
Security Risk Assessment in Web Application Security

Security risk assessment and security risk management have become vital tasks for security officers and IT managers. Corporations face increased levels of risk almost daily: from software vulnerabilities hidden in their business-technology systems to hackers and cyber crooks trying to steal proprietary corporate intellectual property, including sensitive customer information. An ever-growing list of government regulations aimed at ensuring the confidentiality, integrity, and availability of financial and health-related information adds regulatory risk on top of the technical risk, making a comprehensive security risk assessment a modern-day corporate necessity.

But how do organizations perform an accurate security risk assessment of their IT systems and the critical information they store? Risk surrounds us every day in the physical world, and we take precautions to mitigate it: everything from wearing seat belts to purchasing life insurance. Web security risk management is not so easy to grasp: How much does it actually cost a company when a Web server is breached, or when an attack disrupts the availability of critical Web systems? What are the costs when a hacker or competitor snatches proprietary information or customer lists from an insecure Web server? How Web security risk management is performed depends entirely on knowing the answers to these questions.

The Security Risk Assessment Equation

Such risks can be seen more clearly through the following simple equation that quantifies a security risk assessment:

Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack

In this equation, you assign each risk factor a weighting of 1-10 (10 being the most severe or highest). Multiplying the factors gives an aggregate security risk assessment for any asset. The product is a relative score for ranking assets against one another and prioritising remediation, not a monetary loss estimate. Let's take an everyday example: we have an e-commerce server that performs 40 percent of all customer transactions for the organization, and it has a very severe and easy-to-exploit vulnerability:

E-commerce Server Risk = 10 (Value of the Asset) x 10 (Severity of the Vulnerability) x 10 (Likelihood of an Attack).

In this example, the e-commerce server risk equals 1,000: the highest security risk assessment possible. The company would then structure its security risk management policies accordingly, allotting more resources to mitigating this risk.

Now, let’s compare the results of a security risk assessment in two other instances: a moderate vulnerability with an e-commerce server and a severe vulnerability with an Intranet server used to publish internal announcements:

E-commerce Server Risk = 10 (Value of the Asset) x 4 (Severity of the Vulnerability) x 4 (Likelihood of an Attack). The e-commerce server risk = 160, a moderate risk ranking.

Intranet Server Risk = 2 (Value of the Asset) x 8 (Severity of the Vulnerability) x 6 (Likelihood of an Attack). The Intranet server risk = 96, a lower security risk assessment ranking.
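The scoring above is easier to apply consistently when it is done over a register of findings rather than one asset at a time. The following Python is an added worked example, not code from the original IT-Observer article: it implements the article's Risk = Value x Severity x Likelihood formula with each factor validated to the 1-10 scale, ranks a constructed register containing the three cases from the text, and assigns a tier. The tier thresholds (HIGH at 500 and above, MODERATE at 100 and above, LOW below that) are an assumption chosen so that the article's three scores of 1,000, 160 and 96 land in the tiers it describes; the article itself gives no cut-offs.

```python
"""Relative risk scoring and ranking for a register of findings.

Added example; not from the IT-Observer article. Implements
    Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack
with every factor scored 1-10, so the product lies in 1..1000.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MIN_SCORE, MAX_SCORE = 1, 10
HIGH_THRESHOLD = 500      # assumption: not from the article
MODERATE_THRESHOLD = 100  # assumption: not from the article


@dataclass(frozen=True)
class Finding:
    asset: str        # what is at risk
    vuln: str         # short description of the weakness
    value: int        # value of the asset to the business, 1-10
    severity: int     # severity of the vulnerability, 1-10
    likelihood: int   # likelihood that the vulnerability is attacked, 1-10


def _check(name: str, score: int) -> int:
    # Reject out-of-range or non-integer factors instead of silently
    # producing a meaningless product (a 0 would hide a real risk).
    if isinstance(score, bool) or not isinstance(score, int) \
            or not MIN_SCORE <= score <= MAX_SCORE:
        raise ValueError(
            f"{name} must be an integer in {MIN_SCORE}-{MAX_SCORE}, got {score!r}")
    return score


def risk_score(f: Finding) -> int:
    """The article's formula: Value x Severity x Likelihood."""
    return (_check("value", f.value)
            * _check("severity", f.severity)
            * _check("likelihood", f.likelihood))


def risk_tier(score: int) -> str:
    """Bucket a 1..1000 score into a coarse priority tier (thresholds assumed)."""
    if score >= HIGH_THRESHOLD:
        return "HIGH"
    if score >= MODERATE_THRESHOLD:
        return "MODERATE"
    return "LOW"


def rank(findings: Iterable[Finding]) -> List[Tuple[str, str, int, str]]:
    """Return (asset, vuln, score, tier) tuples, highest risk first,
    so the top of the list is where remediation resources go first."""
    scored = []
    for f in findings:
        score = risk_score(f)
        scored.append((f.asset, f.vuln, score, risk_tier(score)))
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed register reproducing the three cases discussed in the text.
REGISTER = [
    Finding("e-commerce server", "severe, easy-to-exploit vulnerability", 10, 10, 10),
    Finding("e-commerce server", "moderate vulnerability", 10, 4, 4),
    Finding("intranet announcements server", "severe vulnerability", 2, 8, 6),
]

if __name__ == "__main__":
    for asset, vuln, score, tier in rank(REGISTER):
        print(f"{score:5d}  {tier:8s}  {asset}: {vuln}")
```

Running the block prints the register ordered 1000 (HIGH), 160 (MODERATE), 96 (LOW). Because the factors are ordinal judgements rather than measurements, treat the output as an ordering for allocating effort, and revisit the likelihood scores whenever exploit availability or exposure of an asset changes.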



Copyright © IT-Observer Online Publication 2000 - 2007