Scribd Logo
Upload

Welcome to Scribd!

  • Risk Management

    Uploaded by

    Irwinu
    14 views17 pages
    The document discusses risk management assessment of information leakage on a website using the ISO 31000 framework. It identifies 6 risks related to discovering details about the website such as open ports, developer comments, system architecture and version numbers. It analyzes the likelihood and impact of each risk, determining most have medium risk. It then provides risk treatment controls including intrusion detection systems, port scanners and securing the website framework.

    Original Description:

    Copyright

    © © All Rights Reserved

    Available Formats

    XLSX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses risk management assessment of information leakage on a website using the ISO 31000 framework. It identifies 6 risks related to discovering details about the website such as open ports, developer comments, system architecture and version numbers. It analyzes the likelihood and impact of each risk, determining most have medium risk. It then provides risk treatment controls including intrusion detection systems, port scanners and securing the website framework.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    14 views17 pages

    Risk Management

    Uploaded by

    Irwinu
    The document discusses risk management assessment of information leakage on a website using the ISO 31000 framework. It identifies 6 risks related to discovering details about the website such as open ports, developer comments, system architecture and version numbers. It analyzes the likelihood and impact of each risk, determining most have medium risk. It then provides risk treatment controls including intrusion detection systems, port scanners and securing the website framework.

    Copyright:

    © All Rights Reserved
    Download as XLSX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 17

    START

    Communicating The
    Processes with
    Organization's
    Management

    Risk Management Assessment with ISO 31000 Framework

    Risk Identification Risk Analysis Risk Evaluation

    Risk Action

    END
    Risk Assessment Scope: Information Leakage of Website
    (Based on OWASP Testing Guide: Testing for Information Gathering module

    Number Risk Identification Risk Description

    Calculating the amount of web applications that


    Enumerating web applications
    R1 running on the target web server and knowing
    and web server
    the open ports of the target website.

    Discovering the developer comments on the


    R2 Reviewing website developer website target and find leaked information and
    comments and metadata
    metadata to have better system knowledge.

    R3 Website system and workflow Creating the system mapping of the target
    mapping website and understanding the main workflow.

    Discovering the type of used framework from


    Reviewing website developing the target website that will give better
    R4
    framework understanding and proper option of the
    security testing methodology.

    Discovering the version of the building


    component of the target website to determine
    R5 Reviewing website version
    weaknesses and exploitation methods that are
    suitable when system penetration occurs.

    Website main architecture Discovering and knowing the overall system


    R6 and overall connected system architecture and workflow of the target
    mapping website.
    e: Information Leakage of Website
    ng for Information Gathering module testing results)

    Risk Impact

    Attacker can discover amount of website that hosted on the server of website
    target, that can lead to the further knowledge of estimation average hosted
    website architecture. Knowing the open ports can also lead for choosing the
    effective attack that can go through directly to the specific ports function.

    Attacker can discover the source of building component or template that used
    for developing the target website. By knowing that information, the attacker
    will know the developing source and search for weaknesses related to the
    leaked information.

    Attacker can discover the entire mapping flow of website developing


    component used along with their specific functions.

    Attacker can discover the type of developing framework that used to build the
    target website that have purpose to learn weaknesses and attacks that well-
    matched for system penetration usage to the target website.

    Attacker can discover the version of the website builder component to


    investigate through about the weaknesses and types of attacks for system
    penetration usage to the target website.

    Attacker can discover the main and entire system architecture of the target
    website and take out the important information to be investigated further for
    carrying out the attacks on the target website.
    Likelihood Impact
    Rating Criteria Rating Criteria
    1 Rare 1 Insignificant
    2 Unlikely 2 Minor
    3 Possible 3 Moderate
    4 Likely 4 Major
    Almost
    5 5 Catastrophic
    Certain

    Likelihood
    5 Medium Medium
    4 Low Medium
    Impact 3 Low Medium
    2 Low Low
    1 Low Low
    1 2
    Likelihood
    High High High
    Medium High High
    Medium Medium High
    Medium Medium Medium
    Low Medium Medium
    3 4 5
    Risk Assessment Scope: Information Leakage of Website
    (Based on OWASP Testing Guide: Testing for Information Gathering module testing results)

    Risk Code Risk Description


    Calculating the amount of web applications that running on the target
    R1
    web server and knowing the open ports of the target website.
    Discovering the developer comments on the website target and find
    R2
    leaked information and metadata to have better system knowledge.
    Creating the system mapping of the target website and understanding
    R3
    the main workflow.
    Discovering the type of used framework from the target website that
    R4 will give better understanding and proper option of the security testing
    methodology.
    Discovering the version of the building component of the target website
    R5 to determine weaknesses and exploitation methods that are suitable
    when system penetration occurs.

