Collaborate Disseminate
I noticed that I seem to think of network services in three categories wrt the risk of exposing one to the internet (or a hostile network):
"Low risk" services are extensively hardened. If a bad guy gets access to one, nothing h… Continue reading Is there an established way to classify network services by risk level?
An asset has a value of Rs 2,000,000. In an attack, it is expected to lose 60 percent of its value. Countermeasure X will cut the loss by one-third. Countermeasure Y will cut the loss by half. Both countermeasures will cost Rs 2000 per Mon… Continue reading Calculate risk in this scenario [closed]
What would be good assessments of cyber resilience? I imagined something like a score on different topics e.g.:
Data Protection: HIGH RISK
Malware defense: MEDIUM RISK
Application/System Life Cycle: No RISK
Vulnerability ma… Continue reading Cyber resilience scoring
Our manager often asks us for a quick understanding of what the risks will be based on some idea that the department has been working on during the ideation phase (the business requirements are generally written but no impla… Continue reading How to create non-generic security requirements for an idea phase?
Does anyone know of any good Risk Registers to start logging security risk that are found on the fly?
The problem that I am having is that we find so much in a day, things start to get lost in emails and we tend to forget the risks that … Continue reading Security Risk Register
I am undertaking a risk assessment and trying to work out the risk impact on confidentiality for if a company employee (specifically a System Administrator) steals Server Hardware.
On the one hand the System Admin already h… Continue reading Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact [on hold]
I have to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What troubles me like forever is what default attack scenario shall be defined for a vulnerability. Let’s take a malicious Office document as an example. As soon as it is opened it is able to run code within the context of the user. There are two possible scenarios which lead to two different CVSSv3 vectors:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L -> 6.3
This is the traditional scenario applied by malware which spreads via email over the Internet (AV:N). An user (victim) has to open the file willingly (UI:R) to initiate the code execution.
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L -> 5.3
This is the other scneario where a local attacker (AV:L) abuses the vulnerability to gain elevated privileges. No unwanted user interaction (UI:N) is required by the “victim” (because the attacker and the victim are not the same person in this scenario).
Which one is right or better? We tend to use the one with the higher score if it is a realistic scenario. This discussion applies to every vulnerability that might also be used willingly within a local attack scenario (e.g. most browser-based attacks).
I can’t seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I’m looking for a CWE that applies to power glitching or clock glitching against a microcontroller or microprocessor.
Are there any C… Continue reading Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?
Can information security risks essentially only be triaged according to the CIA triangle (Confidentiality, Integrity and Availability) or are there other possibilities?