretation of the results.

------------------------------------------------------------------------------------------------------
I have two opinion for this case.

Opinion 1: The system is in control and give maintenance for the impact risk, but other devices such as the Switch L47 is not in control and the MGMT45 will increase that risk.
If vulnerability is fully managed by an existing control, it can be set aside.
If it is partially controlled, estimate what percentage of the vulnerability has been controlled.
The risk identification process should designate, what function the reports serve, who is responsible for preparing them, and who reviews them.
Below is the table of the worksheets that should have been prepared by an information asset risk management team to this point.

Opinion2: The Switch 47 has the highest risk, but other side of WebSrv6 has impact value is 100 and require the no-stop operation.
I would evaluate the WebSrv6 for the additional controls first, depend on the company situation, but the company Web site is hosted by this server and performs valuable e-commerce transactions which can be compromised if the Server is not protected. If an attack on this Server occurs much of the company’s private data could be compromised which could harm the organization in many way. Protecting the server could also keep the organization safe from other threats and attacks.

Deliverable	Purpose
Information asset classification worksheet     1. WebSrv6  for E-commerce BIZ case 1.The Switch L47 has a high risk at the Hardware and Mid(high)-Software     2. Switch L47 2. WebSrv6 : risk rate is low, but the impact value is 100 which requires a non-stop operation.     3. Operations MGMT45 controls the console to monitor the operation Low risk-rating factor, but the user has to use the password to login into the system.	Assembles information about information assets and their impact on or value to the organization.   1.    They need the system & software controls by the schedule of maintenance. * Check the system device & replace it with a high quality component or system.   2.    They have to use the backup server through the cloud system or use the cluster operation server system for backup.   3.    They have to setup the policy for the monitoring system operator.
Weighted criteria analysis worksheet	Assigns a ranked value or impact weight to each information asset
Ranked vulnerability risk worksheet	Assigns a risk-rating ranked value to each uncontrolled asset-vulnerability pair

Reference.
Michael E. Whitman & Herbert J. Mattord, “Management of information security” 3e (2010), Boston, Course Technology, CengageLearning.