risk matrix

profilepaupol2004
H2a_Risk_assessment_Matrix.xlsx

Vulnerability

WEIGHT: N/A=Not Applicable 1=Very Low 2=Low 3=Medium 4=High 5=Very High
VULNERABILITY WEIGHT RATIONALE
1 Inadequate Security Policy 2
2 Inadequate Training 2 Training is offered
3 Inadequate System Administration 2 Certified administrator with backup person assigned
4 Inadequate User Account Management 2 ISSO appointed
5 Inadequate Personnel Management 3
6 Incomplete Contingency Plan 1 Contingency Plan in place
7 Disclosure of Data 4
8 Modification of Data 5
9 Unlimited Access to Data 2 One root account
10 Objects Not Cleared Before Reuse 1
11 Inadequate Warning Banners 1
12 Use of Replayable I&A 2 Password encrypted, only one session permitted
13 Password Vulnerability to Cracking 5 Much effort but a lot to gain
14 Sharing of ID or Passwords 2 No concurrent sessios; Rules of Behavior in place
15 Session Timeout on Server 2 Cookies time out after 20 minutes
16 Concurrent Logon Sessions Permitted 2
17 Inadequate Audit Log 1
18 Inadequate Audit Analysis 3 Relying on human analysis
19 Data Transmissions in the Clear 5 SSL
20 Susceptibility to Line Tapping 5 SSL
21 Inconsistent Physical Perimeter Definition 2
22 Inadequate CM - Development 2
23 Inadequate CM - Operations / Maintenance 2
24 Facility Unavailability 3 Limited physical access
25 Data Unavailability 1 Availability of data is relatively low.
26 System / Component Unavailability 3
27 Unstable / Insufficient Communication Medium 4 Outages occur
28 Inadequate / Missing Documents 1 COOP in place
29 Failure to Achieve and Maintain Accreditation N/A
30 Inadequate Protection of Web Server 5
N/A
1
2
3
4
5

&"Courier,Regular"&14SENSITIVE // FOR OFFICIAL USE ONLY &"Times New Roman,Bold"&E&F

Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D

Threats

WEIGHT: N/A=Not Applicable 1=Very Low 2=Low 3=Medium 4=High 5=Very High
T H R E A T WEIGHT RATIONALE
Deception
1 False Denial of Origin 2
2 False Denial of Receipt 2
3 Falsification 4
4 Insertion 3
5 Malicious Logic-Masquerade 3
6 Masquerade 2
7 Repudiation 2
8 Substitution 4
Disruption
9 Hardware or Software Error-System 1
10 Hardware or Software Error-Data 1
11 Human Error 3
12 Environmental Failure 3
13 Incapacitation 1
14 Interference 4
15 Malicious Logic-Corruption 2
16 Malicious Logic- Disabling 3
17 Natural Catastrophe 1
18 Overload 4
19 Physical Destruction 1
20 Tampering-Corruption 5
Usurpation
21 Malicious Logic-Misuse 5
22 Misappropriation 5
23 Misuse 5
24 Tampering-Misuse 5
25 Theft of Data 4
26 Theft of Service 4
27 Violation of Permissions 2
Disclosure
28 Cryptanalysis 2
29 Eavesdropping 5
30 Exposure 3
31 Hardware or Software Error-System Failure 1
32 Human Error-Unintentional 2
33 Inference 5
34 Interception 5
35 Intrusion 5
36 Penetration 2
37 Reverse Engineering 2
38 Scavenging 2
39 Theft 1
40 Traffic Analysis 3
41 Trespass 3
42 Wiretapping 4
N/A
1
2
3
4
5

