Questions tagged [risk]

104 questions
3 votes, 2 answers

How to estimate threat and risk associated with that threat and not only vulnerability severity?

Having this simple formula Risk = Threat x Vulnerability x Information Value, it is quite difficult to estimate risks quantitatively, because threat estimation seems to me the most difficult part. I am aware of CVSS and other vulnerability scoring…
progmastery • 131 • 2
3 votes, 1 answer

Why are full port scans more susceptible to being logged than half-open port scans?

Many resources I come across state that one major advantage of full-port scans (e.g. SYN scans) is the fact that there is a lower risk of being logged. But why? In my opinion, the sequence of segments exchanged in a SYN-scan (SYN >> SYN/ACK >> RST)…
Max • 45 • 5
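The handshake difference behind the question above, as an added example that is not part of the original post: a small model of the server side of the TCP handshake, with constructed source addresses 10.0.0.5 and 10.0.0.6. A half-open scanner resets as soon as it has seen the SYN/ACK, so the handshake never completes and accept() never returns to the application; a full connect scan completes the handshake, so it reaches an application-level connection log. A packet-level logger (firewall, IDS) sees both.

```python
from collections import namedtuple

# A TCP segment as seen by the server: where it came from and which flags it carries.
Segment = namedtuple("Segment", ["src", "flags"])


class ListeningPort:
    """Server-side view of one TCP port, reduced to the three-way handshake.

    half_open holds clients in SYN_RECEIVED. Only when the client's ACK
    completes the handshake is the connection handed to the application
    (the point where accept()-based application logging happens).
    packet_log records every inbound segment, as a firewall or IDS would.
    """

    def __init__(self, listening=True):
        self.listening = listening
        self.half_open = {}
        self.accepted = []    # connections that reached the application
        self.packet_log = []  # every inbound segment (src, flags)

    def receive(self, seg):
        """Process one inbound segment; return the server's reply flags, or None."""
        flags = set(seg.flags)
        self.packet_log.append((seg.src, frozenset(flags)))
        if not self.listening:
            return None if "RST" in flags else {"RST"}   # closed port: reset the SYN
        state = self.half_open.get(seg.src)
        if "RST" in flags:
            self.half_open.pop(seg.src, None)   # client aborted; nothing reaches the app
            return None
        if flags == {"SYN"} and state is None:
            self.half_open[seg.src] = "SYN_RECEIVED"
            return {"SYN", "ACK"}
        if flags == {"ACK"} and state == "SYN_RECEIVED":
            del self.half_open[seg.src]
            self.accepted.append(seg.src)       # accept() returns here
            return None
        return {"RST"}                          # out-of-state segment: reset it


def half_open_scan(port, src):
    """SYN scan: SYN -> SYN/ACK -> RST. The handshake is never completed."""
    reply = port.receive(Segment(src, {"SYN"}))
    if reply == {"SYN", "ACK"}:
        port.receive(Segment(src, {"RST"}))
        return "open"
    return "closed"


def connect_scan(port, src):
    """Full connect scan: SYN -> SYN/ACK -> ACK, then the scanner tears down."""
    reply = port.receive(Segment(src, {"SYN"}))
    if reply == {"SYN", "ACK"}:
        port.receive(Segment(src, {"ACK"}))
        port.receive(Segment(src, {"RST"}))
        return "open"
    return "closed"


def simulate():
    """Run both scan types against one open port and compare the two logs.
    Source addresses are constructed for the example."""
    port = ListeningPort()
    half_open_scan(port, "10.0.0.5")
    connect_scan(port, "10.0.0.6")
    return {
        "application_saw": list(port.accepted),
        "packet_logger_saw": sorted({src for src, _ in port.packet_log}),
    }


if __name__ == "__main__":
    print(simulate())
```

The model deliberately ignores sequence numbers, retransmission and timeouts; the point it isolates is that application-level logging is tied to the completed handshake, while anything below that (netfilter logging, an IDS, a SYN-flood monitor) sees the half-open probe just as well.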
3 votes, 0 answers

What risks are associated with SPO/Onedrive/O365 external user accounts in active directory?

We've recently started using O365/SPO/OneDrive for business as a sharing platform over a previous niche provider platform. I've noticed that each time a user shares content externally, the external user gets an account in our AD. It's unprivileged…
3 votes, 1 answer

Is allow_url_fopen always a security risk?

Is allow_url_fopen always a security risk, or only when you let others insert a URL? Like when you want to set video stream links from another server of yours, and the only way to add a new URL is from your admin area, and the only person who has access…
3 votes, 1 answer

What is the risk of reusing the ATM PIN elsewhere when they tie to EMV cards?

What is the risk in the following scenario: a bank wants to use an ATM PIN (debit card and/or credit card) as an additional form of authentication after the customer logs in to her online/mobile banking platform. As the bank owns the cards, it may…
3 votes, 1 answer

What does the EC_POINT_FORMAT TLS extension protect against and what is the risk of not using it?

The SSL test of htbridge pointed out that the server supports the elliptic curves but not the EC_POINT_FORMAT TLS extension. What does that TLS extension protect against? What is the (potential) risk of not using it?
Bob Ortiz • 6,234 • 8 • 43 • 90
3 votes, 1 answer

CVSS Score Remote or Local Scenario

I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me, like, forever is what default attack scenario should be defined for a vulnerability. Let's take a malicious Office document as an example. As soon as it is…
2 votes, 0 answers

Risks associated with switching ISPs/Telco providers

What are the risks associated with switching Internet Service Providers and/or Telco providers (i.e. Telstra -> Optus), if any? This is in relation to a larger organisation with a wide area network.
KimberleyK • 459 • 1 • 6 • 12
2 votes, 0 answers

Suspicious web-application requests containing encoded JavaScript function(?)

I've been seeing some odd traffic in the logs for a web-application (Apache) that I'm wondering about, and I'm hoping that someone here has seen this before. The raw requests were variations…
2 votes, 3 answers

Can risk mitigation controls bring down the impact?

While doing a Risk Assessment, I found that in some old RA documents, after controls had been placed, the Impact in the forecasted value was changed, which did not make sense to me. To me the impact never changes, as the impact of a critical service…
AdnanG • 707 • 2 • 8 • 18
2 votes, 0 answers

To what extent should security measures be ignored for the sake of operational efficiency?

I have recently started creating an online Tetris-type game, and I was wondering what amount of security I should implement for an online match. I am in a conflict where I want to make my game as secure as possible, but if someone were to try…
Hentoad1 • 21 • 2
2 votes, 2 answers

CVSS and chained vulnerabilities

Let's say a website has two vulnerabilities: information disclosure and reflected XSS. Their impact by themselves is limited on the specific site, but when chained together the impact is raised too high (e.g. transfer money to another account). What…
tturbox • 101 • 1 • 4
2 votes, 1 answer

What are the dangers of extending my PATH?

Are there any dangers of extending my PATH, say by adding /Users/me/bin?
gen • 1,660 • 2 • 18 • 18
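What actually changes when a directory is added to PATH, as an added example that is not part of the original post: command names that are not qualified with a path are resolved by first match along PATH, so a directory listed early can shadow a system binary, and a directory that someone else can write to lets them choose what that name runs. The script builds a replica of /usr/bin and /Users/me/bin under a temporary directory (the paths and the fake `ls` scripts are constructed for the example) and also includes a small audit of PATH entries that another principal could write into.

```python
import os
import shutil
import stat
import tempfile


def resolve(command, path_entries):
    """First executable named `command` along path_entries, or None.
    This is the first-match rule a POSIX shell applies to an unqualified name."""
    return shutil.which(command, path=os.pathsep.join(path_entries))


def risky_path_entries(path_entries):
    """Return (entry, reason) pairs for PATH entries that someone other than
    the owner could put a binary into: relative or empty entries (resolved
    against the current directory), missing directories, directories owned
    by another non-root user, and group/world-writable directories."""
    me = os.getuid()
    findings = []
    for entry in path_entries:
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry, "relative or empty: resolved against the current directory"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            findings.append((entry, "missing: whoever creates it later controls it"))
            continue
        if st.st_uid not in (0, me):
            findings.append((entry, "owned by another user"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world-writable"))
    return findings


def demo_shadowing():
    """Create a fake system bin and user bin, each holding an executable
    called `ls`, and show that PATH order alone decides which one runs."""
    root = tempfile.mkdtemp()
    try:
        system_bin = os.path.join(root, "usr", "bin")
        user_bin = os.path.join(root, "Users", "me", "bin")
        for d in (system_bin, user_bin):
            os.makedirs(d)
            script = os.path.join(d, "ls")
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\necho " + d + "\n")   # constructed stand-in for ls
            os.chmod(script, 0o755)
        os.chmod(system_bin, 0o755)   # the way a packaged /usr/bin is normally set
        os.chmod(user_bin, 0o777)     # constructed worst case: anyone can drop a file here
        flagged = {entry for entry, _ in risky_path_entries([user_bin, system_bin])}
        return {
            "user_dir_first_picks_user": resolve("ls", [user_bin, system_bin]).startswith(user_bin),
            "system_dir_first_picks_system": resolve("ls", [system_bin, user_bin]).startswith(system_bin),
            "user_dir_flagged": user_bin in flagged,
            "system_dir_flagged": system_bin in flagged,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo_shadowing())
    for entry, reason in risky_path_entries(os.environ.get("PATH", "").split(os.pathsep)):
        print(f"{entry}: {reason}")
```

Run stand-alone, the last loop audits the real PATH of the current shell. Appending a directory you alone can write to is the low-risk shape of the change; prepending it, or adding one that is group/world-writable or not yet created, is what the audit flags.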
2 votes, 1 answer

Sqlmap, update query and risk param

I was reading about the 'risk' param for sqlmap, and the docs say that risk level 3 can update tables. What does it mean? As far as I understand, this can happen either in the app's update injection or if the app's logic updates some…
Avit • 23 • 2
2 votes, 1 answer

What will happen if I use weak passwords in a free SMS-sending website that exposes some personal information?

There's a free SMS sending service in our country. It requires a phone number to log in. Once registered, you can send SMS to any phone number within this country. The phone number which you use to send the SMS will be displayed to the…