Information Risk Management PPT (PDF) - transcript
RISK ASSESSMENT REPORT
PURPOSE
The purpose of this risk assessment is to evaluate the adequacy of the
NETWORK INFRASTRUCTURE and its SECURITY. This risk assessment
provides a structured qualitative assessment of the operational environment. It
addresses sensitivity, threats, vulnerabilities, risks and safeguards. The
assessment recommends cost-effective safeguards to mitigate threats and associated exploitable vulnerabilities.
SCOPE
This risk assessment assessed the system's use of resources and controls
(implemented or planned) to eliminate and/or manage vulnerabilities exploitable
by threats internal and external to the NETWORK INFRASTRUCTURE OF SCIT.
OBJECTIVE
The objective of this risk assessment is to analyse the risks associated with the
security controls that are in place, to identify additional threats and
vulnerabilities, and to recommend efficient and effective security measures.
RISK ASSESSMENT APPROACH
This risk assessment was conducted using the methodology and guidelines in
NIST SP 800-30, Risk Management Guide for Information Technology Systems. The
assessment is broad in scope and evaluates security vulnerabilities affecting
confidentiality, integrity, and availability.
RISK ASSESSMENT PROCESS
This section details the risk assessment process performed during this effort. The
process is divided into pre-assessment, assessment, and post-assessment phases.
1. PRE-ASSESSMENT PHASE
2. ASSESSMENT PHASE
3. POST-ASSESSMENT PHASE
1. PRE-ASSESSMENT PHASE
SYSTEM CHARACTERIZATION
ASSETS | QUANTITY
MAIN LAB 1 | 24
MAIN LAB 2 | 27
SAP LAB | 24
POC LAB | 34
SERVERS | 7
LAPTOPS | 3
STAFF/CLASSROOM PCs | 44
TOTAL | 163
SENSITIVITY OF DATA
INFORMATION | SENSITIVITY (HIGH / MEDIUM / LOW)
PASSWORD POLICIES
DATA SHARING
INFORMATION TRANSFER
DOWNLOAD/UPLOAD
OTHER
2. ASSESSMENT PHASE
THREAT IDENTIFICATION
THREATS | THREAT SOURCE | THREAT ACTION
UNAUTHORIZED ACCESS | HACKER, CRACKER | HACKING, SOCIAL ENGINEERING, SYSTEM INTRUSION, UNAUTHORIZED SYSTEM ACCESS
ACCIDENTAL DISCLOSURE | STUDENTS, FACULTY, LAB ASSISTANTS | SOCIAL ENGINEERING, PHISHING, PIGGYBACKING
ALTERATION OF SOFTWARE | STUDENTS, DISGRUNTLED EMPLOYEE | MALICIOUS CODE, TROJAN HORSES, TRAPDOORS, VIRUSES
BANDWIDTH USAGE | STUDENTS | PROXY SERVER, HIJACKING SERVER
ELECTRICAL INTERFERENCE/DISRUPTION | NATURAL | DENIAL OF SERVICE TO AUTHORIZED USERS, MODIFICATION OF DATA
ALTERATION OF DATA | STUDENT, FACULTY | UNAUTHORIZED ACCESS, HACKING INTO SYSTEMS
DESTRUCTION OF INFORMATION | STUDENTS | COMPUTER CRIME, FRAUDULENT ACT, INFORMATION BRIBERY, SPOOFING, SYSTEM INTRUSION
INDUSTRIAL ESPIONAGE | OUTSIDE PERSONNEL | ECONOMIC EXPLOITATION, INFORMATION THEFT, SYSTEM PENETRATION, UNAUTHORIZED SYSTEM ACCESS
INSIDE ATTACK | DISGRUNTLED EMPLOYEES, TERMINATED EMPLOYEES, PAST STUDENTS, DISHONEST STUDENTS OR EMPLOYEES | ASSAULT ON EMPLOYEE, BLACKMAIL, FRAUD AND THEFT, INFORMATION BRIBERY, SYSTEM BUGS, SYSTEM INTRUSION, SYSTEM SABOTAGE, UNAUTHORIZED SYSTEM ACCESS
CYBER TERRORISM | EX-STUDENTS, UNTRUSTED EMPLOYEES | MALICIOUS CODE, MAN IN THE MIDDLE, PHISHING, HACKING
HARDWARE FAILURE | UNINTENTIONAL, NATURAL CALAMITY | DESTRUCTION OF MACHINES, DATA LOSS, INFORMATION LOSS
WORKPLACE VIOLENCE | STUDENTS, LAB TEAM | PHYSICAL DESTRUCTION
EARTHQUAKE | NATURAL | LOSS OF ASSETS
FIRE | NATURAL | LOSS OF ASSETS
FLOODING/WATER DAMAGE | NATURAL | LOSS OF PHYSICAL INFRASTRUCTURE
VULNERABILITY IDENTIFICATION
VULNERABILITIES | THREAT | RISK | DESCRIPTION
No Policies | UNAUTHORIZED ACCESS | Loss/leakage of data | Lack of proper policies can lead to a number of malpractices in the labs.
Bugs in Software Programs | Accidental Disclosure | Leakage of sensitive information | Because existing application programs are not upgraded, they may contain backdoor bugs which might leak the information.
Network Clogging/Slow Net Speed | Bandwidth usage | Denial of Service | Unnecessary usage of bandwidth may lead to a number of pending web requests, thus dialing down the net speed.
Unauthorised access | Destruction of information | Loss of data, corruption of data | Unauthorised personnel entering the system can alter sensitive data as well as delete important information stored on the network.
Disgruntled Employee | Inside Attack | Loss of information, alteration of data | A disgruntled employee can tamper with the data, leading to data loss or corruption.
Terminated/Ex-employee | Inside attack | Loss of information, alteration of data | An ex-employee can share the information from the student database, as well as disclose the various policies of the college to outside parties.
Improper security protocol on SCIT website | Cyber terrorism | Alteration of data, leakage of college information to non-trusted sources |
IDENTIFYING CONTROLS
CONTROL | DETAIL
Software | Microsoft Products
Hardware | 163 workstations (including 10 servers)
People | 6 person team
Firewall | Fortigate 200A model
Access Points | D-Link 2100
Access control lists | MAC address binding
Subnetting | 255.255.0.0 (Class A)
Password Policies | Passwords changed every 3 months.
ISP | VSNL (8 Mbps leased line)
Databases used | CMIE, EBSCO, SQL 2005
DETERMINING LIKELIHOOD
RATING | LIKELIHOOD
LOW | 0-25% chance of successful exercise of threat during a one-year period
MEDIUM | 26-75% chance of successful exercise of threat during a one-year period
HIGH | 76-100% chance of successful exercise of threat during a one-year period
The following table shows the priority of the RISKS and their Likelihood.
RISKS | LIKELIHOOD
Loss/leakage of data | MEDIUM
Leakage of sensitive information | HIGH
Denial of Service | MEDIUM
Corruption of data | MEDIUM
Alteration of data, leakage of college information to non-trusted sources | MEDIUM
Loss of information, alteration of data | MEDIUM
Unauthorized use of previous employees' ID | LOW
Denial of Service Attack | MEDIUM
Exploitation of unpatched application security flaws | MEDIUM
Exploitation of Passwords | MEDIUM
Compromise of Unchanged/Unexpired passwords | LOW
Remote Accessibility Compromised | HIGH
Unencrypted Passwords | MEDIUM
DETERMINING THE IMPACT
IMPACT | CONFIDENTIALITY | INTEGRITY | AVAILABILITY
LOW | Loss of confidentiality leads to a limited effect on the organization. | Loss of integrity leads to a limited effect on the organization. | Loss of availability leads to a limited effect on the organization.
MEDIUM | Loss of confidentiality leads to a serious effect on the organization. | Loss of integrity leads to a serious effect on the organization. | Loss of availability leads to a serious effect on the organization.
HIGH | Loss of confidentiality leads to a severe effect on the organization. | Loss of integrity leads to a severe effect on the organization. | Loss of availability leads to a severe effect on the organization.
RISK IMPACT ANALYSIS
RISKS | IMPACT | IMPACT RATING
Loss/leakage of data | Server/people confidentiality compromise | Medium
Leakage of sensitive information | Confidentiality breach | High
Denial of Service | Unavailability | Medium
Corruption of data | Data integrity breach | Medium
Leakage of college information to non-trusted sources | Confidentiality compromised | Low
Loss of information, alteration of data | Integrity issues | High
Unauthorised use of previous employee id | Authentication breach | Medium
Exploitation of unpatched application security flaws | Bugs in software application execution | Medium
Exploitation of unauthorised employee passwords | Information leakage of sensitive data | High
Compromise of unchanged/unexpired password | Data integrity error | Medium
Remote accessibility compromised passwords | Unauthorised usage of data | High
Unencrypted passwords | Vulnerable to user account thefts | High
3. POST-ASSESSMENT PHASE
RISK DETERMINATION
THREAT LIKELIHOOD | IMPACT: LOW (10) | IMPACT: MEDIUM (50) | IMPACT: HIGH (100)
HIGH (1.0) | 10 x 1.0 = 10 | 50 x 1.0 = 50 | 100 x 1.0 = 100
MEDIUM (0.5) | 10 x 0.5 = 5 | 50 x 0.5 = 25 | 100 x 0.5 = 50
LOW (0.1) | 10 x 0.1 = 1 | 50 x 0.1 = 5 | 100 x 0.1 = 10
OVERALL RISK RATING TABLE
RISK | RISK LIKELIHOOD RATING | RISK IMPACT RATING | OVERALL RISK RATING
Loss/leakage of data | MEDIUM | Medium | MEDIUM
Leakage of sensitive information | HIGH | High | HIGH
Denial of Service | MEDIUM | Medium | MEDIUM
Corruption of data | MEDIUM | Medium | MEDIUM
Leakage of college information to non-trusted sources | MEDIUM | Low | LOW
Loss of information, alteration of data | MEDIUM | High | HIGH
Unauthorised use of previous employee id | LOW | Medium | MEDIUM
Exploitation of unpatched application security flaws | MEDIUM | Medium | MEDIUM
Exploitation of unauthorised employee passwords | MEDIUM | High | HIGH
Compromise of unchanged/unexpired password | MEDIUM | Medium | MEDIUM
Remote accessibility compromised passwords | LOW | High | HIGH
Unencrypted passwords | HIGH | High | HIGH
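The RISK DETERMINATION matrix and the OVERALL RISK RATING TABLE above can be checked against each other mechanically. The Python below is an added example and is not part of the original report: it takes the report's own impact values (10/50/100) and likelihood weights (1.0/0.5/0.1), scores each row of the Overall Risk Rating table, maps the score to a level using the risk scale from NIST SP 800-30 (Low 1-10, Medium above 10 to 50, High above 50 to 100; the report does not state these bands, so they are an assumption here), and lists the rows whose stated overall rating differs from the matrix result. The row data is transcribed from the report; the function names are the example's own.

```python
# Added example (not from the original report): recompute each risk's score
# from the report's Risk Determination matrix and check it against the overall
# rating the report states. Likelihood weights and impact values are the
# report's own; the score-to-level bands are assumed from NIST SP 800-30
# (Low 1-10, Medium >10-50, High >50-100).

LIKELIHOOD_WEIGHT = {"HIGH": 1.0, "MEDIUM": 0.5, "LOW": 0.1}
IMPACT_VALUE = {"HIGH": 100, "MEDIUM": 50, "LOW": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Impact value x likelihood weight, e.g. HIGH impact (100) x MEDIUM likelihood (0.5) = 50."""
    return round(IMPACT_VALUE[impact.upper()] * LIKELIHOOD_WEIGHT[likelihood.upper()], 2)


def risk_level(score: float) -> str:
    """Map a score to a level using the (assumed) NIST SP 800-30 risk scale."""
    if score > 50:
        return "HIGH"
    if score > 10:
        return "MEDIUM"
    return "LOW"


# Rows transcribed from the report's Overall Risk Rating table:
# (risk, likelihood rating, impact rating, overall rating as stated in the report)
REPORTED_RISKS = [
    ("Loss/leakage of data", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Leakage of sensitive information", "HIGH", "HIGH", "HIGH"),
    ("Denial of Service", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Corruption of data", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Leakage of college information to non-trusted sources", "MEDIUM", "LOW", "LOW"),
    ("Loss of information, alteration of data", "MEDIUM", "HIGH", "HIGH"),
    ("Unauthorised use of previous employee id", "LOW", "MEDIUM", "MEDIUM"),
    ("Exploitation of unpatched application security flaws", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Exploitation of unauthorised employee passwords", "MEDIUM", "HIGH", "HIGH"),
    ("Compromise of unchanged/unexpired password", "MEDIUM", "MEDIUM", "MEDIUM"),
    ("Remote accessibility compromised passwords", "LOW", "HIGH", "HIGH"),
    ("Unencrypted passwords", "HIGH", "HIGH", "HIGH"),
]


def audit_ratings(rows=REPORTED_RISKS):
    """Return (risk, score, computed level, stated level) for every row whose
    stated overall rating differs from the level derived from the matrix."""
    mismatches = []
    for risk, likelihood, impact, stated in rows:
        score = risk_score(likelihood, impact)
        computed = risk_level(score)
        if computed != stated.upper():
            mismatches.append((risk, score, computed, stated.upper()))
    return mismatches


def overall_equals_impact(rows=REPORTED_RISKS) -> bool:
    """True when every stated overall rating simply repeats the impact rating,
    i.e. the likelihood column had no effect on the final rating."""
    return all(stated.upper() == impact.upper() for _, _, impact, stated in rows)


if __name__ == "__main__":
    for risk, score, computed, stated in audit_ratings():
        print(f"{risk}: score {score} -> {computed}, report states {stated}")
    print("overall rating equals impact rating in every row:", overall_equals_impact())
```

Run as-is, the audit flags four rows (loss of information, previous employee id, unauthorised employee passwords, remote accessibility) where the stated overall rating is one level above what the matrix and the assumed bands give, and overall_equals_impact() returns True for the transcribed table: every overall rating matches its impact rating. When reviewing a qualitative assessment, this is the check to run before accepting the prioritisation, because a rating that ignores likelihood will rank a low-probability event with a high-probability one.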
RISK RECOMMENDATION
RISK | RISK RATING | RECOMMENDATION
Loss/leakage of data | MEDIUM | Data should be kept in secure conditions under proper monitoring.
Leakage of sensitive information | HIGH | Data should be properly encrypted and password-protected.
Denial of Service | MEDIUM | Limit the number of requests per user / per system.
Corruption of data | MEDIUM | Proper backup of data should be done.
Leakage of college information to non-trusted sources | LOW | Physical security measures should be in place to prevent unauthorised access to data.
Loss of information, alteration of data | HIGH | Data should be backed up at regular intervals.
Unauthorised use of previous employee id | MEDIUM | Immediate removal of old ids from the database.
Exploitation of unpatched application security flaws | MEDIUM | Application software should be updated from time to time.
Exploitation of unauthorised employee passwords | HIGH | Anti-piggybacking (tailgating) policies should be in place.
Compromise of unchanged/unexpired password | MEDIUM | Password policies must be in place. Automated messages should prompt the change of passwords at regular periods.
Remote accessibility compromised passwords | HIGH | Security firewalls should be functional even during remote connections.
Unencrypted passwords | HIGH | Strict encryption policies must be implemented for security of passwords and other sensitive data.
RISK ASSESSMENT MATRIX
RISK NO | VULNERABILITIES | THREAT | RISK | RISK LIKELIHOOD RATING | RISK IMPACT RATING | OVERALL RISK RATING | RECOMMENDATION
1 | No Policies | UNAUTHORIZED ACCESS | Loss/leakage of data | MEDIUM | Medium | MEDIUM | Data should be kept in secure conditions under proper monitoring.
2 | Bugs in Software Programs | Accidental Disclosure | Leakage of sensitive information | HIGH | High | HIGH | Data should be properly encrypted and password-protected.
3 | Network Clogging/Slow Net Speed | Bandwidth usage | Denial of Service | MEDIUM | Medium | MEDIUM | Limit the number of requests per user / per system.
4 | Unauthorised access | Destruction of information | Corruption of data | MEDIUM | Medium | MEDIUM | Proper backup of data should be done.
5 | Disgruntled Employee | Inside Attack | Leakage of college information to non-trusted sources | MEDIUM | Low | LOW | Physical security measures should be in place to prevent unauthorised access to data.
6 | Terminated/Ex-employee | Inside attack | Loss of information, alteration of data | MEDIUM | High | HIGH | Data should be backed up at regular intervals.
7 | Improper security protocol on SCIT website | Cyber terrorism | Unauthorised use of previous employee id | LOW | Medium | MEDIUM | Immediate removal of old ids from the database.
8 | NO PROPER SOFTWARE UPDATES | MODIFICATION OF SOFTWARE PROGRAMS | Exploitation of unpatched application | MEDIUM | Medium | MEDIUM | Application software should be updated from time to time.
9 | NO PROPER POLICIES CONFIGURED | ACCESS TO SENSITIVE INFORMATION | Compromise of unchanged/unexpired password | MEDIUM | Medium | MEDIUM | Password policies must be in place. Automated messages should prompt the change of passwords at regular periods.
10 | NO PROPER TOOLS MAINTAINED FOR MANAGING REMOTE ACCESS POLICIES | ILLEGAL ACCESS TO INFORMATION | Remote accessibility compromised passwords | LOW | High | HIGH | Security firewalls should be functional even during remote connections.
11 | NO PROPER ENCRYPTION TECHNIQUES USED | DATA LOSS / INFORMATION LOSS | Unencrypted passwords | HIGH | High | HIGH | Strict encryption policies must be implemented for security of passwords and other sensitive data.