Methods for analysing and assessing information security risks
This paper provides insight into CRAMM, FRAP, RiskWatch, Microsoft Security Assessment Tool (MSAT), GRIF (ГРИФ) and CORAS, tools used in cybersecurity risk assessment. The recommendations for users are based on a comparative critical analysis of these tools.
Implementing IT and software projects is a complicated and demanding process, associated with many uncertainties and risks. This certainly does not mean that such projects should be rejected; rather, it places more responsibility on the decision-making process for introducing new information technologies. To manage the various problems that project managers face, it makes sense to use specialised risk management software. The functionality of modern risk management systems allows the user to identify risk occurrence, conduct scenario modelling and take better-founded management decisions based on scenario analysis and mathematical calculations. All of this functionality helps the project manager optimise business activities in accordance with risk management practices and ensures better coordination and balance inside the project team. A wide range of project management software is currently available, but it is reasonable to analyse it in terms of applicability to specific IT projects. The author reviews the most appropriate software solutions for risk management in the IT area, conducts a competitive analysis and provides recommendations on software selection.
The software development process today faces many challenges and risks. To manage those risks, we need to understand the scope and objectives of the software development effort and use an appropriate automated risk management tool. The study addresses risk management in the software development area and an approach to analysing, structuring and evaluating risk with the help of specialised automated tools. The author provides recommendations on how to define a set of selection criteria for automated tools and analyses the growing demand for hosted services and web applications, stressing that almost any software, including risk management tools, can be run successfully in this way.
This paper overviews the core technologies implemented by a comparatively new class of products on the information security market: web application firewalls. Web applications are a widely used and convenient way of giving remote users access to corporate information resources. They can, however, become a single point of failure that renders the whole information infrastructure unreachable for legitimate clients. To prevent malicious access attempts against back-end information resources and, as an intermediary, against the web server, a new class of information security solutions has been created. Web application firewalls operate at the highest, seventh layer of the ISO/OSI model and serve as a controlling tunnel for all traffic heading to and from the company's web application server(s). To ensure adequate traffic monitoring and intrusion prevention, web application firewalls are equipped with various mechanisms for checking the "normality" of data exchange sessions. These mechanisms include protocol checking routines, machine learning techniques, traffic signature analysis and more dedicated means such as prevention of denial of service, XSS injection and CSRF attacks. The ability to research and add user-defined rules to be processed alongside vendor-provided ones is important, since every company has its own security policy and the web application firewall should therefore give security engineers ways to tune its rules to reflect that policy more precisely. This research is based on extensive practical experience integrating web application firewalls into the security landscape of various organisations, administering and customising them. We illustrate our review of the available filtering mechanisms and their implementations with example product features from market leaders, diagrams and screenshots from real web application firewall systems.
Keywords: portfolio approach, VaR concept, risk hedging, hedge premium, company value