An asset is said to be at risk when a threat (hacker, disgruntled employee, system user, natural event, structural failure, etc.) has the ability to exploit an asset's vulnerability (weakness, lack of a safeguard). It is widely recognised that attempting to completely remove a threat or vulnerability is impossible for many risk scenarios. Therefore, a good security practice is to have a risk assessment undertaken to help characterise and prioritise risks within an environment.

EWA’s Asset, Threat and Risk Management module can deliver various assessment services to help a company in mitigating its risks. These services can be provided through:

Module 2.1 Network Vulnerability Assessment (NVA) and Penetration Testing
Module 2.2 Application Testing
Module 2.3 Asset Id, Class and Valuation
Module 2.4 Risk Assessment and FRAP Analysis (Facilitated Risk Analysis Process)
Module 2.5 Threat Assessment
 

Module 2.1: Network Vulnerability Assessment (NVA) and Penetration Testing

Organisations that have implemented effective network security solutions may still have holes within their network. Consider that new vulnerabilities in operating systems and applications are regularly identified and reported, with explicit details on how to exploit them.

One important part of a sound security program is to stay a step ahead of the threat from malicious attackers, who know of existing vulnerabilities and will exploit them to threaten your network, steal data, and harm database integrity and availability. Only if you are aware of these threats and vulnerabilities - and assign actions to solve these issues - can you mitigate the serious threats. That's where a network vulnerability assessment (NVA) service is essential.

EWA's network vulnerability assessment can show your network's security posture with respect to specific threats and vulnerabilities. EWA's network vulnerability assessment closely examines your network, then interprets and compares the results against your various business processes to determine whether a perceived vulnerability is indeed valid, is a false positive, or is already addressed by other security controls.

EWA provides a preventative approach to securing your computer networks. EWA's vulnerability assessment can be used to establish a security baseline for you: it scans your systems and finds security weaknesses (vulnerabilities) and the threats to them. EWA's final report highlights the vulnerabilities and threats that can be addressed, prioritises the critical vulnerabilities among the findings and recommends safeguards.

The network vulnerability assessment methodology developed by EWA is effective on both commercial and government network environments and has exposed serious vulnerabilities on systems previously accredited for operational use.

Since all assessments will contain information that is sensitive, EWA ensures it is shared only with those individuals you identify and is kept highly confidential. The phases of EWA's NVA are:

  • Initiation of the project
  • Meet with the stakeholders to signoff for the NVA's Rules of Engagement (ROE)
  • Implement the NVA's ROE
  • Present the NVA findings


Module 2.2: Application Testing

Our assessments aim to assist our clients in achieving improvements across their information security management system. These assessments aim to achieve:

  • Continuity: knowledge acquired in previous efforts is used in future efforts.
  • Repeatability: a way to ensure that projects can repeat a successful effort.
  • Efficiency: a way to help managers, developers, operators and evaluators work more efficiently.
  • Assurance: confidence that security needs are being addressed.


Module 2.3: Asset Id, Class and Valuation

An organisation is the sum of its assets, be they its people, infrastructure, intellectual property, or information systems. To adequately assess the threats and level of risk your organisation is exposed to, you must firstly know what it is within your organisation you are protecting - your Information Assets – and the degree to which those assets should be protected.

EWA-Australia can assist your organisation in identifying the assets that need protection, classifying their importance to the organisation and placing a value on them. From there, a simple Risk Analysis may be applied to discover the degree of protection required to provide an adequate level of protection.

Asset identification, classification and valuation is but one of many steps in the Information Security services offered by EWA-Australia.

Module 2.4: Risk Assessment and FRAP Analysis – Facilitated Risk Analysis Process

EWA’s Risk Management Services have been developed to assist our clients in establishing a risk management framework that is comprehensive whilst providing a format that integrates with existing risk management activities, is simple to implement and that all stakeholders can comprehend and use.

By following this methodology EWA is able to assist our clients in achieving effective organisation-wide decision making through the identification, analysis and management of risks and their likely impact.

EWA has utilised Australian and international best practice, e.g. AS/NZ 4360, to ensure that our clients' Risk Management Frameworks continue to support the organisation whilst the external and internal environments change, e.g. technology or political changes. In line with AS/NZ 4360 our Risk Management Framework ensures that critical business risks are identified, analysed, monitored, reported and managed.

Our staff have developed and constructed risk management frameworks for the following environments:

  • Strategic;
  • Program;
  • Operational; and
  • Project.

EWA assists our clients in implementing Risk Management frameworks in line with national and international standards through the following activities:

  • Interviews
  • Audits
  • Simulation exercises
  • Project Team workshops
  • Provision of Risk Management training and facilitation services.

Conduct of risk assessments.

EWA has provided risk assessment services to our customers in line with both industry standards and specific organisational policies and procedures. EWA has the capability to provide assessments relating to physical, personnel, technology, environmental, perceptual and infrastructure risks. Our risk assessments are also closely related to our other assessment services, particularly our Network Vulnerability Analysis and Threat Analysis services.

Module 2.5: Threat Assessment

Our aim is to assist clients in assessing both threat agents and threat events that may affect the organisation as well as identify possible causes and scenarios for each event.

Step 1 – Identify Threat Agents

The following formula can be used as a method to identify the level of threat for each threat agent:

Threat Agent = Capabilities + Intentions + Past Activities

  • Capability assessment is based upon the Threat Agent’s Resources and Knowledge.
  • Intentions assessment is based upon the Threat Agent’s Motivation and Incentive.
  • Past Activities assessment is based upon historical data relevant to the Threat Agent.

Step 2 - Identify Threat Events

The second step in our Threat Assessment process is to identify relevant threat events. A threat event is the scenario in which a threat agent exploits an existing vulnerability to attack an asset. A threat event can include, but is not limited to:

  • Damage/disruption to communications paths
  • Theft or damage to equipment
  • Software/hardware failure
  • Natural or environmental disaster
  • Denial of service attack
  • Malicious code infection
  • Abuse of privilege by staff

Step 3 - Identify Threat Classes

The RCMP Guide provides a useful approach in that it provides five main classes of threats:

  • Disclosure - assets that have a high confidentiality requirement are sensitive to disclosure. This class of threats compromises sensitive assets through unauthorised disclosure of the sensitive information.

  • Interruption - relates primarily to service assets. Interruption impacts the availability of the asset or service. A power outage is an example of a threat that falls into the interruption class.

  • Modification – the primary impact of this class of threats is on the integrity requirement. Recall that integrity, as defined in the GSP, includes both accuracy and completeness of the information. A hacker attempt would fall into this class of threat if changes were made.

  • Destruction - a threat which destroys the asset falls into the destruction class. Assets that have a high availability requirement are particularly sensitive to destruction. Threats such as earthquake, flood, fire and vandalism are within the destruction class.

  • Removal or Loss - when an asset is subject to theft or has been misplaced or lost, the impact is primarily on the confidentiality and availability of the asset. Portable computers or laptops are particularly vulnerable to the threat of removal or loss.
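The following is an added worked example (not EWA's own tool or method) that turns Steps 1 to 3 above into a small scoring model: each threat agent is scored with the formula Capabilities + Intentions + Past Activities, the threat events listed in Step 2 are mapped to the five RCMP threat classes of Step 3, and each event is ranked for a given asset by threat level multiplied by the asset's requirement for the security property that class impacts. The 1-to-3 scoring scale and the event-to-class assignments are assumptions made for this example; the page itself gives neither.

```python
from dataclasses import dataclass

# Each factor is scored 1 (low) to 3 (high). The scale is an assumption for
# this example; the page gives the formula but no scoring scale.
@dataclass
class ThreatAgent:
    name: str
    resources: int        # Capability = Resources + Knowledge
    knowledge: int
    motivation: int       # Intentions = Motivation + Incentive
    incentive: int
    past_activities: int  # historical data relevant to the agent

    def capability(self) -> int:
        return self.resources + self.knowledge

    def intentions(self) -> int:
        return self.motivation + self.incentive

    def level(self) -> int:
        # Threat Agent = Capabilities + Intentions + Past Activities
        return self.capability() + self.intentions() + self.past_activities

# RCMP Guide threat classes and the security property each primarily impacts.
CLASS_IMPACT = {
    "disclosure": ("confidentiality",),
    "interruption": ("availability",),
    "modification": ("integrity",),
    "destruction": ("availability",),
    "removal_or_loss": ("confidentiality", "availability"),
}

# Threat events listed in Step 2; the class assigned to each is an assumption.
EVENT_CLASS = {
    "damage/disruption to communications paths": "interruption",
    "theft or damage to equipment": "removal_or_loss",
    "software/hardware failure": "interruption",
    "natural or environmental disaster": "destruction",
    "denial of service attack": "interruption",
    "malicious code infection": "modification",
    "abuse of privilege by staff": "disclosure",
}

def rank_threat_events(agent: ThreatAgent, asset_requirements: dict) -> list:
    """Score every threat event for one agent as threat level x the highest
    asset requirement (1-3) among the properties its class impacts; most serious first."""
    scored = []
    for event, cls in EVENT_CLASS.items():
        impact = max(asset_requirements[p] for p in CLASS_IMPACT[cls])
        scored.append((event, cls, agent.level() * impact))
    return sorted(scored, key=lambda s: s[2], reverse=True)
```

For an asset rated high on confidentiality but low on availability, disclosure and removal/loss events rise to the top of the list while interruption events fall to the bottom, which is the prioritisation the threat classes are meant to produce.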

Tools and Techniques

There are a variety of methods available for identifying threat agents, events and classes, examples include:

  • Checklists
  • Previous experience and reports
  • Flowcharts
  • Brainstorming
  • Systems and scenario analysis
  • Systems engineering techniques

Our Information Security specialists have both military information operations and commercial information security experience. EWA-Australia offers completely hardware and software vendor-independent Information Security expertise. We are committed to offering objective, comprehensive, pragmatic solutions for today's information security and privacy protection challenges.

For more information contact infosec@ewa-australia.com


© 2002 EWA-Australia