Questions tagged [risk-analysis]

Risk analysis is a practice used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Security risk analysis, or risk assessment, can be quantitative or qualitative.

Quantitative risk analysis is based on multiplying potential loss by the probability of its occurrence. Qualitative risk analysis is based on analysis of interrelated elements: threats, vulnerabilities and controls (countermeasures for vulnerabilities).

158 questions
13 votes, 3 answers

Security analysis of Dashlane

I've been asked by a user whether I would recommend using the Dashlane password manager. I'm aware that other password managers have had some significant security problems, including XSS and CSRF (see below). Is the Dashlane password manager…
D.W.
13 votes, 5 answers

How can I detect backdoors?

I have a machine running Mac OS X and I suspect there may be a backdoor installed. I know that I could take it to a professional security firm for analysis, or nuke it from orbit, but I'm interested in dealing with it myself. What forensic…
mac
12 votes, 3 answers

Is CentOS a good choice from a security perspective?

How secure is the CentOS Linux distribution? I noticed there were times when there were no up-to-date patches for some version of CentOS (e.g., 5.6). I read this on some mailing list that I can't find now. I seem to recall the problem was that…
LanceBaynes
12 votes, 2 answers

WireGuard VPN: how safe is it for production in its current state?

In our project we had to build a VPN to get through to computers residing behind NAT. I never did it before. While looking for suitable software I came across WireGuard which claimed to be very simple. After some reading I indeed was able to set up a…
user1876484
11 votes, 2 answers

Looking for an open risk assessment methodology

I'm looking for a fully open quantitative risk assessment methodology. Most of the methodologies have usage or licensing restrictions placed upon them. I define open as methodology covered by something equivalent to the Creative Commons CC BY or CC…
Ben
11 votes, 3 answers

How to calculate our application security debt?

Application security debt has some similarities to technical debt, but there are a few differences that we need to think about when deciding if our security debt load has gotten too high and needs to be paid off. I would like to know how to calculate…
Filipon
10 votes, 0 answers

Should the risk of antivirus products be reconsidered in light of the TrendMicro critical bug report

Tavis Ormandy of Google has recently discovered a critical TrendMicro design flaw identified in this bug report - TrendMicro node.js HTTP server listening on localhost can execute commands. The bug report reads to me like a Stephen King novel of…
zedman9991
9 votes, 3 answers

Is "Discoverability = low" an acceptable reason to reduce the risk of a vulnerability?

The outdated DREAD risk model (wikipedia) lists Discoverability as a criterion for judging the severity of a vulnerability. The idea being that something which is not publicly known and you would be unlikely to discover without deep knowledge of the…
Mike Ounsworth
8 votes, 1 answer

Is exposing website performance data a security risk?

I am currently adding a subsite to some websites that allows me to monitor performance data live as the server software perceives it. The data is mostly stuff like amount of memory used, memory allocated, memory freed during last garbage collection,…
MarLinn
7 votes, 4 answers

How to choose/compromise between data protection, and device recovery?

I'm sure many of you have probably seen (online or in-person) the DEFCON 18 presentation, demonstrating what can happen if you steal a hacker's computer. For those who haven't, the link is below. It's quite an entertaining presentation. (Warning: …
Iszi
7 votes, 5 answers

What are the risks associated with SSL interception in an Organization?

If an SSL interceptor is installed for security reasons in an organization, and a certificate from an intermediate CA is installed on all domain machines, what kinds of risks does this setup present?
AdnanG
7 votes, 2 answers

Should content delivery depend on FCrDNS (forward-confirmed reverse DNS) look-ups and why?

First, let me make clear that this isn't a duplicate of the Does deliberately wrong information from a DNS server violate standards generally accepted good practices? thread, as I'm not interested in legal aspects or DNS standards, nor ISP best practices.…
TildalWave
7 votes, 3 answers

Risk Control - Ignored risks and accepted risks

Some say that ignored risks as part of an organization's behavior are much worse than accepted risks. I would like to test that axiom (in the eyes of some). When I am handling a risk and I choose to accept it, it means that I have done risk analysis…
Franko
7 votes, 1 answer

What theoretical risks are posed by compromised 5G infrastructure?

A certain large Asian company and leader in 5G infrastructure has recently been accused of being compromised by its authoritarian government. Aside from the fact that it's nearly impossible to audit closed-source hardware as free of backdoors, what…
Jordan Rieger
6 votes, 2 answers

Annual Rate of Occurrence (ARO) and Exposure Factor (EF) Data

I'm calculating loss expectancy (SLE/ALE) but where or how does one get data on annual rates of occurrences for various things? From simple hard-drive failure rates to something complex like the exploitation of client browsers? Or how about the…
jvff