Ch 1 assets
1.
2. Example of Security
Low
• Loss should have a limited effect on Org operations, assets or individuals
• Cause degradation in mission capability
• Reduce effectiveness of function
• Minor damage to assets
• Minor functional loss
• Minor harm to individual
3. Example of Security
Moderate
• Loss should have a serious effect on Org operations, assets or individuals
• Cause significant degradation in mission capability
• Significantly reduce effectiveness of function
• Significant damage to assets
• Significant functional loss
• Significant harm to individual
4. Example of Security
High
• Loss should have a severe effect on Org operations, assets or individuals
• Cause severe degradation in mission capability
• Organization is not able to perform one or more primary functions
• Major damage to assets
• Major functional loss
• Major harm to individual
6. Challenges for Security
• Not simple, major requirement of CIA
• While designing a security mechanism, consider potential attacks.
• Security mechanisms are complex
• It is necessary to decide where to use them (physical / logical).
• Involves more than one protocol/algorithm, problem of secret information (encryption key)
7. Challenges for Security
• War between attacker and admin/designer
• Problem of human tendency, security investment until failure
• Need regular, constant monitoring
• Security is often an afterthought (consider it at design time)
8. Risk and Threat Analysis
• Risk analysis is the review of the data gathered and the analysis of risk
• The risk assessment team determines asset values, system criticality, likely threats, and the existence of vulnerabilities.
• Risk calculations
– Risk = Assets × Threats × Vulnerabilities
9. Risk and Threat Analysis
Assets
• Those items that an organization wishes to protect.
• An asset can be any data, device or other component that supports information-related security.
• Assets can be hardware, software, confidential information.
• Valuing assets scopes and guides the security risk assessment
10. Risk and Threat Analysis
Threats
• An undesired event that may result in loss, disclosure or damage to an org asset.
• A threat is a potential for violation of security
• It exists when there is a circumstance, capability, action or event that could breach security
• A threat can be identified by the damage done to an asset.
– Spoofing identity of users
– Information may be disclosed
– User gets more privileges
11. Risk and Threat Analysis
Vulnerability
• A vulnerability is a weakness in the information infrastructure of the org.
• It will accidentally or intentionally damage the asset
• Vulnerabilities can be
– Programs with unnecessary privilege
– Accounts with default password not changed
– Programs with known faults.
– Weak access control
– Weak firewall.
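The risk calculation from slide 8 applied to a small risk register, as an added example that is not part of the original slides. The 0 to 3 scale, the band thresholds and the register entries are constructed assumptions; the threat and vulnerability names are taken from slides 10 and 11.

```python
# Added example: scale, thresholds and register rows are constructed assumptions.
from dataclasses import dataclass

# Assumed numeric scale for the Low / Moderate / High levels of slides 2-4.
LEVELS = {"none": 0, "low": 1, "moderate": 2, "high": 3}

@dataclass(frozen=True)
class Entry:
    asset: str
    asset_value: str    # impact level if the asset is lost
    threat: str
    threat_level: str   # how likely the threat is
    vulnerability: str
    vuln_level: str     # how exposed the weakness is ("none" = remediated)

def risk_score(e: Entry) -> int:
    """Risk = Assets x Threats x Vulnerabilities on the assumed 0-3 scale."""
    return LEVELS[e.asset_value] * LEVELS[e.threat_level] * LEVELS[e.vuln_level]

def risk_band(score: int) -> str:
    """Assumed banding of the 0..27 product back into a level."""
    if score == 0:
        return "none"
    if score <= 4:
        return "low"
    if score <= 12:
        return "moderate"
    return "high"

def rank(register):
    """Return (score, band, entry) tuples, highest risk first."""
    scored = [(risk_score(e), risk_band(risk_score(e)), e) for e in register]
    return sorted(scored, key=lambda t: t[0], reverse=True)

# Constructed sample register.
REGISTER = [
    Entry("customer database", "high", "information disclosure", "moderate",
          "weak access control", "high"),
    Entry("admin console", "high", "spoofing identity of users", "high",
          "default password not changed", "none"),  # password already changed
    Entry("print server", "low", "user gets more privileges", "moderate",
          "program with unnecessary privilege", "high"),
    Entry("perimeter network", "moderate", "information disclosure", "moderate",
          "weak firewall", "moderate"),
]

if __name__ == "__main__":
    for score, band, e in rank(REGISTER):
        print(f"{score:>2} {band:<8} {e.asset}: {e.threat} via {e.vulnerability}")
```

Because the three factors are multiplied, the admin console scores 0 once its vulnerability is remediated, even though both the asset value and the threat level are high.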