Risk Analysis and Management
- Risk Analysis & Management. Võ Viết Minh Nhật, Faculty of Information Technology (Khoa CNTT), University of Sciences (Trường ĐHKH)
- Outline: Introduction; Definition of risk; Vulnerability; Threat; Identifying risk for an organization; Measuring risk
- Introduction. Security is about managing risk. Without an understanding of the security risks to an organization’s information assets, too many or not enough resources might be used, or used in the wrong way. Risk management also provides a basis for valuing information assets. By identifying risk, you learn the value of particular types of information and the value of the systems that contain that information.
- What is risk? Risk is the underlying concept that forms the basis for what we call “security.” Risk is the potential for loss that requires protection. If there is no risk, there is no need for security. And yet risk is a concept that is barely understood by many who work in the security industry.
- What is risk? Example from the insurance industry: how much is the car repair likely to cost? How likely is it that the person will be in an accident? These are the two components of risk: the money needed for the repair => vulnerability; the likelihood of the person getting into an accident => threat.
- Relationship between vulnerability and threat
- Vulnerability. A vulnerability is a potential avenue of attack. Vulnerabilities may exist in computer systems and networks, allowing the system to be open to a technical attack, or in administrative procedures, allowing the environment to be open to a non-technical or social engineering attack.
- Vulnerability A vulnerability is characterized by the difficulty and the level of technical skill that is required to exploit it. For instance, a vulnerability that is easy to exploit (due to the existence of a script to perform the attack) and that allows the attacker to gain complete control over a system is a high-value vulnerability. On the other hand, a vulnerability that would require the attacker to invest significant resources for equipment and people and would only allow the attacker to gain access to information that was not considered particularly sensitive would be considered a low-value vulnerability. Vulnerabilities are not just related to computer systems and networks. Physical site security, employee issues, and the security of information in transit must all be examined.
- Threat. A threat is an action or event that might violate the security of an information systems environment. There are three components of threat: Targets: the aspect of security that might be attacked. Agents: the people or organizations originating the threat. Events: the type of action that poses the threat.
- Targets. The targets of a threat or attack are generally the security services: confidentiality, integrity, availability, and accountability. Confidentiality is targeted when the disclosure of information to unauthorized individuals or organizations is the motivation. Examples: government information, salary information, or medical histories. Integrity is the target when the threat wishes to change information. Examples: a bank account balance, an important database.
- Targets. Availability (of information, applications, systems, or infrastructure) is targeted through the performance of a denial-of-service attack. Threats to availability can be short-term or long-term. Accountability is rarely targeted. The purpose of such an attack is to prevent an organization from reconstructing past events. Accountability may be targeted as a prelude to an attack against another target, such as to prevent the identification of a database modification or to cast doubt on the security mechanisms actually in place within an organization.
- Targets. A threat may have multiple targets. For example, accountability may be the initial target, to prevent a record of the attacker’s actions from being recorded, followed by an attack against the confidentiality of critical organizational data.
- Agents. The agents of threat are the people who may wish to do harm to an organization. To be a credible part of a threat, an agent must have three characteristics: Access: the ability an agent has to get to the target. Knowledge: the level and type of information an agent has about the target. Motivation: the reasons an agent might have for posing a threat to the target.
- Access An agent must have access to the system, network, facility, or information that is desired. This access may be direct (for example, the agent has an account on the system) or indirect (for example, the agent may be able to gain access to the facility through some other means). The access that an agent has directly affects the agent’s ability to perform the action necessary to exploit a vulnerability and therefore be a threat. A component of access is opportunity. Opportunity may exist in any facility or network just because an employee leaves a door propped open.
- Knowledge. An agent must have some knowledge of the target. The knowledge useful to an agent includes: user IDs, passwords, locations of files, physical access procedures, names of employees, access phone numbers, network addresses, and security procedures.
- Knowledge The more familiar an agent is with the target, the more likely it is that the agent will have knowledge of existing vulnerabilities. Agents that have detailed knowledge of existing vulnerabilities will likely also be able to acquire the knowledge necessary to exploit those vulnerabilities.
- Motivation. An agent requires motivation to act against the target. Motivation is usually the key characteristic to consider regarding an agent, as it may also identify the primary target. Motivations to consider include: Challenge: a desire to see if something is possible and be able to brag about it. Greed: a desire for gain; this may be a desire for money, goods, services, or information. Malicious intent: a desire to do harm to an organization or individual.
- Agents to Consider. A threat occurs when an agent with access and knowledge gains the motivation to take action. Based on the existence of all three factors, the following agents must be considered. Employees have the necessary access and knowledge to systems because of their jobs; the question is whether they have the motivation to do harm to the organization. They must be counted when conducting a risk analysis.
- Agents to Consider. Ex-employees have the necessary knowledge of systems due to the jobs that they held, and may still have access to systems. Their motivation depends upon the circumstances of the separation, for example, if the ex-employee bears a grudge against the organization.
- Agents to Consider. Hackers are always assumed to have a motivation to do harm to an organization. They may or may not have detailed knowledge of an organization’s systems and networks. Access may be acquired if the appropriate vulnerabilities exist within the organization.
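As an added illustration (not part of the original slides), a small Python model of the rules in this deck: a vulnerability's value from how easy it is to exploit and how much it gives the attacker, an agent that is a credible threat only when access, knowledge and motivation are all present, and a risk ranking over every vulnerability/agent pair. The vulnerability names, agents and ratings are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from itertools import product

# Constructed example: the rating scale and sample data below are assumptions
# chosen to illustrate the deck's risk model, not real assessment data.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Vulnerability:
    name: str
    ease_of_exploit: str  # "high" = a ready-made script exists, "low" = needs major resources
    impact: str           # "high" = complete control of the system, "low" = non-sensitive data
    target: str           # security service attacked: confidentiality, integrity, availability, accountability

    def value(self) -> int:
        # High-value vulnerability = easy to exploit AND high impact (as the slides describe).
        return LEVELS[self.ease_of_exploit] * LEVELS[self.impact]


@dataclass(frozen=True)
class Agent:
    name: str
    access: bool      # direct (an account) or indirect (a propped-open door) access to the target
    knowledge: bool   # user IDs, file locations, network addresses, procedures, ...
    motivation: bool  # challenge, greed or malicious intent

    def is_credible(self) -> bool:
        # A threat exists only when all three characteristics are present.
        return self.access and self.knowledge and self.motivation


def risk_score(vuln: Vulnerability, agent: Agent) -> int:
    """No credible threat means no risk; otherwise the vulnerability's value is the risk."""
    return vuln.value() if agent.is_credible() else 0


def rank_risks(vulns, agents):
    """(vulnerability, agent, score) triples for credible threats only, highest risk first."""
    pairs = [(v.name, a.name, risk_score(v, a)) for v, a in product(vulns, agents)]
    return sorted([p for p in pairs if p[2] > 0], key=lambda p: -p[2])


# Constructed sample inputs for the demo.
VULNS = [
    Vulnerability("unpatched service with public exploit script", "high", "high", "confidentiality"),
    Vulnerability("audit logs writable by operators", "medium", "low", "accountability"),
]
AGENTS = [
    Agent("current employee", access=True, knowledge=True, motivation=False),
    Agent("ex-employee with a grudge and a still-active account", access=True, knowledge=True, motivation=True),
    Agent("outside hacker with no foothold yet", access=False, knowledge=False, motivation=True),
]

if __name__ == "__main__":
    for vuln, agent, score in rank_risks(VULNS, AGENTS):
        print(f"risk {score}: {vuln} <- {agent}")
```

Only the ex-employee satisfies all three agent characteristics here, so only that agent produces non-zero risk; the current employee lacks motivation and the outside hacker lacks access and knowledge until a vulnerability supplies them.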