
FIPS PUB 191

The degree to which threats are considered will depend on the boundary and scope defined for the risk management process. A high level analysis may point to threats and vulnerabilities in general terms; a more focused analysis may tie a threat to a specific component or usage of the LAN. For example, a high level analysis may indicate that the consequence due to loss of data confidentiality through disclosure of information on the LAN is too great a risk. A more narrowly focused analysis may indicate that the consequence due to disclosure of personnel data captured and read through LAN transmission is too great a risk. More than likely, the generality of the threats produced in the high level analysis will, in the end, produce safeguard recommendations that are also high level. This is acceptable if the risk assessment was scoped at a high level. The more narrowly focused assessment will produce a safeguard that can specifically reduce a given risk, such as the disclosure of personnel data.

The threats and vulnerabilities discussed in Section 2 may be used as a starting point, with other sources included where appropriate. New threats and vulnerabilities should be addressed when they are encountered.

Any asset of the LAN that was determined to be important enough (i.e., was not filtered out through the screening process) should be examined to determine those threats that could potentially harm it. For more focused assessments, particular attention should be paid to detailing the ways that these threats could occur. For example, methods of attack that result in unauthorized access may include login session playback, password cracking, the attachment of unauthorized equipment to the LAN, etc. These specifics provide more information for determining LAN vulnerabilities and for proposing safeguards.

This process may uncover some vulnerabilities that can be corrected immediately by improving LAN management and operational controls. These improved controls will usually reduce the risk of the threat by some degree, until such time that more thorough improvements are planned and implemented. For example, increasing the length and composition of the password used for authentication may be one way to reduce a vulnerability to password guessing. Using more robust passwords is a measure that can be quickly implemented to increase the security of the LAN. Concurrently, the planning and implementation of a more advanced authentication mechanism can occur.

Existing LAN security controls should be analyzed to determine if they are currently providing adequate protection. These controls may be technical, procedural, etc. If a control is not providing adequate protection, it can be considered a vulnerability. For example, a LAN operating system may provide access control at the directory level rather than the file level. For some users, the threat of compromise of information may be too great not to have file level protection. In this example, the lack of granularity in the access control could be considered a vulnerability.

Figure 3.4 Assigning Likelihood Measure

The likelihood of the threat occurring can be normalized as a value that ranges from 1 to 3. A 1 will indicate a low likelihood, a 2 will indicate a moderate likelihood, and a 3 will indicate a high likelihood.