risk matrix
Vulnerability
| WEIGHT: N/A=Not Applicable 1=Very Low 2=Low 3=Medium 4=High 5=Very High | |||
| VULNERABILITY | WEIGHT | RATIONALE | |
| 1 | Inadequate Security Policy | 2 | |
| 2 | Inadequate Training | 2 | Training is offered |
| 3 | Inadequate System Administration | 2 | Certified administrator with backup person assigned |
| 4 | Inadequate User Account Management | 2 | ISSO appointed |
| 5 | Inadequate Personnel Management | 3 | |
| 6 | Incomplete Contingency Plan | 1 | Contingency Plan in place |
| 7 | Disclosure of Data | 4 | |
| 8 | Modification of Data | 5 | |
| 9 | Unlimited Access to Data | 2 | One root account |
| 10 | Objects Not Cleared Before Reuse | 1 | |
| 11 | Inadequate Warning Banners | 1 | |
| 12 | Use of Replayable I&A | 2 | Password encrypted, only one session permitted |
| 13 | Password Vulnerability to Cracking | 5 | Much effort but a lot to gain |
| 14 | Sharing of ID or Passwords | 2 | No concurrent sessios; Rules of Behavior in place |
| 15 | Session Timeout on Server | 2 | Cookies time out after 20 minutes |
| 16 | Concurrent Logon Sessions Permitted | 2 | |
| 17 | Inadequate Audit Log | 1 | |
| 18 | Inadequate Audit Analysis | 3 | Relying on human analysis |
| 19 | Data Transmissions in the Clear | 5 | SSL |
| 20 | Susceptibility to Line Tapping | 5 | SSL |
| 21 | Inconsistent Physical Perimeter Definition | 2 | |
| 22 | Inadequate CM - Development | 2 | |
| 23 | Inadequate CM - Operations / Maintenance | 2 | |
| 24 | Facility Unavailability | 3 | Limited physical access |
| 25 | Data Unavailability | 1 | Availability of data is relatively low. |
| 26 | System / Component Unavailability | 3 | |
| 27 | Unstable / Insufficient Communication Medium | 4 | Outages occur |
| 28 | Inadequate / Missing Documents | 1 | COOP in place |
| 29 | Failure to Achieve and Maintain Accreditation | N/A | |
| 30 | Inadequate Protection of Web Server | 5 | |
| N/A | |||
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 |
&"Courier,Regular"&14SENSITIVE // FOR OFFICIAL USE ONLY &"Times New Roman,Bold"&E&F
Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D
Threats
| WEIGHT: N/A=Not Applicable 1=Very Low 2=Low 3=Medium 4=High 5=Very High | |||
| T H R E A T | WEIGHT | RATIONALE | |
| Deception | |||
| 1 | False Denial of Origin | 2 | |
| 2 | False Denial of Receipt | 2 | |
| 3 | Falsification | 4 | |
| 4 | Insertion | 3 | |
| 5 | Malicious Logic-Masquerade | 3 | |
| 6 | Masquerade | 2 | |
| 7 | Repudiation | 2 | |
| 8 | Substitution | 4 | |
| Disruption | |||
| 9 | Hardware or Software Error-System | 1 | |
| 10 | Hardware or Software Error-Data | 1 | |
| 11 | Human Error | 3 | |
| 12 | Environmental Failure | 3 | |
| 13 | Incapacitation | 1 | |
| 14 | Interference | 4 | |
| 15 | Malicious Logic-Corruption | 2 | |
| 16 | Malicious Logic- Disabling | 3 | |
| 17 | Natural Catastrophe | 1 | |
| 18 | Overload | 4 | |
| 19 | Physical Destruction | 1 | |
| 20 | Tampering-Corruption | 5 | |
| Usurpation | |||
| 21 | Malicious Logic-Misuse | 5 | |
| 22 | Misappropriation | 5 | |
| 23 | Misuse | 5 | |
| 24 | Tampering-Misuse | 5 | |
| 25 | Theft of Data | 4 | |
| 26 | Theft of Service | 4 | |
| 27 | Violation of Permissions | 2 | |
| Disclosure | |||
| 28 | Cryptanalysis | 2 | |
| 29 | Eavesdropping | 5 | |
| 30 | Exposure | 3 | |
| 31 | Hardware or Software Error-System Failure | 1 | |
| 32 | Human Error-Unintentional | 2 | |
| 33 | Inference | 5 | |
| 34 | Interception | 5 | |
| 35 | Intrusion | 5 | |
| 36 | Penetration | 2 | |
| 37 | Reverse Engineering | 2 | |
| 38 | Scavenging | 2 | |
| 39 | Theft | 1 | |
| 40 | Traffic Analysis | 3 | |
| 41 | Trespass | 3 | |
| 42 | Wiretapping | 4 | |
| N/A | |||
| 1 | |||
| 2 | |||
| 3 | |||
| 4 | |||
| 5 |
&"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY&"Arial,Bold"&14&E &F
Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D
Risk Computation
| Vulnerabilities | Inadequate Security Policy | Inadequate Training | Inadequate System Administration | Inadequate User Account Management | Inadequate Personnel Management | Incomplete Contingency Plan | Disclosure of Data | Modification of Data | Unlimited Access to Data | Objects Not Cleared Before Reuse | Inadequate Warning Banners | Use of Replayable I&A | Password Vulnerability to Cracking | Sharing of ID or Passwords | Session Timeout on Server | Concurrent Logon Sessions Permitted | Inadequate Audit Log | Inadequate Audit Analysis | Data Transmissions in the Clear | Susceptibility to Line Tapping | Inconsistent Physical Perimeter | Inadequate CM - Development | Inadequate CM - Operations | Facility Unavailability | Data Unavailability | System / Component Unavailability | Unstable / Insufficient Communication | Inadequate / Missing Documents | Failure to Achieve and Maintain Accreditation | Inadequate Protection of Web Server | |||
| Threats | Wts. | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | N/A | 5 | Risk Total for Threat | Percent of Total Risk |
| Deception | |||||||||||||||||||||||||||||||||
| False Denial of Origin | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| False Denial of Receipt | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Falsification | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Insertion | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Malicious Logic | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Masquerade | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Repudiation | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Substitution | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Disruption | |||||||||||||||||||||||||||||||||
| Hardware or Software Error-System | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Hardware or Software Error-Data | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Human Error | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Environmental Failure | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Incapacitation | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Interference | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Malicious Logic-Corruption | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Malicious Logic- Disabling | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Natural Catastrophe | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Overload | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Physical Destruction | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Tampering | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Usurpation | |||||||||||||||||||||||||||||||||
| Malicious Logic-Misuse | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Misappropriation | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Misuse | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Tampering-Misuse | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Theft of Data | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Theft of Service | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Violation of Permissions | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Disclosure | |||||||||||||||||||||||||||||||||
| Cryptanalysis | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Eavesdropping | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Exposure | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Hardware or Software Error-System Failure | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Human Error-Unintentional | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Inference | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Interception | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Intrusion | 5 | 10 | 10 | 10 | 10 | 15 | 5 | 20 | 25 | 10 | 5 | 5 | 10 | 25 | 10 | 10 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 10 | 15 | 5 | 15 | 20 | 5 | 25 | 375 | 4% | |
