
Security Risk Assessment

Risk #1
Risk: AES-128 encryption is no longer available, and it will no longer protect the VPC3 file.
Risk Family: Secure Code
Control: VPC3 file storage only supports AES-128 encryption.
Likelihood: Medium
Impact: High
Reasoning: AES-128 encryption is not in use any more and is no longer strong or secure; it could be hacked by an attacker.
Mitigating Controls: Change it from AES-128 to AES-256.
Total Risk Score: High

Risk #2
Risk: Unencrypted databases; data could be stolen or used by anyone.
Risk Family: User Access
Control: Databases in production are unencrypted.
Likelihood: High
Impact: High
Reasoning: The databases hold secret and sensitive information and must not be exposed.
Mitigating Controls: Encrypt the database for security reasons.
Total Risk Score: High

Risk #2b
Risk: The data could not be trusted, since its honesty has been lost.
Risk Family: User Access
Control: Databases in production are unencrypted.
Likelihood: High
Impact: High
Reasoning: Databases should not be reachable by random sources.
Mitigating Controls: Encrypt the database for security reasons.
Total Risk Score: High

Risk #3
Risk: A 7-character password is short and can easily be cracked.
Risk Family: Vulnerability Management
Control: Internal network users require a 7-character password.
Likelihood: Low
Impact: Medium
Reasoning: The password could be easily guessed.
Mitigating Controls: Passwords should be at least 8 characters in length.
Total Risk Score: Medium

Risk #4
Risk: Passwords that never expire might help you, but they also have their disadvantages.
Risk Family: Vulnerability Management
Control: Passwords never expire.
Likelihood: High
Impact: High
Reasoning: It gives the attacker the opportunity to access your accounts.
Mitigating Controls: Passwords should expire after 30 or more days.
Total Risk Score: Medium

Risk #5
Risk: Lack of MFA.
Risk Family: Network Security
Control: VPN access does not require MFA.
Likelihood: Medium
Impact: Medium
Reasoning: MFA adds an additional layer of protection against being attacked.
Mitigating Controls: VPN access should be changed to require MFA.
Total Risk Score: High

Risk #6
Risk: TLS v1.1 encryption is marked as unsecured.
Risk Family: Data at Rest
Control: TLS v1.1 is used between the cloud production environment and SwiftTech's physical location.
Likelihood: Low
Impact: Medium
Reasoning: TLS v1.1 is based on a combination that is no longer available now; it is considered damaged.
Mitigating Controls: TLS v1.2 is secure.
Total Risk Score: Medium

Risk #7
Risk: A tiered application usually consists of 3 tiers: the web layer (presentation tier), the application layer (application logic tier), and the database layer (data storage tier). Using one system to host all 3 tiers introduces the risk that a compromise of one tier affects all of them.
Risk Family: Network Security
Control: Application development tiers are not logically segmented from business application servers.
Likelihood: High
Impact: High
Reasoning: An attack on one of the tiers could cause damage to all the tiers.
Mitigating Controls: Application tiers should be segmented from business application servers.
Total Risk Score: High

Risk #7b
Risk, Risk Family, Control, Likelihood, Impact, Reasoning, Mitigating Controls and Total Risk Score are identical to Risk #7.

Risk #8
Risk: The unpatched servers are a vulnerability.
Risk Family: Vulnerability Management
Control: Development tier servers are unpatched and contain multiple vulnerabilities.
Likelihood: High
Impact: High
Reasoning: The servers are no longer activated (updated), so there is a high chance of them being hacked.
Mitigating Controls: You have to update the servers.
Total Risk Score: High

Risk #9
Risk: Applications not being scanned for vulnerabilities might put your system in danger.
Risk Family: Vulnerability Management
Control: Application code is not scanned for vulnerabilities before being published into the production environment.
Likelihood: High
Impact: High
Reasoning: There is a high chance of being attacked.
Mitigating Controls: Update the application code.
Total Risk Score: High

Notes:
Risk - descriptions should be a reasonable approximation of what is written above but do not need to be exact.

Reasoning - The reasoning should approximately match the user's assessment of the likelihood and impact of a potential risk. If, for instance, the likelihood and impact are marked High, the reasoning should reflect why it might be High.

Mitigating Controls - For the purpose of this exercise we did not include mitigating controls.

Total Risk Score - Should not be less than a reasonable approximation of likelihood x impact. For instance, if L=High and I=High (and no mitigating control exists) then Risk cannot equal Low.
Risk Family values: Data at Rest, Data in Transit, User Access, Secure Code, Network Security, Vulnerability Management

Rating scale (Likelihood, Impact, Total Risk Score): Low, Medium, High
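As an added example (not part of the assessment itself), the Total Risk Score rule from the notes applied as a check over the ratings recorded in the register. The 3x3 matrix that turns the product of likelihood and impact into Low/Medium/High is an assumption, since the page only calls for a reasonable approximation; mitigating controls are ignored because the notes say none were included.

```python
"""Minimum-score check for a Low/Medium/High risk register (added example)."""
from dataclasses import dataclass

# Ordinal scale shared by the Likelihood, Impact and Total Risk Score columns.
RATING = {"Low": 1, "Medium": 2, "High": 3}


def expected_score(likelihood: str, impact: str) -> str:
    """Approximate 'likelihood x impact' on a 3x3 matrix.
    Assumed mapping (not stated on the page): product 1-2 -> Low, 3-4 -> Medium, 6-9 -> High."""
    product = RATING[likelihood] * RATING[impact]
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    likelihood: str
    impact: str
    total_score: str


def underrated(entries):
    """Ids whose recorded Total Risk Score is below likelihood x impact.
    Mitigating controls are ignored: the exercise notes say none were included."""
    return [e.risk_id for e in entries
            if RATING[e.total_score] < RATING[expected_score(e.likelihood, e.impact)]]


# Likelihood, Impact and Total Risk Score exactly as recorded in the register above.
REGISTER = [
    RiskEntry("1", "Medium", "High", "High"),
    RiskEntry("2", "High", "High", "High"),
    RiskEntry("2b", "High", "High", "High"),
    RiskEntry("3", "Low", "Medium", "Medium"),
    RiskEntry("4", "High", "High", "Medium"),
    RiskEntry("5", "Medium", "Medium", "High"),
    RiskEntry("6", "Low", "Medium", "Medium"),
    RiskEntry("7", "High", "High", "High"),
    RiskEntry("7b", "High", "High", "High"),
    RiskEntry("8", "High", "High", "High"),
    RiskEntry("9", "High", "High", "High"),
]

if __name__ == "__main__":
    for risk_id in underrated(REGISTER):
        print(f"Risk {risk_id}: Total Risk Score is below likelihood x impact")
```

Under the assumed matrix, only Risk #4 (High likelihood, High impact, Medium score) falls below the floor the notes describe.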
