Questions tagged [risk-analysis]

Risk analysis is a practice used to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Security risk analysis (or risk assessment) can be quantitative or qualitative.

Quantitative risk analysis multiplies potential loss by the probability of occurrence. Qualitative risk analysis is based on analysing interrelated elements: threats, vulnerabilities and controls (countermeasures for vulnerabilities).

158 questions
3
votes
4 answers

Risk management with software code analysis

I am a programmer by day and I am working on a project that is focused around risk management based on PCI-DSS controls within an organisation. I have been thinking lately that a lot of PCI-DSS controls are focused on software patches, network…
OliverBS
3
votes
2 answers

Uses of Threat Modeling outside of application development?

Is threat modeling useful outside of application development? Is it a useful tool for doing operational assessments of information systems already in existence? I am confused how threat modeling methodologies like STRIDE correlate with risk…
m3ta
3
votes
4 answers

Risk of web admin portal without extra authentication steps

More of a philosophical question: suppose there is one behavior which allows an attacker to do something with high impact, but by itself cannot be used to cause that impact. For example, an internet-accessible admin portal which, even though still…
thevpt
3
votes
0 answers

What risks are associated with SPO/Onedrive/O365 external user accounts in active directory?

We've recently started using O365/SPO/OneDrive for business as a sharing platform over a previous niche provider platform. I've noticed that each time a user shares content externally, the external user gets an account in our AD. It's unprivileged…
3
votes
1 answer

To work around a FreeBSD ACL bug I need to grant "read attributes/ACLs" to untrusted Samba users. Not happy about security - can practical harm result?

I've found either one bug, or more than one, in ACL evaluation when running Samba on FreeBSD. I can't be sure if these are facets of the same bug or related bugs - they're very similar but do have distinct features and expose different specific…
3
votes
2 answers

How to identify P2P on a network

I'm trying to work out if the traffic in the below image is P2P file sharing. If you notice, the source ports are all random, but the one at time 17.24 from client port 58338 runs for a good length, maybe about 400 packets. Is there a way to identify if this is…
G Gr
3
votes
1 answer

CVSS Score Remote or Local Scenario

I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me forever is what default attack scenario shall be defined for a vulnerability. Let's take a malicious Office document as an example. As soon as it is…
3
votes
2 answers

How likely is an infection with an outdated Skype on Linux?

Today I found an article about a Skype hotfix and noticed that the repo I use on my Linux notebook, deb http://download.skype.com/linux/repos/debian/ stable non-free, doesn't have the new version, but a very old one. I'm running my current…
sfx
3
votes
2 answers

Why is XSS scored with partial impact to integrity in CVSS V2?

From the CVSS v2 complete guide: "SCORING TIP #2: When scoring a vulnerability, consider the direct impact to the target host only. For example, consider a cross-site scripting vulnerability: the impact to a user's system could be much greater…
Matt Elson
3
votes
1 answer

Risks of using UUID to identify user in mobile app

I've got an existing customer base. A customer has appointments. Currently they cannot access or change their appointments without contacting me directly. I want to offer them a way to access and change their upcoming appointments, with as little…
3
votes
1 answer

Web browser security comparison analysis

Secunia publishes an annual vulnerability review that covers web browsers, and surprisingly Google Chrome leads in the number of known vulnerabilities in comparison to the likes of Microsoft Internet Explorer and Mozilla Firefox. Akin to AV…
Motivated
3
votes
2 answers

SOMAP for risk assessment methodology, or other open source IT risk management

Is SOMAP good for risk assessment, or is it not in use any more? Is there any other open source IT risk management alternative?
2
votes
1 answer

Historical events in terms of risk assessment

How can historical events be leveraged in a risk assessment? I know you could, for instance, look at malware infections over the past x months to perform a better estimation of your malware infection likelihood and impact (even though you…
Lucas Kauffman
2
votes
3 answers

Exposure Factor when calculating SLE

I am studying for an exam and came across a question asking to find what the single loss expectancy would be, but I am failing to understand the exposure factor in the calculation: SLE = Asset Value * Exposure Factor. The question: Your company owns a…
user1301708
2
votes
1 answer

Trying to GET "/iptac-xxxx" not found in nginx log. Is it an attack?

I've found some messages like this one in my nginx error.log: open() "[my-domain]/**iptac-***[a long long string]*/http:/[my-domain]/" failed (2: No such file or directory), client: , server: , request: "GET **/iptac-***[a long long string]*. I've…
Faciunt