Classification of Security Risks: Critical, High, Medium, Low and Warning

Discussion in 'Computer Security' started by dfox138, Dec 30, 2005.

  1. dfox138

    dfox138 Guest

    Appreciate any comments/suggestions/pointers to the following security
    risk classification system:

    (Did google, but could not find ones that meet my needs :-(

    Critical - If an attack hits the target or a target is compromised,
    the intruder could use the compromised target to springboard to/attack
    other systems, e.g., password, some worms, or the classified
    information/data disclosed to unauthorized parties.

    High - 1) If an attack hits the target, the compromised target will
    stop functioning/malfunction, e.g., denial of service, but would not
    attack/spread to other systems. 2) "weak" password policy, 3) no
    security agreement with extranet connections with 3rd parties.

    Medium - 1) Lack of such implementations makes forensic / auditing
    activities impossible. 2) If an attack hits the target, the compromised
    target will sloooow down.

    Low - User's security awareness training

    Warning - Lack of implementation of "some best practice", for lack of
    better words, e.g., warning message prior to anyone logging on.

    Any comments/suggestions/pointers are appreciated.

    dfox138, Dec 30, 2005

  2. dfox138

    Guest Guest

    It is totally unclear to me on what basis you ordered these. Also, it is
    not at all clear whether you are talking about specific attacks (cf.
    'worms' in the description of critical problems) or vulnerabilities.

    For instance, if I look at 'critical' and 'high', I could think you are
    talking about what hosts to secure first. But 'medium' is clearly about
    something entirely different. Also, it essentially repeats the denial of
    service already mentioned under 'high'.

    Also, users' security awareness training is one of the most important
    aspects, as desktop computers usually provide very easy entrance points
    into the organisation. And while they may not be very useful in
    compromising the servers, it is typically quite possible to get a good
    chunk of data off the servers.

    There have been numerous, mostly inconclusive, attempts at a
    classification system over the years. You may wish to search the
    Full-Disclosure archives at

    Guest, Dec 30, 2005

  3. dfox138

    dfox138 Guest

    Hi Joachim;

    Thanks for your comments/input.

    Would you please share an IT security risk classification system you
    like most?

    Many thanks in advance!

    dfox138, Dec 30, 2005
  4. dfox138

    dfox138 Guest

    If backup tapes are not serialized, what type of risk would it be? Is
    it high, medium or low? (If backup tapes are not serialized, the
    administrator or an auditor could not account if any destroyed,
    retired, in-use, off-site storage backup tapes are missing.)

    If a server is not hardened or locked down according to industry best
    practice, what type of risk would it be? Is it high, medium, or low?

    If there is no documented disaster recovery plan, what type of risk
    would it be? Is it high, medium, or low?
    dfox138, Dec 30, 2005
  5. dfox138

    martin Guest

    three thoughts come to mind...

    1 - do your own homework
    2 - pay for a security consultant to help you out
    3 - go and do a training course

    We charge very reasonable rates :)
    martin, Dec 30, 2005
  6. dfox138

    Winged Guest

    secunia has a good definition page that I believe better defines categories:

    You do not define your usage of the various terms, but secunia's are
    pretty clear.

    Winged, Jan 5, 2006