[infowar.de] wie misst man Cyber-Risiken? (Securityfocus-Serie)
Part one of a new series at Securityfocus. I won't be distributing the further installments here - anyone who is interested can get them themselves.
Assessing Internet Security Risk, Part One: What is Risk Assessment?
by Charl Van der Walt
last updated June 11, 2002
The Internet, like the Wild West of old, is an uncharted new world, full
of fresh and exciting opportunities. However, like the Wild West, the
Internet is also fraught with new threats and obstacles; dangers the
average businessman and home user hasn't even begun to understand. But I
don't have to tell you this. You've heard that exact speech at just
about every single security conference or seminar you've ever attended,
usually accompanied by a veritable array of slides and graphs
demonstrating exactly how serious the threat is and how many millions of
dollars your company stands to lose. The "death toll" statistics are
then almost always followed by a sales pitch for some or other product
that's supposed to make it all go away. Yeah right.
Am I saying the threat isn't real? Am I saying the statistics aren't
true? No. What I'm saying is that many users fail to see what relevance
any of this has to themselves and their company. Should the fact that
e-Bay supposedly spent $120,000 recovering from Mafia Boy's DDoS
attack really have an impact on the reader's corporate IT policy?
And yet, users can't afford to ignore these facts completely. That would
be just plain dumb. What they need to do is to recognize that there are
new threats and challenges and, like the other threats and challenges
that businesses have always known, these need to be met and managed. No
need to panic. No need to spend any money. Yet.
What users really need to do is to understand what the specific risks
are that their company or home network faces from being connected to the
Internet. In the same way that you don't borrow your business strategy
from e-Bay, you probably shouldn't borrow your IT security strategy from
them either. You need to develop an IT security strategy that meets your
unique needs, one that reflects your company's own unique risk profile.
As with so many other things in life, the key to effective information
security is to work smarter, not harder. And in this case, working
smarter means investing your valuable time, money and human resources on
addressing the specific problems that are the most likely to cause the
most damage. The math is really quite simple. But before you can do the
sums, you have to identify the variables. Here are some of the questions
you'll have to ask yourself:
1. What are the resources - Information & Information Systems - I'm
actually interested in protecting?
2. What is the value of those resources, monetary or otherwise?
3. What are all the possible threats that those resources face?
4. What is the likelihood of those threats being realized?
5. What would be the impact of those threats on my business or personal
life, if they were realized?
Having answered the five questions above, you can then investigate
mechanisms (both technical and procedural) that might address those
risks, and then weigh up the cost of each possible solution against the
potential impact of the threat. Once again, the math is simple: if the
cost of the solution is higher than the potential financial impact of
the risk (or risks) being addressed, then one may need to investigate
other solutions, consider accepting and living with a part of the risk,
or accept and live with the risk completely.
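As an added illustration that is not part of the article, here is one way to carry the five questions and the cost comparison through in code: each row of a risk register answers the questions, and a control is adopted only when the loss it avoids exceeds what it costs. The formula used to combine likelihood and impact (likelihood times impact) and all of the figures are my own assumptions, not the author's.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    """One row of a risk register, one field per question in the text."""
    asset: str              # Q1: the resource we want to protect
    asset_value: float      # Q2: its value, here in dollars
    threat: str             # Q3: a threat that resource faces
    likelihood: float       # Q4: probability the threat is realized per year (0..1)
    impact_fraction: float  # Q5: share of the asset value lost if it is realized (0..1)

    def expected_loss(self) -> float:
        # Assumption: expected annual loss = likelihood x impact.
        return self.likelihood * self.asset_value * self.impact_fraction


@dataclass
class Control:
    """A technical or procedural countermeasure that could address a risk."""
    name: str
    annual_cost: float
    reduction: float  # fraction of the expected loss the control removes (0..1)


def decide(risk: Risk, controls: list[Control]) -> dict:
    """Pick the control with the best net benefit, or accept the risk if none pays off."""
    loss = risk.expected_loss()
    best: Optional[tuple[Control, float]] = None
    for c in controls:
        residual = loss * (1.0 - c.reduction)  # the part of the risk we would still live with
        net = loss - residual - c.annual_cost  # loss avoided minus what the control costs
        if best is None or net > best[1]:
            best = (c, net)
    if best is None or best[1] <= 0:
        # Even the best control costs more than it saves: accept the risk as-is.
        return {"decision": "accept", "control": None, "residual_loss": loss}
    return {"decision": "mitigate", "control": best[0].name,
            "residual_loss": loss * (1.0 - best[0].reduction)}


# Constructed sample data (hypothetical assets, threats and controls).
CUSTOMER_DB = Risk("customer database", 500_000, "web server compromise exposing records", 0.2, 0.5)
BROCHURE_SITE = Risk("marketing brochure site", 20_000, "defacement", 0.3, 0.25)
CONTROLS = [
    Control("annual external assessment plus patch process", 15_000, 0.7),
    Control("24x7 managed intrusion detection", 60_000, 0.9),
]

if __name__ == "__main__":
    for r in (CUSTOMER_DB, BROCHURE_SITE):
        print(r.asset, round(r.expected_loss()), decide(r, CONTROLS))
```

The same control is worth buying for the database (expected loss $50,000) but not for the brochure site (expected loss $1,500), which is exactly the "accept and live with it" outcome the text describes.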
This article is the first of a series that is designed to help readers
to answer questions three and four in the context of Internet-connected
systems: What are the threats that my Internet-connected systems face,
and what are the chances of those threats being realized? Over the next
few weeks we will explore the thinking around Internet Security
Assessments, not only why they are done, but also how they are done. By
the end of this series you should understand how performing an Internet
security assessment can contribute to an effective information security
strategy, what you should expect from such an assessment and even how
you could go about performing such an assessment yourself.