Solved

Help with a risk assessment

Posted on 2011-10-20
18
Medium Priority
560 Views
Last Modified: 2012-08-13
Can someone talk through a risk assessment with me so I can get the understanding? The tech “risk factors” we have identified are CIAA (confidentiality, integrity, availability, accountability).

The technologies we want to assess are use of encryption of portable USB devices and mobile devices such as BlackBerry, the use of 2-factor authentication for remote web services such as VPN or Citrix, and using mobile devices as thin clients – i.e. can view Exchange mail but can’t save any data locally onto the device.

Am I correct in thinking you are essentially saying in a risk assessment, e.g.:

“without using 2-factor authentication – the confidentiality risks are xyz, the integrity risks are xyz, the availability risks are xyz, the accountability risks are xyz…”

Or does not every control have all these risk categories when not in operation?

For example lack of encryption I can see can lead to loss of confidentiality. But can you give some examples on accountability, integrity, accountability for this? Just so I can see some examples?

Perhaps the same for 2-factor authentication and thin clients; if I could see some example risks for confidentiality, integrity, availability, and accountability I could get my head around this much more.
0
Comment
Question by:pma111
18 Comments
 
LVL 4

Accepted Solution

by:
ldavis07 earned 600 total points
ID: 36998877
http://www.mass.gov/?pageID=afterminal&L=4&L0=Home&L1=Research+%26+Technology&L2=Cyber+Security&L3=Security+Risk+Assessment&sid=Eoaf&b=terminalcontent&f=itd_policies_standards_it_security_risk_assessment_guidelines&csid=Eoaf

This link will tell you all about risk management. Simply, it means computer ethics. You should know what the wrongs and rights are when dealing with computers. Since a lot of companies are using remote and mobile devices they are more prone to threat. You need to eliminate that threat the best way possible. Now, as it may be, no computer or server is 100% safe, but there are techniques you can use such as the "2 way authentication method" that will allow smart cards and tokens and biometrics to allow a safer approach. But just remember that just because you can log in safely does not mean that you are browsing safely.
0
 
LVL 3

Author Comment

by:pma111
ID: 36999140
I appreciate that post - but I just wanted to talk through an example of 2-factor authentication and all the risks of not using such authentication - and which risks fit into confidentiality, integrity, availability and accountability. I want some assistance with one basic example to help me see the kind of risks EE experts perceive in not having 2-factor.
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 36999182
Ok, well, the 2-factor authentication is simply using 2 ways to make something more safe, for example. If you are using a computer workgroup you can use biometrics (fingerprint, iris, etc.) and a token (which will be a USB sort of device where the number changes every 30 seconds or so, that way no one can detect the password); that is using the 2-way authentication method. It simply means something you are, something you know, something you do. The way it fits in the 3 methods is: In the workplace every piece of data is confidential and needs to be protected. So in order to do that you need to have all the threats eliminated; that way your info is safe. With the availability it means the uptime of your network. A good uptime is 99.9999%, that is 6 9's according to the research I have done. The integrity is the valuableness of the network. Meaning that you need to set the network up and maintain it based on (how many users, how many clients, is it home or professional use, is it government or small business usage).
0
 
LVL 4

Assisted Solution

by:sravi2208
sravi2208 earned 400 total points
ID: 36999185
To manage risk effectively, your risk management plan needs to:

1. Identify mission-critical applications.
2. Identify and analyze potential risks.
3. Quantify the potential impact of the risks.
4. Detail escalation processes.
5. Identify solutions.
6. Be communicated to senior management and project members.
7. Become a part of day-to-day project management.
8. Be kept up-to-date.

0
 
LVL 3

Author Comment

by:pma111
ID: 36999305
sravi2208 - thanks - but that wasn't the question.
0
 
LVL 3

Author Comment

by:pma111
ID: 36999312
ldavis07 - so could implementing 2-factor affect network uptime? Thus availability.
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 36999315
pma111, did my answer solve what you were asking? Or are you asking something more specific that we are just not understanding? I thought you were asking for an example of how they were applied in the workplace and I believe I gave you that solution. If you are asking for something more specific, can you please clarify it better so I can assist more in depth.
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 36999341
No, that has nothing to do with it really. The uptime of the network depends on your ISP and whether the network is set up right and out of the way from obstruction (like power plants, grounding, outside, the weather); all that sort of stuff can affect your uptime. The 2-factor method is simply protecting the network's assets, if that makes sense. The availability is part of the protection simply because if you are protecting client data as well as making sure the clients are able to get in and out of the network, they need a high uptime because sometimes data and information has a time frame it needs to be accomplished in. If your uptime is lower then the data is not there and important information can be sent slower, causing lots of money lost in time to get the network up and running as well as maybe losing clients because your network isn't available when they need it.
0
 
LVL 3

Author Comment

by:pma111
ID: 36999459
Ok, one of my ideas on an integrity risk for external devices was: if a connection had been intercepted or a device stolen and used to gain corporate domain credentials - how can we assure the integrity of the user accessing the network? It could genuinely be that user or it could be a hacker who has obtained the domain credentials from a mobile worker.
0
 
LVL 3

Author Comment

by:pma111
ID: 36999466
Thanks for your posts, making much more sense now though.
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 36999472
Well, in that case that is why they say try to avoid social networking. Meaning that if someone calls and asks for credentials then you should never give them over the phone nor in email, simply because it could be intercepted by man in the middle or spoofing or sniffers. Credentials are only supposed to be dealt with by the network administrator. As for the mobile, they do have VPN clients that are safer and allow more in-depth security. They also allow for EAS to encrypt data back and forth, and that would allow the sniffers to intercept but not read them. That comes with the Win7 OS and can be installed with the VPN using it as the EAS.
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 36999626
Does that answer all your questions about risk management in this case?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 600 total points
ID: 36999962
Risk Assessments take a lot of things into consideration, typically not focused on one thing, but often a department or group is tasked with writing their own. http://en.wikipedia.org/wiki/Risk_assessment
http://en.wikipedia.org/wiki/IT_risk_management#Risk_assessment
Also, looking back at previous comments, a RA is not computer ethics, but computer ethics and proper use are involved in your policies, so maybe in some roundabout way they are involved in an RA. It's pretty simple, assessing risk. It's a bunch of what-ifs: if our data center floods, what do we do; if our users get a virus, what do we do. In fact, http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_27406307.html#36999185 answered the question in essence, but it was not enough information.
Two-factor is less of a risk and more of a mitigation. The only risk I see in using it is what happened to RSA this year: a hacker getting the seeds from RSA or your own device and your authentication being compromised. A mitigation could be logon hours being used so that if a hacker does this, they can only do the hacking during business hours. Or changing your passes more often, and absolutely change them immediately after a breach is disclosed or found.
As for the USB issue, it's very hard to ensure the data is encrypted, be it a CD/DVD or if someone prints out something. It's possible to take a screenshot of data as well. We had someone breach our network, use VNC to watch the users and record the sessions to a SWF file and copy them back to him/herself. DLP is a tough nut to crack; we disable USB drives and autoruns.
I recommend reading the following for more info about what a RA is about:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
-rich
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 37000016
While I agree with your statement, it absolutely is computer ethics. Computer ethics is knowing the right and wrong of computer awareness. As I said before, risk assessment is knowing the risks and preventing them, leading to it being ethical awareness of knowing the rights and wrongs.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 37000187
Thinking about it more, you're right: an ethic is more than "morals or philosophy"; it's also a code of conduct and/or standard of conduct in a profession. I was being too pedantic when I saw the word; it still "feels" like the wrong word to use, but that is just me maybe. </confusedness>
-rich
0
 
LVL 4

Expert Comment

by:ldavis07
ID: 37000199
Well, I actually have a computer ethics class and it's all about risk management, so that is where I am coming from. The thing about computers, Rich, that we have to remember is terms can be coincided many different ways lol, but there are no wrong answers; they just have to be substituted at the right time and way to suit the question and problem.
0
 
LVL 81

Assisted Solution

by:arnold
arnold earned 400 total points
ID: 37002162
A VPN is not necessarily a two-factor authentication mechanism, nor is Citrix, until and unless you use something whose validity is short-lived, i.e. an RSA token etc.
The user has three sets of information: username/password and a token that reflects a randomly generated set of numbers and a PIN.
The process is authentication/authorization.
I.e. the user is prompted for username and password; if authenticated, the user is then asked for the SecurID, which is the combination of the PIN and the random numbers from the token device. If the PIN/token numbers match, the user will be allowed in, whether it is a VPN, a login into a system, or access to a web site.

Another way to get VPN with two-factor auth deals with using a client certificate for initial authentication and then requesting the username/password (xauth) for authorization.

The primary risk is internal, i.e. a person with access leaks the information or through other activities gets their system infected etc.

In many cases you can go to people's cubicles and get their username/password either as a sticky note or a piece of paper in their drawer etc.
0
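The two-step flow arnold describes (username/password first, then a passcode made of the PIN plus the token's short-lived number), as an added example that is not part of the original thread. The seeds, PIN and password below are constructed demo values; the token number is derived RFC 6238-style from the seed and a 30-second time window, which is an assumption about how such a token works rather than anything the thread states.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the token's number rotates every 30 s (assumed, per the thread's description)

# Constructed demo records. A real system stores a password hash, not the password itself.
USERS = {
    "alice": {
        "password": "correct horse battery staple",   # something you know
        "pin": "4321",                                # PIN the user memorises
        "token_seed": b"constructed-seed-for-alice",  # seed inside the token: something you have
    }
}


def token_number(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """Six-digit number for the current time window, HMAC-SHA1 over the window counter."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def first_factor(user: str, password: str) -> bool:
    """Step 1: username/password. Constant-time compare avoids leaking how many characters matched."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def second_factor(user: str, passcode: str, now: int) -> bool:
    """Step 2: passcode = PIN + token number. Only the current window is accepted, so a
    code captured earlier (a stolen note, an intercepted session) is useless once it rotates."""
    rec = USERS.get(user)
    if rec is None:
        return False
    expected = rec["pin"] + token_number(rec["token_seed"], now)
    return hmac.compare_digest(expected, passcode)


def login(user: str, password: str, passcode: str, now: int) -> str:
    """Run both steps in order; the second is only consulted when the first succeeds."""
    if not first_factor(user, password):
        return "denied: password"
    if not second_factor(user, passcode, now):
        return "denied: passcode"
    return "allowed"
```

Run `login("alice", ..., "4321" + token_number(seed, now), now)` to see the allowed path, then replay the same passcode two windows later to see it rejected.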
 
LVL 4

Expert Comment

by:ldavis07
ID: 37002237
As well, we can talk all day about 2-way authentication methods, but the simple fact of it is that it really is not part of availability in the terms of 2-way authentication. I mean, I know you can use tokens and biometrics and credentials, but availability is just part of the uptime.
0