Classification of Security Risks: Critical, High, Medium, Low and Warning

Discussion in 'Computer Security' started by dfox138, Dec 30, 2005.

  1. dfox138

    dfox138 Guest

    Appreciate any comments/suggestions/pointers to the following security
    risk classification system:

    (Did google, but could not find ones that meet my needs :-(

    Critical - If an attack hits the target or a target is compromised,
    the intruder could use the compromised target to springboard to/attack
    other systems, e.g., password, some worms, or the classified
    information/data disclosed to unauthorized parties.

    High - 1) If an attack hits the target, the compromised target will
    stop functioning/malfunctioning, e.g., denial of service, but would not
    attack/spread to other systems. 2) "weak" password policy, 3) no
    security agreement with extranet connections with 3rd parties.

    Medium - 1) Lack of such implementations makes forensic / auditing
    activities impossible. 2) If an attack hits the target, the compromised
    target will sloooow down.

    Low - User's security awareness training

    Warning - Lack of implementation of "some best practice", for lack of
    better words, e.g., warning message prior to anyone logging on.

    Any comments/suggestions/pointers are appreciated.

    DF
     
    dfox138, Dec 30, 2005
    #1

  2. dfox138

    Guest

    dfox138 <> wrote:
    > Appreciate any comments/suggestions/pointers to the following security
    > risk classification system:
    >
    > (Did google, but could not find ones that meet my needs :-(
    >
    > Critical - If an attack hits the target or a target is compromised,
    > the intruder could use the compromised target to springboard to/attack
    > other systems, e.g., password, some worms, or the classified
    > information/data disclosed to unauthorized parties.
    >
    > High - 1) If an attack hits the target, the compromised target will
    > stop functioning/malfunctioning, e.g., denial of service, but would not
    > attack/spread to other systems. 2) "weak" password policy, 3) no
    > security agreement with extranet connections with 3rd parties.
    >
    > Medium - 1) Lack of such implementations makes forensic / auditing
    > activities impossible. 2) If an attack hits the target, the compromised
    > target will sloooow down.
    >
    > Low - User's security awareness training
    >
    > Warning - Lack of implementation of "some best practice", for lack of
    > better words, e.g., warning message prior to anyone logging on.
    >
    > Any comments/suggestions/pointers are appreciated.


    It is totally unclear to me on what basis you ordered these. Also, it is
    not at all clear whether you are talking about specific attacks (cf.
    'worms' in the description of critical problems) or vulnerabilities.

    For instance, if I look at 'critical' and 'high', I could think you are
    talking about what hosts to secure first. But 'medium' is clearly about
    something entirely different. Also, it essentially repeats the denial of
    service already mentioned under 'high'.

    Also, users' security awareness training is one of the most important
    aspects, as desktop computers usually provide very easy entrance points
    into the organisation. And while they may not be very useful in
    compromising the servers, it is typically quite possible to get a good
    chunk of data off the servers.

    There have been numerous, mostly inconclusive, attempts at a
    classification system over the years. You may wish to search the
    Full-Disclosure archives at lists.grok.org.uk.

    Joachim
     
    , Dec 30, 2005
    #2
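The reply above asks on what basis the levels are ordered and points out that the scheme mixes attack outcomes (worms, denial of service) with missing controls (no forensic capability). The following is an added example, not code from anyone in this thread, of one explicit basis: a likelihood-by-impact matrix for attack outcomes, with a missing control rated through the worst outcome it leaves open. The 1..4 scales, the matrix cells and the scores given to the sample findings are assumptions for illustration, not values the thread or any standard prescribes.

```python
"""Rate findings on one explicit basis (likelihood x impact), and rate a
missing control through the attack scenarios it leaves open, so that
'no audit logging' and 'denial of service' end up on the same scale.

Added example for this thread; the scales and matrix below are assumed,
not something the thread or any standard specifies."""
from dataclasses import dataclass
from typing import List, Tuple

# Ordered from least to most severe; the index is used to compare levels.
LEVELS = ["Warning", "Low", "Medium", "High", "Critical"]

# Assumed 4x4 matrix: MATRIX[likelihood - 1][impact - 1].
# Likelihood 1 = rare .. 4 = expected; impact 1 = slowdown .. 4 = springboard
# into other systems or disclosure of classified data.
MATRIX = [
    ["Warning", "Low",    "Medium",   "High"],
    ["Low",     "Medium", "High",     "High"],
    ["Low",     "Medium", "High",     "Critical"],
    ["Medium",  "High",   "Critical", "Critical"],
]


@dataclass(frozen=True)
class Scenario:
    """What happens if an attack hits the target (an outcome, not a control)."""
    description: str
    likelihood: int
    impact: int


@dataclass(frozen=True)
class Finding:
    """A weak or missing control, rated by the worst scenario it leaves open."""
    name: str
    scenarios: Tuple[Scenario, ...] = ()


def rate_scenario(s: Scenario) -> str:
    if not (1 <= s.likelihood <= 4 and 1 <= s.impact <= 4):
        raise ValueError(f"likelihood/impact must be 1..4: {s}")
    return MATRIX[s.likelihood - 1][s.impact - 1]


def rate_finding(f: Finding) -> str:
    # A deviation with no concrete attack outcome behind it (e.g. a missing
    # logon banner) is a best-practice gap only, which is the 'Warning' level.
    if not f.scenarios:
        return "Warning"
    return max((rate_scenario(s) for s in f.scenarios), key=LEVELS.index)


def triage(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (finding, level) pairs, most severe first (stable for ties)."""
    rated = [(f.name, rate_finding(f)) for f in findings]
    return sorted(rated, key=lambda r: LEVELS.index(r[1]), reverse=True)


# Constructed sample findings drawn from the items the original post lists;
# the numbers are assumed scores, not the poster's.
SAMPLE_FINDINGS = [
    Finding("weak password policy", (
        Scenario("guessed credentials used to pivot to other hosts", 3, 4),
    )),
    Finding("service exposed to denial of service", (
        Scenario("target stops functioning; no spread", 3, 3),
    )),
    Finding("no audit logging on the server", (
        Scenario("intrusion cannot be reconstructed or scoped", 2, 3),
    )),
    Finding("no warning banner before logon"),
]

if __name__ == "__main__":
    for name, level in triage(SAMPLE_FINDINGS):
        print(f"{level:9} {name}")
```

With these assumed scores the weak password policy outranks the denial-of-service case because its worst scenario spreads to other systems, and the logging gap lands on the same scale as both rather than in a separate category; changing the scores changes the order, which is the point: the basis is written down and can be argued about.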

  3. dfox138

    dfox138 Guest

    Hi Joachim;

    Thanks for your comments/input.

    Would you please share an IT security risk classification system you
    like most?

    Many thanks in advance!

    DF
     
    dfox138, Dec 30, 2005
    #3
  4. dfox138

    dfox138 Guest

    If backup tapes are not serialized, what type of risk would it be? Is
    it high, medium or low? (If backup tapes are not serialized, the
    administrator or an auditor could not account if any destroyed,
    retired, in-use, off-site storage backup tapes are missing.)

    If a server is not hardened or locked down according to industry best
    practice, what type of risk would it be? Is it high, medium, or low?

    If there is no documented disaster recovery plan, what type of risk
    would it be? Is it high, medium, or low?
     
    dfox138, Dec 30, 2005
    #4
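The post above asks what the risk of unserialized backup tapes is and explains why: without a unique identifier per tape nobody can account for which destroyed, retired, in-use or off-site tapes are missing. The following is an added example, not code from anyone in this thread, that makes that concrete: a per-serial reconciliation of an inventory against a physical scan, next to the count-only check that is all an unserialized inventory allows. The inventory records, state names, locations and the scan results are constructed sample data.

```python
"""Reconcile a serialized backup-tape inventory against a physical scan.
Added example for this thread; the inventory, states and scan below are
constructed sample data, not something from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Set

STATES = {"in-use", "off-site", "retired", "destroyed"}


@dataclass(frozen=True)
class Tape:
    serial: str     # unique media identifier (barcode label)
    state: str      # one of STATES
    location: str   # where the inventory says the tape is


INVENTORY: List[Tape] = [
    Tape("T0001", "in-use", "library"),
    Tape("T0002", "in-use", "library"),
    Tape("T0003", "off-site", "vault"),
    Tape("T0004", "retired", "cage"),
    Tape("T0005", "destroyed", "n/a"),   # should exist only as a destruction record
]

# Scan: location -> serials read from labels at that location. Here the
# retired tape T0004 has walked out of the cage and an unknown tape T0099
# sits in its slot, so the count per location is unchanged.
SCAN: Dict[str, Set[str]] = {
    "library": {"T0001", "T0002"},
    "vault": {"T0003"},
    "cage": {"T0099"},
}


def expected_on_hand(inventory: List[Tape]) -> Dict[str, Tape]:
    """Serials that must still be physically somewhere; destroyed media must not be."""
    for t in inventory:
        if t.state not in STATES:
            raise ValueError(f"unknown state {t.state!r} for {t.serial}")
    return {t.serial: t for t in inventory if t.state != "destroyed"}


def reconcile(inventory: List[Tape], scan: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Per-serial reconciliation: what is missing, unexpected, or misplaced."""
    expected = expected_on_hand(inventory)
    seen: Dict[str, str] = {}
    for location, serials in scan.items():
        for serial in serials:
            if serial in seen:
                raise ValueError(f"{serial} scanned at both {seen[serial]} and {location}")
            seen[serial] = location
    return {
        "missing": sorted(s for s in expected if s not in seen),
        "unexpected": sorted(s for s in seen if s not in expected),
        "misplaced": sorted(s for s, loc in seen.items()
                            if s in expected and expected[s].location != loc),
    }


def reconcile_by_count(inventory: List[Tape], scan: Dict[str, Set[str]]) -> bool:
    """What an audit without serials reduces to: does the number of tapes match?"""
    expected = len(expected_on_hand(inventory))
    observed = sum(len(serials) for serials in scan.values())
    return expected == observed


if __name__ == "__main__":
    print(reconcile(INVENTORY, SCAN))           # flags T0004 missing, T0099 unexpected
    print(reconcile_by_count(INVENTORY, SCAN))  # True: the substitution is invisible
```

The serialized check names the tape that left (the retired one, which still holds data) and the foreign tape that replaced it; the count-only check passes. The same "unexpected" bucket catches a tape recorded as destroyed that is still on a shelf, which a count alone would only show as an off-by-one with no indication of which tape it is.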
  5. martin

    martin Guest

    Re: Classification of Security Risks: Critical, High, Medium, Low and Warning

    dfox138 wrote:
    > If backup tapes are not serialized, what type of risk would it be? Is
    > it high, medium or low? (If backup tapes are not serialized, the
    > administrator or an auditor could not account if any destroyed,
    > retired, in-use, off-site storage backup tapes are missing.)
    >
    > If a server is not hardened or locked down according to industry best
    > practice, what type of risk would it be? Is it high, medium, or low?
    >
    > If there is no documented disaster recovery plan, what type of risk
    > would it be? Is it high, medium, or low?
    >

    three thoughts come to mind...

    1 - do your own homework
    2 - pay for a security consultant to help you out
    3 - go and do a training course

    We charge very reasonable rates :)
     
    martin, Dec 30, 2005
    #5
  6. Winged

    Winged Guest

    Re: Classification of Security Risks: Critical, High, Medium, Low and Warning

    dfox138 wrote:
    > Appreciate any comments/suggestions/pointers to the following security
    > risk classification system:
    >
    > (Did google, but could not find ones that meet my needs :-(
    >
    > Critical - If an attack hits the target or a target is compromised,
    > the intruder could use the compromised target to springboard to/attack
    > other systems, e.g., password, some worms, or the classified
    > information/data disclosed to unauthorized parties.
    >
    > High - 1) If an attack hits the target, the compromised target will
    > stop functioning/malfunctioning, e.g., denial of service, but would not
    > attack/spread to other systems. 2) "weak" password policy, 3) no
    > security agreement with extranet connections with 3rd parties.
    >
    > Medium - 1) Lack of such implementations makes forensic / auditing
    > activities impossible. 2) If an attack hits the target, the compromised
    > target will sloooow down.
    >
    > Low - User's security awareness training
    >
    > Warning - Lack of implementation of "some best practice", for lack of
    > better words, e.g., warning message prior to anyone logging on.
    >
    > Any comments/suggestions/pointers are appreciated.
    >
    > DF
    >

    Secunia has a good definition page that I believe better defines categories:

    http://secunia.com/about_secunia_advisories/?menu=info

    You do not define your usage of the various terms, but Secunia's are
    pretty clear.

    Winged
     
    Winged, Jan 5, 2006
    #6