    R6 Discovering and knowing the overall system architecture and workflow


    of the target website.

    Risk Code Risk Description

    Calculating the amount of web applications that running on the target


    R1
    web server and knowing the open ports of the target website.

    Discovering the developer comments on the website target and find


    R2
    leaked information and metadata to have better system knowledge.
    Creating the system mapping of the target website and understanding
    R3
    the main workflow.

    Discovering the type of used framework from the target website that
    R4 will give better understanding and proper option of the security testing
    methodology.

    Discovering the version of the building component of the target website


    R5 to determine weaknesses and exploitation methods that are suitable
    when system penetration occurs.

    R6 Discovering and knowing the overall system architecture and workflow


    of the target website.
    kage of Website
    Gathering module testing results)

    Likelihood Level Impact Level Risk Level


    Possible (3) Major (4) Medium

    Rare (1) Insignificant (1) Low

    Possible (3) Minor (2) Medium

    Possible (3) Moderate (3) Medium

    Unlikely (2) Minor (2) Low

    Possible (3) Moderate (3) Medium

    Likelihood Level Impact Level Risk Level

    Possible (3) Major (4) 12

    Rare (1) Insignificant (1) 1


    Possible (3) Minor (2) 6

    Possible (3) Moderate (3) 9

    Unlikely (2) Minor (2) 4

    Possible (3) Moderate (3) 9


    5
    Impact 4
    3
    2
    1

    Risk Treatment / Control Skor Risk Treatment


    Implementing Intrusion Detection System (IDS) and
    Honeypot system which have functions to detect the
    incoming unauthorized activity and prevent attacks. Using
    7
    Activating the Port Scanner Detection function on router can
    be a good recommendation for avoiding further system
    penetration by attacker.

    Implementing Intrusion Detection System (IDS) and


    Honeypot system which have functions to detect the
    incoming unauthorized activity and prevent attacks. Usage of
    encryption and reducing the exposed sensitive information
    can also be done.
    Learning and implementing how to secure the used website
    framework, that have different method and procedure for
    every framework (in this case: CodeIgniter) to prevent the
    penetration and control by attacker. On the detailed
    3
    advanced security, administrator can use the advanced
    query to protect the website from many forms of dangerous
    attack, like XSS Scripting & SQL Injection, that will be
    explained later on other phase of OWASP Testing Guide.

    Website administrators can build and deploy the security


    system as strong as possible to secure the sensitive
    information from entire web architecture when attacker
    start the scanning or information gathering progress. Proxy 4
    servers, IDS, encryption, and security module on each part of
    website system can be used as a solution to secure website
    architecture information.
    Likelihood

    R1
    R4, R6
    R5 R3
    R2
    1 2 3 4 5
    Risk Risk Identification
    Code

    Enumerating web applications and


    R1
    web server

    Website system and workflow


    R3
    mapping

    R4 Reviewing website developing


    framework

    R6 Website main architecture and


    overall connected system mapping
    Risk Description Risk Level

    Calculating the amount of web applications that running


    on the target web server and knowing the open ports of Medium (12)
    the target website.

    Discovering the developer comments on the website


    target and find leaked information and metadata to have Medium (6)
    better system knowledge.

    Creating the system mapping of the target website and Medium (9)
    understanding the main workflow.

    Discovering the type of used framework from the target


    website that will give better understanding and proper Medium (9)
    option of the security testing methodology.
    Risk Treatment Risk Treatment
    Score

    Implementing Intrusion Detection System (IDS) and Honeypot system which


    have functions to detect the incoming unauthorized activity and prevent attacks.
    4
    Using Activating the Port Scanner Detection function on router can be a good
    recommendation for avoiding further system penetration by attacker.

    Implementing Intrusion Detection System (IDS) and Honeypot system which


    have functions to detect the incoming unauthorized activity and prevent attacks.
    4
    Usage of encryption and reducing the exposed sensitive information can also be
    done.

    Learning and implementing how to secure the used website framework, that
    have different method and procedure for every framework (in this case:
    CodeIgniter) to prevent the penetration and control by attacker. On the detailed 3
    advanced security, administrator can use the advanced query to protect the
    website from many forms of dangerous attack, like XSS Scripting & SQL Injection,
    that will be explained later on other phase of OWASP Testing Guide.

    Website administrators can build and deploy the security system as strong as
    possible to secure the sensitive information from entire web architecture when
    attacker start the scanning or information gathering progress. Proxy servers, IDS, 4
    encryption, and security module on each part of website system can be used as
    a solution to secure website architecture information.

    Impact
    Residual Risk

    Likelihood
    5
    4 R1
    3 R4, R6
    2 R5 R3
    1 R2
    1 2 3 4 5

    You might also like