Risk Analysis &
Risk Management
Võ Viết Minh Nhật
Faculty of Information Technology – University of Sciences (Khoa CNTT – Trường ĐHKH)
Outline
Introduction
Definition of risk
Vulnerability
Threat
Identifying risk for an organization
Measuring risk
Introduction
Security is about managing risk. Without an understanding of the
security risks to an organization’s information assets, too many or
not enough resources might be used or used in the wrong way.
Risk management also provides a basis for valuing information
assets. By identifying risk, you learn the value of particular types of
information and the value of the systems that contain that
information.
A vulnerability is a potential avenue of attack.
Vulnerabilities may exist in computer systems and networks
allowing the system to be open to a technical attack
or in administrative procedures
allowing the environment to be open to a non-technical or
social engineering attack.
Vulnerability
A vulnerability is characterized by the difficulty and the level of
technical skill that is required to exploit it.
For instance, a vulnerability that is easy to exploit (due to the
existence of a script to perform the attack) and that allows the
attacker to gain complete control over a system is a high-value
vulnerability.
On the other hand, a vulnerability that would require the attacker
to invest significant resources for equipment and people and
would only allow the attacker to gain access to information that
was not considered particularly sensitive would be considered a
low-value vulnerability.
Vulnerabilities are not just related to computer systems and
networks. Physical site security, employee issues, and the
Examples: bank account balance, important database
Targets
Availability (of information, applications, systems, or
infrastructure) is targeted through the performance of a
denial-of-service attack. Threats to availability can be
short-term or long-term.
Accountability is rarely targeted. The purpose of such an
attack is to prevent an organization from reconstructing
past events. Accountability may be targeted as a prelude to
an attack against another target such as to prevent the
identification of a database modification or to cast doubt on
the security mechanisms actually in place within an
organization.
Targets
A threat may have multiple targets.
For example, accountability may be the initial target to
prevent a record of the attacker’s actions from being
recorded, followed by an attack against the confidentiality
of critical organizational data.
Agents
The agents of threat are the people who may wish to do harm to an
organization. To be a credible part of a threat, an agent must have
An agent must have some knowledge of the target.
The knowledge useful for an agent includes
User IDs
Passwords
Locations of files
Physical access procedures
Names of employees
Access phone numbers
Network addresses
Security procedures
Knowledge
The more familiar an agent is with the target, the more likely it is that
the agent will have knowledge of existing vulnerabilities.
Agents that have detailed knowledge of existing vulnerabilities will
likely also be able to acquire the knowledge necessary to exploit
those vulnerabilities.
Motivation
be counted when conducting a risk analysis.
Agents to Consider
Ex-employees
have the necessary knowledge of systems due to the
jobs that they held.
may still have access to systems.
Motivation depends upon the circumstances of the
separation, for example, whether the ex-employee bears a
grudge against the organization.
Agents to Consider
Hackers
are always assumed to have a motivation to do harm
to an organization.
may or may not have detailed knowledge of an
organization’s systems and networks.
Access may be acquired if the appropriate
vulnerabilities exist within the organization.
Agents to Consider
Terrorists
Specific motivation for targeting a particular
organization is the important aspect of identifying
terrorists as a probable threat to an organization.
Agents to Consider
Criminals
are always assumed to have a motivation to do harm
to an organization.
tend to target items (both physical and virtual) of
value.
Access to items of value, such as portable computers,
is a key aspect of identifying criminals as a probable
threat to an organization.
Agents to Consider
General public
must always be considered as a possible source of
threat.
However, unless an organization has caused some
general offense to civilization, motivation must be
considered lacking. Likewise, access to and
knowledge about the specifics of an organization is
considered minimal.
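The slides above describe a vulnerability's value in terms of how hard it is to exploit and what it gives the attacker, and describe a credible threat agent as one that combines knowledge, motivation and access to the target. The following Python example, added here and not part of the lecture, turns both ideas into a small threat register: agents lacking any one of the three properties are dropped (the general public case), and each remaining agent is paired with the vulnerabilities its knowledge level could realistically reach. The 0–3 scales, the "knowledge covers exploit difficulty" rule, and the sample agents and vulnerabilities are all constructed assumptions for illustration; the lecture gives no numeric model.

```python
"""Threat-agent credibility and vulnerability value.

Constructed example modelled on the lecture's concepts; all scales,
thresholds and sample data are assumptions, not from the slides.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Agent:
    name: str
    knowledge: int   # 0 = none ... 3 = detailed knowledge of existing vulnerabilities
    motivation: int  # 0 = lacking ... 3 = strong (e.g. a grudge after separation)
    access: int      # 0 = none ... 3 = still holds credentials / physical access


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploit_difficulty: int  # 0 = scripted, trivial ... 3 = needs significant resources
    impact: int              # 0 = non-sensitive information ... 3 = complete control


def is_credible(agent: Agent) -> bool:
    """A credible agent needs knowledge, motivation and access at once.

    The general public typically fails all three and drops out here.
    """
    return agent.knowledge > 0 and agent.motivation > 0 and agent.access > 0


def vulnerability_value(v: Vulnerability) -> str:
    """Classify as in the lecture: easy + high impact is high-value,
    expensive + low impact is low-value, anything else is medium (assumption)."""
    if v.exploit_difficulty <= 1 and v.impact >= 2:
        return "high"
    if v.exploit_difficulty >= 2 and v.impact <= 1:
        return "low"
    return "medium"


def can_exploit(agent: Agent, v: Vulnerability) -> bool:
    """Assumed rule: an agent's knowledge level must cover the exploit difficulty.

    This mirrors the slide stating that agents with detailed knowledge of
    vulnerabilities can usually acquire what is needed to exploit them.
    """
    return agent.knowledge >= v.exploit_difficulty


def risk_register(agents: List[Agent],
                  vulns: List[Vulnerability]) -> List[Tuple[str, str, str]]:
    """Pair every credible agent with every vulnerability it could exploit,
    tagging each pair with the vulnerability's value class."""
    register: List[Tuple[str, str, str]] = []
    for agent in agents:
        if not is_credible(agent):
            continue
        for v in vulns:
            if can_exploit(agent, v):
                register.append((agent.name, v.name, vulnerability_value(v)))
    return register


# Constructed sample data following the lecture's "Agents to Consider" slides.
AGENTS = [
    Agent("ex-employee", knowledge=3, motivation=2, access=2),
    Agent("hacker", knowledge=1, motivation=3, access=1),
    Agent("general public", knowledge=0, motivation=0, access=0),
]

VULNS = [
    Vulnerability("scripted exploit against the web server", exploit_difficulty=0, impact=3),
    Vulnerability("weak lock on the press-release archive", exploit_difficulty=3, impact=0),
    Vulnerability("unpatched internal file share", exploit_difficulty=2, impact=2),
]


if __name__ == "__main__":
    for agent_name, vuln_name, value in risk_register(AGENTS, VULNS):
        print(f"{agent_name:15} -> {vuln_name:45} [{value}-value]")
```

Running the script lists four pairings: the ex-employee reaches all three vulnerabilities, the hacker only the scripted one, and the general public none. Replacing the integer scales with whatever rating scheme an organization actually uses is the intended next step; the structure (credibility gate, then reachability, then value) is what carries over.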