
Performing a Risk Assessment

Objectives

• Selecting a Risk Assessment methodology
• Identifying the management structure
• Identifying assets and activities
• Identifying and evaluating threats
• Identifying and evaluating vulnerabilities
• Identifying and evaluating countermeasures
• Selecting a methodology based on the assessment needs
• Developing mitigation recommendations
• Presenting Risk Assessment Results
• Best practices
http://fpt.edu.vn 2/21/2025 2
Selecting a Risk Assessment Methodology
• The two primary types are quantitative and qualitative
• Before progressing with the RA:
– Define the assessment:
• Operational characteristics define how the system operates in your
environment.
• Mission of the system defines what the system does.
– Review previous findings:
• Recommendations
• Current status of accepted recommendations
• Unapproved recommendations

Identifying the Management Structure
• The management structure: how responsibilities are assigned
• Small organizations may have a single IT section
• Larger organizations may have multiple IT sections or divisions
– Network infrastructure:
• Responsible for routers, switches and firewalls in the network.
– User and computer management:
• performs the day-to-day management of the network and accounts.
– E-mail servers:
• to manage e-mail, spam filtering and malicious attachments.
– Web servers:
• Configured in one or more Web farms, generating a significant amount of
revenue
– Database servers:
• The knowledge needed to manage these servers is specialized.
– Configuration and change management:
• oversees configuration and changes to either all servers or all systems.

Identifying Assets and Activities Within Risk Assessment Boundaries
• Asset valuation is the process of determining the fair market
value of an asset
– Replacement value
– Recovery value
• Several elements to consider
– System access and system availability
– System functions
– Hardware assets
– Software assets
– Personnel assets
– Data and information assets (Public, Private and Proprietary Data)
– Facilities and supplies (Hot, Cold and Warm Sites)

Identifying Assets and Activities (cont.)
• Several elements to consider
– Hardware and software assets
– Personnel assets
– Data and information assets
– Facilities and supplies

Identifying and Evaluating Relevant Threats
• A threat is any potential danger:
– to the data, the hardware, or the systems
– a threat assessment is the process of identifying threats.
– relationship between threats, attacks, vulnerabilities, and loss (Fig. 6-4)
• Two primary methods to identify threats:
– Review historical data:
• Attacks, natural events, accidents and equipment failures.
– Modeling:
• The system, threat profile and threat analysis.

Identifying and Evaluating Relevant Vulnerabilities
• A vulnerability is a weakness:
– All systems have vulnerabilities
– Not all vulnerabilities result in a loss
• Two primary assessments:
– Vulnerability assessments (using tools such as Nmap, Nessus, SATAN, SAINT, …):
• Identifying IP addresses - ping scanner tools.
• Identifying names - “whois” tools for computers on the Internet.
• Identifying operating systems - fingerprinting tools.
• Identifying open ports – port scanner tools.
• Identifying weak passwords - password cracker tools.
• Capturing and analyzing data.
– Exploit assessments:
• also referred to as “penetration tests”, attempts to discover what
vulnerabilities an attacker can exploit.
Identifying and Evaluating Countermeasures
• A countermeasure is a security control or a safeguard.
• In-Place and Planned Countermeasures
– In-place controls:
• currently installed in the operational system.
– Planned controls
• having a specified implementation date.
• Control categories:
– Administrative security controls (in-place controls): Policies and procedures,
Security plans, Insurance, Personnel checks, Awareness and training, Rules of
behavior
– Technical security controls (automated): Login identifier, Session timeout,
System logs, Audit trails, Input validation, Firewalls, Encryption
– Physical security controls: Locked doors, Guards and access logs, Video cameras,
Fire detection and suppression, Water detection, Temperature and humidity
detection, Electrical grounding and circuit breakers

Selecting a Methodology Based on Assessment Needs
• Quantitative
– Identifying values SLE, ARO, ALE (before and after control), Safeguard
Cost/Benefit (Lecture 5)
– Scenario (p. 157-8)
• Qualitative:
– using the opinions of experts to determine two primary data points:
• Probability - the likelihood that the risk will occur (in percentage)
• Impact - the magnitude of the loss if the risk occurs.
– Prioritize the risks:
• Buffer overflow
• SQL injection attacks
• Web defacing
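Worked example of both methods on this slide, added here and not taken from the lecture: the quantitative SLE/ARO/ALE and safeguard cost/benefit figures use the standard formulas SLE = AV x EF and ALE = SLE x ARO, and the qualitative part ranks the three risks listed above by probability x impact. The asset value, exposure factor, occurrence rates, control cost and expert ratings are all constructed.

```python
from dataclasses import dataclass

# Qualitative impact weights; the numeric scale is constructed for this example.
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class QuantRisk:
    name: str
    asset_value: float         # AV: replacement or recovery value of the asset
    exposure_factor: float     # EF: fraction of AV lost in a single incident
    aro_before: float          # ARO (incidents per year) with no control in place
    aro_after: float           # ARO expected once the control is deployed
    annual_control_cost: float

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self, aro: float) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * aro

    def safeguard_value(self) -> float:
        """Cost/benefit of the control: ALE(before) - ALE(after) - annual cost.
        Negative means the control costs more per year than the loss it avoids."""
        return self.ale(self.aro_before) - self.ale(self.aro_after) - self.annual_control_cost

def qualitative_score(probability_pct: float, impact: str) -> float:
    """Expert-estimated probability (percent) times the impact weight."""
    return probability_pct / 100 * IMPACT_SCALE[impact]

def prioritize(risks: dict) -> list:
    """Rank named risks from highest to lowest probability x impact score."""
    return sorted(risks, key=lambda r: qualitative_score(*risks[r]), reverse=True)

# Constructed figures: a Web farm worth 200,000 that loses 25% of its value per outage.
WEB_SERVER = QuantRisk("Web farm outage", 200_000, 0.25, 0.5, 0.1, 8_000)

# Constructed expert estimates (probability %, impact) for the slide's three risks.
QUALITATIVE_RISKS = {
    "Buffer overflow": (30, "high"),
    "SQL injection attacks": (60, "high"),
    "Web defacing": (80, "low"),
}

if __name__ == "__main__":
    print(f"ALE before: {WEB_SERVER.ale(WEB_SERVER.aro_before):,.0f}; "
          f"control value: {WEB_SERVER.safeguard_value():,.0f}")
    print("Priority:", prioritize(QUALITATIVE_RISKS))
```

A control with a negative safeguard value is a candidate for risk acceptance rather than mitigation, which is exactly the decision the cost-benefit analysis on the next slide feeds.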
Develop Mitigating Recommendations
• Threat/vulnerability pairs:
– A control needs to address specific threat/vulnerability pairs.
• Estimate of cost and time to implement:
– included in the cost-benefit analysis
– important to accurately identify this cost by including both direct and indirect costs.
• Estimate of operational impact:
– identifying the operational impact of a control as negligible, low, medium, high, or
overwhelming.
– four primary resources of a computer system: Processor, Memory, Disk, Network
interface card (NIC)
• Prepare cost-benefit analysis

Present Risk Assessment Results

• After the RA, create a report documenting the results
• Includes two phases:
– Presenting the recommendations to management
– Documenting the decisions made by management:
• Creating a plan of actions and milestones (POAM) to track and monitor
the controls (cf. Lecture 4)

Best Practices for Performing Risk Assessments
• Ensuring systems are fully described
• Reviewing past audits
• Reviewing past Risk Assessments
• Matching the RA to the management structure
• Identifying assets within the RA boundaries
• Identifying and evaluating relevant threats
• Identifying and evaluating relevant vulnerabilities
• Identifying and evaluating countermeasures
• Tracking the results
