From Wikipedia, the free encyclopedia

Risk management is essential for any business to recognize, respond to, and resolve potential consequences. Solid risk management plans are vital to managing the exposure associated with risks. A company's use of certain communications, such as electronic mail and supplementary business applications, exposes it to elevated risk. This amplified risk is why companies need to decide how much danger they are prepared to accept and to put into practice security structures to administer the threats linked with online business activity ("Risk management", 2010, p. 1). There is a multitude of sources available to security experts regarding proper risk guidance and assessment. For example, the National Institute of Standards and Technology (NIST) Special Publication 800-30 provides a sound framework for building a risk management plan (Stoneburner, Goguen, & Feringa, 2002).


Calculating Risk


First, Single Loss Expectancy (SLE) is the expected monetary loss every time a risk occurs. It is calculated by multiplying Asset Value (AV) by Exposure Factor (EF) and is written as SLE = AV * EF ("Single Loss Expectancy", 2010, p. 1). The Exposure Factor (EF) is the proportion of the asset's worth likely to be destroyed by a particular risk, usually expressed as a percentage (Ciampa, 2009, p. 309). The second measure builds on the first: Annualized Loss Expectancy (ALE) is the projected monetary loss for an asset due to a risk over a one-year period. ALE is calculated by multiplying the Single Loss Expectancy (SLE) by the Annualized Rate of Occurrence (ARO), that is, ALE = SLE * ARO. The ARO is the estimated number of times the risk will occur in a one-year period; it can be a fraction (an event expected once every ten years has an ARO of 0.1) or greater than one. ALE is used directly in cost-benefit analysis: a control is worth buying only if the ALE it removes exceeds what the control costs per year ("Annualized Loss Expectancy", 2010, p. 1).

The text also lists qualitative methods for assessing a company's vulnerabilities. One of these is a table that uses a ranking system based on impact. Impact classification is the process of devising different levels such as "No impact, Small impact, Significant, Major, and Catastrophic." In assessing risk, the tools previously mentioned and the methods for calculating risk such as SLE and ALE are important steps in the overall risk assessment process. The next step is to approximate the probability that the vulnerability will be exploited, again using some type of ranking system such as one to five, where five is extremely probable and one is improbable.
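The SLE, ALE and ranking-table calculations above, carried through on a constructed scenario. This is an added example, not part of the original essay or any cited source; the asset value, exposure factor, rates of occurrence and control cost are assumed figures chosen for illustration. It also shows the cost-benefit step that ALE feeds: the value of a safeguard is the ALE it removes minus its annual cost.

```python
"""Quantitative (SLE/ALE) and qualitative (impact x likelihood) risk scoring.

Added example, not from the original essay. The asset values, exposure
factors, rates of occurrence and control costs below are constructed for
illustration and are not figures from any cited source.
"""
from dataclasses import dataclass

# Impact levels named in the text, mapped to a 1-5 rank for the scoring table.
IMPACT_LEVELS = {
    "No impact": 1, "Small impact": 2, "Significant": 3, "Major": 4, "Catastrophic": 5,
}


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year; may be < 1 or > 1

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF is a fraction of the asset value, 0.0 to 1.0")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.sle() * self.aro


def safeguard_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost-benefit test for a control.

    value = ALE(before control) - ALE(after control) - annual cost of control.
    Positive: the control removes more expected loss than it costs each year.
    Negative: the control costs more than the loss it prevents; accept or
    transfer the risk, or look for a cheaper control.
    """
    return before.ale() - after.ale() - annual_control_cost


def qualitative_score(impact: str, likelihood: int) -> int:
    """Ranking-table approach: impact rank (1-5) times likelihood rank (1-5).

    likelihood follows the text's scale: 5 = extremely probable, 1 = improbable.
    """
    if impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level {impact!r}")
    if likelihood not in range(1, 6):
        raise ValueError("likelihood rank must be 1..5")
    return IMPACT_LEVELS[impact] * likelihood


def worked_example() -> dict:
    """Constructed scenario: a customer database server exposed to a breach,
    before and after deploying a control. All figures are assumptions."""
    # Assumed: AV 200,000; an incident destroys 25% of the asset's value;
    # expected once every two years (ARO 0.5).
    before = Risk("customer DB breach", asset_value=200_000, exposure_factor=0.25, aro=0.5)
    # Assumed effect of the control: same damage per incident, but the ARO
    # drops to once every eight years (0.125). The control costs 12,000 a year.
    after = Risk("customer DB breach (with control)", 200_000, 0.25, 0.125)
    control_cost = 12_000
    return {
        "sle": before.sle(),                                              # 50,000
        "ale_before": before.ale(),                                       # 25,000
        "ale_after": after.ale(),                                         # 6,250
        "safeguard_value": safeguard_value(before, after, control_cost),  # 6,750
        "qualitative": qualitative_score("Major", 4),                     # 16
    }
```

The safeguard in the scenario is worth buying (6,750 a year in avoided loss after paying for it); raising the control cost above 18,750 would flip the sign and argue for accepting or transferring the risk instead.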


Vulnerabilities


Another methodology for identifying vulnerabilities is vulnerability scanning, the practice of identifying deficiencies in an organization's systems and helping to raise the level of security those systems need (Ciampa, 2009, p. 312). We have seen some of these scanners in the early weeks of our class. Port scanning is the act of probing the network ports of the TCP/IP suite. This includes both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) ports. These ports can be broken down into three basic categories; below is the classification by port range.

• Well Known Ports (0 – 1023)
• Registered Ports (1024 – 49151)
• Dynamic and/or Private Ports (49152 – 65535)

These ports are assigned by the IANA (Internet Assigned Numbers Authority), which is the authority for port assignments and global IP address allocation. Most network and security professionals will recognize the common well-known ports. For example, FTP = 21 (TCP), telnet = 23 (TCP), and DNS = 53 (UDP, with TCP 53 also used for zone transfers and large responses). There are many more ports in the well-known category, but these are a few examples of what an attacker may scan first ("Port Scanning", n.d., p. 1). User programs use the registered range, which IANA records on request for specific applications. Dynamic and/or private ports are not assigned to any specific service and are typically used as ephemeral source ports.
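A TCP connect scan with the IANA range classification described above, as an added example that is not part of the original essay and not any scanner's own code. So that it runs offline, it starts its own throwaway listener on 127.0.0.1 and scans the ports around it; the host, port range and timeout are assumptions for illustration. It also records why UDP ports are handled differently.

```python
"""TCP connect scan of a small port range, with IANA port-range classification.

Added example, not from the original essay and not a port scanner's own code.
To run offline it starts its own listener on 127.0.0.1 and scans the ports
around it; the host, port range and timeout are assumptions for illustration.
"""
import errno
import socket

# A few well-known services the text names, for labelling hits.
WELL_KNOWN_SERVICES = {21: "ftp", 23: "telnet", 53: "domain", 80: "http", 443: "https"}


def classify_port(port: int) -> str:
    """IANA range a port falls in: well-known, registered, or dynamic/private."""
    if not 0 <= port <= 65535:
        raise ValueError("TCP and UDP ports are 16-bit values, 0..65535")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Connect scan: complete the TCP handshake on each port and report the result.

    open      -> handshake completed (something is listening)
    closed    -> host answered with RST (ECONNREFUSED)
    filtered  -> no answer within the timeout or another error, typically a
                 firewall dropping the SYN
    UDP has no handshake: a closed UDP port answers with ICMP port unreachable,
    an open one often answers nothing, so UDP scanning is slower and less
    certain and is not attempted here.
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                err = s.connect_ex((host, port))
            except (socket.timeout, OSError):
                err = errno.ETIMEDOUT
        if err == 0:
            state = "open"
        elif err == errno.ECONNREFUSED:
            state = "closed"
        else:
            state = "filtered"
        results[port] = state
    return results


def describe(port: int, state: str) -> str:
    """One report line: port, state, IANA range, service name if well known."""
    service = WELL_KNOWN_SERVICES.get(port, "unknown")
    return f"{port}/tcp {state:8} {classify_port(port):15} {service}"


def scan_demo():
    """Start a throwaway listener on loopback, scan the ports around it and
    return (listener_port, results). Binding to port 0 lets the kernel pick
    a free port; a listening socket completes handshakes without accept(),
    so the scan sees it as open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        lport = srv.getsockname()[1]
        targets = [p for p in (lport - 1, lport, lport + 1) if 0 <= p <= 65535]
        results = tcp_connect_scan("127.0.0.1", targets)
    finally:
        srv.close()
    return lport, results


if __name__ == "__main__":
    lport, results = scan_demo()
    for p, st in sorted(results.items()):
        print(describe(p, st))
```

Against a real target the same loop would be pointed at the well-known range first, as the text suggests attackers do; note that a connect scan completes the handshake and so appears in the target's connection logs, which is why scanners also offer half-open (SYN) scans that need raw-socket privileges.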

There are many additional tools, both software and hardware, that can provide expanded capabilities to reduce risk. One practice is to test a network's defenses. The first is to test the strength of users' passwords. A password cracker program does this by attempting to recover passwords from their stored hashes using dictionaries, mangling rules, or brute force. I found a site which lists the "Top 10 Password Crackers" ("Top 10 Password Crackers", 2006, p. 1). We used one of them, John the Ripper, in one of our exercises. The final practice to consider when assessing risks is network penetration testing. This is a more thorough practice than vulnerability scanning: a scanner reports suspected weaknesses, while a penetration test attempts to exploit them and shows what an attacker could actually reach. Penetration testing will test a company's or organization's security and shed light on its weak points. It is a real-world test rather than an assessment conducted by reviewing a collection of data and building theories about risks. Because it uses an attacker's techniques, it must be performed only with explicit written authorization and an agreed scope; within those bounds it is a valuable tool for white hat attackers and network security administrators ("Penetration testing", 2010, p. 1). The results from this type of testing should be included in the overall risk management plan when factoring in all the risks for a given company or organization. I suspect one of the chief obstacles of risk management is the IT managerial problem of classification, capture, and communication of risks. The difficulty for any company is the complexity of finding the right balance of resources for "risk management (RM) controls, policies, people, and processes" (Meta Group, 2004, p. 1). In other words, not only the technique but also the correct intensity of implementation is a challenge in appraising risks.
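What a password-strength test with a cracker actually does, as an added example that is not part of the original essay and is not John the Ripper's code: a small offline dictionary audit against salted PBKDF2-SHA256 hashes, with a few mangling rules of the kind cracker rule sets apply. The accounts, passwords, salts and wordlist are constructed for illustration; PBKDF2 stands in for whatever hash a real system stores.

```python
"""Offline password audit in the style of a dictionary cracker.

Added example, not from the original essay and not John the Ripper's code.
The user records, their passwords, the salts and the wordlist are constructed
for illustration; PBKDF2-SHA256 stands in for whatever hash a real system uses.
"""
import hashlib
import hmac
import os

# Work factor. Kept low so the example runs in about a second; real password
# storage uses far higher iteration counts (or a memory-hard hash) precisely
# to make the loop in dictionary_audit() expensive for an attacker.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as a password store would keep it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(user: str, password: str) -> dict:
    """What a password store holds: username, per-user random salt, and the hash."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def mangle(word: str):
    """A few rules in the spirit of cracker rule sets: as-is, capitalised,
    and common digit/symbol suffixes. Real rule sets are much larger."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2010"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_audit(records, wordlist) -> dict:
    """Try every mangled dictionary word against every record.

    Returns {user: recovered_password} for accounts whose password fell.
    Because each record has its own salt, every candidate must be hashed once
    per user; unsalted hashes would let one hash computation test all users.
    """
    cracked = {}
    for rec in records:
        for word in wordlist:
            hit = next(
                (c for c in mangle(word)
                 if hmac.compare_digest(hash_password(c, rec["salt"]), rec["hash"])),
                None,
            )
            if hit is not None:
                cracked[rec["user"]] = hit
                break
    return cracked


def audit_demo() -> dict:
    """Constructed accounts: two weak passwords built from a dictionary word
    plus a suffix, and one long random passphrase no rule in mangle() produces."""
    records = [
        make_record("alice", "Password1"),
        make_record("bob", "summer2010"),
        make_record("carol", "vault-lantern-quartz-7Xk2"),
    ]
    wordlist = ["password", "summer", "welcome", "letmein", "admin"]
    return dictionary_audit(records, wordlist)


if __name__ == "__main__":
    for user, pw in audit_demo().items():
        print(f"{user}: weak password recovered ({pw!r})")
```

The point for a risk assessment is the ratio: the two weak accounts fall after a few dozen hash computations, while the random passphrase survives the whole wordlist. Run against a real hash dump (with authorization), the set of recovered accounts becomes a measurable finding that feeds the likelihood rank for credential-based attacks.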

Risk Management and Mitigation Process

A company may decide to transfer risk by shifting the repercussions of certain risks to a third party, much as my company does by moving certain risks to our subcontractors. A company's ability to reduce risk involves being proactive: taking early action through more testing and evaluation as well as close monitoring, known as risk monitoring. Risk monitoring is an additional step in a risk management plan. It methodically tracks and assesses the effectiveness of risk-handling actions. Integrating the management of risk actions into all plans, forecasting and scheduling included, ensures significant risks are effectively monitored. Recognizing these risk events will aid companies in shaping their procedures regarding cost, schedule, and performance. In conclusion, the risk management process is an ongoing practice. I believe an important step a business can take to help recognize and manage risks is to create and maintain risk management documents. There will be periods or circumstances when risk management practices will require precautionary administration. A company must periodically evaluate the risks within its business and prioritize them. As I have stated, there are extensive mechanisms for dealing with risk management and evaluation procedures. One of the more significant things a business needs to understand is how to manage risks and how to educate its organization and staff on the importance of following good risk management practices. If it is able to achieve this, then the company and its users will help reduce the overall risks the company may encounter. It is important for a company to emphasize that risk management is everyone's responsibility.

References

Annualized Loss Expectancy (Definition). (2010). Retrieved May 1, 2010, from http://www.riskythinking.com/glossary/annualized_loss_expectancy.php

CACI. (n.d.). Risk Contingency Planning. Retrieved April 27, 2010, from http://www.caci.com/

Ciampa, M. (2009). Security+ Guide to Network Security Fundamentals (3rd ed.). Boston, MA: Course Technology.

Elyse. (2007). Qualitative Risk Analysis. Retrieved April 29, 2010, from http://www.anticlue.net/archives/000817.htm

Ipswitch, Inc. (2010). WhatsUp Gold WhatsConnected: Network mapping. Retrieved May 9, 2010, from http://www.whatsupgold.com/products/whatsup-gold-plugins/whatsconnected/index.aspx

Meta Group. (2004). Selecting the risk assessment method of choice. Retrieved April 24, 2010, from http://searchitchannel.techtarget.com/generic/0,295582,sid19_gci1049908,00.html

Penetration testing. (2010). Retrieved May 9, 2010, from http://searchsoftwarequality.techtarget.com/sDefinition/0,,sid92_gci929671,00.html

Port Scanning. (n.d.). Retrieved May 1, 2010, from http://www.auditmypc.com/port-scanning.asp

RADCOM. (n.d.). Protocol Analyzers. Retrieved May 9, 2010, from http://www.radcom.com/Products.aspx?boneId=659

Risk management. (2010). Retrieved April 28, 2010, from http://www.answers.com/topic/risk-management

Single Loss Expectancy (Definition). (2010). Retrieved May 1, 2010, from http://www.riskythinking.com/glossary/single_loss_expectancy.php

Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk Management Guide for Information Technology Systems (NIST SP 800-30). Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Top 10 Password Crackers. (2006). Retrieved May 9, 2010, from http://sectools.org/crackers.html

Verma, N., Huang, Y., & Sood, A. (2007). Proactively Managing Security Risk. Retrieved April 30, 2010, from http://www.symantec.com/connect/articles/proactively-managing-security-risk

SolarWinds. (2010). Create Maps of Your Network to Visually Track Performance by Location. Retrieved April 30, 2010, from http://www.solarwinds.com/campaigns/register/orion/npm/mapping/?CMP=KNC-TAD-GGL-NPM_MAP-NPM-DL&HBX_PK=network%20mapper&gclid=CNnmsc3-xaECFQ0hnAodSFYW-A
