Lead Image © Helder Almeida, 123RF.com


What's the Risk?

Welcome

Article from ADMIN 46/2018
By

As system administrators, we are continually challenged with balancing risk vs. benefit. In everything we do, touch, or alter, there is risk. Even something as benign as creating a new user account can have far-reaching potential risks and consequences. We must worry about external threats, insider threats, hardware failure, user error, software anomalies, patching, physical security, and our own fat-fingering. Every action we take can result in a very negative reaction. Managing risk is but one of our many jobs. Mitigating risk is our goal. To that end, I have devised a short list of five risk types for my fellow sys admin travelers.

  1. Known
  2. Acceptable
  3. Avoidable
  4. Unacceptable
  5. Unpredictable

Known risks are those that always hang over our heads. These are not risks that we have caused or that someone else caused; they are just risks that exist, and we know about them. For example, creating a user account has known risks. When you create a user account, that user might become an insider threat or elevate their privileges on your system. This is a known risk of creating any user account. Perhaps the user account that presents the greatest risk is that of a service account – especially those with (gasp) elevated privileges. We know this is a big risk, but we sometimes must accept certain risks to get a job done, which leads me to the next risk type.

Acceptable risks are those we know about but must accept as unavoidable. They are a level of risk that we must accept to productively get through the day. There is a risk in connecting your business or home to the Internet. We know that hackers are out there. We know that they want our money, our reputations, our available credit, or some other valuable information, but we also must work in these Internet-connected times. We stay connected 24/7/365, and the threats remain 24/7/365. We can protect ourselves, but there is always going to be some level

...