| Penetration | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Reverse Engineering | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Scavenging | 2 | 4 | 4 | 4 | 4 | 6 | 2 | 8 | 10 | 4 | 2 | 2 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 4 | 6 | 2 | 6 | 8 | 2 | 10 | 150 | 2% | |
| Theft | 1 | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | 5 | 75 | 1% | |
| Traffic Analysis | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Trespass | 3 | 6 | 6 | 6 | 6 | 9 | 3 | 12 | 15 | 6 | 3 | 3 | 6 | 15 | 6 | 6 | 6 | 3 | 9 | 15 | 15 | 6 | 6 | 6 | 9 | 3 | 9 | 12 | 3 | 15 | 225 | 2% | |
| Wiretapping | 4 | 8 | 8 | 8 | 8 | 12 | 4 | 16 | 20 | 8 | 4 | 4 | 8 | 20 | 8 | 8 | 8 | 4 | 12 | 20 | 20 | 8 | 8 | 8 | 12 | 4 | 12 | 16 | 4 | 20 | 300 | 3% | |
| Risk Total for Vulnerability | 252 | 252 | 252 | 252 | 378 | 126 | 504 | 630 | 252 | 126 | 126 | 252 | 630 | 252 | 252 | 252 | 126 | 378 | 630 | 630 | 252 | 252 | 252 | 378 | 126 | 378 | 504 | 126 | 0 | 630 | 9450 | 100% | |
| Percent of Total Risk | 3% | 3% | 3% | 3% | 4% | 1% | 5% | 7% | 3% | 1% | 1% | 3% | 7% | 3% | 3% | 3% | 1% | 4% | 7% | 7% | 3% | 3% | 3% | 4% | 1% | 4% | 5% | 1% | 7% | 9450 | 100% | ||
| RISK RATING | VERY HIGH | LOWEST RANK OF VULNERABILITIES AND THREATS TO FLAG: | 9 | ||||||||||||||||||||||||||||||
| VULNERABILITY | 378 | 4% | |||||||||||||||||||||||||||||||
| THREAT | 375 | 4% | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | |||||||||||||||||||||
| MAXIMUM | 25 | ||||||||||||||||||||||||||||||||
| RISK TOTALS | 18900 | ||||||||||||||||||||||||||||||||
| TOTAL RISKS | 1015 | ||||||||||||||||||||||||||||||||
| LOW | 1015 | ||||||||||||||||||||||||||||||||
| MEDIUM | 4060 | ||||||||||||||||||||||||||||||||
| HIGH | 9135 | ||||||||||||||||||||||||||||||||
| VERY HIGH | 16240 | ||||||||||||||||||||||||||||||||
&"Courier,Regular"&14SENSITIVE - FOR OFFICIAL USE ONLY&"Arial,Bold"&E &F
Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D
Risk Computation Exploited
| Vulnerabilities | Inadequate Security Policy | Inadequate Training | Inadequate System Administration | Inadequate User Account Management | Inadequate Personnel Management | Incomplete Contingency Plan | Disclosure of Data | Modification of Data | Unlimited Access to Data | Objects Not Cleared Before Reuse | Inadequate Warning Banners | Use of Replayable I&A | Password Vulnerability to Cracking | Sharing of ID or Passwords | Session Timeout on Server | Concurrent Logon Sessions Permitted | Inadequate Audit Log | Inadequate Audit Analysis | Data Transmissions in the Clear | Susceptibility to Line Tapping | Inconsistent Physical Perimeter | Inadequate CM - Development | Inadequate CM - Operations | Facility Unavailability | Data Unavailability | System / Component Unavailability | Unstable / Insufficient Communication | Inadequate / Missing Documents | Failure to Achieve and Maintain Accreditation | Inadequate Protection of Web Server | |||
| Threats | Wts. | 2 | 2 | 2 | 2 | 3 | 1 | 4 | 5 | 2 | 1 | 1 | 2 | 5 | 2 | 2 | 2 | 1 | 3 | 5 | 5 | 2 | 2 | 2 | 3 | 1 | 3 | 4 | 1 | N/A | 5 | Risk Total for Threat | Percent of Total Risk |
| Deception | |||||||||||||||||||||||||||||||||
| False Denial of Origin | 2 | 4 | 4 | 8 | 0% | ||||||||||||||||||||||||||||
| False Denial of Receipt | 2 | 4 | 4 | 8 | 0% | ||||||||||||||||||||||||||||
| Falsification | 4 | 8 | 20 | 4 | 32 | 2% | |||||||||||||||||||||||||||
| Insertion | 3 | 6 | 15 | 3 | 24 | 1% | |||||||||||||||||||||||||||
| Malicious Logic-Masquerade | 3 | 6 | 6 | 6 | 6 | 6 | 3 | 15 | 48 | 2% | |||||||||||||||||||||||
| Masquerade | 2 | 4 | 6 | 4 | 14 | 1% | |||||||||||||||||||||||||||
