Questions tagged [risk-analysis]

Risk Analysis is a practice used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Security risk analysis (or risk assessment) can be quantitative or qualitative.

Quantitative risk analysis is based on potential loss multiplied by probability. Qualitative risk analysis is based on the analysis of interrelated elements: threats, vulnerabilities and controls (countermeasures for vulnerabilities).

158 questions
4 votes, 1 answer

SCADA, ICS Specific Testing Tools and Methodologies

I have been contracted to perform a security risk assessment that relates specifically to ICS and SCADA systems. I have performed many IT security risk assessments, however, I am new to assessing these types of environments specifically. I am…
eficker
  • 644
  • 1
  • 6
  • 13
4 votes, 1 answer

IPS fail close vs IPS fail open, what are the risks and benefits?

If a decision is to be made on selecting a mode of fail for an inline IPS that is protecting servers, what are the criteria that should be considered for selecting one of the failure modes: 1- Fail close: if the IPS fails, it will disconnect the…
AdnanG
  • 707
  • 2
  • 8
  • 18
4 votes, 2 answers

Likelihoods for risk assessment

I have been looking at risk assessments lately and I am looking for a way to practically estimate likelihood. Most people recommend assessing based on historical precedent which sounds great to me, however some risks have never materialized at my…
Mattey
  • 45
  • 4
4 votes, 3 answers

Realistically, how likely is it to have a computer compromised from browsing random websites?

Another question inspired by a recent discussion in the 'The DMZ' chatroom. Long story short: IT guys are worried that accountants' workstations may become compromised because accountants watch cat meme websites. Proposed solution: Lock down the…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
4 votes, 3 answers

Security Assessment vs. Risk Analysis

What is the real difference between an IT security assessment based on ISO 27001 (or, in general, another international standard) and qualitative risk analysis? In some ways the approach is quite similar - environment, questions towards the process owner, gap…
emc2
  • 43
  • 1
  • 3
4 votes, 1 answer

How can I do a maintainable and significant risk assessment in an organisation with thousands of assets?

The problems I see with the typical risk assessment are as follows: maintaining the list of assets updated; maintaining the status of the treatments updated and the risk level coherent with that; maintaining the dependency of the assets in a way…
Forced Port
  • 251
  • 1
  • 9
4 votes, 1 answer

Which questions should be asked when evaluating the risk of a policy exception?

I've been tasked with updating my department's exception request form, and I am trying to come up with YES/NO questions that can be scored to determine the risk of the request. I am having trouble with this task, because I need questions that can…
4 votes, 1 answer

How to Audit an Email System

I am working on an auditing process for my company's email system (Exchange 2010). From this process, we're hoping to expand it out to other systems and start to clean up the rampant security issues we have (my place of employment neglected…
Tchotchke
  • 151
  • 4
4 votes, 3 answers

Information Security Risk Analytics

The company where I work is evaluating different risk analytics solutions to purchase, but one of the security guys introduced the idea to actually build our own internal platform/engine. I have done lots of research to understand it better, but…
Fox2020
  • 51
  • 1
4 votes, 1 answer

Why doesn't CVSSv2 consider XSS to have a confidentiality impact?

From the CVSSv2 specification: SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user's system could be much greater than…
tim
  • 29,018
  • 7
  • 95
  • 119
4 votes, 2 answers

Do high-level programming languages have more vulnerabilities or security risks than low-level languages?

Do high-level programming languages have more vulnerabilities or security risks than low-level programming languages and if so, why? Image source: http://a.files.bbci.co.uk/bam/live/content/znmb87h/large
3 votes, 2 answers

Calculating the time required to brute force a random code

Say we have amount random entry codes of length characters from an alphabet of size alphabet. The number of possible codes is then easily calculated as keyspace = alphabet ^ length. Now take an attacker who is trying to gain entry using brute force…
3 votes, 1 answer

Can you securely allow users to create VMs on their workstations?

I've moved from a job where developers were encouraged to use technologies like docker and vagrant to create VMs on their workstations for testing and development. At my new job, the IT manager insists that allowing a user to create a VM will…
spuder
  • 133
  • 7
3 votes, 1 answer

Is it a security risk to have 'Control + j' functionality enabled in a production instance of PeopleSoft?

The control + j feature within PeopleSoft outputs a list of potentially interesting data for a potential attacker. The feature is generally used to aid in debugging. Here is the [censored] output from a control + j: Is it a security risk to have…
3 votes, 2 answers

security metrics on software developed

Thinking about software security metrics, I've currently thought about the following software security metrics: number/type of CWE detected by developers (bug reporting); number/type of CWE detected by static analysis; number/type of warning at…
boos
  • 1,066
  • 2
  • 10
  • 21