Risk Assessment in IT Infrastructure

*Bata Krishna Tripathy*

*DOI: http://dx.doi.org/10.5772/intechopen.90907*

## **Abstract**

Due to the large-scale digitization of data and information across application domains, the evolution of ubiquitous computing platforms, and the growth in usage of the Internet, industries are moving into a new era of technology. With this revolution, the IT infrastructure of industries is undergoing rapid and continuous change. However, insecure communication channels, intelligent adversaries both inside and outside the organization, and loopholes in software and system development add complexity to deploying that IT infrastructure. In addition, the heterogeneous service level requirements of customers, service providers, and users, together with the implementation policies of industries, add further complexity to the problem. Hence, the risk associated with deploying IT infrastructure in industries must be assessed to ensure the security of the assets involved. In this chapter, we present an efficient risk assessment mechanism for IT infrastructure deployment in industries, which ensures a strong security perimeter over the underlying organizational resources.

**Keywords:** IT infrastructure, loopholes, service level requirements, common vulnerability scoring system (CVSS), vulnerability, exposure, threat, risk

### **1. Introduction**

In today's world, every industry has its own business goals and functions. In this digital era, industries rely completely on automated information technology (IT) systems to process and manage their information and achieve their business objectives. The large-scale digitization of data and information across various domains, the evolution of ubiquitous computing platforms, and the growth in usage of the Internet have driven the deployment of information technology systems in industries. IT infrastructure enables efficient service provisioning to end users from various enterprise applications, based on Service Level Agreements (SLAs) and dynamic policy requirements, by maintaining a global view of the system. Hence, information technology has become the economic backbone of every industry and offers significant advantages in global markets.

Information technology in an organization includes heterogeneous entities such as general-purpose computing systems, specialized control systems, communication network entities, database management systems, and various software control modules. The integration of these diverse entities supports the growth and development of an organization by making its information systems and business process flows reliable, efficient, and robust. Despite these advantages, open access control for different levels of users, ubiquitous execution of software modules, and distributed control management introduce various security threats. These threats open the door to potential vulnerabilities, environmental interruptions, and inevitable errors, which lead to cyber attacks such as Denial of Service (DoS), code injection, and hidden tunnels. As a result of such attacks, the confidentiality, integrity, and availability (CIA) of critical information are severely compromised. This, in turn, may have a huge impact on organizational assets, business operations, individuals, other stakeholders, and above all national assets.

Researchers have observed that users and entities inside an organization pose greater threats than outside attackers [1]. Organizations must therefore understand their responsibility for protecting critical information, assets, and processes from intelligent attackers, and assessing the risk associated with the operation and use of the different entities in their information technology systems has become an imperative duty. Risk assessment is a key discipline for making effective business decisions: it identifies potential managerial and technical problems in the IT infrastructure so that managers can take the remediation necessary to minimize or eliminate the probability and impact of those problems.

This chapter presents an efficient risk assessment mechanism that proactively analyzes the risks of the IT infrastructure, creating strong isolation between its different entities. The proposed solution determines the threat associated with each entity by analyzing its vulnerability and exposure with respect to the Common Vulnerability Scoring System (CVSS) [2]. The overall risk of the IT system is calculated as the cumulative threat value of its entities. These risk measures, in turn, drive the remediation process for appropriate risk mitigation in the organization, strengthening the security perimeter around organizational resources.

The rest of the chapter is organized as follows. Section 2 presents related work on risk assessment in IT infrastructure. Section 3 presents the background of risk assessment of IT infrastructure in organizations. The steps of risk assessment are discussed in Section 4. Section 5 presents our proposed IT risk assessment framework in detail. Section 6 summarizes the chapter.

### **2. Related works**

The work in [4] presents a quantitative risk assessment method that determines the threat value from the number of attacks observed in a specific time interval. Munir et al. [8] proposed another quantitative method that uses a vulnerability scanning tool (Nexpose) to determine the vulnerability value of each node in the network; it combines CVSS with a probabilistic approach to derive an overall risk measure for the enterprise network. In [9] the risk of the network is analyzed by determining the impact and likelihood of its vulnerabilities.

On the other hand, Guohua [10] presented a risk assessment technique based on the Analytic Hierarchy Process (AHP), which quantitatively determines the confidentiality, integrity, and availability of assets with respect to their individual asset classes. Munir et al. [11] proposed a risk assessment mechanism based on classifying attacks by their characteristics; it also uses rules from the Snort NIDPS signature database together with the OWASP risk rating approach to determine the overall risk of an enterprise network. More recently, Lamichhane et al. [12] presented a quantitative approach that computes risk as a function of the exploitation of the vulnerabilities along an attack path and the impact of that exploitation; it uses Topological Vulnerability Analysis (TVA) to model and analyze attack paths with an attack graph. Chalvatzis et al. [13] proposed a virtual-machine-based framework for testing the performance of vulnerability scanners on enterprise networks, and presented comparative statistics for scanning solutions such as Nessus, OpenVAS, and the Nmap Scripting Engine with respect to their automation risk

However, the state-of-the-art works do not accurately determine the risk of the enterprise network when the risk associated with individual assets, the impact, and the criticality of the information flow are taken into account. In this chapter, we present an efficient risk assessment mechanism for IT infrastructure deployment in industries that addresses these limitations of the existing techniques. Our proposed solution ensures a strong security perimeter over the underlying organizational resources by considering the level of vulnerability, threat, and impact at individual assets, as well as the criticality of the information flow in the organization.

### **3. Background**

The managers and stakeholders of an organization must understand and identify the parameters needed to assess the risk of its IT infrastructure. These parameters are defined as follows.

**3.1 Vulnerability**

A vulnerability is a software- or hardware-level weakness in an entity of an IT system that may allow an attacker to reduce the information assurance of that entity and of the underlying network [14]. In other words, it is the source of a known problem that opens the door to a potential attack on the IT infrastructure. For example, if the managers of an organization fail to disable an ex-employee's access to resources and processes, such as logins to internal systems, the organization is left open to unexpected threats from that account. In most cases vulnerabilities are exploited, intentionally or unintentionally, by inside or outside users of the IT systems and have a severe impact on organizational assets. Hence, identifying the weak points in the entities of an IT system is the first step of the risk assessment process.
