A DETAILED OVERVIEW OF RISK ANALYSIS
Risk is defined as a possibility of losing some or all data that is of utmost important to an organization.
Understanding the potential RISK and taking necessary actions to reduce the same would not only prove to be Fruitful but also help in preventing any threat to the Organization.
In other words, RISK ANALYSIS is the process to identify and assess factors that may jeopardize the success of a project or achieving a goal.
There can never be a scenario where security measures assure a 100% protection against all threats. Risk Analysis is therefore a process that evaluates the vulnerabilities and threats as part of Risk Management.
The process of analysis will identify the consequences which would be associated with the Vulnerabilities or threat so as to provide a cost-effective security solution.
Majority of the risk analysis solution would try to create a balance between the impact of risk and the cost of security solutions that would be needed to manage them.
To improve the Process of RISK ANALYSIS the definition of threat holds utmost importance.
This will not only allow us to articulate the threat but also clearly understand the entities that would be involved in the incident.
The below flow chart will help us understand the analysis that can be taken to work on any RISK.
Risk Analysis Terminology
Asset – Something that would be of value to the organization and would require protection.
Threat – Any potential negative action or event that can result in damage to the system or network or organization in any form. This is majorly facilitated due to vulnerability.
Vulnerability – When there exists any weakness that can be exploited by any attacker who would then take advantage of the data captured from the computer system is known as vulnerability.
Countermeasure – The methods or tools that can be used to reduce any vulnerability is known as a countermeasure.
Expected Loss – The negative impact of a vulnerability being exploited by an attacker.
Impact – Losses as a result of threat activity are normally expressed in one or more impact areas. Four areas are commonly used: Destruction, Denial of Service, Disclosure, and Modification.
To Understand how we characterize these terminologies let’s try to answer few of the questions that would help us analyse more about what needs to be taken care of in analysing a risk.
- What is it?
->Is it a server, a host machine, an application, a software etc
- What kind data does it hold?
->Clients credentials, Organizations financial data, an unpatented software and so on
- Who is the vendor?
->The device is it related to the company or is owned by the organization and provided support by another.
- What are the internal and external interfaces that are present?
->As in the first question if it is a server or a router or a switch or any other device which is the interface or port that is internal or external that are present and can be vulnerable.
- Who uses it?
->is it the CEO, the HR, the engineer, the client depending on the criticality and the data stored we can move ahead to understand the risk parameters involved in each of the system or the device or the software.
- What is the data flow?
->whatever data is being stored or used. How is the data travelling from the system to the network and vice versa, understanding this would not only help us understand the loopholes in the flow but also help us analyse the threat it possesses.
The Above questions and their subjective answers would help us determine the Asset as well as the type of data that the Asset holds. This will not only help us streamline our analysis but also help us to identify and select those areas which would be at the higher Risk.
Moving forward we would determine the methods to Identify Threats.
To understand what threats poses Risk to the Asset and the organization we need to understand what kinds of threats are present.
- Unauthorized Access– This can include getting access to any device, system or also the organization without being authorized or having the legal permission or documents or credentials.
- Information Misuse– This kind of threat can be internal or external. A privilege user can provide the confidential information to an outside source similarly it is also possible to use the internal information against the organization.
- Data Leakage– Once a device has been attacked and the information is leaked the attacker can use the data against the organization or can make it inaccessible to the authorized person and can defame the organization too. This also includes unintentional exposure of information such as unencrypted CD rom or a USB which is not password protected or any shared drive on the network can also have important information which can be misused if it is not protected.
These are some of the important points that are threats and should be considered in Risk Analysis. Threat also includes 2 more points as
- Data Loss
- Service/Production Disruption
As the above 2 points are the outcome of the earlier 3 threats mentioned Risk Analysis will include measures to be taken care when trying to implement a threat model and identify the same.
The next two terminologies are Vulnerabilities and their Countermeasure’s.
As defined earlier where there is a vulnerability it indicates it is a weakness in the system and that needs to be rectified or patched. The process of patching a vulnerability can be called a countermeasure also trying to find an alternative to the weakness so that it is not impacting the Asset is also considered as a Countermeasure.
To Find out the Weakness in any organization or in any system we would need to perform Vulnerability Assessment.
The Ability to identify the weakness in any system and protect it from attacks is called Vulnerability Assessment.
This includes multiple types of Assessment.
- Application Based
- Network Based
- Wireless Based
As mentioned in the Asset section an asset can be anything a device, a server, or a host. So, a weakness in any of the asset can be exploit by taking advantage of the vulnerability and then an attack can be performed.
Performing different types of vulnerability assessment in the Risk Analysis would ensure that all the possible sections where weakness can exist is take care of.
Once the Assessment is carried out the team can move ahead to understand the criticality of the weakness and then depending on the high, medium, low, and informative weakness Countermeasures can be taken to resolve them.
A dedicated team would be assigned to perform the assessment. This team would create a detailed report and provide remediation of each and every type of vulnerability that would be identified. This will not only help the organization reduce the risk of vulnerability but also prevent in any type of potential threat that can occur.
Risk Analysis would include performing this activity of assessment every quarter to keep track of the upcoming threats reduce the impact of the same.
We are now left with the final 2 Terminologies and they are Expected loss and Impact.
Expected Loss and Impact goes hand in hand and these parameters depends on the type of threat, depth of the vulnerability and the way it will be exploited depending upon what kind of information is being leaked or misused.
Let’s understand this further. On identifying a threat Risk Analysis procedure, we decide what kind of threat it is what kind of Asset is under the threat.
Once the Asset and Threat is Identified the team will then try to understand what if the threat that is identified is executed which means what if the vulnerability is exploited? This will give an overview of how much data is being lost what is being lost and how can it be lost.
So, When Expected Loss is to be considered we need to understand the above 4 Terminologies and accordingly understand the condition.
However, to Understand Impact we will again have to analyse how big the loss is. As mentioned in the definition Impact can be the threat it possesses for e.g.: if there is Denial of Service attack on the organization the Impact would be all the clients as well as the employees are unable to use the services and the production would stop until this is fixed. This would indirectly mean the company loses the reputation and as the production goes down there is a loss of Money too.
Get In Touch
How Can We Help ?
We make your product happen. Our dynamic, robust and scalable solutions help you drive value at the greatest speed in the market