Computer Security notes - Risk Identification
Risk Identification
Why is it a concern?
Security will never be perfect; there is always a weakness to be exploited
A business must spend effectively: money spent on security vs the potential loss
The higher the likelihood and impact, the higher the risk to the business
The general lifecycle
The lifecycle contains risk planning, identification and assessment, treatment, and monitoring
All of these should be documented
Methods of risk identification
Vulnerability analysis - penetration testing
Threat analysis
Event tree analysis
Attack trees
Decision trees
The image shows the threat in white, then the vulnerability, and finally the control
Threat trees
Analysis with a tree structure
Basic threat followed by sub threats
Attack tree
Very similar to a threat tree
The top-level attack is identified, then the sub-attacks
Note the prices; they help to identify the cheapest and the most expensive attacks
So someone could cut open at a cost of 10k
Whereas to get the target to state would cost 150k
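Added example (not part of the original notes): a small attack tree evaluated for its cheapest and most expensive attack, then re-evaluated after a control raises the cost of one leaf. Only the 10k and 150k figures come from the notes; the root name, the other nodes and costs, and the 50k control are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "or" (any one child), "and" (every child)
    cost: int = 0           # attacker cost; used for leaves only
    children: tuple = ()

def evaluate(node, pick=min):
    """Return (cost, leaf names) for the attack chosen by `pick` at OR nodes."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [evaluate(child, pick) for child in node.children]
    if node.kind == "or":
        return pick(results, key=lambda r: r[0])
    # AND node: the attacker must pay for every child
    return sum(r[0] for r in results), [n for r in results for n in r[1]]

def with_control(node, leaf_name, added_cost):
    """Return a copy of the tree where a control raises one leaf's cost."""
    if node.kind == "leaf":
        if node.name == leaf_name:
            return replace(node, cost=node.cost + added_cost)
        return node
    kids = tuple(with_control(c, leaf_name, added_cost) for c in node.children)
    return replace(node, children=kids)

# 10k and 150k come from the notes; all other nodes and costs are constructed.
TREE = Node("Open safe", "or", children=(
    Node("Cut open", cost=10_000),
    Node("Get target to state", cost=150_000),
    Node("Pick lock", cost=30_000),
    Node("Insider route", "and", children=(
        Node("Bribe insider", cost=20_000),
        Node("Disable alarm", cost=5_000),
    )),
))

if __name__ == "__main__":
    print("cheapest:", evaluate(TREE))
    print("most expensive:", evaluate(TREE, max))
    hardened = with_control(TREE, "Cut open", 50_000)
    print("cheapest after control:", evaluate(hardened))
```

Once the cheapest leaf is made more expensive, the cheapest attack moves to another branch, so the tree should be re-evaluated after each control is added.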