| Repudiation | 2 | 4 | 4 | 8 | 0% | ||||||||||||||||||||||||||||
| Substitution | 4 | 8 | 8 | 20 | 4 | 40 | 2% | ||||||||||||||||||||||||||
| Disruption | |||||||||||||||||||||||||||||||||
| Hardware or Software Error-System | 1 | 2 | 1 | 1 | 2 | 2 | 1 | 3 | 5 | 2 | 2 | 2 | 3 | 3 | 4 | 5 | 38 | 2% | |||||||||||||||
| Hardware or Software Error-Data | 1 | 2 | 1 | 2 | 1 | 1 | 3 | 5 | 1 | 1 | 5 | 22 | 1% | ||||||||||||||||||||
| Human Error | 3 | 6 | 6 | 9 | 15 | 6 | 6 | 3 | 9 | 15 | 6 | 6 | 3 | 9 | 3 | 15 | 117 | 6% | |||||||||||||||
| Environmental Failure | 3 | 3 | 6 | 9 | 18 | 1% | |||||||||||||||||||||||||||
| Incapacitation | 1 | 2 | 1 | 3 | 6 | 0% | |||||||||||||||||||||||||||
| Interference | 4 | 4 | 20 | 16 | 20 | 60 | 3% | ||||||||||||||||||||||||||
| Malicious Logic-Corruption | 2 | 4 | 10 | 4 | 4 | 2 | 6 | 10 | 40 | 2% | |||||||||||||||||||||||
| Malicious Logic- Disabling | 3 | 6 | 15 | 6 | 6 | 3 | 9 | 15 | 60 | 3% | |||||||||||||||||||||||
| Natural Catastrophe | 1 | 1 | 2 | 3 | 6 | 0% | |||||||||||||||||||||||||||
| Overload | 4 | 8 | 8 | 4 | 12 | 12 | 20 | 64 | 3% | ||||||||||||||||||||||||
| Physical Destruction | 1 | 2 | 1 | 2 | 3 | 8 | 0% | ||||||||||||||||||||||||||
| Tampering-Corruption | 5 | 10 | 25 | 10 | 10 | 10 | 15 | 25 | 105 | 5% | |||||||||||||||||||||||
| Usurpation | |||||||||||||||||||||||||||||||||
| Malicious Logic-Misuse | 5 | 10 | 10 | 10 | 5 | 35 | 2% | ||||||||||||||||||||||||||
| Misappropriation | 5 | 10 | 15 | 25 | 1% | ||||||||||||||||||||||||||||
| Misuse | 5 | 10 | 10 | 5 | 10 | 5 | 15 | 25 | 25 | 10 | 10 | 5 | 15 | 5 | 150 | 7% | |||||||||||||||||
| Tampering-Misuse | 5 | 10 | 10 | 10 | 10 | 15 | 25 | 5 | 5 | 15 | 25 | 25 | 5 | 15 | 5 | 180 | 9% | ||||||||||||||||
| Theft of Data | 4 | 12 | 4 | 16 | 8 | 4 | 44 | 2% | |||||||||||||||||||||||||
| Theft of Service | 4 | 12 | 4 | 12 | 20 | 48 | 2% | ||||||||||||||||||||||||||
| Violation of Permissions | 2 | 4 | 4 | 4 | 4 | 6 | 4 | 4 | 2 | 6 | 38 | 2% | |||||||||||||||||||||
| Disclosure | |||||||||||||||||||||||||||||||||
| Cryptanalysis | 2 | 8 | 4 | 10 | 10 | 32 | 2% | ||||||||||||||||||||||||||
| Eavesdropping | 5 | 20 | 10 | 25 | 25 | 80 | 4% | ||||||||||||||||||||||||||
| Exposure | 3 | 9 | 3 | 12 | 3 | 27 | 1% | ||||||||||||||||||||||||||
| Hardware or Software Error-System Failure | 1 | 2 | 1 | 4 | 1 | 1 | 3 | 5 | 5 | 2 | 2 | 1 | 1 | 5 | 33 | 2% | |||||||||||||||||
| Human Error-Unintentional | 2 | 4 | 4 | 4 | 6 | 8 | 4 | 2 | 6 | 10 | 10 | 4 | 4 | 2 | 2 | 10 | 80 | 4% | |||||||||||||||
| Inference | 5 | 5 | 20 | 25 | 50 | 2% | |||||||||||||||||||||||||||
| Interception | 5 | 5 | 20 | 25 | 25 | 25 | 100 | 5% | |||||||||||||||||||||||||
| Intrusion | 5 | 5 | 20 | 10 | 5 | 15 | 25 | 80 | 4% | ||||||||||||||||||||||||
| Penetration | 2 | 4 | 4 | 8 | 10 | 4 | 10 | 4 | 4 | 4 | 2 | 6 | 10 | 10 | 2 | 82 | 4% | ||||||||||||||||
| Reverse Engineering | 2 | 8 | 4 | 12 | 1% | ||||||||||||||||||||||||||||
| Scavenging | 2 | 6 | 8 | 14 | 1% | ||||||||||||||||||||||||||||
| Theft | 1 | 3 | 1 | 4 | 2 | 3 | 1 | 14 | 1% | ||||||||||||||||||||||||
| Traffic Analysis | 3 | 12 | 3 | 9 | 15 | 15 | 12 | 15 | 81 | 4% | |||||||||||||||||||||||
| Trespass | 3 | 3 | 12 | 6 | 15 | 9 | 45 | 2% | |||||||||||||||||||||||||
| Wiretapping | 4 | 16 | 20 | 20 | 20 | 76 | 4% | ||||||||||||||||||||||||||
| Risk Total for Vulnerability | 44 | 78 | 80 | 40 | 84 | 43 | 196 | 130 | 32 | 3 | 10 | 30 | 55 | 18 | 14 | 16 | 34 | 102 | 210 | 240 | 24 | 60 | 60 | 36 | 51 | 108 | 32 | 17 | 0 | 205 | 2052 | 100% | |
| Percent of Total Risk | 2% | 4% | 4% | 2% | 4% | 2% | 10% | 6% | 2% | 0% | 0% | 1% | 3% | 1% | 1% | 1% | 2% | 5% | 10% | 12% | 1% | 3% | 3% | 2% | 2% | 5% | 2% | 1% | 10% | 2052 | 100% | ||
| RISK RATING | VERY HIGH | LOWEST RANK OF VULNERABILITIES AND THREATS TO FLAG: | 8 | ||||||||||||||||||||||||||||||
