Classification of Security Risks: Critical, High, Medium, Low and Warning

Posted by dfox138 on December 30, 2005, 10:45 am
Appreciate any comments/suggestions/pointers to the following security
risk classification system:

(Did google, but could not find ones that meet my needs :-(

Critical - If an attack hits the target or a target is compromised,
the intruder could use the compromised target to springboard to/attack
other systems, e.g., password, some worms, or the classified
information/data disclosed to unauthorized parties.

High - 1) If an attack hits the target, the compromised target will
stop functioning/malfunctioning, e.g., denial of service, but would not
attack/spread to other systems. 2) "weak" password policy, 3) no
security agreement with extranet connections with 3rd parties.

Medium - 1) Lack of such implementations makes forensic / auditing
activities impossible. 2) If an attack hits the target, the compromised
target will sloooow down.

Low - User's security awareness training

Warning - Lack of implementation of "some best practice", for lack of
better words, e.g., warning message prior anyone to log on.

Any comments/suggestions/pointers are appreciated.

DF


Posted by on December 30, 2005, 11:55 am
> Appreciate any comments/suggestions/pointers to the following security
> risk classification system:
>
> (Did google, but could not find ones that meet my needs :-(
>
> Critical - If an attack hits the target or a target is compromised,
> the intruder could use the compromised target to springboard to/attack
> other systems, e.g., password, some worms, or the classified
> information/data disclosed to unauthorized parties.
>
> High - 1) If an attack hits the target, the compromised target will
> stop functioning/malfunctioning, e.g., denial of service, but would not
> attack/spread to other systems. 2) "weak" password policy, 3) no
> security agreement with extranet connections with 3rd parties.
>
> Medium - 1) Lack of such implementations makes forensic / auditing
> activities impossible. 2) If an attack hits the target, the compromised
> target will sloooow down.
>
> Low - User's security awareness training
>
> Warning - Lack of implementation of "some best practice", for lack of
> better words, e.g., warning message prior anyone to log on.
>
> Any comments/suggestions/pointers are appreciated.

It is totally unclear to me on what basis you ordered these. Also, it is
not at all clear whether you are talking about specific attacks (cf.
'worms' in the description of critical problems) or vulnerabilities.

For instance, if I look at 'critical' and 'high', I could think you are
talking about what hosts to secure first. But 'medium' is clearly about
something entirely different. Also, it essentially repeats the denial of
service already mentioned under 'high'.

Also, users' security awareness training is one of the most important
aspects, as desktop computers usually provide very easy entrance points
into the organisation. And while they may not be very useful in
compromising the servers, it is typically quite possible to get a good
chunk of data off the servers.

There have been numerous, mostly inconclusive, attempts at a
classification system over the years. You may wish to search the
Full-Disclosure archives at lists.grok.org.uk.

Joachim

Posted by dfox138 on December 30, 2005, 1:03 pm
Hi Joachim;

Thanks for your comments/input.

Would you please share an IT security risk classification system you
like most?

Many thanks in advance!

DF


Posted by dfox138 on December 30, 2005, 1:22 pm
If backup tapes are not serialized, what type of risk would it be? Is
it high, medium or low? (If backup tapes are not serialized, the
administrator or an auditor could not account if any destroyed,
retired, in-use, off-site storage backup tapes are missing.)

If a server is not hardened or locked down according to industry best
practice, what type of risk would it be? Is it high, medium, or low?

If there is no documented disaster recovery plan, what type of risk
would it be? Is it high, medium, or low?


Posted by martin on December 30, 2005, 1:44 pm
dfox138 wrote:
> If backup tapes are not serialized, what type of risk would it be? Is
> it high, medium or low? (If backup tapes are not serialized, the
> administrator or an auditor could not account if any destroyed,
> retired, in-use, off-site storage backup tapes are missing.)
>
> If a server is not hardened or locked down according to industry best
> practice, what type of risk would it be? Is it high, medium, or low?
>
> If there is no documented disaster recovery plan, what type of risk
> would it be? Is it high, medium, or low?
>
three thoughts come to mind...

1 - do your own homework
2 - pay for a security consultant to help you out
3 - go and do a training course

We charge very reasonable rates :)
