Top Security News

Watermarked Music
Right now, Sony's rootkit fiasco echoes around the music industry. Is there
no valid, legal way to protect copyrighted material?
What Did Sony Know And When Did They Know It?
Everyone loves a great conspiracy story and Sony BMG is in the middle of one right
now. They've lied about things, they've damaged computers, and they've even got
the requisite cover-up.
Hackers Break Windows, IE
The security folks at Microsoft, via the Microsoft Security Response Center Blog,
announced some additional problems with a previously announced vulnerability...
Symantec Drops Sygate Personal Firewall
Free firewalls appear to be on their way out. Symantec closed the book on Sygate's
free and paid version of their personal firewall.
Choosey Kids Choose Illegal File Sharing
The scourge of record companies remains file sharing. It comes as no surprise
that free songs beat the ones people pay for, particularly among teenagers.
A recent study by Jupiter Research confirmed that fact, and that it's unlikely
to change anytime in the near future.
Get A Free Trojan With Your Hard Drive
"Have you seen a pack of Trojans? Nope. I just ran out." In a move of
complete and utter brilliance, Japanese hard drive maker I-O Data shipped their
portable hard drive HDP-U series complete with a Trojan, namely the Tompai-A.
They should've used protection.
Cybercrime Pays Better Than Drugs
The adage was always that "crime doesn't pay." Unfortunately, the adage doesn't
ring true, at least in the cyber world. Experts say profits from cybercrime...
Scottrade Gets Hacked
Online brokerage Scottrade sent letters out to customers saying they'd been hacked
back in October. Scottrade is just the latest in a widespread hacking problem that
includes many firms much bigger than Scottrade.
Sobering Up The FBI, CIA
Last week, new variants on the Sober computer virus began to spread. The variants,
Sober X, Y and Z spread in a new and dastardly manner, posing as emails from the
CIA and the FBI.
12.01.05
Security Risk Assessment And Management In Web Application Security
By Caleb Sima
Security risk assessment and security risk management have become vital tasks for security officers and IT managers. Corporations face increased levels of risk almost daily: from software vulnerabilities hidden in their business-technology systems to hackers and cyber crooks trying to steal proprietary corporate intellectual property, including sensitive customer information.
An ever-growing list of government regulations aimed to ensure the confidentiality, integrity, and availability of many types of financial and health-related information also is increasing IT risks and making a comprehensive security risk assessment a modern day corporate necessity.
But how do organizations perform an accurate security risk assessment of their IT systems and the critical information they store? Risk surrounds us every day in the physical world, and we take precautions to mitigate those risks: everything from wearing seat belts to purchasing life insurance. But it's not so easy to comprehend Web security risk management: How much does it actually cost a company when a Web server is breached, or when an attack disrupts the availability of critical Web systems? What are the costs associated with a hacker or competitor snatching proprietary information or customer lists from an insecure Web server? How Web security risk management is performed depends entirely on knowing the answers to these questions.
The Security Risk Assessment Equation
Such risks can be seen more clearly through the following simple equation that quantifies a security risk assessment:
Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack.
In this equation, you can provide a weighting of 1-10 (10 being the most severe or highest) for each risk factor. By multiplying the factors, it's easy to arrive at an aggregate security risk assessment for any asset. Let's take an everyday example: we have an e-commerce server that performs 40 percent of all customer transactions for the organization, and it has a very severe and easy-to-exploit vulnerability:
E-commerce Server Risk = 10 (Value of the Asset) x 10 (Severity of the Vulnerability) x 10 (Likelihood of an Attack).
In this example, the e-commerce server risk equals 1,000: the highest security risk assessment possible. The company would then structure its security risk management policies accordingly, allotting more resources to mitigating this risk.
Now, let's compare the results of a security risk assessment in two other instances: a moderate vulnerability with an e-commerce server and a severe vulnerability with an Intranet server used to publish internal announcements:
E-commerce Server Risk = 10 (Value of the Asset) x 4 (Severity of the Vulnerability) x 4 (Likelihood of an Attack). The e-commerce Server Risk = 160, a moderate risk ranking.
Intranet Server Risk = 2 (Value of the Asset) x 8 (Severity of the Vulnerability) x 6 (Likelihood of an Attack). The Intranet Server Risk = 96, a lower security risk assessment ranking.
Even though the Intranet server has greater vulnerability, the value of the asset creates a lower relative risk value than the e-commerce server. Performing an overall security risk assessment this way allows organizations to make wise decisions when it comes time to deploy scarce resources to optimize the protection of their assets. Security risk management is a process of managing an organization's exposure to the threats to its assets and operating capabilities. The goals of the security risk management process are to provide the optimal level of protection to the organization within the constraints of budget, law, ethics, and safety.
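The scoring method above, as an added example that is not part of the original article: each factor is validated against the 1-10 scale, the three assets from the text are scored and ranked so the most exposed one is first in line for mitigation resources, and each asset's share of the portfolio's total risk is computed as one way to split a budget in proportion to exposure (the share calculation and the asset names are this example's own assumptions).

```python
from dataclasses import dataclass

SCALE = range(1, 11)  # every factor is weighted 1-10, 10 being the most severe or highest


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # Value of the Asset
    severity: int     # Severity of the Vulnerability
    likelihood: int   # Likelihood of an Attack

    def __post_init__(self):
        # Reject weights outside the article's 1-10 scale before they skew the product
        for factor in ("value", "severity", "likelihood"):
            weight = getattr(self, factor)
            if weight not in SCALE:
                raise ValueError(f"{self.name}: {factor}={weight} is outside 1-10")

    def risk(self) -> int:
        # Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack
        return self.value * self.severity * self.likelihood


def rank_assets(assets):
    """Order assets from highest to lowest risk: the first entry is where
    scarce mitigation resources should go first."""
    return sorted(assets, key=lambda a: a.risk(), reverse=True)


def share_of_risk(assets):
    """Fraction of total portfolio risk carried by each asset (assumed here as
    one way to divide a fixed security budget in proportion to exposure)."""
    total = sum(a.risk() for a in assets)
    return {a.name: a.risk() / total for a in assets}


# Constructed sample portfolio reproducing the article's three cases.
PORTFOLIO = [
    Asset("e-commerce (critical, easy exploit)", 10, 10, 10),
    Asset("e-commerce (moderate vulnerability)", 10, 4, 4),
    Asset("intranet announcements", 2, 8, 6),
]

if __name__ == "__main__":
    shares = share_of_risk(PORTFOLIO)
    for a in rank_assets(PORTFOLIO):
        print(f"{a.risk():5d}  {shares[a.name]:6.1%}  {a.name}")
```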
Read the Full Article