| VULNERABILITY | 84 | 5% | |||||||||||||||||||||||||||||||
| THREAT | 80 | 4% | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | |||||||||||||||||||||
| MAXIMUM | 25 | ||||||||||||||||||||||||||||||||
| RISK TOTALS | 4104 | ||||||||||||||||||||||||||||||||
| TOTAL RISKS | 231 | ||||||||||||||||||||||||||||||||
| LOW | 231 | ||||||||||||||||||||||||||||||||
| MEDIUM | 924 | ||||||||||||||||||||||||||||||||
| HIGH | 2079 | ||||||||||||||||||||||||||||||||
| VERY HIGH | 3696 | ||||||||||||||||||||||||||||||||
&"Arial,Bold"&14&E &F
Page &P of &N &D
CounterMeasure
| RISK | COUNTERMEASURE | RATIONALE | APPROXIMATE COSTS | NOTES |
| Wireless LANS are easy access | Enforce Strong Access Control: Networks should place access points outside of security perimeter devices such as firewalls, and administrators should consider using VPNs to provide access to the corporate network. | Ensuring that wireless networks are subject to strong access control can mitigate the risk of wireless network deployment. | LOW | The AirWISE analysis engine can perform in-depth analysis on frames and can detect several common 802.11 security problems. i.e. identifies known weak WEP implementations that reuse IVs, have a predictable IV pattern, or use "weak" IVs that provide information to WEP cracking programs such as AirSnort. |
| Rogue Access Points | Regular Site Audits: 1) Provide frequent physical site audits. 2) Walk-through detection using handheld scanners to detect unauthorized networks while administrators respond to user support calls throughout the hospital | Given the ease with which many of these technologies can be exploited for network access, learning when unauthorized networks have been deployed is a task of great importance. | HIGH/LOW | AirMagnet uses passive analysis to discover AP transmissions in the air, and will uncover any access point within range of its antenna. Many tools can be used to perform site audits and track rogue access points, but network administrators must be conscious of the need to keep up with the latest techniques used in the cat-and-mouse game played out in the site audit. |
| Unauthorized Use of Service | Design and Audit for Strong Authentication: Provide frequent physical site audits. | Strong, cryptographically protected authentication is a precondition for authorization because access privileges are based on user identity. | LOW | VPN solutions deployed to protect traffic in transit across the radio link provide strong authentication. |
| Service and Performance Constraints | Monitor the Network | Analyzers are often used near trouble spots to aid in diagnosis, and are ideally positioned to observe many denial of service attacks. | LOW | Addressing performance problems starts with monitoring and discovering them. |
| MAC Spoofing and Session Hijacking | Adopt Strong Protocols and Use Them | Session hijacking can be prevented only by using a strong cryptographic protocol such as IPSec. | LOW | Until the ratification of 802.11i, MAC spoofing will be a threat. |
| Traffic Analysis and Eavesdropping | 1) Perform Risk Analysis 2) As an extra precaution, use key management protocols to change the WEP key every fifteen minutes. | When using WEP, audit wireless network to ensure that it is not susceptible to the AirSnort attack. | LOW | A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames. |
| Higher Level Attacks | Protect the Core from the Wireless LAN | Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. | LOW | Many companies provide guest access ports in training rooms or lobbies. Wireless LANs can be treated as conceptually similar to guest access ports due to higher probability of access by untrustworthy users. |
&"Arial,Bold"&14&E &F
Page &P of &N &D