Dec 17th, 2018
Case Exercise 1: Writing a security policy for an asset

We did the exercise by brainstorming about the most critical aspects of maintaining a secure database, and these ideas came to our minds.

Our chosen asset is a database containing product cost data. In our example, the database has never been breached before and therefore it is an object-based approach. The asset is also a mix between an information asset and a software asset.

When writing the policy, we must consider at least the following issues regarding the database and its contents:

Identifying the asset:

The following aspects should be taken into account when creating a security policy for a database.

- Available budget: How many resources we can assign to securing this critical asset.

- Location: In the server room, located in the IT department.

- Characteristic properties: Contains vital information for the continuation of the business. The information is in digital form.

- Sensitivity: Critical, confidential (the business depends on the database being available for proper use)

- Availability: Can only be used or modified by authorized employees.

- Impact on profitability: High (contains product cost data)

Identifying the threats (using a threat taxonomy):

- Natural threats: Low (major natural incidents are very rare in Finland)

- Man-made threats

  - Accidental: Medium (human error, software fault, hardware fault)

  The largest risk is human error when handling the database, because software and hardware are usually more reliable than people.

  - Intentional: Medium (hacker, insider)

  There is always a risk of some employees leaking data outside for personal gain, or a chance of getting hacked.

Identifying vulnerabilities:

Possible vulnerabilities in our system could be:

- An out-of-date operating system or software versions on the server. (Impact: High, Likelihood: Low)

- Out-of-date software versions on other linked devices such as routers. (Impact: High, Likelihood: Very high)

- An e-mail attack targeting our database users. (Impact: Low to High, Likelihood: Very high)

Authors: Tomi Lindfors & Juuso Myllylä
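The impact and likelihood ratings given for the three vulnerabilities are qualitative and are not combined into a priority order in the exercise. As an added example (not part of the original exercise), the Python script below parses ratings written in the same "Impact: … Likelihood: …" form as above, treats a range such as "Low to High" as a best-case/worst-case span, and ranks the vulnerabilities with a simple risk matrix. The ordinal scale (Low = 1 up to Very High = 4), the impact × likelihood scoring and the band thresholds are assumptions chosen for illustration; the exercise itself defines none of them.

```python
import re
from dataclasses import dataclass

# Assumed ordinal scale for the qualitative levels used on the page (not defined there).
LEVELS = {"low": 1, "medium": 2, "high": 3, "very high": 4}

# Matches the page's own rating form, tolerating the inconsistent spacing it uses.
RATING_RE = re.compile(
    r"Impact:\s*(?P<impact>.+?)\s+Likelihood:\s*(?P<likelihood>.+)", re.IGNORECASE
)


@dataclass
class Risk:
    vulnerability: str
    impact: tuple      # (best case, worst case) on the ordinal scale
    likelihood: tuple  # (best case, worst case) on the ordinal scale

    @property
    def worst_score(self) -> int:
        return self.impact[1] * self.likelihood[1]

    @property
    def best_score(self) -> int:
        return self.impact[0] * self.likelihood[0]


def parse_level(text: str) -> tuple:
    """Turn 'High' or 'Low to High' into an ordinal (min, max) range."""
    parts = [p.strip().lower() for p in re.split(r"\s+to\s+", text.strip(), flags=re.IGNORECASE)]
    values = [LEVELS[p] for p in parts]  # KeyError on a level outside the assumed scale
    return (min(values), max(values))


def parse_rating(vulnerability: str, rating: str) -> Risk:
    """Parse one 'Impact: X Likelihood: Y' string into a Risk record."""
    m = RATING_RE.search(rating)
    if not m:
        raise ValueError(f"unrecognised rating: {rating!r}")
    return Risk(vulnerability, parse_level(m["impact"]), parse_level(m["likelihood"]))


def band(score: int) -> str:
    """Assumed 4x4 risk-matrix bands for a product score in the range 1..16."""
    if score <= 2:
        return "Low"
    if score <= 6:
        return "Medium"
    if score <= 9:
        return "High"
    return "Critical"


def rank(risks: list) -> list:
    """Worst case first; ties broken by best case, then by name for a stable order."""
    ordered = sorted(risks, key=lambda r: (-r.worst_score, -r.best_score, r.vulnerability))
    return [(r.vulnerability, r.worst_score, band(r.worst_score)) for r in ordered]


# The three vulnerabilities and the ratings stated in the exercise, copied as written.
PAGE_VULNERABILITIES = [
    ("Out-of-date OS or software on the server", "Impact: High Likelihood: Low"),
    ("Out-of-date software on linked devices such as routers", "Impact: High Likelihood:Very high"),
    ("E-mail attack targeting database users", "Impact:Low to High Likelihood: Very high"),
]


def assess_page_vulnerabilities() -> list:
    """Return (vulnerability, worst-case score, band) tuples, highest priority first."""
    return rank([parse_rating(name, rating) for name, rating in PAGE_VULNERABILITIES])


if __name__ == "__main__":
    for name, score, level in assess_page_vulnerabilities():
        print(f"{level:8} {score:2}  {name}")
```

Under these assumptions the linked devices and the e-mail attack both score 12 (Critical) and the server OS scores 3 (Medium), which follows directly from the "Very high" likelihood ratings in the exercise. Ranges are prioritised by their worst case, while the best-case score is kept so that a reviewer can see how much an estimate such as "Low to High" could shrink once the affected data is known more precisely.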
  51.  
Case Exercise 3: Choose an asset, and using the worksheet for assessing impact and impact levels of a threat, explain your choice of impact levels for each of the 4 impacts.
The worksheet can be found on slide 44 of the Security Risk Management slides, and page 82 of Raggad, 2010.

Asset: Database containing customer credit card information

Impact 1: Unauthorized Disclosure of Information

Level of impact: Very High

A leak of our database information would have a high business impact, since our customers' credit card information could potentially spread around.
This would likely make both our current and new customers less likely to trust us in security matters and also in our products. It could possibly even lead to bankruptcy.

Impact 2: Unauthorized Modification of Data

Level of impact: Low to High

This varies greatly with the modified data, but any modification made by unauthorized users results in a loss of integrity. This could result in confused employees and customers, since some clients could be charged for payments they did not make, etc.

Impact 3: Disruption of Functions/Services

Level of impact: Low to Medium

This could possibly be caused by a DDoS attack, which could take our servers down and make our systems unable to process transactions. If the attack lasts longer than a couple of hours, it might result in a higher loss of profits.

Impact 4: Deceptive Actions

Level of impact: None

We couldn't come up with any deceptive actions against a database.

Authors: Tomi Lindfors & Juuso Myllylä