Information System Security Engineering and Management
Additional slides for INFORMATION SECURITY RISK MANAGEMENT
Dr. William Hery, hery@isis.poly.edu
Two Clarifications From Last Week
• Since we are only looking at IT security, for our purposes an asset is at risk because some IT asset is at risk. An IT asset may be information, a process run on the IT system, or a piece of IT equipment. The corresponding “real world” asset is used to put a value on the IT asset. These added slides relate the IT assets to the “real world” assets discussed in the POSA example last week.
• Examples should have been included of the risks expressed as asset, threat, vulnerability combinations.
POSA Functional Diagram (figure: numbered message flows among USER, Register, POSA and CFAC; flow labels as recovered from the slide: 1 Sale information, 2 Display Sale Info, 3 User CC information, 4 Sale & user information, 5 Y/N, 6 Y/N, 7 Complete Trans., 8 Complete transaction)
Store Assets at Risk
• Value of purchase (for incorrect approval)
  • IT assets: the approval process integrity, customer credit card data confidentiality
• Loss of purchase profit (for incorrect denial, POSA unavailability)
  • IT assets: the approval process integrity, system availability
• Loss of customer good will (for incorrect denial, unavailability)
  • IT assets: the approval process integrity, system availability
• Store ability to process sales (if CFAC is taken down by an attack through POSA)
  • IT assets: system availability
• Corporate reputation (for repeated problems, publicized problems)
  • IT assets: system availability, the approval process integrity, customer credit card data confidentiality
• …
Credit Card Holder Assets at Risk
• Credit card number/pin
• Time, ability to purchase (for incorrect denial, unavailability due to cancelled card)
• $50 (for incorrect approval on a lost/stolen card used by someone else)
• $50 (for use of a credit card number stolen through the system)
• Time cost to correct problem & possible temporary loss of credit (for use of a credit card number stolen through the system)
• Temporary use of checking account (for use of a debit card number/pin stolen through the system)
  • IT assets: approval system integrity, card number/pin confidentiality
• …
Credit Card Company Assets at Risk
• Credit card number/pin
• Amount of purchase (for incorrect approval)
  • IT asset: customer credit card data confidentiality
• …
Sample POSA Risks
• Confidentiality of customer information, read by
  • insiders using internal network vulnerabilities
  • insiders using POSA terminal vulnerabilities
  • insiders using POSA-register link vulnerabilities
  • hackers using vulnerabilities on Internet connections
• Integrity of verification process, modified by
  • insiders using internal network vulnerabilities
  • insiders using POSA-register link vulnerabilities
  • insiders using POSA terminal vulnerabilities
  • insiders using vulnerabilities on Internet connections
• Availability of verification process, attacked by…
• ...
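The two points these slides make, that each risk is an (asset, threat, vulnerability) triple and that an IT asset is valued through the real-world assets that depend on it, can be joined in a small risk register. The following is an added example, not part of the lecture's slides; the asset names and the grouping of the card holder's and card company's assets are condensed from the slides above, and the join in exposure_by_stakeholder is my own construction.

```python
from dataclasses import dataclass

# IT assets of the POSA system named on the slides.
INTEGRITY = "approval process integrity"
CONFID = "customer credit card data confidentiality"
AVAIL = "system availability"

@dataclass(frozen=True)
class RealWorldAsset:
    stakeholder: str
    name: str
    it_assets: tuple[str, ...]  # IT assets whose compromise puts this asset at risk

# Real-world assets and the IT assets they depend on (condensed from the slides).
REAL_WORLD: list[RealWorldAsset] = [
    RealWorldAsset("store", "value of purchase", (INTEGRITY, CONFID)),
    RealWorldAsset("store", "purchase profit", (INTEGRITY, AVAIL)),
    RealWorldAsset("store", "customer good will", (INTEGRITY, AVAIL)),
    RealWorldAsset("store", "ability to process sales", (AVAIL,)),
    RealWorldAsset("store", "corporate reputation", (AVAIL, INTEGRITY, CONFID)),
    RealWorldAsset("card holder", "card number/pin, $50 liability, time", (INTEGRITY, CONFID)),
    RealWorldAsset("card company", "amount of purchase, card number/pin", (CONFID,)),
]

@dataclass(frozen=True)
class Risk:
    it_asset: str       # what is harmed
    threat: str         # who or what acts
    vulnerability: str  # where the weakness lies

# Risks written as (asset, threat, vulnerability) triples, from the "Sample POSA Risks" slide.
RISKS: list[Risk] = [
    Risk(CONFID, "insider", "internal network"),
    Risk(CONFID, "insider", "POSA terminal"),
    Risk(CONFID, "insider", "POSA-register link"),
    Risk(CONFID, "external attacker", "Internet connection"),
    Risk(INTEGRITY, "insider", "internal network"),
    Risk(INTEGRITY, "insider", "POSA-register link"),
    Risk(INTEGRITY, "insider", "POSA terminal"),
    Risk(INTEGRITY, "insider", "Internet connection"),
]

def impacted(it_asset: str) -> set[tuple[str, str]]:
    """Real-world (stakeholder, asset) pairs exposed when this IT asset is compromised."""
    return {(a.stakeholder, a.name) for a in REAL_WORLD if it_asset in a.it_assets}

def exposure_by_stakeholder() -> dict[str, set[Risk]]:
    """Join each risk triple to the stakeholders it reaches through its IT asset."""
    out: dict[str, set[Risk]] = {}
    for r in RISKS:
        for stakeholder, _ in impacted(r.it_asset):
            out.setdefault(stakeholder, set()).add(r)
    return out
```

Running exposure_by_stakeholder shows that the card company is reached only by the four confidentiality risks, while the store and the card holder are reached by all eight, which is the valuation step the first clarification slide describes.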