&"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY&"Arial,Bold"&14&E &F

Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D

Risk Computation

Vulnerabilities Inadequate Security Policy Inadequate Training Inadequate System Administration Inadequate User Account Management Inadequate Personnel Management Incomplete Contingency Plan Disclosure of Data Modification of Data Unlimited Access to Data Objects Not Cleared Before Reuse Inadequate Warning Banners Use of Replayable I&A Password Vulnerability to Cracking Sharing of ID or Passwords Session Timeout on Server Concurrent Logon Sessions Permitted Inadequate Audit Log Inadequate Audit Analysis Data Transmissions in the Clear Susceptibility to Line Tapping Inconsistent Physical Perimeter Inadequate CM - Development Inadequate CM - Operations Facility Unavailability Data Unavailability System / Component Unavailability Unstable / Insufficient Communication Inadequate / Missing Documents Failure to Achieve and Maintain Accreditation Inadequate Protection of Web Server
Threats Wts. 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 N/A 5 Risk Total for Threat Percent of Total Risk
Deception
False Denial of Origin 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
False Denial of Receipt 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Falsification 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Insertion 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Malicious Logic 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Masquerade 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Repudiation 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Substitution 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Disruption
Hardware or Software Error-System 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Hardware or Software Error-Data 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Human Error 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Environmental Failure 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Incapacitation 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Interference 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Malicious Logic-Corruption 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Malicious Logic- Disabling 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Natural Catastrophe 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Overload 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Physical Destruction 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Tampering 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Usurpation
Malicious Logic-Misuse 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Misappropriation 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Misuse 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Tampering-Misuse 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Theft of Data 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Theft of Service 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Violation of Permissions 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Disclosure
Cryptanalysis 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Eavesdropping 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Exposure 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Hardware or Software Error-System Failure 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Human Error-Unintentional 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Inference 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Interception 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Intrusion 5 10 10 10 10 15 5 20 25 10 5 5 10 25 10 10 10 5 15 25 25 10 10 10 15 5 15 20 5 25 375 4%
Penetration 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Reverse Engineering 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Scavenging 2 4 4 4 4 6 2 8 10 4 2 2 4 10 4 4 4 2 6 10 10 4 4 4 6 2 6 8 2 10 150 2%
Theft 1 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 5 75 1%
Traffic Analysis 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Trespass 3 6 6 6 6 9 3 12 15 6 3 3 6 15 6 6 6 3 9 15 15 6 6 6 9 3 9 12 3 15 225 2%
Wiretapping 4 8 8 8 8 12 4 16 20 8 4 4 8 20 8 8 8 4 12 20 20 8 8 8 12 4 12 16 4 20 300 3%
Risk Total for Vulnerability 252 252 252 252 378 126 504 630 252 126 126 252 630 252 252 252 126 378 630 630 252 252 252 378 126 378 504 126 0 630 9450 100%
Percent of Total Risk 3% 3% 3% 3% 4% 1% 5% 7% 3% 1% 1% 3% 7% 3% 3% 3% 1% 4% 7% 7% 3% 3% 3% 4% 1% 4% 5% 1% 7% 9450 100%
RISK RATING VERY HIGH LOWEST RANK OF VULNERABILITIES AND THREATS TO FLAG: 9
VULNERABILITY 378 4%
THREAT 375 4% 1 2 3 4 5 6 7 8 9 10
MAXIMUM 25
RISK TOTALS 18900
TOTAL RISKS 1015
LOW 1015
MEDIUM 4060
HIGH 9135
VERY HIGH 16240

&"Courier,Regular"&14SENSITIVE - FOR OFFICIAL USE ONLY&"Arial,Bold"&E &F

Page &P of &N &"Courier,Regular"&12SENSITIVE // FOR OFFICIAL USE ONLY &D

Risk Computation Exploited

Vulnerabilities Inadequate Security Policy Inadequate Training Inadequate System Administration Inadequate User Account Management Inadequate Personnel Management Incomplete Contingency Plan Disclosure of Data Modification of Data Unlimited Access to Data Objects Not Cleared Before Reuse Inadequate Warning Banners Use of Replayable I&A Password Vulnerability to Cracking Sharing of ID or Passwords Session Timeout on Server Concurrent Logon Sessions Permitted Inadequate Audit Log Inadequate Audit Analysis Data Transmissions in the Clear Susceptibility to Line Tapping Inconsistent Physical Perimeter Inadequate CM - Development Inadequate CM - Operations Facility Unavailability Data Unavailability System / Component Unavailability Unstable / Insufficient Communication Inadequate / Missing Documents Failure to Achieve and Maintain Accreditation Inadequate Protection of Web Server
Threats Wts. 2 2 2 2 3 1 4 5 2 1 1 2 5 2 2 2 1 3 5 5 2 2 2 3 1 3 4 1 N/A 5 Risk Total for Threat Percent of Total Risk
Deception
False Denial of Origin 2 4 4 8 0%
False Denial of Receipt 2 4 4 8 0%
Falsification 4 8 20 4 32 2%
Insertion 3 6 15 3 24 1%
Malicious Logic-Masquerade 3 6 6 6 6 6 3 15 48 2%
Masquerade 2 4 6 4 14 1%
Repudiation 2 4 4 8 0%
Substitution 4 8 8 20 4 40 2%
Disruption
Hardware or Software Error-System 1 2 1 1 2 2 1 3 5 2 2 2 3 3 4 5 38 2%
Hardware or Software Error-Data 1 2 1 2 1 1 3 5 1 1 5 22 1%
Human Error 3 6 6 9 15 6 6 3 9 15 6 6 3 9 3 15 117 6%
Environmental Failure 3 3 6 9 18 1%
Incapacitation 1 2 1 3 6 0%
Interference 4 4 20 16 20 60 3%
Malicious Logic-Corruption 2 4 10 4 4 2 6 10 40 2%
Malicious Logic- Disabling 3 6 15 6 6 3 9 15 60 3%
Natural Catastrophe 1 1 2 3 6 0%
Overload 4 8 8 4 12 12 20 64 3%
Physical Destruction 1 2 1 2 3 8 0%
Tampering-Corruption 5 10 25 10 10 10 15 25 105 5%
Usurpation
Malicious Logic-Misuse 5 10 10 10 5 35 2%
Misappropriation 5 10 15 25 1%
Misuse 5 10 10 5 10 5 15 25 25 10 10 5 15 5 150 7%
Tampering-Misuse 5 10 10 10 10 15 25 5 5 15 25 25 5 15 5 180 9%
Theft of Data 4 12 4 16 8 4 44 2%
Theft of Service 4 12 4 12 20 48 2%
Violation of Permissions 2 4 4 4 4 6 4 4 2 6 38 2%
Disclosure
Cryptanalysis 2 8 4 10 10 32 2%
Eavesdropping 5 20 10 25 25 80 4%
Exposure 3 9 3 12 3 27 1%
Hardware or Software Error-System Failure 1 2 1 4 1 1 3 5 5 2 2 1 1 5 33 2%
Human Error-Unintentional 2 4 4 4 6 8 4 2 6 10 10 4 4 2 2 10 80 4%
Inference 5 5 20 25 50 2%
Interception 5 5 20 25 25 25 100 5%
Intrusion 5 5 20 10 5 15 25 80 4%
Penetration 2 4 4 8 10 4 10 4 4 4 2 6 10 10 2 82 4%
Reverse Engineering 2 8 4 12 1%
Scavenging 2 6 8 14 1%
Theft 1 3 1 4 2 3 1 14 1%
Traffic Analysis 3 12 3 9 15 15 12 15 81 4%
Trespass 3 3 12 6 15 9 45 2%
Wiretapping 4 16 20 20 20 76 4%
Risk Total for Vulnerability 44 78 80 40 84 43 196 130 32 3 10 30 55 18 14 16 34 102 210 240 24 60 60 36 51 108 32 17 0 205 2052 100%
Percent of Total Risk 2% 4% 4% 2% 4% 2% 10% 6% 2% 0% 0% 1% 3% 1% 1% 1% 2% 5% 10% 12% 1% 3% 3% 2% 2% 5% 2% 1% 10% 2052 100%
RISK RATING VERY HIGH LOWEST RANK OF VULNERABILITIES AND THREATS TO FLAG: 8
VULNERABILITY 84 5%
THREAT 80 4% 1 2 3 4 5 6 7 8 9 10
MAXIMUM 25
RISK TOTALS 4104
TOTAL RISKS 231
LOW 231
MEDIUM 924
HIGH 2079
VERY HIGH 3696

