Assessing Security Risks

Estimate the risk of attacks on your network resources from both internal and external sources. The risk of attack and subsequent compromise of a system is affected primarily by the following factors:

• How secure your network is from external and internal attacks. If your networks are connected to the Internet, there is always some risk of external attack; if you lack adequate firewall and proxy services, the risk of external attack is very high. If workstations and servers are stored in secure locations, the risk of internal attack is usually relatively low. However, if unauthorized users have access to workstations or if network servers are not stored in secure data centers, the risk of internal attack is much higher.
• How valuable your network resources are to attackers. One network might be at high risk for attack because of the highly valuable financial information that is available on the network. Another network might be at low risk for attack because only public information is available. The value of an attack includes more than the monetary value of the resources on the network — an external attacker, for example, might place a high value on the prestige of breaking into your organization's networks.
• How high the cost of an attack is to the attackers. For example, the cost of launching an attack against a network that is secured by on-wire encrypted communication can be very high. However, the cost of launching an attack on a network where on-wire communication is in plaintext can be very low.

In general, only attackers that have cryptanalysis equipment and skills, a significant incentive to launch the attack, and considerable time to invest in the attack choose to pursue costly attacks on resources that are protected by strong cryptographic security technology.

To choose appropriate security solutions, you must weigh the risk of potential attacks and the potential damage of successful attacks against the costs and benefits of the security solutions you propose to deploy.

For more information about risk factors for cryptography-based security, see "Cryptography for Network and Information Security" in this book.

© 1985-2000 Microsoft Corporation. All rights reserved.