Appendix: Fast risk analysis

Table A.1 (continued): Id, Description, Probability, Impact

R9 Internal attack leading to unauthorized modification of data:
  Description: This is an attack carried out from the internal network by a user with no special privileges. The attack leads to a modification of published data. This attack includes notably the hacking of Web pages.
  Probability: Low: Thorough selection procedures for internal staff; limited use of external service providers.
  Impact: High: Damage to reputation; probable loss of customers; long-term sustained damage to the image of the bank.

R10 Internal attack leading to unauthorized modification of Web server configuration:
  Description: This is an attack carried out from the internal network by a user with no special privileges. The attack leads to some form of reconfiguration of the Web server software.
  Probability: Low: Thorough selection procedures for internal staff; limited use of external service providers.
  Impact: High: Possible change in behavior of Web server; if visible, will result in damage to reputation; may facilitate attack on data.

R11 Internal attack leading to unauthorized modification of system configuration:
  Description: This is an attack carried out from the internal network by a user with no special privileges. The attack leads to some form of reconfiguration of the OS.
  Probability: Low: Thorough selection procedures for internal staff; limited use of external service providers.
  Impact: High: Loss of control of OS configuration; facilitates attack on Web server configuration and data; may be used as a basis for penetrating the internal network.

R12 Internal attack leading to compromise of user workstations by implementing malicious mobile code:
  Description: This is an attack carried out from the internal network by a user with no special privileges. The attack involves the installation of malicious mobile code components on the server. These components are then downloaded by clients and result in local damage to the client.
  Probability: Low: Thorough selection procedures for internal staff; limited use of external service providers.
  Impact: High: Damage to reputation; probable loss of customers; possible legal action against the bank.

R13 Internal attack resulting in denial of service:
  Description: This is an attack carried out from the Internet that leads to denial of service.
  Probability: Low: Thorough selection procedures for internal staff; limited use of external service providers.
  Impact: Medium: Limited impact on reputation; limited impact on home-banking clients.

R14 Spoofing of the site by a third party:
  Description: This is when a third party sets up a spoofed site in order to lure clients into risky financial investments. The site uses similar logos and design characteristics.
  Probability: Low: Attack judged to be difficult to carry out.
  Impact: Medium: Newer clients may trust the site and engage in risky investments; established clients are expected to check first with their contact point.

R15 Unavailability of service due to fire, flood, or other environmental causes:
  Description: This covers all natural disasters.
  Probability: Low.
  Impact: Medium: Limited impact on reputation; limited impact on home-banking clients.

Table A.2 Results of Risk Analysis: Id, Mitigating Service, Residual Risk, Comments

R1
  Firewall services: A limitation of protocols and services through router directives, packet filtering, and proxy services.
  Network intrusion detection: NIDS on Web perimeter segment.
  Residual risk: Low.
  Comments: Network authentication service will be required once home banking is implemented.

R2
  Firewall services: Limitation of protocols and services through router directives, packet filtering and proxy services.
  Network intrusion detection: NIDS on Web perimeter segment.
  Defensive configuration of Web server: The configuration of the Web server is verified by a host-oriented scanning tool on a periodic basis.
  Residual risk: Low.
  Comments: Host-oriented security scanner must be capable of recognizing and analyzing Web server software.

R3
  Firewall services: Limitation of protocols and services through router directives, packet filtering, and proxy services.
  Network intrusion detection: NIDS on Web perimeter segment.
  Defensive configuration of OS: The configuration of the OS is verified by a network scanning tool.
  Residual risk: Low.

R4
  Firewall services: Limitation of protocols and services through router directives, packet filtering, and proxy services.
  Network intrusion detection: NIDS on Web perimeter segment.
  Defensive configuration of Web server: Cryptographic checksums are kept for mobile code components. The configuration of the Web server is verified by a host-oriented scanning tool on a periodic basis.
  Residual risk: Low.
  Comments: Home banking will require additional protection, and downloaded code should be signed.

R5
  Firewall services: Limitation of protocols and services through router directives, packet filtering and proxy services.
  Network intrusion detection: NIDS on Web perimeter segment.
  Backup server: A backup server that can be brought on-line in less than 30 minutes will be maintained at a remote site.
  Residual risk: Low.
  Comments: Requires fail-over procedures capable of retrieving data.

R6
  Procedural controls on published material: Data to be published on the Web server will be inspected by a business representative before publication.
  Residual risk: Low.
  Comments: Security staff will be notified in case of problems.

R7
  Procedural controls on published material: Data to be published on the Web server will be inspected by a business representative before publication.
  Residual risk: Low.
  Comments: Security staff will be notified in case of problems.

R8
  Risk accepted: Existing random code inspection procedures are judged to be sufficient.
  Residual risk: Low.

R9
  Network segregation: Network segregation techniques will be used to limit the visibility of the Web server from the internal networks.
  Residual risk: Low.
  Comments: Implemented as packet-filtering rules on internal router and internal interface of firewall.

R10
  Network segregation: Network segregation techniques will be used to limit the visibility of the Web server from the internal networks.
  Residual risk: Low.
  Comments: Implemented as packet-filtering rules on internal router and internal interface of firewall.

R11
  Network segregation: Network segregation techniques will be used to limit the visibility of the Web server from the internal networks.
  Residual risk: Low.
  Comments: Implemented as packet-filtering rules on internal router and internal interface of firewall.

Table A
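The checksum mitigation for mobile code components (R4) and the detection side of unauthorized modification of published data (R9) can be exercised with a small integrity manifest. This is an added example, not code from the book; the function names, the manifest layout and the tracked file suffixes are assumptions made here.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not the book's code): a checksum manifest for the published Web tree,
# in the spirit of "cryptographic checksums are kept for mobile code components" (R4)
# and detecting unauthorized modification of published data (R9). Function names,
# the manifest format and the tracked suffixes are assumptions of this example.
# Keep the approved manifest off the Web server (or signed): an attacker able to
# modify published content could otherwise modify an on-host manifest as well.

TRACKED = (".html", ".js", ".class", ".jar")  # assumed: pages plus mobile code components

def file_digest(path: Path) -> str:
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each tracked file (relative POSIX path) under root to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in TRACKED}

def verify_manifest(root: Path, approved: dict) -> dict:
    """Compare the live tree with the approved manifest; three empty lists means clean."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in approved if k in current and current[k] != approved[k]),
        "missing": sorted(k for k in approved if k not in current),
        "added": sorted(k for k in current if k not in approved),
    }

def demo() -> dict:
    """Constructed sample: approve a small tree, then deface a page, drop a component and add a script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "applet").mkdir()
        (root / "index.html").write_text("<h1>Welcome to home banking</h1>")
        (root / "applet" / "banking.jar").write_bytes(b"PK\x03\x04 constructed jar bytes")
        (root / "logo.gif").write_bytes(b"GIF89a")             # untracked suffix, ignored
        approved = build_manifest(root)
        (root / "index.html").write_text("<h1>defaced</h1>")   # R9: published data modified
        (root / "applet" / "banking.jar").unlink()             # approved component missing
        (root / "extra.js").write_text("// unapproved script") # unapproved code added
        return verify_manifest(root, approved)
```

Run `demo()` to see the three findings; in practice the manifest is rebuilt by the business-representative review step (R6/R7) and the periodic verification run feeds the security staff notification mentioned in the comments.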