&"Arial,Bold"&14&E &F

Page &P of &N &D

CounterMeasure

RISK COUNTERMEASURE RATIONALE APPROXIMATE COSTS NOTES
Wireless LANS are easy access Enforce Strong Access Control: Networks should place access points outside of security perimeter devices such as firewalls, and administrators should consider using VPNs to provide access to the corporate network. Ensuring that wireless networks are subject to strong access control can mitigate the risk of wireless network deployment. LOW The AirWISE analysis engine can perform in-depth analysis on frames and can detect several common 802.11 security problems. i.e. identifies known weak WEP implementations that reuse IVs, have a predictable IV pattern, or use "weak" IVs that provide information to WEP cracking programs such as AirSnort.
Rogue Access Points Regular Site Audits: 1) Provide frequent physical site audits. 2) Walk-through detection using handheld scanners to detect unauthorized networks while administrators respond to user support calls throughout the hospital Given the ease with which many of these technologies can be exploited for network access, learning when unauthorized networks have been deployed is a task of great importance. HIGH/LOW AirMagnet uses passive analysis to discover AP transmissions in the air, and will uncover any access point within range of its antenna. Many tools can be used to perform site audits and track rogue access points, but network administrators must be conscious of the need to keep up with the latest techniques used in the cat-and-mouse game played out in the site audit.
Unauthorized Use of Service Design and Audit for Strong Authentication: Provide frequent physical site audits. Strong, cryptographically protected authentication is a precondition for authorization because access privileges are based on user identity. LOW VPN solutions deployed to protect traffic in transit across the radio link provide strong authentication.
Service and Performance Constraints Monitor the Network Analyzers are often used near trouble spots to aid in diagnosis, and are ideally positioned to observe many denial of service attacks. LOW Addressing performance problems starts with monitoring and discovering them.
MAC Spoofing and Session Hijacking Adopt Strong Protocols and Use Them Session hijacking can be prevented only by using a strong cryptographic protocol such as IPSec. LOW Until the ratification of 802.11i, MAC spoofing will be a threat.
Traffic Analysis and Eavesdropping 1) Perform Risk Analysis 2) As an extra precaution, use key management protocols to change the WEP key every fifteen minutes. When using WEP, audit wireless network to ensure that it is not susceptible to the AirSnort attack. LOW A great deal has been written about the flaws in WEP. It protects only the initial association with the network and user data frames.
Higher Level Attacks Protect the Core from the Wireless LAN Once an attacker gains access to a wireless network, it can serve as a launch point for attacks on other systems. LOW Many companies provide guest access ports in training rooms or lobbies. Wireless LANs can be treated as conceptually similar to guest access ports due to higher probability of access by untrustworthy users.

&"Arial,Bold"&14&E &F

Page &P of &N &D