Managing risk starts with asking the right questions

by Tom Olzak in Data Centers

on May 16, 2007, 8:32 PM PDT

Managing risk starts with asking the right questions

Whether you’re a proponent of formal risk assessments or of less stringent methods for identifying security control requirements, it’s important to know what questions to ask. Missing a question can result in overlooking one or more critical vulnerabilities. The first step is to form a general hypothesis about the target system. For the purpose of ...

The first step is to form a general hypothesis about the target system. For the purpose of this post, the system consists of an application server, a Web server, and a database server. The Web server provides access to customer information via the Internet. Customer data consists of name, address, phone number, and credit card information.

The general hypothesis we’ll test is that the data is secure from unauthorized access — either internal or external. The testing process begins with assembling a team with a variety of skills. For example, our test requires a team consisting of one or more of the following:

Database administrator
Security analyst
Network administrator
Server engineer
LAN/WAN engineer
Developer

The team begins by brainstorming various attack objectives. As with any brainstorming activity, no suggestion should be eliminated when first volunteered. Once attack objectives are identified, the next step is to ask questions about how criminal elements might attempt to reach each objective. Table 1 offers an example of what the results might look like when documented. I’m sure you can think of quite a few additional objectives and questions very quickly.

Table 1

Of course, the first question you might ask is if it’s absolutely necessary to store the credit card information. If so, why is it necessary to expose that information to remote access? In any case, the answers to these questions provide valuable input into whatever risk assessment approach you prefer.

Although each network will be different, the list you come up for one system/network combination will be largely applicable to additional systems on that same network. In other words, only a few brainstorming sessions are necessary until a library of useful assessment questions is available.

If you’re like me and prefer pictures, you can convert the table above to an attack tree. The objective becomes the root with the questions used to construct various attack vectors. How to build and use an attack tree is covered in A Practical Approach to Threat Modeling.

By Tom Olzak

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.

Account Information

Contact Tom Olzak

Your message has been sent
|
See all of Tom's content

Editor's Picks

Image: Rawpixel/Adobe Stock

TechRepublic Premium
TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

TechRepublic Staff
Published: March 14, 2023, 9:10 AM EDT Modified: March 15, 2023, 9:16 AM EDT Read More See more TechRepublic Premium
Image: Blue Planet Studio/Adobe Stock

Payroll
The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

Ali Azhar
Published: February 28, 2023, 11:11 AM EST Modified: March 20, 2023, 4:45 PM EDT Read More See more Payroll
Image: Microsoft.

Software
Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

Mary Branscombe
Published: February 28, 2023, 2:59 PM EST Modified: February 28, 2023, 2:59 PM EST Read More See more Software
Image: tanatat/Adobe Stock

CXO
Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Owen Hughes
Published: March 3, 2023, 3:12 PM EST Modified: March 16, 2023, 12:56 PM EDT Read More See more CXO
Image: Nuthawut/Adobe Stock

Software
The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

Brenna Miles
Published: December 27, 2022, 11:45 AM EST Modified: March 16, 2023, 2:25 PM EDT Read More See more Software
Image: Song_about_summer/Adobe Stock

Security
1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

Karl Greenberg
Published: March 2, 2023, 3:44 PM EST Modified: March 7, 2023, 4:10 PM EST Read More See more Security

PURPOSE This Media disposal policy from TechRepublic Premium provides specific instructions for ensuring organization data is properly protected when disposing of old storage media. From the policy: POLICY DETAILS When disposing of damaged, unusable, obsolete, off-lease, decommissioned, old, or end-of-service-life equipment and media, the organization requires that the guidelines outlined herein be followed: Hard drives, ...

PURPOSE To take some of the effort out of writing (and rewriting) emails to share with company staff and executives, TechRepublic Premium has assembled basic templates to handle the most common types of communications. Simply copy the text into your favorite word processor and customize it to fit your needs. Then, paste it into an ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for developing mobile applications from a security, procedural and best practices standpoint. While it contains technical guidelines, it is not intended to serve as a programming guide but as a framework for operations. This policy can be customized as needed to fit ...

Managing risk starts with asking the right questions

Managing risk starts with asking the right questions

Editor's Picks

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

The Best Human Resources Payroll Software of 2023

Windows 11 update brings Bing Chat into the taskbar

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

The 10 best agile project management software for 2023

1Password is looking to a password-free future. Here’s why

Media disposal policy

IT email templates: Upcoming software release

Mobile app development policy

New client audit checklist

Account Information

Managing risk starts with asking the right questions

Daily Tech Insider Newsletter

Account Information

Share with Your Friends

Account Information

Contact Tom Olzak

Editor's Picks

Daily Tech Insider Newsletter