Questions tagged [risk-classification]

9 questions
10 votes, 3 answers

Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?

I can't seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I'm looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor. Are there any CWEs…

Polynomial
3 votes, 1 answer

CVSS Score Remote or Local Scenario

I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me like forever is what default attack scenario shall be defined for a vulnerability. Let's take a malicious Office document as an example. As soon as it is…
3 votes, 3 answers

Risk classification of authenticated XSS

During a security test I was wondering what the risk classification would be of an authenticated XSS vulnerability. I understand that it depends on classification schemes, so the focus in this question is "what are the leftover risks?" and would…

Wealot
2 votes, 1 answer

Impact of SQL injection on SELECT statement

During a routine penetration test I encountered a possibility for SQL injection. The following criteria apply: Microsoft SQL Server (2016); the query has to start with SELECT; the semicolon ; is not allowed to break a statement and to start a new…

Vincent
2 votes, 1 answer

Can information security risks essentially only be triaged according to the CIA triangle?

Can information security risks essentially only be triaged according to the CIA triangle (Confidentiality, Integrity and Availability), or are there other possibilities?

Bob Ortiz
1 vote, 2 answers

How to create non-generic security requirements for an idea phase?

Our manager often asks us for a quick understanding of what the risks will be based on some idea that the department has been working on during the ideation phase (the business requirements are generally written but no implementation done). These…
1 vote, 3 answers

Security Risk Register

Does anyone know of any good Risk Registers to start logging security risks that are found on the fly? The problem that I am having is that we find so much in a day, things start to get lost in emails and we tend to forget the risks that were found…
0 votes, 1 answer

Cyber resilience scoring

What would be good assessments of cyber resilience? I imagined something like a score on different topics, e.g.: Data Protection: HIGH RISK; Malware defense: MEDIUM RISK; Application/System Life Cycle: No RISK; Vulnerability management: EXTREM…

kiara
-1 votes, 3 answers

Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact?

I am undertaking a risk assessment and trying to work out the risk impact on confidentiality if a company employee (specifically a System Administrator) steals server hardware. On the one hand the System Admin already has an in-depth knowledge…