<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Exploring F.A.I.R. &#8211; Threats &#8211; Part 1</title>
	<atom:link href="http://www.infosecramblings.com/2009/03/09/exploring-fair-threats-part-1/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecramblings.com/2009/03/09/exploring-fair-threats-part-1/</link>
	<description>ramblings on various information security topics</description>
	<lastBuildDate>Tue, 07 Feb 2012 23:34:55 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: kriggins</title>
		<link>http://www.infosecramblings.com/2009/03/09/exploring-fair-threats-part-1/#comment-1920</link>
		<dc:creator>kriggins</dc:creator>
		<pubDate>Thu, 28 May 2009 02:16:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=776#comment-1920</guid>
		<description>Thanks for the input and thoughts on the DFDs. My intent was to use the DFD to show simple intended application use cases at this point. I could extend that, but probably won&#039;t at this point.

The series will continue. I gave a talk on FAIR at Secure360 this month and that sucked up all the free time I had in preparation :) Of course, I will be able to use some of that info as we go forward with this series. 

I hope to get back to it in the next couple weeks as some other obligations settle down.

Thanks for reading!

-Kevin</description>
		<content:encoded><![CDATA[<p>Thanks for the input and thoughts on the DFDs. My intent was to use the DFD to show simple intended application use cases at this point. I could extend that, but probably won't at this point.</p>
<p>The series will continue. I gave a talk on FAIR at Secure360 this month and that sucked up all the free time I had in preparation <img src='http://www.infosecramblings.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  Of course, I will be able to use some of that info as we go forward with this series. </p>
<p>I hope to get back to it in the next couple weeks as some other obligations settle down.</p>
<p>Thanks for reading!</p>
<p>-Kevin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Bonvillain</title>
		<link>http://www.infosecramblings.com/2009/03/09/exploring-fair-threats-part-1/#comment-1919</link>
		<dc:creator>Bonvillain</dc:creator>
		<pubDate>Thu, 28 May 2009 02:04:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=776#comment-1919</guid>
		<description>I actually haven&#039;t created tons of DFDs myself, but there were other use-cases at play in that architecture diagram that seem to be applicable if relating them to a risk analysis such as FAIR and ultimately to the threat analysis that it looks like you are about to perform.
Maybe Phil can advise if you would want to document such things, or if the DFD is just intended to be applicable to intended web app functionality, vs. comprehensively diagram all possible use-cases. Regardless, as related by the Swiss-cheese firewall policy, those remote users are just using Telnet, FTP and getting direct access to the database to perform their remote management in the absence of a dedicated solution. Seems like you may want to include those components in the DFD as well, as they are certainly applicable to the threat analysis and ultimate loss event frequency, right?

Hope you are continuing this series. I am just starting to do some research on FAIR and am enjoying the posts.</description>
		<content:encoded><![CDATA[<p>I actually haven't created tons of DFDs myself, but there were other use-cases at play in that architecture diagram that seem to be applicable if relating them to a risk analysis such as FAIR and ultimately to the threat analysis that it looks like you are about to perform.<br />
Maybe Phil can advise if you would want to document such things, or if the DFD is just intended to be applicable to intended web app functionality, vs. comprehensively diagram all possible use-cases. Regardless, as related by the Swiss-cheese firewall policy, those remote users are just using Telnet, FTP and getting direct access to the database to perform their remote management in the absence of a dedicated solution. Seems like you may want to include those components in the DFD as well, as they are certainly applicable to the threat analysis and ultimate loss event frequency, right?</p>
<p>Hope you are continuing this series. I am just starting to do some research on FAIR and am enjoying the posts.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

