Mythology risks

--Originally published at Diego's Password


Risk assessment mythologies, haha funny right… Methodologies. What could it mean…

The evaluation or estimation of the nature, quality or ability of someone or something.

So it is the actual quantification of a risk, whether quantitative or qualitative. How could we even count or grade a risk? Well, that’s when the mythologies come in. Normally two factors are taken into consideration: the consequences and the probability. The consequences are all the potential loss, counted either in money or by a given parameter, and the probability is the actual percentage, the likelihood of the event happening or occurring.
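To make the two factors concrete, here is an added example (my own code, not from the original post or the GIAC article) that scores the same risk both ways: quantitatively as probability times consequence, and qualitatively by grading each factor 1 to 5 and combining the grades in a matrix. The banding thresholds, the rating cut-offs and the three sample risks are all constructed for illustration.

```python
"""Added example: scoring a risk from its two factors, consequence and probability.

Quantitative: expected loss = probability * consequence (in currency units).
Qualitative: grade each factor 1..5 and look the product up in a rating scale.
The bands, cut-offs and sample risks below are constructed, not taken from any standard.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: float   # potential loss, in currency units, if the event happens
    probability: float   # likelihood of the event occurring in the period, 0..1


def expected_loss(risk: Risk) -> float:
    """Quantitative score: the loss you expect from this risk over the period."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {risk.probability}")
    if risk.consequence < 0:
        raise ValueError("consequence cannot be negative")
    return risk.probability * risk.consequence


def grade(value: float, thresholds: Tuple[float, ...]) -> int:
    """Map a value to a 1..5 band: 1 plus the number of thresholds it reaches."""
    return 1 + sum(value >= t for t in thresholds)


# Constructed banding: consequence in currency units, probability per period.
CONSEQUENCE_BANDS = (1_000, 10_000, 100_000, 1_000_000)
PROBABILITY_BANDS = (0.01, 0.1, 0.3, 0.6)


def qualitative_rating(risk: Risk) -> str:
    """Qualitative score: grade both factors 1..5, multiply, and bucket the product."""
    score = grade(risk.consequence, CONSEQUENCE_BANDS) * grade(risk.probability, PROBABILITY_BANDS)
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def rank(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected loss, biggest first."""
    return sorted(risks, key=expected_loss, reverse=True)


# Constructed sample risks for a small organisation.
SAMPLE_RISKS = [
    Risk("laptop with unencrypted data stolen", consequence=50_000, probability=0.2),
    Risk("data centre fire", consequence=2_000_000, probability=0.002),
    Risk("phishing leads to mailbox takeover", consequence=20_000, probability=0.6),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{r.name:40s} expected loss {expected_loss(r):>12,.0f}  rating {qualitative_rating(r)}")
```

Running it shows why the post says a risk can be counted either way: the fire has the smallest expected loss of the three, yet its consequence alone puts it in the medium band, so a purely quantitative ranking would push it to the bottom while the qualitative matrix keeps it visible.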

[animated gif]

He’s probably right, but first we need to learn how to analyze a risk and make a wise decision. There’s a really interesting article written by the GIAC. I’ve written about them before; I’ll link the post here. This post will be based on that article.

There are three mythologies… haha, enough. There are three methodologies used in risk management in information systems; I wrote another post on that subject, linked here. Anyway, I’ll explain them briefly.

  • Asset Audit
    This approach takes into consideration the information flows, specifically whether they are protected at all times. It considers around seven areas of the system and evaluates their security and behavior. Based on this study the threats and risks are analyzed.
  • Pipeline model
    In this approach, risks are analyzed in a pipeline manner with five main sections: active processes, communication processes, stable data processes, enquiry processes and access control processes. These sections are different kinds of process with distinct tasks and responsibilities. Once the pipeline is defined, we need to look for the weakest link and its gaps; finally we would define how that given risk would be assessed.
  • Attack trees
    This methodology focuses on these questions: who, when, how, why and with what probability an attack will happen. The root of the tree would represent the final goal of the attacker and the nodes all his possible ways of reaching it. This structure helps visualize all the possible threats and points of opportunity in the security area.
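To show what "with what probability" looks like once the tree is drawn, here is an added example (my own code, not from the original post or the GIAC article) that evaluates a small attack tree and tells a defender which leaf is worth blocking first. The tree, its labels and every probability are constructed; the propagation rules assumed are the usual ones: an OR node succeeds if any child succeeds, an AND node only if all of them do.

```python
"""Added example: evaluating an attack tree to see where defensive effort matters most.

A leaf carries the estimated probability that one attacker step succeeds.
An OR node succeeds if any child does (1 - product of child failures);
an AND node only if every child does (product of child successes).
The tree and all probabilities below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterator, List, Tuple


@dataclass
class Node:
    label: str
    kind: str = "leaf"           # "leaf", "or" or "and"
    p: float = 0.0               # success probability; only meaningful for leaves
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Probability that the attacker reaches this node's goal."""
    if node.kind == "leaf":
        return node.p
    child_ps = [success_probability(c) for c in node.children]
    if node.kind == "and":
        result = 1.0
        for cp in child_ps:
            result *= cp
        return result
    if node.kind == "or":
        fail_all = 1.0
        for cp in child_ps:
            fail_all *= 1.0 - cp
        return 1.0 - fail_all
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> Iterator[Node]:
    """Yield every leaf (individual attacker step) under this node."""
    if node.kind == "leaf":
        yield node
    for c in node.children:
        yield from leaves(c)


def mitigation_impact(root: Node) -> List[Tuple[str, float]]:
    """For each leaf, how much the root probability drops if that step is fully blocked.

    Each leaf is temporarily set to p = 0 and then restored, so the tree is unchanged.
    Result is sorted with the most valuable mitigation first.
    """
    baseline = success_probability(root)
    impacts = []
    for leaf in leaves(root):
        saved = leaf.p
        leaf.p = 0.0
        impacts.append((leaf.label, baseline - success_probability(root)))
        leaf.p = saved
    return sorted(impacts, key=lambda t: t[1], reverse=True)


# Constructed tree: root goal on top, three alternative ways to reach it below.
SAMPLE_TREE = Node("read customer records", kind="or", children=[
    Node("log in with a stolen password", kind="and", children=[
        Node("attacker obtains a password by phishing", p=0.4),
        Node("account has no second factor", p=0.5),
    ]),
    Node("exploit an unpatched web application", p=0.1),
    Node("backup bucket left publicly readable", p=0.05),
])

if __name__ == "__main__":
    print(f"root probability: {success_probability(SAMPLE_TREE):.3f}")
    for label, drop in mitigation_impact(SAMPLE_TREE):
        print(f"  block '{label}': root drops by {drop:.3f}")
```

The AND branch is the instructive part: blocking either of its two steps removes the whole branch, so adding a second factor is worth exactly as much as stopping the phishing, and both beat patching the web application even though the patch addresses a single, more obviously "technical" leaf.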

We think this topic is rather technical and repetitive with the linked post. We learned some ways to represent possible risks and analyze them.

I wrote this post with Ivan. Lucrative and fun experience. I’ll link his blog here.