Ranking Threats by Decreasing Risk
For each asset in your Commerce Server installation, prioritize possible threats by determining the following:
- What is the chance of an attack occurring? That is, how much effort/cost/time would be required to mount the attack? 1 = high chance, 10 = low chance
- What is the cost or damage to your site if an attack occurs? 1 = little damage, 10 = massive damage
- Risk = Damage if an attack occurs / Chance of attack. 1 = little risk, 10 = massive risk
To reduce the risk to your Commerce Server installation, address the high-risk items first. When you do this, keep in mind the industry statistics in the following table. They show the current vulnerability distribution by cause of seven major threats.
| Vulnerability | Percentage of attacks |
|---|---|
| Restrictions that can be bypassed | 20 |
| Argument checking | 19 |
| Unchecked buffer | 18 |
| Incorrect control marking | 10 |
| Incorrect permissions | 9 |
| Architectural error | 6 |
| Other implementation error | 18 |
See Also
Identifying Techniques that Mitigate Threats
Copyright © 2005 Microsoft Corporation.
All rights reserved.