I am currently studying a mobile application security course with Southampton University via the Future Learn project. However, the principles to evaluate the risk to a business apply equally well to a website.
- Unacceptable loss
Unacceptable losses are those assets that must never be compromised. Securing these assets should be your top priority. The risk assessment should identify security controls (we will define what these are shortly) to eliminate the risk to these assets.
- Residual risk
In real-life scenarios security controls only mitigate: they reduce the likelihood (or the impact) of an attack but do not entirely eliminate the risk. The risk that is still present after a security control has been applied is known as the residual risk.
- Acceptable risk
Residual risk is not the same as acceptable risk, which is the risk to assets that are not worth the resources that would have to be spent to secure them.
- Is the residual risk an acceptable risk?
This is often the key judgement that must be made. Have we (through applying security controls) reduced the risk to a level that we consider acceptable?
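The four definitions above fit together as one decision per asset: estimate the inherent risk, apply the controls, compute what remains, and then decide whether that remainder is acceptable (with a far stricter bar for anything classed as an unacceptable loss). The following is an added worked example of that decision, not code from the course or the original post; the asset names, likelihood and impact scores, mitigation factors and thresholds are all assumed figures for a small shop website.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """A mitigation. The factors are the fraction of likelihood/impact that
    REMAINS after the control is applied (1.0 = no effect, 0.0 = eliminated)."""
    name: str
    likelihood_factor: float
    impact_factor: float = 1.0


@dataclass
class Asset:
    name: str
    likelihood: float                 # estimated chance of compromise, 0-1 (assumed figure)
    impact: float                     # business impact on a 0-10 scale (assumed figure)
    unacceptable_loss: bool = False   # an asset that must never be compromised
    controls: list[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        """Risk that remains after every control has been applied."""
        likelihood, impact = self.likelihood, self.impact
        for c in self.controls:
            likelihood *= c.likelihood_factor
            impact *= c.impact_factor
        return likelihood * impact


def assess(asset: Asset, acceptable: float, unacceptable_tolerance: float = 0.05) -> str:
    """Answer 'is the residual risk an acceptable risk?' for one asset.

    acceptable: the risk score the business will carry without further spend.
    unacceptable_tolerance: the much smaller score an unacceptable-loss asset
    must be driven below, because no control eliminates risk entirely.
    """
    inherent, residual = asset.inherent_risk(), asset.residual_risk()
    if asset.unacceptable_loss:
        if residual <= unacceptable_tolerance:
            return "unacceptable-loss asset: residual within tolerance"
        return "unacceptable-loss asset: residual too high, add controls"
    if inherent <= acceptable:
        return "acceptable risk: not worth the resources to secure"
    if residual <= acceptable:
        return "residual risk accepted"
    return "residual risk NOT acceptable: add controls or reduce exposure"


def example_register() -> dict[str, str]:
    """Constructed risk register for a small shop website (all figures assumed)."""
    tokenised = Control("card data held by payment provider, never stored", 0.05, 0.2)
    rate_limit = Control("login rate limiting and lockout", 0.3)
    mfa = Control("multi-factor authentication on admin accounts", 0.1)
    assets = [
        Asset("customer payment details", 0.3, 10, unacceptable_loss=True, controls=[tokenised]),
        Asset("admin login", 0.8, 8, controls=[rate_limit, mfa]),
        Asset("mailing list", 0.4, 4),
        Asset("public marketing copy", 0.5, 0.5),
    ]
    return {a.name: assess(a, acceptable=0.5) for a in assets}


if __name__ == "__main__":
    for name, verdict in example_register().items():
        print(f"{name:28s} {verdict}")
```

Two points the numbers make: the mailing list has no control at all, so its residual risk equals its inherent risk and it fails the check; and the payment details only pass because the control removes the data from the site rather than merely guarding it, which is how a residual risk gets close enough to zero for an unacceptable-loss asset.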
So, what data could be uncovered from your website?
- Is there a mailing list associated with the site?
- If it is a shopping site, are customer history and payment information stored and accessible?
- Could emails be sent out in your name, via the website, written by a hacker?
- What loss of confidence would follow if the site content were hacked?
- Are your plugins and updates kept current? (number one vulnerability)
- Do you protect against login attacks? (number two vulnerability)
- Have security plugins and controls been used?
- Is your site scanned or checked for malicious code?
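The login-attack item in the list above is the one most easily checked in code: does the site notice a burst of failed logins and stop it? The block below is an added example of such a check, not code from the original post or any particular CMS or security plugin. It runs a sliding-window counter over failed logins keyed both by source IP (plain brute force) and by target username (the same account tried from many addresses), locks a key once it crosses the threshold, and flags any success that follows a lockout. The log line format and the sample lines are constructed for the example; the window and threshold are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in an assumed format; not from any real server.
SAMPLE_LOG = """\
2024-05-01T10:00:00 LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:02 LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:04 LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:05 LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:07 LOGIN_FAIL user=admin ip=203.0.113.5
2024-05-01T10:00:09 LOGIN_OK   user=admin ip=203.0.113.5
2024-05-01T10:01:00 LOGIN_FAIL user=alice ip=198.51.100.7
2024-05-01T10:20:00 LOGIN_FAIL user=alice ip=198.51.100.7
2024-05-01T10:30:00 LOGIN_FAIL user=bob ip=192.0.2.10
2024-05-01T10:30:01 LOGIN_FAIL user=bob ip=192.0.2.11
2024-05-01T10:30:02 LOGIN_FAIL user=bob ip=192.0.2.12
2024-05-01T10:30:03 LOGIN_FAIL user=bob ip=192.0.2.13
2024-05-01T10:30:04 LOGIN_FAIL user=bob ip=192.0.2.14
2024-05-01T10:40:00 LOGIN_FAIL user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK)\s+user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def detect_login_attacks(log_text, window_seconds=300, threshold=5):
    """Sliding-window failed-login detector.

    Returns (locked, suspicious_successes):
      locked: {("ip", addr) | ("user", name): time the key crossed the threshold}
      suspicious_successes: [(user, ip, time)] for logins that succeeded after
        either their IP or their username had already been locked.
    Lockouts never expire here; a real implementation would add a cooldown.
    """
    windows = defaultdict(deque)   # key -> timestamps of failures inside the window
    locked = {}
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # ignore lines that are not login events
        ts = datetime.fromisoformat(m["ts"])
        keys = (("ip", m["ip"]), ("user", m["user"]))
        if m["event"] == "LOGIN_OK":
            if any(k in locked for k in keys):
                suspicious.append((m["user"], m["ip"], ts))
            continue
        for key in keys:
            q = windows[key]
            q.append(ts)
            # Drop failures older than the window so a slow trickle never locks.
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and key not in locked:
                locked[key] = ts
    return locked, suspicious


if __name__ == "__main__":
    locked, suspicious = detect_login_attacks(SAMPLE_LOG)
    for key, when in locked.items():
        print(f"locked {key[0]} {key[1]} at {when.time()}")
    for user, ip, when in suspicious:
        print(f"successful login after lockout: {user} from {ip} at {when.time()}")
```

On the sample: 203.0.113.5 hammers admin five times in seven seconds and both the IP and the account lock, and the successful login two seconds later is exactly the event worth an alert; alice's three failures spread over forty minutes fall out of the window and never lock (a forgotten password, not an attack); bob's five failures arrive from five different addresses, which is why the username key is tracked separately from the IP.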
Have you ever considered doing a threat assessment of your website? What cover, response or service level agreement do you have with your web host or service provider?