Chapter 3
Risk Analysis and Management
Edited by: Bayan Abu Shawar
Recall
resource,
articulating the risk,
Avoid: Ceasing (or not engaging in) the activity that is presenting the
risk altogether.
Transfer: Shifting the responsibility or liability for a risk to another party.
or performance degradation
All these costs need to be balanced against the likely cost of
not implementing the recommended control: the total expense of
the controls should never exceed the value of the asset or the
potential impact of the risk.
Making Risk Decisions (Cont’d)
4. Documentation
The documentation of risk is listed as an explicit stage in
the workflow,
but really you need to be documenting your
Business justification
user community.
Again, this option would not limit the severity of the exposure or
change the sensitivity of the Web server, but it would reduce the
likelihood of abuse by reducing the number of entities who can
access the server.
An Example
To limit the severity of the impact:
An active alert triggered from a log file that detects
brute forcing of user account passwords may be too
late to prevent someone from compromising a
single account, but:
you can quickly disable the account before any
damage is done or the attacker is able to move to
another system.
Alternatively, limit up front the scope of access the attacker
would have when exploiting the account. If you can
limit the access to a standard "user privilege" level as
opposed to an "administrative privilege" level, then you
have reduced the potential magnitude of the exposure.
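The example above describes a detective control (a log-driven brute-force alert) combined with a containment action (disable the account) and a preventive one (the account only holds user-level privilege). The following is an added illustration, not code from the original chapter: it runs a sliding-window brute-force detector over a few constructed sshd-style log lines, raises an alert when a (user, source) pair crosses a failure threshold, and emits a "disable_account" action if a successful login follows the alert. The log lines, user names, addresses, the ADMIN_USERS set and the threshold/window values are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original page). The format mimics
# OpenSSH auth.log lines; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2
Mar  1 10:00:03 host sshd[102]: Failed password for alice from 203.0.113.7 port 5002 ssh2
Mar  1 10:00:05 host sshd[103]: Failed password for alice from 203.0.113.7 port 5003 ssh2
Mar  1 10:00:07 host sshd[104]: Failed password for alice from 203.0.113.7 port 5004 ssh2
Mar  1 10:00:09 host sshd[105]: Failed password for alice from 203.0.113.7 port 5005 ssh2
Mar  1 10:00:11 host sshd[106]: Accepted password for alice from 203.0.113.7 port 5006 ssh2
Mar  1 10:02:00 host sshd[107]: Failed password for bob from 198.51.100.4 port 6001 ssh2
Mar  1 10:20:00 host sshd[108]: Failed password for bob from 198.51.100.4 port 6002 ssh2
"""

# Assumed policy values: 5 failures within 60 seconds from one source.
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Assumed list of accounts holding administrative privilege. A compromised
# admin account is a larger exposure than a standard user account.
ADMIN_USERS = {"root", "sysadmin"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, result, user, src) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed year is assumed for deltas.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
    return ts, m["result"], m["user"], m["src"]


def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window detector over auth log text.

    Returns (alerts, actions):
      alerts  - one dict per (user, src) pair that crossed the threshold
      actions - ("disable_account", user) for accounts that logged in
                successfully after an alert was raised for them
    """
    failures = defaultdict(deque)   # (user, src) -> recent failure timestamps
    alerted = set()
    alerts, actions = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        key = (user, src)
        if result == "Failed":
            q = failures[key]
            q.append(ts)
            # Drop failures that fell out of the window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "user": user, "src": src, "count": len(q),
                    "first": q[0], "last": ts,
                    # Privilege level drives the magnitude of the exposure.
                    "severity": "high" if user in ADMIN_USERS else "medium",
                })
        elif result == "Accepted" and key in alerted:
            # A success after the alert means the guess likely landed.
            # Disabling the account limits the severity of the exposure.
            actions.append(("disable_account", user))
    return alerts, actions


if __name__ == "__main__":
    found, todo = detect_brute_force(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['severity']}: {a['count']} failures for {a['user']} "
              f"from {a['src']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    for action in todo:
        print("ACTION:", *action)
```

In the sample, alice crosses the threshold on the fifth failure and then logs in successfully, so the detector raises one medium-severity alert and a disable action; bob's two failures are eighteen minutes apart and never trigger. In a real deployment the disable step would call the identity provider or directory rather than append to a list, and the threshold and window would be tuned against the environment's baseline of legitimate failures.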
Mitigation Planning and Long-term Strategy
configuration review.
The intent of testing is to detect any areas where the controls don’t
satisfactorily mitigate the risk or may have been misconfigured.