Administrating Security (Risk Assessment Methodologies)

--Originally published at TC2027 – Will It Blog?

It is a fact that system administrators often find themselves also doing security tasks within their organizations or projects, which means answering to both sides: the users, who care about the technical controls, and upper management, who need the costs explained and justified.

What is risk analysis?

Risk analysis is the procedure used to estimate the potential losses that could result from system vulnerabilities and to quantify the damage they would cause. Its primary goal is the selection of cost-effective safeguards that reduce risk to an acceptable level.

In simpler words, it is a way to figure out how important your system is and how far you are willing to go to protect it.


First identify the most valuable assets. Information usually matters more than the tangible assets (equipment), so consider how important and how exposed that information is. Then consider the costs: the cost of losing or compromising the information versus the cost of protecting it, maintenance included.
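As an added example (not code from the original post), here is that cost comparison done numerically with the usual loss-expectancy arithmetic: single loss expectancy is asset value times exposure factor, annualized loss expectancy is that times the expected incidents per year, and a safeguard is worth buying when the loss it prevents exceeds what it costs. The customer database, its valuation and the two candidate safeguards are constructed figures, not from the post.

```python
"""Quantitative risk analysis: loss expectancy and safeguard cost/benefit.

Added example. The asset value, exposure factors, incident rates and
safeguard costs below are constructed figures, not from the original post.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    """One loss scenario against one asset."""
    name: str
    asset_value: float      # what the asset is worth, e.g. in USD
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    annual_rate: float      # expected incidents per year (ARO)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset_value and annual_rate must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A control, with its yearly cost and the residual risk it leaves."""
    name: str
    annual_cost: float        # amortized purchase plus maintenance, per year
    residual_exposure: float  # exposure factor once the control is in place
    residual_rate: float      # incidents per year once the control is in place


def residual_risk(risk: Risk, sg: Safeguard) -> Risk:
    """The same scenario with the safeguard's residual factors applied."""
    return replace(risk, exposure_factor=sg.residual_exposure,
                   annual_rate=sg.residual_rate)


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net yearly benefit: ALE before, minus ALE after, minus the safeguard's
    own cost. Negative means the control costs more than the loss it prevents."""
    return risk.ale() - residual_risk(risk, sg).ale() - sg.annual_cost


def cheapest_acceptable(risk: Risk, options: List[Safeguard],
                        acceptable_ale: float) -> Optional[Safeguard]:
    """Lowest-cost option whose residual ALE is within the acceptable level,
    or None when no option gets there (then the answer is to escalate, not spend)."""
    fits = [sg for sg in options
            if residual_risk(risk, sg).ale() <= acceptable_ale]
    return min(fits, key=lambda sg: sg.annual_cost) if fits else None


# Constructed scenario: a customer database and two candidate controls.
CUSTOMER_DB = Risk("customer database loss", asset_value=500_000,
                   exposure_factor=0.4, annual_rate=0.5)
OFFSITE_BACKUPS = Safeguard("encrypted off-site backups", annual_cost=15_000,
                            residual_exposure=0.05, residual_rate=0.5)
DLP_SUITE = Safeguard("enterprise DLP suite", annual_cost=120_000,
                      residual_exposure=0.02, residual_rate=0.25)
OPTIONS = [OFFSITE_BACKUPS, DLP_SUITE]


if __name__ == "__main__":
    print(f"{CUSTOMER_DB.name}: SLE={CUSTOMER_DB.sle():,.0f} "
          f"ALE={CUSTOMER_DB.ale():,.0f}")
    for sg in OPTIONS:
        print(f"  {sg.name}: residual ALE={residual_risk(CUSTOMER_DB, sg).ale():,.0f} "
              f"net value={safeguard_value(CUSTOMER_DB, sg):,.0f}")
    pick = cheapest_acceptable(CUSTOMER_DB, OPTIONS, acceptable_ale=20_000)
    print("choose:", pick.name if pick else "nothing fits; escalate")
```

With these figures the backups prevent about 87,500 of expected yearly loss for 15,000, while the DLP suite prevents 97,500 but costs 120,000, so it has a negative net value even though it leaves less residual risk. That is the point of the exercise: the acceptable level and the price tag decide, not the control that sounds most thorough.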

Contingency plan

Plan for disaster; it may spell the difference between a problem and a catastrophe. Backups are the key to disaster planning: activities as simple as backing up data for storage at a remote secure facility, and arranging alternate equipment and facilities so operations can resume.

Threat Modeling

Getting into more technical territory, one of the first steps in any kind of security development life cycle is threat modeling: a procedure that improves the security of an application or network deployment by identifying its objectives and vulnerabilities, and then the countermeasures that prevent or mitigate each threat's effect.

The image below (courtesy of Microsoft) shows the steps of a generic threat modeling process.

http://kenscourses.com/tc2027fall2016/wp-content/uploads/2016/11/8c43d285179ecd434575d5911015ad24.jpg

Once the model is done, the next thing you want to do is find the security issues it predicts by performing code reviews or penetration tests; otherwise the problems will not be discovered until production, which compromises the application, slows down its release and increases its overall cost.

Risk Rating Methodology

What is the relative risk of a DDoS versus a phishing attack? How probable is each one? What would fixing each cost? What you need is the capacity to estimate the associated risks and the impact they have on the business. The following formula tells what a risk is composed of:

Risk = likelihood * impact

There are a series of steps in order to measure the severity of the risk:

  1. Identify the risk
  2. Estimate the likelihood
  3. Estimate the impact
  4. Determine the severity of the risk
  5. Fix
  6. Adapt the risk rating model to the specific project.
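The six steps above carried through in code, as an added example that is not part of the original post. The factor lists, the 0 to 9 scale, the Low/Medium/High cut-offs and the severity matrix are assumptions taken from the OWASP Risk Rating Methodology, whose steps the list mirrors; the DDoS and phishing scores are constructed sample inputs, not measurements. The `weights` argument is the hook for step 6, letting a project emphasise the factors that matter to it.

```python
"""Risk rating: Risk = likelihood * impact, with each side scored from factors.

Added example. The factor lists, the 0-9 scale, the Low/Medium/High cut-offs
and the severity matrix are assumptions taken from the OWASP Risk Rating
Methodology; the DDoS and phishing scores are constructed sample inputs.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Step 2: factors that make an attack more or less likely (0 = negligible, 9 = near certain).
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",                                # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",    # vulnerability
)
# Step 3: factors that measure the damage if it succeeds (0 = none, 9 = severe).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",                              # technical
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",  # business
)

# Step 4: combine the two levels into one severity; key is (likelihood, impact).
SEVERITY: Dict[Tuple[str, str], str] = {
    ("LOW", "LOW"): "NOTE",      ("LOW", "MEDIUM"): "LOW",        ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM",  ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM",   ("HIGH", "MEDIUM"): "HIGH",      ("HIGH", "HIGH"): "CRITICAL",
}
SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "NOTE")


def level(score: float) -> str:
    """Bin a 0-9 score: below 3 is LOW, below 6 is MEDIUM, otherwise HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} outside 0..9")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def score(factors: Iterable[str], values: Dict[str, int],
          weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted average of the factor scores. Every factor must be present and
    in 0..9; a missing or out-of-range entry is an error, never a silent zero.
    `weights` (step 6) lets a project emphasise some factors; default is 1.0 each."""
    factors = tuple(factors)
    missing = [f for f in factors if f not in values]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    bad = [f for f in factors if not 0 <= values[f] <= 9]
    if bad:
        raise ValueError(f"scores outside 0..9: {bad}")
    w = {f: (weights or {}).get(f, 1.0) for f in factors}
    return sum(values[f] * w[f] for f in factors) / sum(w.values())


def rate(likelihood: Dict[str, int], impact: Dict[str, int],
         weights: Optional[Dict[str, float]] = None) -> Dict[str, object]:
    """Steps 2-4 for one risk: score both sides, bin them, look up the severity."""
    lk = score(LIKELIHOOD_FACTORS, likelihood, weights)
    im = score(IMPACT_FACTORS, impact, weights)
    return {"likelihood": lk, "impact": im,
            "likelihood_level": level(lk), "impact_level": level(im),
            "severity": SEVERITY[(level(lk), level(im))]}


def fix_order(risks: Dict[str, Tuple[Dict[str, int], Dict[str, int]]]) -> List[Tuple[str, str]]:
    """Step 5: rank named risks most severe first, so the fix budget goes to
    the worst problems. Ties keep the caller's order (sorted is stable)."""
    rated = [(name, str(rate(lk, im)["severity"])) for name, (lk, im) in risks.items()]
    return sorted(rated, key=lambda r: SEVERITY_ORDER.index(r[1]))


# Constructed sample scores for the two attacks the post asks about.
DDOS_LIKELIHOOD = {"skill_level": 9, "motive": 4, "opportunity": 9, "size": 9,
                   "ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 9,
                   "intrusion_detection": 3}
DDOS_IMPACT = {"loss_of_confidentiality": 0, "loss_of_integrity": 0,
               "loss_of_availability": 7, "loss_of_accountability": 0,
               "financial_damage": 5, "reputation_damage": 5,
               "non_compliance": 2, "privacy_violation": 0}
PHISHING_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                       "ease_of_discovery": 7, "ease_of_exploit": 7, "awareness": 9,
                       "intrusion_detection": 8}
PHISHING_IMPACT = {"loss_of_confidentiality": 7, "loss_of_integrity": 5,
                   "loss_of_availability": 2, "loss_of_accountability": 7,
                   "financial_damage": 7, "reputation_damage": 5,
                   "non_compliance": 5, "privacy_violation": 7}
SAMPLE_RISKS = {"ddos": (DDOS_LIKELIHOOD, DDOS_IMPACT),
                "phishing": (PHISHING_LIKELIHOOD, PHISHING_IMPACT)}

if __name__ == "__main__":
    for name, sev in fix_order(SAMPLE_RISKS):
        print(f"{name}: {sev} {rate(*SAMPLE_RISKS[name])}")
```

With these sample scores the DDoS is very likely but has a low business impact for this organization, so it rates MEDIUM, while phishing is both likely and damaging and rates HIGH, so it gets fixed first. Note that `score` refuses a partial factor set rather than averaging what it has; a missing factor silently treated as zero would pull a rating down and hide exactly the risks the exercise is meant to surface.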