Velocity Reviews - Computer Hardware Reviews
Classification of Security Risks: Critical, High, Medium, Low and Warning

dfox138
      12-30-2005
Appreciate any comments/suggestions/pointers to the following security
risk classification system:

(Did google, but could not find one that meets my needs.)

Critical - If an attack hits the target or a target is compromised,
the intruder could use the compromised target to springboard to/attack
other systems, e.g., password, some worms, or the classified
information/data disclosed to unauthorized parties.

High - 1) If an attack hits the target, the compromised target will
stop functioning/malfunctioning, e.g., denial of service, but would not
attack/spread to other systems. 2) "weak" password policy, 3) no
security agreement with extranet connections with 3rd parties.

Medium - 1) Lack of such implementations makes forensic / auditing
activities impossible. 2) If an attack hits the target, the compromised
target will sloooow down.

Low - User's security awareness training

Warning - Lack of implementation of "some best practice", for lack of
better words, e.g., a warning message before anyone logs on.

Any comments/suggestions/pointers are appreciated.

DF

 
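The five tiers from the post above, written out as a decision procedure so that the precedence between clauses is explicit. This is an added example, not code from the thread: the consequence tags, the rule that the most severe matching clause wins, the "Unclassified" outcome for findings no clause covers, and the tagging of the constructed sample findings (including the three items from dfox138's follow-up post) are editorial assumptions.

```python
"""Five-tier classification from the opening post, as a decision procedure.

Added example, not code from the thread.  The consequence tags, the
precedence rule (most severe matching clause wins), the "Unclassified"
outcome and the tagging of the constructed sample findings are all
editorial assumptions.
"""
from dataclasses import dataclass, field

# Most severe first; the index doubles as the sort key.
TIERS = ("Critical", "High", "Medium", "Low", "Warning")

# Consequence tag -> (tier, clause of the opening post it encodes).
RULES = {
    "pivot_to_other_systems":    ("Critical", "compromised target used as a springboard"),
    "classified_data_disclosed": ("Critical", "classified data disclosed to unauthorized parties"),
    "target_stops_functioning":  ("High",     "denial of service, does not spread"),
    "weak_password_policy":      ("High",     "weak password policy"),
    "no_third_party_agreement":  ("High",     "no security agreement on extranet connections"),
    "audit_impossible":          ("Medium",   "forensics / auditing impossible"),
    "target_slows_down":         ("Medium",   "compromised target slows down"),
    "awareness_training_gap":    ("Low",      "user security awareness training"),
    "best_practice_gap":         ("Warning",  "a best practice is not implemented"),
}


@dataclass
class Finding:
    name: str
    consequences: set = field(default_factory=set)


def classify(finding):
    """Return (tier, reason) for a finding.

    A finding with several consequences (a worm that both spreads and
    knocks the host over) takes the most severe matching tier.  A
    finding no clause covers is reported as Unclassified instead of
    being quietly dropped into the lowest bucket, so the gap is visible.
    """
    matches = [(TIERS.index(RULES[tag][0]), tag)
               for tag in finding.consequences if tag in RULES]
    if not matches:
        return "Unclassified", "no clause of the scheme covers this finding"
    rank, tag = min(matches)
    return TIERS[rank], RULES[tag][1]


# Constructed sample findings: the OP's own examples plus the three
# items from the follow-up post.  Tags are editorial assumptions.
SAMPLE_FINDINGS = [
    Finding("worm-susceptible host", {"pivot_to_other_systems", "target_stops_functioning"}),
    Finding("extranet link, no agreement", {"no_third_party_agreement"}),
    Finding("backup tapes not serialized", {"audit_impossible"}),
    Finding("server not hardened", set()),
    Finding("no documented DR plan", set()),
    Finding("no pre-logon banner", {"best_practice_gap"}),
]


def classify_all(findings=SAMPLE_FINDINGS):
    """Map finding name -> tier for a list of findings."""
    return {f.name: classify(f)[0] for f in findings}


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        tier, why = classify(f)
        print(f"{f.name:30} {tier:13} {why}")
```

Run as a script it prints one line per sample finding. The two follow-up items that describe a missing control rather than an attack consequence come out as Unclassified, which makes the scheme's gap visible instead of hiding it in the Warning bucket.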
jKILLSPAM.schipper@math.uu.nl
      12-30-2005
dfox138 <> wrote:
> Appreciate any comments/suggestions/pointers to the following security
> risk classification system:
> [...]


It is totally unclear to me on what basis you ordered these. Also, it is
not at all clear whether you are talking about specific attacks (cf.
'worms' in the description of critical problems) or vulnerabilities.

For instance, if I look at 'critical' and 'high', I could think you are
talking about what hosts to secure first. But 'medium' is clearly about
something entirely different. Also, it essentially repeats the denial of
service already mentioned under 'high'.

Also, users' security awareness training is one of the most important
aspects, as desktop computers usually provide very easy entrance points
into the organisation. And while they may not be very useful in
compromising the servers, it is typically quite possible to get a good
chunk of data off the servers.

There have been numerous, mostly inconclusive, attempts at a
classification system over the years. You may wish to search the
Full-Disclosure archives at lists.grok.org.uk.

Joachim
 
dfox138
      12-30-2005
Hi Joachim,

Thanks for your comments/input.

Would you please share an IT security risk classification system you
like most?

Many thanks in advance!

DF

 
dfox138
      12-30-2005
If backup tapes are not serialized, what type of risk would it be? Is
it high, medium or low? (If backup tapes are not serialized, the
administrator or an auditor could not account if any destroyed,
retired, in-use, off-site storage backup tapes are missing.)

If a server is not hardened or locked down according to industry best
practice, what type of risk would it be? Is it high, medium, or low?

If there is no documented disaster recovery plan, what type of risk
would it be? Is it high, medium, or low?

 
martin
      12-30-2005
dfox138 wrote:
> If backup tapes are not serialized, what type of risk would it be? Is
> it high, medium or low?
> [...]

three thoughts come to mind...

1 - do your own homework
2 - pay for a security consultant to help you out
3 - go and do a training course

We charge very reasonable rates
 
Winged
      01-05-2006
dfox138 wrote:
> Appreciate any comments/suggestions/pointers to the following security
> risk classification system:
> [...]

Secunia has a good definition page that I believe better defines categories:


http://secunia.com/about_secunia_advisories/?menu=info

You do not define your usage of the various terms, but Secunia's are
pretty clear.

Winged
 