Bài giảng: Phân tích & Quản lý rủi ro

Trong kinh doanh trên Internet, rủi ro có thểđược đo lường bằng thiệt hại về số lượngnhững khách hàng mới không phục vụ được,các mặt hàng mới cần bán, các sản phẩmphải sản xuất … khi có một sự kiện đe dọaxảy ra.Rõ ràng, nếu tất cả các rủi ro đều có thể chuyểnđược thành tiền thì việc đo lường sẽ trở nên dễ dàng.Tuy nhiên, thực tế không phải rủi ro nào đều có thểlàm được như thế....
Nội dung trích xuất từ tài liệu:
Bài giảng: Phân tích & Quản lý rủi ro Phân tích & Quản lý rủi ro Võ Viết Minh NhậtKhoa CNTT – Trường ĐHKHNội dung trình bày Mở đầu Định nghĩa rủi ro Tính dể bị xâm hại (vulnerability)  Mối de dọa (threat)  định rủi ro cho một tổ chức Xác Đo lường rủi roMở đầu Security is about managing risk. Without an understanding of the security risks to an organization’s information assets, too many or not enough resources might be used or used in the wrong way. Risk management also provides a basis for valuing of information assets. By identifying risk, you learn the value of particular types of information and the value of the systems that contain that information.What is risk? Risk is the underlying concept that forms the basis for what we call “security.” Risk is the potential for loss that requires protection. If there is no risk, there is no need for security. And yet risk is a concept that is barely understood by many who work in the security industry.What is risk? Example of the insurance industry how much the car repair is likely to cost?  how much the likelihood that the person will be in  an accident? Two components of risk: The money needed for the repair => vulnerability  the likelihood of the person to get into an accident  => threatRelationship betweenvulnerability and threatVulnerabilityA vulnerability is a potential avenue of attack. Vulnerabilities may exist in computer systems and networks allowing the system to be open to a technical  attack or in administrative procedures allowing the environment to be open to a non-  technical or social engineering attack.Vulnerability A vulnerability is characterized by the difficulty and the level of technical skill that is required to exploit it.  For instance, a vulnerability that is easy to exploit (due to the existence of a script to perform the attack) and that allows the attacker to gain complete control over a system is a high-value vulnerability.  On the other hand, a vulnerability that would require the attacker to invest significant resources for equipment and people and would only allow the attacker to gain access to information that was not considered particularly sensitive would be considered a low-value vulnerability. Vulnerabilities are not just related to computer systems and networks. Physical site security, employee issues, and the security of information in transit must all be examined.ThreatA threat is an action or event that might violate the security of an information systems environment. There are three components of threat: Targets The aspect of security that might be  attacked. Agents The people or organizations originating  the threat. Events The type of action that poses the threat. Targets The targets of threat or attack are generally the security services : confidentiality, integrity, availability, and accountability. Confidentiality is targeted when the disclosure of  information to unauthorized individuals or organizations is the motivation. Exemples: government information, salary information  or medical histories. Integrity is the target when the threat wishes to  change information. Examples: bank account balance, important database Targets Availability (of information, applications, systems, or  infrastructure) is targeted through the performance of a denial-of-service attack. Threats to availability can be short- term or long-term. Accountability is rarely targeted. The purpose of such an  attack is to prevent an organization from reconstructing past events. Accountability may be targeted as a prelude to an attack against another target such as to prevent the identification of a database modification or to cast doubt on the security mechanisms actually in place within an organization.Targets Athreat may have multiple targets. For example, accountability may be the initial  target to prevent a record of the attacker’s actions from being recorded, followed by an attack against the confidentiality of critical organizational data.Agents The agents of threat are the people who may wish to do harm to an organization. To be a credible part of a threat, an agent must have three characteristics: Access The ability an agent has to get to the  target. Knowledge The level and type of information an  agent has about the target. Motivation The reasons an agent might have for  posing a threat to the target.Access An agent must have access to the system, network, ...