Phân tích & Quản lý rủi ro Võ Viết Minh Nhật Khoa CNTT – Trường ĐHKH Nội dung trình bày  Mở đầu  Định nghĩa rủi ro  Tính dể bị xâm hại (vulnerability)  Mối de dọa (threat)  Xác định rủi ro cho một tổ chức  Đo lường rủi ro Mở đầu  Security is about managing risk. Without an understanding of the security risks to an organization’s information assets, too many or not enough resources might be used or used in the wrong way.  Risk management also provides a basis for valuing of information assets. By identifying risk, you learn the value of particular types of information and the value of the systems that contain that information. What is risk?  Risk is the underlying concept that forms the basis for what we call “security.”  Risk is the potential for loss that requires protection. If there is no risk, there is no need for security.  And yet risk is a concept that is barely understood by many who work in the security industry. What is risk?  Example of the insurance industry  how much the car repair is likely to cost?  how much the likelihood that the person will be in an accident?  Two components of risk:  The money needed for the repair => vulnerability  the likelihood of the person to get into an accident => threat Relationship between vulnerability and threat Vulnerability  A vulnerability is a potential avenue of attack.  Vulnerabilities may exist in computer systems and networks  allowing the system to be open to a technical attack  or in administrative procedures  allowing the environment to be open to a non-technical or social engineering attack. Vulnerability  A vulnerability is characterized by the difficulty and the level of technical skill that is required to exploit it.  For instance, a vulnerability that is easy to exploit (due to the existence of a script to perform the attack) and that allows the attacker to gain complete control over a system is a high-value vulnerability.  On the other hand, a vulnerability that would require the attacker to invest significant resources for equipment and people and would only allow the attacker to gain access to information that was not considered particularly sensitive would be considered a low-value vulnerability.  Vulnerabilities are not just related to computer systems and networks. Physical site security, employee issues, and the security of information in transit must all be examined. Threat  A threat is an action or event that might violate the security of an information systems environment.  There are three components of threat:  Targets The aspect of security that might be attacked.  Agents The people or organizations originating the threat.  Events The type of action that poses the threat. Targets  The targets of threat or attack are generally the security services : confidentiality, integrity, availability, and accountability.  Confidentiality is targeted when the disclosure of information to unauthorized individuals or organizations is the motivation.  Exemples: government information, salary information or medical histories.  Integrity is the target when the threat wishes to change information.  Examples: bank account balance, important database [...]... taking corrective action Xác định rủi ro  Xác định rủi ro cho một tổ chức là xác định tính dể bị xâm hại (vulnerability) của họ và mối đe dọa (threat) đối với họ  Các rủi ro được xác định không nhất thiết liên quan đến rủi ro hiện thời của một tổ chức  Việc xác định rủi ro cho một tổ chức phải đáp ứng được nhu cầu của tổ chức đó Các thành phần trong đáng giá rủi ro của một tổ chức ...  Knowledge and access to specific systems may not be available but may be acquired if the appropriate vulnerabilities exist Agents to Consider  Terrorists    are always assumed to have a motivation to do harm to an organization Terrorists will generally target availability Therefore, access to high-profile systems or sites can be assumed (the systems are likely on the Internet and the sites are... organization is the important aspect of identifying terrorists as a probable threat to an organization Agents to Consider  Criminals    are always assumed to have a motivation to do harm to an organization tend to target items (both physical and virtual) of value Access to items of value, such as portable computers, is a key aspect of identifying criminals as a probable threat to an organization Agents to...Targets   Availability (of information, applications, systems, or infrastructure) is targeted through the performance of a denial-of-service attack Threats to availability can be short-term or long-term Accountability is rarely targeted The purpose of such an attack is to prevent an organization from reconstructing past events Accountability may be targeted as a prelude to an attack against another... agent may be able to gain access to the facility through some other means) The access that an agent has directly affects the agent’s ability to perform the action necessary to exploit a vulnerability and therefore be a threat A component of access is opportunity Opportunity may exist in any facility or network just because an employee leaves a door propped open Knowledge  An agent must have some knowledge...   Accidental physical interference with systems or operations Natural physical events that may interfere with systems or operations Introduction of malicious software (intentional or not) to systems Disruption of internal or external communications Passive eavesdropping of internal or external communications Theft of hardware Threat + Vulnerability = Risk  Risk is the combination of threat and vulnerability... An agent must have some knowledge of the target The knowledge useful for an agent includes         User IDs Passwords Locations of files Physical access procedures Names of employees Access phone numbers Network addresses Security procedures Knowledge  The more familiar an agent is with the target, the more likely it is that the agent will have knowledge of existing vulnerabilities  Agents... mechanisms actually in place within an organization Targets  Athreat may have multiple targets  For example, accountability may be the initial target to prevent a record of the attacker’s actions from being recorded, followed by an attack against the confidentiality of critical organizational data Agents  The agents of threat are the people who may wish to do harm to an organization To be a credible...  Hackers    are always assumed to have a motivation to do harm to an organization may or may not have detailed knowledge of an organization’s systems and networks Access may be acquired if the appropriate vulnerabilities exist within the organization Agents to Consider  Commercial rivals  should be assumed to have the motivation to learn confidential information about an organization  may have . Phân tích & Quản lý rủi ro Võ Viết Minh Nhật Khoa CNTT – Trường ĐHKH Nội dung trình bày  Mở đầu  Định nghĩa rủi ro  Tính dể bị xâm hại (vulnerability)  Mối. rủi ro  Tính dể bị xâm hại (vulnerability)  Mối de dọa (threat)  Xác định rủi ro cho một tổ chức  Đo lường rủi ro Mở đầu  Security is about managing risk. Without an understanding of the. information assets, too many or not enough resources might be used or used in the wrong way.  Risk management also provides a basis for valuing of information assets. By identifying risk, you learn