Development and operations a practical guide



Date: 11.02.2023
Joe Vest, James Tubberville, Red Team Development and Operations
Risk Matrices Comparison
Risk matrices are a great way to add a visual element to a report to provide additional context and understanding. A risk matrix is commonly used to estimate the degree of severity and the probability or level of some impact of a specific discrete vulnerability or finding.
3 × 3 risk matrix example
The 3 × 3 risk matrix is arguably the most common in security reports. It is relatively simple and provides nine possible levels to assign risk. This type of rating is highly subjective. It is challenging for a security tester (vulnerability, penetration, or red team) to accurately rate impact or probability in terms of risk to operations. This leads to ratings focused at the technical level. While this is useful, it doesn't always provide leadership the view needed to make an informed decision on applying mitigations using their limited resources.
Likelihood: The probability that an event will occur:

Low – Not likely to occur

Medium – May occur

High – Probably will occur
Impact: The expected result of an event (degree of injury, property damage, or other mission-impairing factors) measured as:

Low – Limited impact on operations

Medium – Noticeable impact on operations

High – Significant impact on operations
5 × 5 risk matrix example
The 5 × 5 risk matrix is an extended version of the 3 × 3. The usage is the same, but it provides a bit more granularity. This can help fine-tune the rating but suffers from similar limitations. It does offer a method to view risk in terms of operations instead of discrete vulnerabilities. The version presented has been adopted and modified from the U.S. Army [21] and NIST [22] to focus on operation impact instead of mission impact.
Probability: The likeliness that an event will occur:

Frequent – Occurs often

Likely – Occurs several times in x period

Occasional – Occurs sporadically

Seldom – Unlikely but could occur

Unlikely – Probably will not occur
Severity: The expected result of an event (degree of injury, property damage, or other mission-impairing factors) measured as:

Catastrophic – Direct impact, usually of long duration if not permanent

Critical – Significant impact stops or halts operation

Moderate – Noticeable loss reduces/slows operation/production

Marginal – Limited loss noticed but does not halt operation

Negligible – Some loss unnoticed if not monitored closely
The key construct in these matrices is vulnerability. As stated several times throughout this book, Red Teaming is not vulnerability focused. Given that thought process, a Red Team's engagement should be constructed as a narrative of threat actions. Below are a few questions that can help determine the impact and shape the Red Team's goals. Refer to the Red Team Goals section of this book for more details. These questions should directly reflect the goals created during engagement planning.
Questions to consider when developing red team goals:

What ability does an adversary have to access common areas?

What ability does an adversary have to access restricted areas?

Can an adversary use gained access to enable electronic capabilities?

What impacts can an adversary have with gained access?

Can an adversary access key/critical systems?

What impacts can an adversary have on a key/critical system?

What ability does an adversary have to move through a network freely?

How long can an adversary live on target without discovery?

What actions are required to trigger a detection/response?
These questions shift the focus to measuring or understanding the ability a threat has to perform some action, or the ability the defense has to impact the threat. This leads to the need for an alternate means of providing risk metrics.
