 

LESSON 27



RISK ASSESSMENT [1]

Task 1. Read and translate the text:


I. Risk assessment should be among the first steps in your design process, and will help you frame your further efforts to design a... (систему безопасности). Making risk assessment a priority will also help you... (убедить) your executive officers to be both informed about and integral to the beginnings of your securely designed project. During the risk assessment phase of design, you may find important supporters and champions among the executive officers: you should actively recruit their participation if they're not... (еще не вовлечены).

II. Business majors and MBAs already know about the managerial aspects of risk assessment. This methodology is heavily used in most... (офис), especially with respect to business planning. Risk assessment is no less important in secure,... (хорошо разработанном программном обеспечении) or applications development projects. Take advantage of the fact that your managers and executives are probably already familiar with... (методикой оценки рисков). Armed with a common language and methodology, you can inform your managers of the relative risks to which the application exposes you or your customers, and you can additionally leverage their and buy-in. This will help you in the end: if there should ever be an attack on your application, you will already have a champion to go to bat for the... (целостность) of your application and the care with which it was designed.

III. The basic steps of risk assessment are as follows:

1. Identify protected resources

2. Assign relative value

3. Identify possible attackers

4. Estimate relative frequency of each kind of attacker

5. Carry out attack tree analysis (Identify possible attack routes)

6. Protect all possible attack routes (Protect attack routes)

IV. Protected resources include things like your customer database, customer credit card information, or personal information. If you thought about the policies regarding the privacy, disposition and handling of customer information and other social and legal issues you would understand that your risk assessment process... (зависит в большей степени) on such things. Your executive managers must be involved in deciding these policies.

V. For each resource, assign it a relative value (i.e. your customer credit card database will probably be more valuable than your vendor contact list). Next,... (определите) possible attackers. Frequent examples are the bored teenager, the disgruntled ex-employee, the corporate spy, or the government intelligence agent.

VI. Estimation of the skill, frequency and methods of the attacker all belong to a related process to risk assessment which Bruce Schneier calls 'attack tree analysis'. This process helps to formalize what's otherwise a significantly subjective process of analysis and assessment, and can help to prioritize your project's security goals. If you saw chapter 21 of Bruce Schneier's book: Secrets and Lies: Digital Security in a Networked World you could know more about attack trees. A... (очень рекомендуемый) resource on all of digital security.

VII. Once you knew what routes of attack you should be... (защищать) (from your attack tree analysis), you would already organize information about the... (вид безопасности) you need to implement in your design. You may also find that this information will be helpful in writing security and privacy policies to accompany your application design efforts.

VIII. Please be very careful... (выполняя) your own research about risk assessment. It is very easy to confuse this process with another process, usually called 'security assessment'. A risk assessment is a process that people undertake (sometimes aided by organization-enhancing software) to determine risks surrounding their specific efforts. On the other hand, there are many software tools available for... (оценки безопасности) that will analyze your network and servers for known vulnerabilities.

IX. Three tips for using these kinds of software tools: 1) if you research the producing company carefully you will be sure you can trust them with the necessary access privileges before... (установки программного обеспечения) up on your network, 2) test the tool in an isolated testing environment... (до его применения), and 3) strongly consider petitioning your internal Information Technology department or Help Desk for permission to run this kind of tool on your company's internal networks. Security assessment tools can be useful, but cannot be 100% effective, and though they may help you do risk assessment for extant problems with existing software, they will not be able to... (работать вместо вас) in regard to designing and developing new software and applications.

Task 2. Find the Russian equivalents (give definitions of the following terms in Russian):

risk, assessment, attack tree analysis, customer database, security assessment, relative value, access privileges.

Task 3. Are the statements given below true or false?:


1. During the risk assessment phase of design, you may not find important supporters and champions among the executive officers.

2. Risk assessment is less important in secure, well designed software or applications development projects.

3. If there should ever be an attack on your application, you will already have a chance to go to bat for the integrity of your application and the care with which it was designed.

4. Protected resources include things like your customer database, customer credit card information, or personal information.

5. Your vendor contact list will probably be more valuable than your customer credit card database.

Task 4. Complete the sentences:


1. Making risk assessment a priority will also help you....

2. If there should ever be an attack on your application,....

3. Protected resources include things like....

4. .... which Bruce Schneier calls 'attack tree analysis'.

5. .... you would already organize information about the kind of security you need to implement in your design.

6. It is very easy to confuse....

7. A risk assessment is a process....

Task 5. Translate the sentences given below into English:


1. Оценка риска — это процесс, который люди затевают (иногда с помощью особого программного обеспечения) с целью определения возможных рисков для их профессиональной деятельности.

2. Существуют также специальные компьютерные программы, способные оценить безопасность, проверяя сеть и серверы на возможные поражения.





Date published: 2014-11-02


