Risk Management
Added on 2023/04/22
Running head: RISK MANAGEMENT
Risk Management
Name of the Student:
Name of the University:
Table of Contents
1. Differentiation between vulnerability scans and vulnerability assessment
2. The effect of threat vectors in vulnerability assessment
3. Different types of vulnerabilities and their causes
4. Attack surface and vulnerability assessment
5. Analysis of the use of Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and the Common Vulnerability Scoring System (CVSSv2) as open vulnerability scoring systems
6. Development of a relationship between vulnerability, threat, and risks with examples using mathematical calculations
References
1. Differentiation between vulnerability scans and vulnerability assessment
Vulnerability scanning and vulnerability assessment are both used in network security to keep systems functioning correctly and to reduce the chance of compromise by malware such as Trojans and viruses (Mattsson & Jenelius, 2015). The difference between the two is as follows:

A vulnerability assessment is a process made up of several sub-processes. It identifies, quantifies and ranks the vulnerabilities that may be present in a system (Swartz et al., 2015). It is an important step for a company that wants to prevent unauthorized access to its systems, because the ranking tells the company which weaknesses to fix first and which it can accept for now.

A vulnerability scan is run against individual resources to find the possible vulnerabilities that lie in a network system; it lets the company check whether or not a given resource is vulnerable. Scanning is done by automated software that is linked to a database of recognized flaws and runs through the network to discover whether those flaws exist (Singhal & Ou, 2017). A scan is therefore narrower than an assessment: it reports only what its database knows how to detect, it can produce false positives, and it says nothing about how important the affected resource is. Once the scan is complete, a detailed report of the findings lets the company, or a network security company it hires, reinforce its defenses.
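The distinction above, carried through in code as an added example (not part of the original document): the scan is a mechanical match of a host inventory against a database of known flaws, and the assessment is the ranking step that weighs each finding by the business value of the affected asset. The product names, flaw identifiers, version numbers and asset values are all constructed for the example and refer to no real software or advisory.

```python
"""Vulnerability scan versus vulnerability assessment (added example).

A scan matches an inventory against a database of known flaws; an assessment
ranks what the scan found using the business value of the asset. All product
names, flaw identifiers, versions and asset values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownFlaw:
    flaw_id: str          # hypothetical identifier, not a real advisory
    product: str
    affected_from: str    # first affected version (inclusive)
    fixed_in: str         # first version that is no longer affected
    severity: float       # CVSS-style score, 0.0 to 10.0


# Constructed stand-in for the scanner's signature database.
FLAW_DB = [
    KnownFlaw("FLAW-0001", "acme-sshd", "7.0", "8.9", 9.8),
    KnownFlaw("FLAW-0002", "acme-httpd", "1.0", "1.20.1", 7.5),
    KnownFlaw("FLAW-0003", "acme-httpd", "1.23.0", "1.25.0", 5.3),
]

# Constructed inventory: (host, product, version) as collected from service banners.
INVENTORY = [
    ("web-1", "acme-httpd", "1.18.0"),
    ("web-2", "acme-httpd", "1.24.0"),
    ("bastion", "acme-sshd", "8.4"),
    ("bastion", "acme-httpd", "1.26.0"),
]

# Constructed business value per host, as an assessment obtains from asset owners.
ASSET_VALUE = {"web-1": 3.0, "web-2": 1.0, "bastion": 2.0}


def parse_version(version):
    """'1.20.1' -> (1, 20, 1); tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))


def is_affected(flaw, product, version):
    """True when the product matches and the version lies in the affected range."""
    if flaw.product != product:
        return False
    v = parse_version(version)
    return parse_version(flaw.affected_from) <= v < parse_version(flaw.fixed_in)


def scan(inventory, flaw_db):
    """The scan: match every inventory entry against every known flaw."""
    return [
        (host, product, version, flaw)
        for host, product, version in inventory
        for flaw in flaw_db
        if is_affected(flaw, product, version)
    ]


def assess(findings, asset_value):
    """The assessment: rank findings by severity weighted by asset value."""
    def priority(finding):
        host, _, _, flaw = finding
        return flaw.severity * asset_value.get(host, 1.0)

    return sorted(findings, key=priority, reverse=True)


if __name__ == "__main__":
    findings = scan(INVENTORY, FLAW_DB)
    for host, product, version, flaw in assess(findings, ASSET_VALUE):
        print(f"{host:8} {product:11} {version:7} {flaw.flaw_id} severity={flaw.severity}")
```

Run stand-alone, the scan returns three findings. Ordered by raw severity alone, the bastion's 9.8 would come first; the assessment puts web-1 first because its 7.5 finding sits on the asset the business values most, which is exactly the context a scanner cannot supply on its own.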
2. The effect of threat vectors in vulnerability assessment
A threat vector is the method by which a threat is carried out, and it can arise from three sources: external, internal and supply chain. The effect of a threat vector is to gain access to a device, system or network in order to launch attacks, collect information or deliver malicious items into the network system (Ganin et al., 2017). Vulnerability assessment helps the business organization to identify and categorize these threats. Once the organization has identified the possible threats, it selects the security controls that protect against the critical ones (Shah & Mehtre, 2015). A threat vector is the path by means of which an attacker gains access to a computer or network server to deliver a malicious outcome. In a vulnerability assessment, therefore, each vulnerability should be considered together with the threat vectors through which an attacker could exploit it, including human elements such as a phishing message that tricks a user into running the attacker's code: a weakness that no vector can reach is less urgent than one exposed through several.
3. Different types of vulnerabilities and their causes
A cyber vulnerability is a weakness that allows an action targeting computer information systems, computer networks or personal computer devices with the aim of stealing or destroying information. The following are common classes of attack, each with the vulnerability and cause behind it:

Denial-of-service attacks: A denial-of-service (DoS) attack overwhelms the resources of a system so that it cannot respond to service requests (Shameli-Sendi, Aghababaei-Barzegar, & Cheriet, 2016). Taking a system offline can also be the prelude to other attacks, for example against a fail-over system that is less well protected. The underlying vulnerability is a lack of capacity or resource limits, such as a server that accepts an unbounded number of half-open connections or requests. Session hijacking is not an example of DoS; it belongs under access control, since the attacker reuses another user's authenticated session rather than exhausting a resource.

Access control problems: These range from physical access control, such as keeping the server in a locked room, to logical controls. Access control methods are enforced partly by the operating system, partly by the application or server and partly by individual services (Shedden et al., 2016). Most vulnerabilities of this kind are caused by improper use of access controls or by their failure, for example a permission check that is missing on one code path, or a default configuration that grants more access than intended.

Drive-by attack: This is a common method of spreading malware. The attacker looks for insecure websites and plants malicious script in the HTTP or PHP code of one of their pages. The script installs malware directly on the computer of anyone who visits the site, or redirects the victim to a site controlled by the attacker. The victim is compromised simply by visiting the website, viewing an email message or opening a pop-up window (Tweneboah-Koduah & Buchanan, 2018). The cause is security flaws in the browser, its plug-ins or the operating system that remain because updates failed or were never applied.

SQL injection attack: This is a common issue with database-driven websites. The vulnerability occurs when the application builds a SQL query from input data sent by the client, so that a malicious actor can make the database execute SQL of their choosing (Macher et al., 2016). A successful SQL injection can read sensitive data from the database, modify database data, execute administrative operations on the database and, in some configurations, recover the contents of files on the database host. The cause is the concatenation of untrusted input into query text instead of passing it as a query parameter.
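The SQL injection case above, shown as an added example that is not from the original document: a deliberately vulnerable lookup that pastes client input into the query text, beside the parameterised version that fixes it. It uses Python's built-in sqlite3 module with a constructed in-memory users table and constructed attacker inputs; the table layout and payloads are assumptions made for the example.

```python
"""SQL injection: the vulnerable query beside its parameterised fix (added example).

Uses Python's built-in sqlite3 module and a constructed in-memory users table;
nothing here comes from the original document.
"""
import sqlite3


def make_db():
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", 1), ("bob", "hash-of-bob", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: client input is pasted into the SQL text, so
    quotes and keywords in the input are parsed as SQL by the database."""
    query = f"SELECT id, username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: a parameterised query. The driver passes the value separately
    from the statement, so the input can never change the query's structure."""
    return conn.execute(
        "SELECT id, username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
BYPASS = "x' OR '1'='1"                                   # turns the WHERE clause into a tautology
DUMP_HASHES = "x' UNION SELECT id, password_hash, is_admin FROM users --"  # reads a column the query never returned


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass :", find_user_vulnerable(db, BYPASS))       # every row
    print("vulnerable, dump   :", find_user_vulnerable(db, DUMP_HASHES))  # password hashes
    print("safe, bypass       :", find_user_safe(db, BYPASS))             # no rows
    print("safe, alice        :", find_user_safe(db, "alice"))
```

The second payload is the "read sensitive data" outcome from the text: the UNION appends the password_hash column to a result set that was only meant to carry usernames. Against the parameterised query both payloads are treated as a literal username that matches nothing.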
4. Attack surface and vulnerability assessment
The attack surface of a software environment is the sum of the different points at which an unauthorized user can try to enter data into, or extract data from, the environment. Keeping the attack surface as small as possible is a basic security measure. As the number of potentially vulnerable points in a project grows, the attacker's position improves, because an attacker needs to find only one vulnerable point to succeed while the defender must protect all of them. The attack surface is a complete profile of the functions in the code running on a provider's system that are reachable by unauthenticated users (Radanliev et al., 2018). It also includes what an authenticated user with valid credentials can reach: where access controls are implemented incorrectly, such a user may access unprotected data beyond their authorization level.

Vulnerability assessment is the process of describing, categorizing, classifying and prioritizing the vulnerabilities in computer systems and network infrastructures. It gives the organization performing the assessment the knowledge, awareness and background needed to understand the possible threats to the network system (Swartz et al., 2015). It is an integral component of a good security program for deploying secure software. Security vulnerabilities enable an attacker to access the IT system and its applications, so the process is needed to identify weaknesses before they are exploited. Mapping the attack surface first tells the assessment where to look: every entry point on that map is a place where a vulnerability would be reachable.
5. Analysis of the use of Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and the Common Vulnerability Scoring System (CVSSv2) as open vulnerability scoring systems
OCTAVE is a framework for identifying and managing information security risks. It is an evaluation method that allows an organization to recognize the information assets required for its mission. By bringing assets, threats and vulnerabilities together, the organization can understand what information is at risk. It is a security framework for determining risk levels and planning against cyber attacks (Shedden et al., 2016). The framework is designed to draw on the experience and expertise of the people inside the organization rather than on outside specialists. It defines three phases:

Phase 1: Build asset-based threat profiles
Phase 2: Identify infrastructure vulnerabilities
Phase 3: Develop security strategy and plans

CVSSv2 is a standard for assessing the severity of security vulnerabilities. It assigns a numerical severity score to each vulnerability, which lets responders prioritize their responses and resources according to the threat (Ganin et al., 2017). The score is computed from three metric groups:

1. Base metrics, for qualities intrinsic to the vulnerability (access vector, access complexity, authentication, and the confidentiality, integrity and availability impacts)
2. Temporal metrics, which evolve over the lifetime of the vulnerability (exploitability, remediation level and report confidence)
3. Environmental metrics, which depend on the implementation and the environment in which the vulnerable component is deployed

The two are complementary rather than alternatives. OCTAVE is an organizational risk assessment method that produces a view of which assets matter and which threats to them are critical; CVSSv2 scores one vulnerability at a time and says nothing about the importance of the asset it affects. In practice a CVSS score is one input to the vulnerability phase of an OCTAVE-style assessment, not a substitute for it.
6. Development of a relationship between vulnerability, threat, and risks with examples using mathematical calculations
Risk is a function of the threats and of the vulnerabilities that those threats can exploit. The objective of risk management is to create a level of protection that mitigates the vulnerabilities to those threats and their impacts, and so reduces the risk to an acceptable level (Shah & Mehtre, 2015). The relationship between vulnerability, threat and risk is commonly written as:

Risk = Threat * Vulnerability

where Threat is the likelihood that a threat agent acts and Vulnerability is the likelihood that the attempt succeeds against the current controls; multiplying the product by the impact of a successful attack gives the expected loss. Because risk is a product, a threat may exist while there is no vulnerability, in which case there is no risk; equally, a vulnerability in a system that no threat can reach carries no risk. The calculation is carried out by defining a set of mutually exclusive and exhaustive outcomes of a course of action (Radanliev et al., 2018), multiplying the probability of each outcome by its utility (for a security event, its loss) and summing. Both threat and vulnerability determine the probability of those outcomes. Risk is therefore the potential loss or damage that arises when a threat exploits a vulnerability: damage to the business, loss of financial resources, privacy breaches, legal consequences and, in safety-critical systems, loss of human life.
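The calculation described above, carried through as an added example (not from the original document): Risk = Threat * Vulnerability gives the probability of a loss event, the two mutually exclusive and exhaustive outcomes (attack succeeds, attack does not) are each multiplied by their loss and summed, and a control is modelled as removing a fraction of the vulnerability. The scenarios, probabilities and loss figures are constructed for illustration; they are assumptions, not data from any source.

```python
"""Risk = Threat x Vulnerability, carried through as an expected-loss calculation
(added example with constructed figures; not from the original document).

threat:        probability per year that a threat agent attempts the attack
vulnerability: probability that the attempt succeeds against current controls
impact:        loss, in currency units, when it succeeds
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    threat: float
    vulnerability: float
    impact: float


def likelihood(s):
    """Risk = Threat * Vulnerability: the probability that a loss event occurs."""
    return s.threat * s.vulnerability


def expected_loss(outcomes):
    """Sum of probability x loss over a mutually exclusive, exhaustive set of outcomes."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total_p}, not 1")
    return sum(p * loss for p, loss in outcomes)


def annual_risk(s):
    """Two outcomes: the attack succeeds (loss = impact) or it does not (loss = 0)."""
    p = likelihood(s)
    return expected_loss([(p, s.impact), (1.0 - p, 0.0)])


def residual_risk(s, control_effectiveness):
    """A control that blocks a fraction e of successful attempts leaves (1 - e) of the vulnerability."""
    reduced = Scenario(s.name, s.threat, s.vulnerability * (1.0 - control_effectiveness), s.impact)
    return annual_risk(reduced)


def rank(scenarios):
    """Order scenarios by annual expected loss, highest first."""
    return sorted(scenarios, key=annual_risk, reverse=True)


# Constructed scenarios for illustration only.
SCENARIOS = [
    Scenario("phishing leads to credential theft", threat=0.8, vulnerability=0.25, impact=200_000),
    Scenario("SQL injection on customer portal", threat=0.6, vulnerability=0.5, impact=500_000),
    Scenario("exploit of a service that is fully patched", threat=0.9, vulnerability=0.0, impact=1_000_000),
    Scenario("tampering with an unreachable internal tool", threat=0.0, vulnerability=0.9, impact=300_000),
]


if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{annual_risk(s):>12,.0f}  {s.name}")
    sqli = SCENARIOS[1]
    print(f"SQL injection after parameterised queries (90% effective): {residual_risk(sqli, 0.9):,.0f}")
```

The third and fourth scenarios are the two zero-risk cases from the text: a live threat against a system with no vulnerability, and a vulnerable system that no threat can reach. Both carry a large impact figure and still contribute nothing, which is the practical reason the product form is preferred over adding the factors.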
References
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I.
(2017). Multicriteria decision framework for cybersecurity risk assessment and
management. Risk Analysis.
Macher, G., Armengaud, E., Brenner, E., & Kreiner, C. (2016, September). A review of threat
analysis and risk assessment methods in the automotive context. In International
Conference on Computer Safety, Reliability, and Security (pp. 130-141). Springer, Cham.
Mattsson, L. G., & Jenelius, E. (2015). Vulnerability and resilience of transport systems–a
discussion of recent research. Transportation Research Part A: Policy and Practice, 81,
16-34.
Radanliev, P., De Roure, D. C., Nicolescu, R., Huth, M., Montalvo, R. M., Cannady, S., &
Burnap, P. (2018). Future developments in cyber risk assessment for the internet of
things. Computers in Industry, 102, 14-22.
Shah, S., & Mehtre, B. M. (2015). An overview of vulnerability assessment and penetration
testing techniques. Journal of Computer Virology and Hacking Techniques, 11(1), 27-49.
Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information
security risk assessment (ISRA). Computers & security, 57, 14-30.
Shedden, P., Ahmad, A., Smith, W., Tscherning, H., & Scheepers, R. (2016). Asset Identification
in Information Security Risk Assessment: A Business Practice Approach. CAIS, 39, 15.
Singhal, A., & Ou, X. (2017). Security risk analysis of enterprise networks using probabilistic
attack graphs. In Network Security Metrics (pp. 53-73). Springer, Cham.
Swartz, J. R., Knodt, A. R., Radtke, S. R., & Hariri, A. R. (2015). A neural biomarker of
psychological vulnerability to future life stress. Neuron, 85(3), 505-511.
Tweneboah-Koduah, S., & Buchanan, W. J. (2018). Security Risk Assessment of Critical
Infrastructure Systems: A Comparative Study. The Computer Journal.