network. A computer virus may spread all over the world via the Internet infrastructure and cost billions of dollars.
The website of the SANS Institute, one of the leading security institutes in the US, was hacked in 2001. Security breaches like this show that making networks and products secure over their complete life cycle is not an easy task. Network protocols, operating systems and applications are all software in the general sense, and software produced by vendors and individuals inevitably contains coding and configuration errors; this is unavoidable because it is written by people. These coding and configuration errors are discovered by skilful people and coders, called hackers, who then exploit them. The motivation behind this exploitation may be fame, financial benefit or, most often, just enjoyment. Even if perfectly secure coding and configuration were achieved, intentional threats and natural disasters such as fires would still remain on the agenda. Given this, it must be said that absolute security is impossible to achieve.
Because there is no absolute security, there is always some risk affecting an information system. The goal should not be to eliminate this risk, which is impossible for financial and technical reasons: no technology eliminates the risk in an information system. Applying a countermeasure that costs more than the asset it protects, just in order to eliminate the risk to that asset, is not a rational approach.
A more realistic approach is to live with the risk, and manage it, rather than try to eliminate it. This requires a tool that makes comparisons, interpretations and calculations. One such comparison is between the cost of a countermeasure and the cost of the asset itself: if a countermeasure costs more than the damage that could be done to the asset, there is no point in applying it. Risk management is the tool that makes all these comparisons, calculations and interpretations.
The impossibility of absolute security and the ubiquity of risk rule out the view of security as an end result. Today, the security of information technologies is a real-time risk management process. In short, security is not a technology concept but a business concept. Risk management is the core of this concept and the main decision point for selecting and developing security measures.
2. RISK ANALYSIS OF THE NETWORK AND ASSETS
Five important concepts are commonly used in the context of risk management: asset, vulnerability, threat, countermeasure and risk. An asset is anything that has value and needs to be protected. Hardware, software, data, staff, and policies and procedures are all assets. Vulnerabilities are errors and weaknesses in assets; for example, a vulnerability in software may be caused by coding errors or configuration errors. All asset types may have vulnerabilities, and vulnerabilities are the main source of risk. Threats are the factors that exploit the vulnerabilities in assets and damage systems. Basically, there are three types of threat: intentional, unintentional and natural. A threat is anything with the potential to compromise at least one of confidentiality, integrity and availability. Risk is the expected damage that results when a threat exploits a vulnerability in an asset; it therefore depends on the value of the asset, the level of its vulnerability and the damage potential of the threat. Countermeasures are precautions that minimize the damage caused by threats, and as a result they decrease the level of risk. A countermeasure may do this by decreasing the value of an asset (for example, by holding less valuable data on it), the level of a vulnerability or the damage potential of a threat.