
Assessing Threats, Vulnerabilities, and Risks to FileMaker Pro Databases

Steven H. Blackwell



Hosted FileMaker Pro databases are susceptible to unauthorized access, manipulation, destruction, and other forms of compromise. Developers and server administrators need to understand how to assess threats and the risk of their occurring as various threat agents seek to exploit vulnerabilities.

This process starts with an understanding of the environment where the databases operate. We have a variety of digital assets that we must seek to protect. Nowadays, for the most part, the assets we are most concerned about are the hosted databases and the information in them. We need to be able to protect the Confidentiality, Integrity, and Availability (CIA) of those digital assets.

When a breach of CIA occurs there will be an impact on the digital asset. Understanding and predicting the level of that impact is an important aspect of the assessment we must make. We can generally classify the level of impact into one of four categories:

1. Limited Adverse Impact

2. Serious Adverse Impact

3. Severe Adverse Impact

4. Catastrophic Adverse Impact

The targets of that impact are the people, the assets, the operations, and the reputation of the organization that owns the asset whose CIA is breached. The same event, e.g. a breach of Confidentiality of the asset, may have very different levels of impact on each different target. Likewise, on the same target, a breach of Integrity may have a far more adverse impact than a breach of Confidentiality would.

As a result, FileMaker developers and server administrators must assess each attribute of CIA and the likely impact of its breach on each target: people, operations, assets, and reputation.

The Threat is that a Threat Agent will exploit a known or a heretofore unknown Vulnerability in a specific hosted FileMaker file resulting in a breach of CIA with an adverse impact of varying levels on the various targets as described previously.

Risk is the likelihood of some Threat Agent’s actually exploiting the Vulnerability. And Risk can be difficult to quantify or even to identify, especially if the Threat Agent is of a type not previously identified or even known to exist.

In FileMaker Security, indeed in most types of information security, we have three principal tasks:

• Close Vulnerabilities

• Block Threat Agents

• Mitigate the Adverse Impact of Breaches

In terms of setting priorities to achieve this, since tasks seem always to exceed resources, we should focus on the higher Risk items that have greater levels of Adverse Impact. Or so it would seem. But the equation is not quite that simple. Closing known Vulnerabilities is a major factor in blocking the Threat Agent. We may therefore get an overall more beneficial result in terms of our goal of protecting our digital asset by having a more nuanced mixture and balance among these categories.
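The prioritization point above, worked through as an added example (not the author's own code or method). The scoring rule (likelihood times the worst impact level across the four targets), the 1-4 numeric scale, and every scenario in the register are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# The article's four impact categories; the 1-4 numeric scale is an assumption.
LEVELS = {"Limited": 1, "Serious": 2, "Severe": 3, "Catastrophic": 4}
TARGETS = ("people", "assets", "operations", "reputation")

@dataclass
class Scenario:
    agent: str          # Threat Agent
    vulnerability: str  # Vulnerability the agent would exploit
    attribute: str      # breached attribute: "C", "I" or "A"
    likelihood: float   # Risk: estimated chance of exploitation, 0..1
    impact: tuple       # one impact category per entry in TARGETS

    def score(self) -> float:
        # Assumed scoring: likelihood x worst impact across the four targets.
        if len(self.impact) != len(TARGETS):
            raise ValueError("one impact category per target is required")
        return self.likelihood * max(LEVELS[level] for level in self.impact)

def rank_scenarios(scenarios):
    """Naive priority list: highest-scoring single scenario first."""
    return sorted(scenarios, key=Scenario.score, reverse=True)

def rank_vulnerabilities(scenarios):
    """Total score of every scenario that closing one Vulnerability removes."""
    removed = defaultdict(float)
    for s in scenarios:
        removed[s.vulnerability] += s.score()
    return sorted(removed.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample register; agents, likelihoods and impacts are illustrative.
SCENARIOS = [
    Scenario("external intruder", "unencrypted backup copies", "C", 0.2,
             ("Serious", "Severe", "Limited", "Catastrophic")),
    Scenario("disgruntled insider", "shared full-access account", "I", 0.25,
             ("Limited", "Severe", "Serious", "Serious")),
    Scenario("curious staff member", "shared full-access account", "C", 0.3,
             ("Serious", "Limited", "Limited", "Serious")),
    Scenario("careless administrator", "shared full-access account", "A", 0.1,
             ("Limited", "Serious", "Severe", "Limited")),
]

if __name__ == "__main__":
    top = rank_scenarios(SCENARIOS)[0]
    print("Top single scenario:", top.vulnerability, round(top.score(), 2))
    for vuln, total in rank_vulnerabilities(SCENARIOS):
        print(f"Closing '{vuln}' removes {total:.2f}")
```

In this constructed register the single highest-scoring scenario involves the backup copies, yet closing the shared account removes more total risk because three different Threat Agents depend on it.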

In summary then, when we undertake to assess the Threats, Vulnerabilities, and Risks to our hosted FileMaker Pro databases we have a number of items to consider:

• What assets are we trying to protect?

• What would be the level of Impact on people, assets, operations, or reputation if a CIA breach occurred?

• What Vulnerabilities could a Threat Agent exploit to cause a Breach?

• What are the Threats?

• Who are the Threat Agents?

• What is the Risk of the Threat Agent’s triggering the Threat to exploit the Vulnerability?

When we can answer these questions, we can begin to address the question of what type and amount of security we need for our hosted FileMaker Pro databases and for FileMaker Server.

Please see the graphic for a further depiction of this concept. As always, your comments or questions are welcomed.

Steven H. Blackwell
