Risk analysis problems

Posted on 2006-05-02
Medium Priority
Last Modified: 2010-04-11
If I were to carry out a risk analysis on a company, what would I need to do at a basic level? I'm not worried about the tools that I need, like MSAT etc. I need to know how a report should look, what it should contain, etc. Would I just need to list vulnerabilities, the severity of the vulnerability, sensitivity, impact on performance, etc., or is there something else?

Question by:levyuk

Expert Comment

ID: 16589735
I think everything you listed is fine, but you could add more detail by adding the exposure factor of the asset(s), annualized loss expectancy, annualized rate of occurrence, etc. Here are a few links, hope they help:


Accepted Solution

MalleusMaleficarum earned 2000 total points
ID: 16590098
For as many people as you talk to will be the number of answers you will get with regards to how a "risk assessment" should be written and what it should include. Is there some kind of standard that the company needs to be in compliance with? Gov. clients usually need to comply with standards such as NIST, DIACAP, DITSCAP, etc. Most of these standards have at least an outline or a paragraph that states what kind of information should be included in what that regulation calls a "risk assessment". For corporations, it isn't unusual that they have to comply with HIPAA or Sarbanes-Oxley (SOX).

In short, find out what the motivation is for this company to want a risk assessment. If there is no regulation that they are worried about, then you simply need to use the customer's motivation in order to get a good idea of what the customer wants to see in the report.

Is this an all-encompassing risk assessment? i.e. will you be looking at their risk posture in regards to their network security, policies and procedures, personnel security, physical security, etc., etc.?

The key to any good risk assessment is knowing what you are expected to audit, auditing it to the level of expectation of the customer, then providing a report that really contains VALUE. I've seen many risk assessments that are nothing but glorified cut-and-paste versions of the network security scan tools and some procedural things thrown in. Nothing makes a customer angrier than being handed a large document that doesn't tell them anything or mean anything to the managerial staff that is reading it.

That's why the first page of any good RA has an executive summary which details where the assessment took place, when it was done, how long it took, how many findings of each level were identified (initial risk), and what the residual risk levels were (the level of risk once existing security controls are factored in).

I usually break down the sections in my reports into Extremely high, high, moderate, low and ext. low risk vulnerabilities.
Each section would then break down each individual vulnerability into:
a. Description: A description of the vulnerability, be it technical, procedural, etc.
b. Components Affected: This could be a department, the entire enterprise, specific servers, workstations, etc.
c. Detected By: Interview, Observation, Test, Documentation. (these are the traditional types)
d. Initial Risk: What is the raw risk that this vulnerability has on the system? (ext high, high, mod, low, ext low)
e. Rationale for Original Risk Determination: How you arrived at the risk level for d
f. Countermeasures Identified: This is where you would list any countermeasures that would (hopefully) lower the initial risk to a lower level.
g. Residual Risk: What is the risk level once (hopefully) any existing controls are applied.

If you are in a scenario where you find that there are no countermeasures, then you might want to change f. from "Countermeasures Identified" to "Countermeasures Recommended."  Then you would be free to recommend solutions that would lower the risk of the vulnerability should they be purchased/implemented/changed, etc.

A lot depends on what the customer really wants (and sometimes determining what a customer REALLY wants can be a black art in and of itself).

Oh! One more thing, you will want your document to contain some kind of risk matrix.  It is this matrix that you will use to justify section e.

Your matrix should look something like this: (apologies for the formatting)

Likelihood of Successful Exploitation of Vulnerability   Degree of Harm if Exploitation is Successful   Risk Level
High                                                     High                                           EXTREMELY HIGH
High                                                     Moderate                                       HIGH
High                                                     Low                                            MODERATE
Moderate                                                 High                                           HIGH
Moderate                                                 Moderate                                       MODERATE
Moderate                                                 Low                                            LOW
Low                                                      High                                           MODERATE
Low                                                      Moderate                                       LOW
Low                                                      Low                                            EXTREMELY LOW

So the format for section "e" would basically be "The likelihood of a successful exploit is (see column) because of (reason). Given the sensitivity of the information involved, the degree of harm if the exploit is successful is (see column)."

So, an example would look like:

---1.0 Extremely High Risks---
1.1  Anti-virus not set to automatically update on workstations

a. Description: All workstations were found to contain corporate AV software, but none were configured to automatically get their updates, leaving this as a manual task for each user.
b. Components Affected: All workstations.
c. Detected By: Observation, Test (you can have more than one)
d. Initial Risk: Initial risk is extremely high. While workstations are partially protected, there is no assurance that they are protected against the most current threats.
e. Rationale for Original Risk Determination: The likelihood of a successful exploit is high because new viruses, worms, trojans and malware threats are being discovered daily. Given the sensitivity of the information involved, the degree of harm if the exploit is successful is considered to be high.
f. Countermeasures Identified: None, there was no countermeasure identified to mitigate this risk level.
f (a) Countermeasures Recommended: Configure all workstations to update their AV signatures daily at noon.
g. Residual Risk: As there were no available countermeasures to apply, the residual risk remains extremely high.
g (a) Residual Risk: If the recommended countermeasures are applied, the residual risk level is reduced to none.

The end would have some kind of wrap-up verbiage, and then you are done.

As a last note: Some customers want the sections divided up by Initial Risk. Others want the sections divided up by Residual Risk, so they can easily see what their ACTUAL risk posture is. Typically you end up writing two Risk Assessments for a customer. The Initial Risk Assessment, that is written with each section being the Initial risk (since there are usually few if any countermeasures, so you'll be writing it with many recommendations for countermeasures). Later you will likely write another one where the countermeasures have actually been applied, so the residual risk will be much lower. In that case, you might want to organize it such that each section is now the residual risk.

I know it might be a lot of info, and if anything is unclear I'll be happy to explain it again. :)
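A small model of the report structure this answer describes, added here as an example (it is not the answer's own code or any project's): the risk matrix as a lookup, the section e sentence template, initial versus residual risk, and grouping findings into sections by either one, as in the "two Risk Assessments" note. The Finding class, the "Eliminated" marker and the extra "NONE" level are assumptions, and the sample findings are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Risk matrix exactly as given in the answer: (likelihood, degree of harm) -> risk level
RISK_MATRIX = {
    ("High", "High"): "EXTREMELY HIGH", ("High", "Moderate"): "HIGH", ("High", "Low"): "MODERATE",
    ("Moderate", "High"): "HIGH", ("Moderate", "Moderate"): "MODERATE", ("Moderate", "Low"): "LOW",
    ("Low", "High"): "MODERATE", ("Low", "Moderate"): "LOW", ("Low", "Low"): "EXTREMELY LOW",
}
# Section order, most severe first. "NONE" is an assumed extra level for a fully mitigated finding.
LEVEL_ORDER = ["EXTREMELY HIGH", "HIGH", "MODERATE", "LOW", "EXTREMELY LOW", "NONE"]

@dataclass
class Finding:
    title: str
    likelihood: str         # likelihood of successful exploitation: High / Moderate / Low
    harm: str               # degree of harm if exploitation succeeds: High / Moderate / Low
    likelihood_reason: str  # fills the "(reason)" slot of the section e sentence
    # Assumption: an applied control is modelled by the likelihood left afterwards; None = no control, "Eliminated" = exposure removed
    residual_likelihood: Optional[str] = None

def risk_level(likelihood: str, harm: str) -> str:
    """Section d: matrix lookup; a value off the High/Moderate/Low scale must fail, not be guessed."""
    return RISK_MATRIX[(likelihood, harm)]  # raises KeyError for anything off the scale

def residual_risk(f: Finding) -> str:
    """Section g: the initial risk stands until an existing control is actually applied."""
    if f.residual_likelihood is None:
        return risk_level(f.likelihood, f.harm)
    return "NONE" if f.residual_likelihood == "Eliminated" else risk_level(f.residual_likelihood, f.harm)

def rationale(f: Finding) -> str:
    """Section e, filled in from the answer's sentence template."""
    return (f"The likelihood of a successful exploit is {f.likelihood.lower()} because {f.likelihood_reason}. "
            f"Given the sensitivity of the information involved, the degree of harm if the exploit "
            f"is successful is considered to be {f.harm.lower()}.")

def sections(findings, by="initial") -> dict:
    """Report body grouped by level, empty levels dropped; by='residual' gives the post-countermeasure version."""
    key = residual_risk if by == "residual" else (lambda f: risk_level(f.likelihood, f.harm))
    grouped = {lvl: [f.title for f in findings if key(f) == lvl] for lvl in LEVEL_ORDER}
    return {lvl: titles for lvl, titles in grouped.items() if titles}

# Constructed sample findings: the first is the answer's own AV example, the other two are made up here.
FINDINGS = [
    Finding("Anti-virus not set to automatically update on workstations", "High", "High", "new viruses, worms and malware are discovered daily"),
    Finding("Backups retained on-site only", "Moderate", "High", "one fire destroys every copy", "Low"),
    Finding("No change approval for firewall rules", "Moderate", "Moderate", "exceptions pile up unreviewed", "Eliminated"),
]
```

The per-level counts for the executive summary are just the lengths of each list that sections() returns.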



Author Comment

ID: 16590200
Dude, that is one of the most clear explanations I've found. It all makes sense to me. I've seen something like that somewhere but I wasn't sure, so it's good to get a 2nd opinion. The company is fictional so it doesn't have to comply with any regulations. Since you seem to have done this before, could you suggest any risks off the top of your head for network infrastructure? I was thinking about loss of connectivity between two networks as one problem, IP spoofing as another, and then I hit a brick wall.



Expert Comment

ID: 16590937
Hehe, I'm so glad it made sense!!

As for risks to a network infrastructure, you can usually work your way around that brick wall if you operate around the "CIA Triad" of Confidentiality, Integrity and Availability:

Does the network handle sensitive information? (patient data, financial, personally identifiable info that could be used to steal an identity, etc)
If so, how is it being protected? Do they have encryption in places where encryption makes sense?(Confidentiality)

Do they have an adequate backup policy for their critical data? How many days' worth of retention is there? Where are backups stored? (off-site in a fire-rated container?) (Integrity)
Single points of failure in the architecture are always big (depends on how much the company's profit and viability depends on Availability)

Lack of a COOP site (if the primary goes down, is there a cold/warm/hot site waiting in the wings?, again speaks to Availability)

Change management is a Vulnerability that I'm ALWAYS identifying, especially when it comes to key network infrastructure components such as routers and firewalls.  Is there a formal approval process for making modifications to these key devices? (I once found a FW that had all of the original rules negated by a slew of exceptions followed by an allow Any:Any rule.  Their excuse was that they had gotten too many complaints from users who couldn't do things out on the internet..)

Is that the type of risks you were wanting to hear about when you said network infrastructure? You threw me with the IP spoofing example, since that is more along the lines of an attack. However, if they don't encrypt their sensitive data, you could certainly say that it could be easily compromised by a spoofing attack. In this case, their inability to properly protect their assets is their vulnerability, and the spoof attack is what you would think about when speaking about the likelihood of a successful exploit of the vulnerability.

Let me know if there is anything else I can help you with. :)



Author Comment

ID: 16591001
Some good suggestions there. I shall take them on board. There is sensitive data involved so encryption would need to be applied.

Author Comment

ID: 16591074
If a company was connecting to LANs using a secure VPN, then that would solve the problem of encryption and confidentiality, as it's taken care of by the SVPN. That's correct, right?

Expert Comment

ID: 16592294
Sure, provided they are using fairly secure encryption. However, if the data is only encrypted between LANs, but then travels in clear text internally, and anyone has access to the internal LAN (available from any ethernet plug, no VLAN separation, ability to access internal resources through unprotected dialups), then it is still a finding, only internally vs. externally. :)
