levyuk

asked on
Risk analysis problems

If I were to carry out a risk analysis on a company, what would I need to do at a basic level? I'm not worried about the tools that I need like MSAT etc. I need to know how a report should look, what it should contain, etc. Would I just need to list vulnerabilities, the severity of the vulnerability, sensitivity, impact on performance, etc., or is there something else?

Cheers
J
dr_country

I think everything you listed is fine, but you could add more detail by adding the exposure factor of the asset(s), annualized loss expectancy, annualized rate of occurrence, etc. Here are a few links, hope they help:

http://www.ccert.edu.cn/education/cissp/hism/229-230.html
http://www.riskythinking.com/glossary/annualized_loss_expectancy.php
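The terms dr_country mentions fit together as a small calculation that a risk report usually shows in a table: SLE = AV × EF, ALE = SLE × ARO, and a proposed control is judged by how much it lowers ALE against what it costs per year. The following is an added example (not from this thread or from either link); every asset value, exposure factor, ARO and control cost in it is a constructed figure for a fictional company, chosen only to show the arithmetic and the ranking.

```python
"""Quantitative risk register: exposure factor, SLE, ARO and ALE per risk,
plus a cost/benefit check for a proposed control.

Added example, not from the thread. Every asset value, exposure factor,
ARO and control cost below is a constructed illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # AV: value of the asset to the business
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0..1.0
    aro: float               # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE * ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # yearly cost of running the safeguard
    exposure_factor: float   # EF once the control is in place
    aro: float               # ARO once the control is in place


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control reduces EF and/or ARO."""
    return risk.asset_value * control.exposure_factor * control.aro


def control_value(risk: Risk, control: Control) -> float:
    """Net yearly value of the control: ALE reduction minus its cost.
    Positive means the safeguard pays for itself on these numbers."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_register(risks):
    """Order the register by ALE, highest first, for the report's summary table."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register for a fictional company (figures are illustrative only).
REGISTER = [
    Risk("customer database", "ransomware", asset_value=500_000, exposure_factor=0.6, aro=0.2),
    Risk("core router", "hardware failure, no spare", asset_value=40_000, exposure_factor=1.0, aro=0.5),
    Risk("inter-site WAN link", "loss of connectivity", asset_value=120_000, exposure_factor=0.1, aro=2.0),
]

# Proposed safeguards, keyed by asset (also constructed).
CONTROLS = {
    "customer database": Control("off-site backups with tested restores",
                                 annual_cost=15_000, exposure_factor=0.1, aro=0.2),
    "core router": Control("redundant router pair",
                           annual_cost=25_000, exposure_factor=0.05, aro=0.5),
}


def report_lines():
    """One line per risk, highest ALE first, with the control's net value if one is proposed."""
    lines = []
    for r in rank_register(REGISTER):
        line = f"{r.asset:22} {r.threat:28} SLE={r.sle():>10,.0f} ALE={r.ale():>10,.0f}"
        c = CONTROLS.get(r.asset)
        if c:
            line += f"  | {c.name}: net value {control_value(r, c):>+10,.0f}/yr"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines()))
```

On these constructed numbers the backup control comes out at +35,000/yr and the redundant router at -6,000/yr, which is the point of showing the arithmetic in the report: the ranking by ALE says what to worry about, and the control value says which safeguard is worth recommending. The ARO and EF inputs are estimates, so a report should state where each one came from (incident history, vendor MTBF, interview) rather than only the result.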
ASKER CERTIFIED SOLUTION
MalleusMaleficarum
levyuk (ASKER)

Dude, that is one of the clearest explanations I've found. It all makes sense to me; I've seen something like that somewhere but I wasn't sure, so it's good to get a second opinion. The company is fictional, so it doesn't have to comply with any regulations. Since you seem to have done this before, could you suggest any risks off the top of your head for network infrastructure? I was thinking about loss of connectivity between two networks as one problem, IP spoofing as another, and then I hit a brick wall.

Cheers
MalleusMaleficarum

Hehe, I'm so glad it made sense!!

As for risks to a network infrastructure, you can usually work your way around that brick wall if you operate around the "CIA Triad" of Confidentiality, Integrity and Availability:


Does the network handle sensitive information? (patient data, financial, personally identifiable info that could be used to steal an identity, etc.)
If so, how is it being protected? Do they have encryption in places where encryption makes sense? (Confidentiality)

Do they have an adequate backup policy for their critical data? How many days' worth of retention is there? Where are backups stored? (off-site in a fire-rated container?) (Integrity)

Single points of failure in the architecture are always big (depends on how much the company's profit and viability depend on Availability).

Lack of a COOP site (if the primary goes down, is there a cold/warm/hot site waiting in the wings? Again, this speaks to Availability).

Change management is a vulnerability that I'm ALWAYS identifying, especially when it comes to key network infrastructure components such as routers and firewalls. Is there a formal approval process for making modifications to these key devices? (I once found a FW that had all of the original rules negated by a slew of exceptions followed by an allow Any:Any rule. Their excuse was that they had gotten too many complaints from users who couldn't do things out on the internet.)

Is that the type of risks you were wanting to hear about when you said network infrastructure? You threw me with the IP spoofing example, since that is more along the lines of an attack. However, if they don't encrypt their sensitive data, you could certainly say that it could be easily compromised by a spoofing attack. In this case, their inability to properly protect their assets is their vulnerability, and the spoof attack is what you would think about when speaking about the likelihood of a successful exploit of the vulnerability.

Let me know if there is anything else I can help you with. :)

__Mal
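The firewall Mal describes (original rules negated by exceptions, then an allow Any:Any at the end) is the kind of finding that is easy to check for mechanically when the rule list is exported. The following is an added example, not from this thread or from any firewall product: it models a first-match rule list and flags a terminal allow-any rule and any rule that can never match because an earlier rule already covers everything it would match. The rule list is constructed, and the match model (source network, destination network, destination port) is a simplification of what a real device evaluates.

```python
"""Audit a first-match firewall rule list for two findings: a terminal
allow any:any (default-permit) and rules shadowed by an earlier rule,
i.e. the "original deny negated by an exception" pattern.

Added example, not from the thread or from any product. The rule list
below is constructed; the match model is deliberately simplified.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network

ANY_NET = IPv4Network("0.0.0.0/0")
ANY_PORT = "any"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    port: str            # destination port as a string, or "any"


def rule(action: str, src: str, dst: str, port="any") -> Rule:
    """Build a Rule from CIDR strings; 0.0.0.0/0 stands for 'any'."""
    return Rule(action, IPv4Network(src), IPv4Network(dst), str(port))


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a.
    With first-match evaluation, an earlier a then makes b unreachable."""
    return (a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst)
            and (a.port == ANY_PORT or a.port == b.port))


def review(rules):
    """Return (rule_index, finding) pairs for a first-match rule list."""
    findings = []
    for i, r in enumerate(rules):
        if (r.action == "allow" and r.src == ANY_NET
                and r.dst == ANY_NET and r.port == ANY_PORT):
            findings.append((i, "allow any:any - policy is default-permit"))
        shadow = next((j for j in range(i) if covers(rules[j], r)), None)
        if shadow is not None:
            kind = "negated" if rules[shadow].action != r.action else "redundant"
            findings.append((i, f"{kind} - never matches, shadowed by rule "
                                f"{shadow} ({rules[shadow].action})"))
    return findings


# Constructed rule list in evaluation order. Rules 1 and 4 are the
# "exceptions" that crept in; rules 0, 2 and 3 were the original policy.
RULES = [
    rule("allow", "10.0.0.0/8", "10.1.1.5/32", 443),      # 0: HTTPS to the app server
    rule("allow", "192.168.5.0/24", "0.0.0.0/0"),         # 1: exception added after complaints
    rule("deny",  "192.168.5.0/24", "10.1.1.5/32"),       # 2: original block, now dead
    rule("deny",  "0.0.0.0/0", "10.1.1.5/32", 22),        # 3: no SSH to the app server
    rule("allow", "0.0.0.0/0", "0.0.0.0/0"),              # 4: terminal allow any:any
]


def audit_example():
    """Run the review over the constructed list."""
    return review(RULES)


if __name__ == "__main__":
    for index, text in audit_example():
        print(f"rule {index}: {text}")
```

In a report this becomes two findings under change management: rule 2 is a deny that an earlier exception has silently negated, and rule 4 turns the whole policy into default-permit, so every deny that does not appear before it is the only thing standing between the internet and the inside. Real rule bases also match on protocol, source port, zone and time, so treat this as the shape of the check, not a drop-in tool.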

levyuk (ASKER)

Some good suggestions there. I shall take them on board. There is sensitive data involved, so encryption would need to be applied.
levyuk (ASKER)

If a company was connecting to LANs using a secure VPN, then that would solve the problem of encryption and confidentiality, as it's taken care of by the SVPN. That's correct, right?
MalleusMaleficarum

Sure, provided they are using fairly secure encryption. However, if the data is only encrypted between LANs but then travels in clear text internally, and anyone has access to the internal LAN (available from any Ethernet plug, no VLAN separation, ability to access internal resources through unprotected dial-ups), then it is still a finding, only internally vs. externally. :)