Risk Analysis

Each issue is scored for Likelihood and Impact as the average (Avg) and standard deviation (Stdev) of the assessors' ratings, which range from 1.0 to 3.0. Computed Risk is the average Likelihood multiplied by the average Impact, taken before rounding, which is why, for example, M6 shows 2.0 × 2.8 = 5.5 rather than 5.6.

Security Issues - Intentional or malicious attacks

| ID | Description | Likelihood Avg | Likelihood Stdev | Impact Avg | Impact Stdev | Computed Risk |
|----|-------------|----------------|------------------|------------|--------------|---------------|
| | Misuse of LCG resources - CPU, storage, network etc. | | | | | |
| M1 | Resources used to launch online attacks on other sites via DoS, viruses, worms, spam etc. | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| M2 | Resources used for offline attacks on other sites, e.g. to crack passwords or pass phrases | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| M3 | Resources used to distribute or share non-LCG data, e.g. copyrighted, illegal, or inappropriate material | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| M4 | Resources misused by inappropriate setting of access control or priority | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| M5 | Use of LCG resources by unauthorized parties | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| M6 | Use of LCG resources for unauthorized purposes, e.g. financial gain | 2.0 | 0.0 | 2.8 | 0.5 | 5.5 |
| | Confidentiality and data integrity issues | | | | | |
| C1 | Theft of credentials, e.g. private keys | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| C2 | Data or passwords/pass phrases exposed, e.g. in unprotected files or on the network | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| C3 | Falsification of scientific data, analysis and/or results | 1.8 | 0.5 | 3.0 | 0.0 | 5.3 |
| C4 | Unauthorized monitoring of network communications | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| C5 | Unauthorized access to data | 3.0 | 0.0 | 1.0 | 0.0 | 3.0 |
| C6 | Unauthorized distribution or exposure of data | 2.8 | 0.5 | 2.0 | 0.0 | 5.5 |
| C8 | Identity or usage information is harvested by unauthorized persons | 2.0 | 0.0 | 1.0 | 0.0 | 2.0 |
| | Disruption of LCG infrastructure for political or other reasons | | | | | |
| D1 | Disruption via exploitation of security holes | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| D2 | Corruption of or damage to data | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |
| D3 | DoS attacks towards LCG to prevent normal working of network or services | 1.8 | 0.5 | 3.0 | 0.0 | 5.3 |
| D5 | "Poisoned" resources are deployed on LCG to confuse operations, debugging or results | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |
| D6 | Attack by disgruntled users, employees or ex-employees | 1.0 | 0.0 | 3.0 | 0.0 | 3.0 |
| D7 | Use of "social engineering" methods to attack LCG resources | 3.0 | 0.0 | 2.0 | 0.0 | 6.0 |
| D8 | Damage caused by viruses, worms, trojans or back-doors | 3.0 | 0.0 | 3.0 | 0.0 | 9.0 |
| D9 | Misleading trouble reports to the GOC or incident response mechanisms, to disrupt operations or damage reputation | 1.0 | 0.0 | 2.0 | 0.0 | 2.0 |
| D10 | Modification or defacement of user interfaces, documentation, monitoring etc., for disruption or advertising | 2.0 | 0.0 | 2.0 | 0.0 | 4.0 |
| | Other attacks | | | | | |
| O1 | Theft of systems | 1.8 | 0.5 | 1.3 | 0.5 | 2.2 |
| O2 | Theft of software | 1.0 | 0.0 | 1.0 | 0.0 | 1.0 |
| O3 | Physical sabotage of systems | 1.0 | 0.0 | 1.3 | 0.5 | 1.3 |
| O4 | Theft of primary or backup data media | 1.0 | 0.0 | 2.8 | 0.5 | 2.8 |

Security Issues - Non-intentional or accidental

| ID | Description | Likelihood Avg | Likelihood Stdev | Impact Avg | Impact Stdev | Computed Risk |
|----|-------------|----------------|------------------|------------|--------------|---------------|
| A1 | Unauthorized use resulting from insecure middleware or bad security design/implementation | 2.0 | 1.0 | 2.7 | 0.6 | 5.3 |
| A2 | Development process results in insecure middleware | 2.7 | 0.6 | 2.3 | 0.6 | 6.2 |
| A3 | Deployment process results in insecure middleware | 1.7 | 0.6 | 2.3 | 0.6 | 3.9 |
| A4 | Development process results in poor fault tolerance and effective loss of service (snowballing failure) | 2.0 | 1.0 | 2.3 | 0.6 | 4.7 |
| A5 | Deployment process results in poor fault tolerance and effective loss of service (snowballing failure) | 1.3 | 0.6 | 2.3 | 0.6 | 3.1 |
| A6 | Failure to perform security audit of new software | 2.7 | 0.6 | 1.7 | 0.6 | 4.4 |
| A7 | Lack of timely patching of systems and middleware for security holes | 2.0 | 1.0 | 2.7 | 0.6 | 5.3 |
| A8 | The need to incorporate legacy resources/applications prevents addressing security holes | 1.7 | 0.6 | 2.7 | 0.6 | 4.4 |
| A9 | Problems from misleading or missing documentation | 1.3 | 0.6 | 1.7 | 0.6 | 2.2 |
| A10 | Lack of critical security services, e.g. CRLs at CAs | 1.7 | 0.6 | 2.0 | 1.0 | 3.3 |
| A11 | Hardware faults | 1.0 | 0.0 | 1.3 | 0.6 | 1.3 |
| A12 | Disasters, e.g. fire or flood | 1.0 | 0.0 | 2.0 | 1.0 | 2.0 |
| A13 | Accidental corruption of or damage to data | 1.3 | 0.6 | 2.0 | 0.0 | 2.7 |
| A14 | Lack of knowledge and/or insufficient training of management, operations and support staff | 2.0 | 0.0 | 1.7 | 0.6 | 3.3 |
| A15 | Security infrastructure is not well matched to user requirements or expectations, and therefore too restrictive or too open | 2.0 | 0.0 | 1.7 | 0.6 | 3.3 |
| A16 | LCG authorization controls are insufficient to allow effective management by VOs, groups or users | 1.7 | 0.6 | 2.3 | 0.6 | 3.9 |