CASES.LU


Risk processing

In brief

A company that seeks to protect itself will try to deal with the risks (threat, vulnerability, impact) confronting it. To do this, it can proceed along more or less formal lines:

  • a formal risk management process, covering the important and vital assets of the company
  • the application of best practices for the various types of assets, without carrying out a formal risk analysis
  • analysis of the most widespread threats for certain types of assets and the application of appropriate measures
  • analysis of the most feared impacts and the application of the measures necessary to prevent them
  • analysis of the most easily exploitable vulnerabilities and the implementation of measures to reduce them

A formal risk management strategy remains the recommended approach. Since it is fairly complex, however, a company may well choose a less formal method based mainly on “quick wins”, experience and best practices.

For dealing with a risk, a company usually has the following options:

  • lowering the risk by applying security measures
  • avoiding the risk by stopping the process in question
  • transferring the risk to another entity (outsourcing, insurance)
  • accepting the risk as it is (when no treatment is economically justified)
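The following is an added example, not code from the CASES.LU page: a small risk register that scores each risk from the three components named above and selects one of the four treatment options. The 1-4 scales, the acceptance threshold and the cost figures are assumptions made for the illustration.

```python
# Added example: choosing a treatment for each risk in a register.
# Scoring scale, acceptance threshold and costs are assumed values.
from dataclasses import dataclass, field

SCALE = range(1, 5)        # assumed: 1 = very low ... 4 = very high
ACCEPTABLE_RISK = 8        # assumed: scores below this are accepted as is


@dataclass
class Risk:
    asset: str
    threat: int            # likelihood that the threat occurs
    vulnerability: int     # how exposed the asset is to that threat
    impact: int            # damage if the threat materialises
    expected_loss: int     # assumed yearly loss (EUR) if left untreated
    # candidate treatments: option -> (yearly cost, residual risk score)
    treatments: dict = field(default_factory=dict)

    def score(self) -> int:
        """Risk score as the product of threat, vulnerability and impact."""
        for v in (self.threat, self.vulnerability, self.impact):
            if v not in SCALE:
                raise ValueError(f"component out of range: {v}")
        return self.threat * self.vulnerability * self.impact


def choose_treatment(risk: Risk) -> str:
    """Return 'accept', 'reduce', 'avoid' or 'transfer' for one risk."""
    if risk.score() < ACCEPTABLE_RISK:
        return "accept"          # already below the acceptance threshold
    # A treatment is only worth applying if it brings the residual risk
    # under the threshold AND costs less than the loss it prevents.
    viable = {
        option: cost
        for option, (cost, residual) in risk.treatments.items()
        if residual < ACCEPTABLE_RISK and cost < risk.expected_loss
    }
    if not viable:
        return "accept"          # no treatment is economically desirable
    return min(viable, key=viable.get)   # cheapest justified option


def process_register(risks: list) -> dict:
    """Map each asset to its chosen treatment, highest risk first."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return {r.asset: choose_treatment(r) for r in ordered}
```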

Risk management strategy

Formal risk management is the most effective way to deal with risks. Without the right tools, however, this strategy is beyond the reach of most organisations for reasons of cost and complexity.

Before setting off on this road to excellence, a lot of companies prefer to opt for a more pragmatic strategy.

Best practices strategy

A company that has decided not to follow a formal risk management method can nevertheless achieve a high level of security by adopting best practices for the various types of assets. This strategy is not enough, however, if the company has very specific security needs.

It can also prove costly for companies with low security requirements, as it introduces best practices without taking the company's true needs into account.

The adoption of best practices is recommended in the following fields:

The adoption of best practices in the following fields is also advisable:

Non-exhaustive strategies

To deal with risks, a company may therefore decide to implement a risk management process or to apply best practices for the different types of assets.

Alongside these more or less exhaustive strategies, which all focus on protecting the company's important and vital assets, a company can also start from the threats and vulnerabilities themselves. This approach is not exhaustive and should not be deemed sufficient, as it does not focus on the company's important or vital assets.

Threat analysis

A threat analysis is an optional approach that allows certain threats to be studied in more detail and helps ensure that no threat has been overlooked in the risk management strategy or in the strategy based on best practices.

See: Check list of security measures for SMEs

The most widespread threats are:

Analysis of vulnerabilities

The analysis of vulnerabilities is an optional process that runs alongside the treatment of risks through a risk management process or the implementation of best practices.

Without going into too much detail, four types of vulnerabilities should be addressed. Security measures aim to lower these vulnerabilities and therefore to reduce the corresponding risks.

  • Human vulnerabilities
    Fear, curiosity, libido, greed and pity are examples of human vulnerabilities. They are easily exploited in people who are ill-informed or unaware of the issues.

  • Organisational vulnerabilities
    Without a sound organisation, security measures cannot be effective or efficient. A charter, or even a security policy, should be introduced.

  • Technical vulnerabilities
    There are many technical vulnerabilities: errors in the operating system or in software, missing or erroneous firewall rules, etc. Security measures must be introduced in order to mitigate them.

  • Physical vulnerabilities
    In terms of physical security, many companies have weaknesses that it is important to eliminate.
