You have joined as a Security administrator at a department store called Modern Home
Question:
For example, you have joined as a security administrator at a department store called Modern Home, which
specializes in selling three types of products: home electronics, appliances, and furniture. Your
company is running different web applications to provide different services to the customers.
You have a Windows server, a Linux server, and a Windows client. Moreover, you are using switches,
routers, firewalls, IDS/IPS, etc., in your company. You also need to consider physical system security.
To ensure security in your company, you have to perform the following tasks.
- a) How will you do a risk assessment of your organization? Try to develop a risk assessment model using an example.
Summary:
A risk assessment model is developed for the company's servers, network devices, web applications and physical systems by identifying assets, threats and vulnerabilities, rating likelihood and impact, and prioritizing the resulting risks so that the findings can be recorded in a risk assessment report.
Explanation:
Risk assessment:
Risk assessment is nothing more than a careful examination of what in the workplace could cause harm, so that we can weigh up whether we have taken enough precautions or should do more to prevent it.
Risk = Threat * Vulnerability * Asset
Steps for Risk assessment:
- First, identify the hazards (threats).
- Next, determine which business assets would be negatively affected.
- Evaluate the risk (likelihood and impact of each threat).
- Record the findings.
- Review and update the risk assessment regularly.
In IT, there are four key components involved in a risk assessment.
They are:
- Threat
- Vulnerability
- Impact
- Likelihood
Threat:
A threat is any human, technical, or natural entity that can cause business interruption, cause a loss of customer and investor confidence, or in any other way harm an organization through unauthorized access to systems, networks, or data. Examples of threats:
- Cyber-criminal
- Roving malware
- Tornadoes, hurricanes, floods, etc.
Vulnerability:
A vulnerability is any weakness a threat can leverage to achieve one or more attack objectives.
- Missing patches.
- Misconfigured networking system devices/software.
- Poor coding practices.
Impact:
An impact is the actual damage to the business caused when an attacker or natural event successfully achieves its objectives, for example lost sales, recovery costs, or loss of customer data.
Likelihood:
The likelihood refers to the probability that a threat will occur and successfully exploit a vulnerability; it is usually rated on a scale such as low, medium, and high.
Steps in the risk assessment for the web applications in the company:
- Initially, identify the information for every asset, such as software, hardware, data, users, criticality, network topology, etc.
- Identify the threats to each asset. Threats include hardware failure, natural disasters, and malicious behavior, which includes any malware attack.
- Then identify the vulnerabilities that each threat could exploit (missing patches, misconfigured devices, poor coding practices in the web applications, weak physical access control).
- Next, analyze the existing controls so that the probability of a threat exploiting a vulnerability is reduced or eliminated.
- Next, determine how likely the attack is. The organization categorizes the likelihood of attack as low, medium, or high.
- After that, analyze the impact of each threat in advance so that precautions can be taken.
- Next, prioritize the information security risks according to their combined likelihood and impact.
- Finally, document the results in a risk assessment report.