A great example came up today of exactly what I was talking about in yesterday's blog. Someone raised an issue regarding our corporate Intranet: after performing a certain set of actions he could see a directory listing of files. The perceived risk was that data could be compromised.
Firstly, a word about trying to "test" security for yourself: unless you have explicit authorisation to do so, it's generally not a good idea. Your efforts are likely to be interpreted as malicious.
Back to the point. In this particular instance we have:
1) Scenario: the Intranet site can be compromised through misconfigured directory permissions, resulting in modified or deleted data.
2) Threat: I rate the threat as low. It is an internal Intranet with no external access, so the pool of potential attackers is limited to people already inside the network.
3) Vulnerability: I rate this as low/medium. There is clearly some vulnerability, as the directory structure is visible to every Intranet user, and an attacker with the right tools and knowledge might be able to compromise the data. However, as there is no external access, I do not rate this vulnerability any higher.
4) Costs: I would rate the impact on revenue and reputation as zero. There is no confidential data available to compromise through this area of the Intranet, and an attack would not have any external impact on the good name of the organisation. There are likely to be some opportunity costs, though: restoring data from backups perhaps, and support time to ensure that the server is correctly configured.
We can apply some maths to all of the above factors to give us a calculation thus:
Risk = Threat x Vulnerability x (operational costs + reputation costs + support costs)
In this instance, the result is going to be low risk. Note that because the threat and vulnerability factors are ordinal ratings rather than measured probabilities, the product is a relative score for ranking scenarios against each other, not an absolute figure; it is only as good as the honesty of the individual ratings that feed it.
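To make the formula concrete, here is a small scoring routine that applies it to the Intranet scenario above and, as the next paragraph suggests, to a couple of other constructed scenarios so they can be ranked. This is an added example, not part of the original post: the 0-3 ordinal scale, the "low/medium" averaging rule, the banding thresholds, and the two comparison scenarios are all assumptions made for illustration.

```python
"""Worked example of Risk = Threat x Vulnerability x (operational + reputation + support costs).

Added illustration; the numeric scale and thresholds are assumptions, not the post's.
"""
from dataclasses import dataclass

# Assumed ordinal scale for every factor. A rating such as "low/medium" is
# averaged across its parts (so "low/medium" scores 1.5).
SCALE = {"zero": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str
    vulnerability: str
    operational_cost: str
    reputation_cost: str
    support_cost: str


def rating_value(label: str) -> float:
    """Turn a rating label ("low", "low/medium", ...) into a number on SCALE."""
    parts = [p.strip().lower() for p in label.split("/")]
    try:
        return sum(SCALE[p] for p in parts) / len(parts)
    except KeyError as exc:
        raise ValueError(
            f"unknown rating {exc.args[0]!r}; expected one of {sorted(SCALE)}"
        ) from None


def risk_score(s: Scenario) -> float:
    """The post's formula. Costs are summed, so zero revenue/reputation impact
    does not zero the risk as long as some support or operational cost remains."""
    costs = (
        rating_value(s.operational_cost)
        + rating_value(s.reputation_cost)
        + rating_value(s.support_cost)
    )
    return rating_value(s.threat) * rating_value(s.vulnerability) * costs


# Assumed banding thresholds on a scale whose maximum is 3 * 3 * (3 + 3 + 3) = 81.
def risk_band(score: float) -> str:
    if score == 0:
        return "negligible"
    if score < 10:
        return "low"
    if score < 30:
        return "medium"
    return "high"


def rank_scenarios(scenarios) -> list:
    """Highest-scoring scenario first; ties broken by name for a stable order."""
    return sorted(((risk_score(s), s.name) for s in scenarios), reverse=True)


# The scenario from the post, rated as the author rated it.
INTRANET_LISTING = Scenario(
    name="directory listing on internal Intranet",
    threat="low",
    vulnerability="low/medium",
    operational_cost="zero",
    reputation_cost="zero",
    support_cost="low",
)

# Two constructed comparison scenarios (assumptions, not from the post).
EXAMPLE_SCENARIOS = [
    INTRANET_LISTING,
    Scenario("directory listing on public web product",
             "high", "medium", "medium", "high", "low"),
    Scenario("directory listing on Intranet area holding confidential data",
             "low", "low/medium", "medium", "low", "low"),
]


if __name__ == "__main__":
    for score, name in rank_scenarios(EXAMPLE_SCENARIOS):
        print(f"{score:5.1f}  {risk_band(score):10s}  {name}")
```

The Intranet case scores 1 x 1.5 x (0 + 0 + 1) = 1.5, which lands in the low band, in line with the conclusion above; the same misconfiguration on a public-facing product scores 36 because every factor it is multiplied by is larger. The point of running several scenarios through the same function is that the ranking, not the raw numbers, is what tells you where to spend control effort.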
However, why not try this at home! Take your organisation's most important web product and work through this scenario for yourself. Test out a few other scenarios, then take a moment to consider what controls you have in place to mitigate the risk. Are they sufficient given the level of risk that you have assessed?