If it's connected, we can break into it.   Downloads  |  About Us  |  Contact  |  Careers  |  News  | 

 
 
 Emergency  |  SanityCheck|  Penetration Test |  Risk Assessment | Product Testing | Security Solutions |
  Check your security NOW!
  Latest Security News 
 
"So in war, the way is to avoid what is strong and to strike what is weak."  - Sun Tzu, The Art of War
 
 

eDUCATE - Risk Assessment

QUALITATIVE RISK ASSESSMENT
The classical definition of a Risk Assessment is a process to ensure that the security controls for a system are fully commensurate with its risks.

Greyhat Practitioners will perform a qualitative risk assessment using questionnaires, automated risk assessment tools, network testing, and system testing.
This is currently the most widely used approach to risk analysis.
Probability data is not required and only estimated potential loss is used.

The client deliverable is an Adobe Acrobat report with the overall risks of the assigned environment.
*A Risk Assessment is identical in its methodologies to a Penetration Test but it varies in that it is performed in the event that your
organization does not possess security policies to compare as a standard.
Greyhat will perform tests on the internal and external network, and use the findings to create a baseline security posture for measurement.
From these findings, Greyhat will make recommendations to correct any perceived problems, advise on creating corporate security policies and standards,
and identify threats, potential vulnerabilities, and controls to the assigned environment.

RISK ASSESSMENT METHODOLOGY
Most qualitative risk analysis methodologies make use of a number of interrelated elements:

1] THREATS
These are things that can go wrong or that can 'attack' the system. Examples might include fire or fraud. Threats are present for every network and every system.

2] VULNERABILITIES
These make a system more prone to attack by a threat or make an attack more likely to have some success or impact.
An example of a web server vulnerability would be the presence of a CGI script.  A script may have vulnerabilities which could be exploited
that could cause the system's security to be compromised.

3] CONTROLS
These are the countermeasures for vulnerabilities. There are four types:
Deterrent controls reduce the likelihood of a deliberate attack
Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact
Corrective controls reduce the effect of an attack
Detective controls discover attacks and trigger preventative or corrective controls.
 

These elements can be illustrated by a simple relational model:

RISK ASSESSMENT BENEFITS
Cost Justification
Additional security almost always involves additional expense. As this does not directly generate income, it should always be justified in financial terms.
The Risk Assessment process should directly and automatically generate such justification for security recommendations in business terms.

Productivity: Audit/Review Savings
A Risk Assessment program should enhance the productivity of the security or audit team. By creating a review structure, formalizing a review,
pooling security knowledge in the system's "knowledge base" and utilizing "self-assessment" features, much more productive use of time is possible.

Breaking Barriers - Business Relationships
Security should be addressed at both business management and IT staff. Business management are responsible for decisions relating to the
security risk/level that the enterprise is willing to accept at a given time (which involves consideration of potential business impact).
IT management is responsible for decisions relating to specific controls and application.

Risk Assessments should not only direct appropriate information at each group, but play a major and pro-active role in enhancing the understanding
of the needs and role of the other. It should bring the groups closer together. Risk Assessments should relate security directly to business issues.

Security Awareness
The wide-scale application of a risk assessment program, by actively involving a range of, and greater number of, staff, will place security on
the agenda for discussion and increase security awareness within the enterprise.

Targeting Of Security
Security should be properly targeted, and directly related to potential impacts, threats, and existing vulnerabilities.
Failure to achieve this could result in excessive or unnecessary expenditure.
Risk Assessments promote far better targeting and facilitates related decisions.

This not only applies to which areas of particular system resources should be directed to, but which business systems.
Through the application of Risk Assessments across multiple business units, it is possible to quickly establish the areas of greatest risk
to the enterprise as a whole.

'Baseline' Security and Policy
Many enterprises require adherence to certain 'baseline' standards. This could be for a variety of reasons, such as legislation (e.g. Data Protection Act),
enterprise policy, regulatory controls, etc. The Risk Assessment methodology should support such requirements and enable rapid identification of any failings.

Consistency
A major benefit of the application of Risk Assessments are that they bring consistent and objective approach to all security reviews.
This not only applies across different applications, but different types of business system.

It should also embrace those systems not under the direct control of IT management (e.g. paper based systems, PC Systems,
or systems utilizing other office equipment).

Communication
By obtaining information from different parts of a business unit, a Risk Assessment aids communication and facilitates decision-making.

There are also a number of other important, but less tangible, benefits to be accrued via the application of Risk Analysis. 

 
Greyhat LLC   © 1998-2005  All Rights Reserved Worldwide   | Is Hacking legal? | WhatisGreyhat | Legal | Privacy |
Updated 03.27.05  dated