
My good friend, Alex Hutton, has written an excellent post where he talks about the science of Risk Management.

I am not going to try and summarize what he says because he says it so well.

Do yourself a favor and go read it. Then go and look at some of the stuff he points to in the post. Then figure out how to apply it to your organization. Goodness will follow.

Risk Appetite: Counting Risk Calories is All You Can Do by Alex Hutton

-Kevin

Image courtesy of divaangelic2


It is Thanksgiving Day week in the U.S. and that means a couple of days off. I decided to tack on an extra day and won't be working tomorrow either. Yay! Five days off in a row.

Anywho, I will also be taking those days off from the Interesting Bits posts so this one will have to tide you over until Monday :)

Here are today's Interesting Information Security Bits from around the web.

  1. Ten things you should not do on Facebook. This list will keep you safer.
    Errata Security: 10 Facebook Don'ts
    Tags: ( facebook )
  2. Is your iPhone infected with the Duh worm? Paul tells us how to clean it up.
    How to clean up the Duh iPhone worm | Paul Ducklin's blog
    Tags: ( iphone worm )
  3. Russel is looking for some collaborators on a research project he is working on. It looks to be very interesting. From his post: "The topic is the arms race between attackers and defenders from the perspective of innovation rates and "evolutionary success" - the Red Queen problem (running just to stand still). Here's a sample research question: "can bureaucracies (defenders) keep up with a decentralized black market (attackers)?", and similar." Read the rest of the post and drop him a line if you are interested.
    Information Security as an Evolutionary Arms Race - Research Collaborators Wanted << The New School of Information Security
    Tags: ( research )
  4. Shrdlu once again has penned an article that you should go read. Metrics are great, but they have to mean something.
    The meaning of metrics
    Tags: ( metrics risk )
  5. There is a 0-day out there for IE 6 and IE 7. Microsoft's recommendation in some cases is to upgrade to IE 8, which, as the article below shows, has a serious flaw of its own. Um, oops.
    Major IE8 flaw makes 'safe' sites unsafe
    Tags: ( ie vulnerabilities )
  6. An interesting post that explores a conundrum that some organizations face when trying to comply with PCI. What happens when some of what I do requires me to be out of compliance with PCI-DSS?
    Branden Williams's Security Convergence Blog >> Multi-Function Service Providers, What To Do?
    Tags: ( pci )
  7. From the post: "We have uploaded the audio recording of select talks from the Ohio Information Security Summit that took place October 29-30, 2009 in Cleveland, Ohio." Looks like some good stuff is available. Check out the post for the details.
    Security Justice >> Blog Archive >> Select Talks from ISS2009 Now Available for Download
    Tags: ( audio conferences talks )
  8. A new tool is available, SHODAN, a search engine that indexes the banners of internet-facing services. It shows some interesting things about what is exposed on the internet.
    Room362.com - Blog - SHODAN The Computer Search
    Tags: ( tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Check out this article for some hints and tips on stopping phishing.
    Stop Phishing: A simple guide - Michael M. Knight
    Tags: ( phishing )
  2. Chris offers some thoughts on working with external data sources in a narrowly scoped desire to build a "loss model." This series looks to be very interesting.
    Working With External Data (Part 1 of X) << Risktical Ramblings
    Tags: ( general )
  3. BSOFH! Enough said.
    BSOFH: Catering to a niche market.
    Tags: ( humor )
  4. Didier brings us another interesting utility that lets you start a process and choose which existing process is recorded as its parent. This creates a problem. Read Didier's post to find out what that problem is.
    Quickpost: SelectMyParent or Playing With the Windows Process Tree << Didier Stevens
    Tags: ( windows )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Here is some interesting data. I haven't run through it completely yet, but it takes the results of a bunch of scans and then does some mapping against PCI DSS. Fun with numbers :)
    Web Application Security Consortium (WASC) 2008 Statistics Published | Darknet - The Darkside
    Tags: ( metrics webappsec )
  2. This article discusses the decision to ship Windows 7 with a default UAC setting of medium-high.
    Windows 7's security 'time bomb' | The Last Watchdog
    Tags: ( windows-7 uac )
  3. An interesting post by Chris on risk/threat vs risk issue. When does a risk or threat become a risk issue for your organization?
    Risk / Threat vs. Risk Issue << Risktical Ramblings
    Tags: ( risk )
  4. Paul offers a couple thoughts on social networking and data leakage.
    Social networking in the antipodean spotlight | Paul Ducklin's blog
    Tags: ( social-engineering data-leakage )
  5. SynJunkie has another story-based post up. This time it is about the dangers of dual-homing, specifically a machine with a wired connection and a wireless one active at the same time, which turns that machine into a bridge around your perimeter.
    Syn: Bobs Double Penetration Adventure - Part 1
    Tags: ( pentest )
  6. The White House has moved its website from an internally developed CMS to Drupal. Rsnake offers up some thoughts on why this might be both good and bad.
    Whitehouse Drupal and The Open Source Security Model ha.ckers.org web application security lab
    Tags: ( drupal cms whitehouse )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! Sorry for missing both Friday's and yesterday's bits posts. My Friday was spent working with Habitat for Humanity on a new home for a deserving family. It was a great experience and I heartily recommend it as time well spent. Yesterday was just too busy :)

Anyway, here are today's Interesting Information Security Bits from around the web, plus a few from this weekend.

  1. A new version of OffVis is available along with a training video.
    Security Research & Defense : OffVis updated, Office file format training video created
    Tags: ( tools microsoft office )
  2. Here is an interesting adaptation of "The Joel Test."
    Matasano Security LLC - Chargen - The Joel Test: 12 Steps To Better IT Management
    Tags: ( general )
  3. A great article from Russel. This one contains some tips for building an Information Security Risk Scorecard.
    12 Tips for Designing an InfoSec Risk Scorecard (its harder than it looks) << The New School of Information Security
    Tags: ( scorecard risk )
  4. This is a very interesting article about backups and virtualization strategies. A very important part of your strategy needs to be: how are you going to deal with backups?
    The Side Effects of Backup on Server Virtualization - Backup & Beyond
    Tags: ( virtualization backup )
  5. The latest version of the SANS Top Cyber Security Risks report is out.
    SANS: The Top Cyber Security Risks
    Tags: ( risks )
  6. Here is a nice article with some questions to ask when considering the implementation of an identity management solution. (Hat Tip: http://securityblog.typepad.com)
    12 questions to ask before implementing an identity management system -- Government Computer News
    Tags: ( identity-management )
  7. The Security Twits bus is off on another adventure as it gathers up a bunch of twits and heads to SecTor. Let Jack know if you want to be picked up :)
    Uncommon Sense Security: Security Twits Road Trip III, the SecTorBus
    Tags: ( conferences security-twits )
  8. Rsnake has a whole pile of HTTP headers for you to play with should you want to. I bet some interesting things can be found out.
    Half a Million HTTP Headers ha.ckers.org web application security lab
    Tags: ( data )
  9. An entirely virtual security conference is taking place on November 6th-8th. Very cool. What's even better is that all CFP submissions are being accepted.
    SecurityTubeCon - Democratizing Hacker Cons
    Tags: ( conference cfp securitytube )
  10. Want to set up some motion sensors to tweet activity? Ax0n shows us how.
    HiR Information Report: Gustav, the hackerspace twitter-bot
    Tags: ( hardware-hacking )
  11. SynJunkie took a short break from his CCNA studies (good posts in that series too) to give us a post about using Fgdump, John the Ripper and PowerShell together to do some nifty scripted password auditing.
    Syn: Password Auditing with Fgdump, John the Ripper & PowerShell
    Tags: ( passwords cracking )
  12. Russel has an interesting challenge for us. I know a few in academia that might enjoy this conversation.
    This Friday is "Take an Academic Friend to Work Day" << The New School of Information Security
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. A very well put together post. Check out the difference between Defensive Avoidance and Vigilance to Detail.
    Defensive Avoidance vs Vigilance to Detail << wirewatcher
    Tags: ( general )
  2. Hak5 is 4 years old. If you are not aware of this web video series, you should check it out.
    Hak5 - Technolust since 2005 >> Happy 4th Birthday Hak5
    Tags: ( general )
  3. Want to help out a student? Check out this post and take the survey.
    Help a Grad Student: Cloud Security Survey (The Falcon's View)
    Tags: ( survey )
  4. Something you should be aware of. The person carrying that iPod touch or iPhone into your environment may not be listening to music or talking to their buddy.
    Weaponizing Apple's iPod Touch - DarkReading
    Tags: ( ipod-touch pentest )
  5. Some thoughts on DirectAccess.
    Guest blog: Windows 7 Security - Microsoft DirectAccess | Graham Cluley's blog
    Tags: ( windows-7 direct-access )
  6. Part 2 of Chris's interview with Richard Levick is up.
    Reputation Risk Q&A - Richard Levick (2 of 2) << Risktical Ramblings
    Tags: ( reputation )
  7. A nice article by Andy on the topic of choice.
    My Risk, My Choice >> Andy ITGuy
    Tags: ( risk )
  8. An interesting tool has entered beta state.
    The Professional Security Testers Warehouse for the CEH GPEN QISP Q/ISP OPST CPTS - A Beta Version of NPing has been released
    Tags: ( tools )
  9. This page on the World Health Organization's website provides information you can use to track H1N1. We will be moving into flu season in North America soon, so keeping an eye on this is warranted.
    WHO | Disease Outbreak News
    Tags: ( h1n1 )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.

Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.

Threat Event Frequency

We start with the first component of Loss Frequency, which is threat event frequency (TEF). From the introduction, threat event frequency is:

The probable frequency, within a given timeframe, that a threat agent will act against an asset.

In other words, how many times within some amount of time will the bad guy try to do something evil to our treasured asset? This is important to know in determining how often we might actually suffer a loss.

So, to figure out the "how many times in how much time" part of the equation, we need to look at two things: contact and action. We are not talking about binary definitions here, such as "was there contact or not", but about how often contact happens and how likely the bad guy is to act when it does.

First let's talk contact. From the introduction, contact is:

The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

There are three kinds of contact we want to consider: random, regular, and intentional. Is contact the result of just random chance, or is there some regularity to it (the bad guy passes by our treasure as part of his routine)? And is the contact intentional: is the bad guy looking specifically for the type of treasure we have, or are we a target of opportunity? The answers shape our estimate of how often contact occurs.

Now action. From the introduction, action is:

The probability that a threat agent will act against an asset once contact occurs.

Again, we want to look at three things: asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough? How vulnerable does the bad guy perceive the treasure to be? Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy? How likely is he to get caught if he acts against the asset? Note that it is the bad guy's perception of value, vulnerability and risk that drives his decision, not our own assessment of them.

All these factors must be taken into consideration when we are thinking about threat event frequency. Put together, the frequency of contact and the probability of action once contact occurs give us the threat event frequency: the more often the bad guy comes into contact with the asset, and the more likely he is to act when he does, the more threat events we should expect within the timeframe.
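As an added example (not part of the original post, and not FAIR's own tooling), here is a small Python model of the decomposition just described: threat event frequency derived from a contact frequency and a probability of action, each given as a min / most likely / max range the way FAIR analysts estimate them. The `Estimate` class, the `probability_of_action` scoring of the three action drivers, its weights, the triangular distribution (a stand-in for the PERT distribution FAIR tools usually use) and the web server scenario numbers are all assumptions chosen for illustration, not FAIR calibration data.

```python
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate given as minimum, most likely and maximum.

    FAIR works with ranges rather than single numbers, because nobody
    knows exactly how often contact will happen.
    """
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.mode <= self.high:
            raise ValueError(f"need low <= mode <= high, got {self}")

    def sample(self, rng: random.Random) -> float:
        # Triangular is an assumed stand-in for the PERT distribution
        # that FAIR tooling normally uses; the shape is an assumption here.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


def probability_of_action(asset_value: float,
                          perceived_vulnerability: float,
                          attacker_risk: float) -> float:
    """Assumed illustrative scoring of the three 'action' drivers (each 0..1).

    Value and perceived vulnerability pull the threat agent toward acting;
    the agent's own risk of getting caught pushes the other way. The
    weighting is an assumption, not a FAIR-defined formula.
    """
    for name, v in (("asset_value", asset_value),
                    ("perceived_vulnerability", perceived_vulnerability),
                    ("attacker_risk", attacker_risk)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {v}")
    incentive = (asset_value + perceived_vulnerability) / 2.0
    return incentive * (1.0 - attacker_risk)


def point_tef(contact_frequency: float, p_action: float) -> float:
    """Threat event frequency = contact frequency x probability of action.

    contact_frequency is 'contacts per timeframe'; the result is in the
    same units (e.g. threat events per year).
    """
    if contact_frequency < 0 or not 0.0 <= p_action <= 1.0:
        raise ValueError("need contact_frequency >= 0 and 0 <= p_action <= 1")
    return contact_frequency * p_action


def simulate_tef(contact: Estimate, p_action: Estimate,
                 trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over the two input ranges; returns summary statistics."""
    rng = random.Random(seed)
    samples = sorted(point_tef(contact.sample(rng), p_action.sample(rng))
                     for _ in range(trials))
    return {
        "min": samples[0],
        "mean": mean(samples),
        "p90": samples[int(0.9 * (trials - 1))],
        "max": samples[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: an internet-facing web server. Contact is random
    # and mostly unintentional (mass scanning), so it is frequent, but the
    # scanners are rarely looking for this particular asset.
    contact = Estimate(low=50, mode=100, high=200)   # contacts per year
    p_act = Estimate(low=0.1, mode=0.3, high=0.6)    # probability of action
    print("point estimate:",
          point_tef(100, probability_of_action(0.6, 0.5, 0.3)))
    print("simulated TEF per year:", simulate_tef(contact, p_act))
```

The point of the simulation is the one the post makes about ranges: with contact somewhere between 50 and 200 times a year and a 10% to 60% chance of action, the model gives a distribution of threat events per year rather than a single number, and the 90th percentile is what you would carry forward when estimating how often a loss might actually occur.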

Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy. :)

As usual, drop me a note or leave me a comment with your thoughts.

-Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Via @alexhutton, this article is very interesting. Those who are interested in measuring and communicating risk should read it.
    2845 ways to spin the Risk | Understanding Uncertainty
    Tags: ( risk management )
  2. Rob (@mubix) posted a nifty how-to the other day and was taken to task for it. He responds publicly. His response and the comments are worthy of a read.
    The Ethics of Teaching Hacking | Room362.com
    Tags: ( ethics )
  3. Yup, time to make sure your patching is working on your Windows 7 Beta installs.
    Windows 7 beta gets its first security update - Ars Technica
    Tags: ( infosec microsoft patches windows-7 )
  4. This is quite cool. Requires authenticated scans, but does give the opportunity to see who is using USB drives on your systems.
    Tenable Network Security: USB Device History Auditing with Nessus
    Tags: ( nessus )
  5. Here's a script to help you lock down your IIS 6 installations. Careful though. It's brand new and has not been tested extensively.
    Script to lock down IIS paths - Nazim's IIS Security Blog : The Official Microsoft IIS Site
    Tags: ( iis scripts securing )
  6. Part 2 is up on not being nice to your Citrix installation :)
    Syn: Abusing Citrix - Part 2
    Tags: ( hacking citrix )
  7. In my opinion, yes, the BBC broke the law.
    Did BBC break the law by using a botnet to send spam? | Graham Cluley's blog
    Tags: ( botnet )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Looks like the Downadup worm may be setting up to cause some mischief.
    Downadup worm may hammer Southwest Airlines URL March 13 - Network World
    Tags: ( malware botnet )
  2. This is just downright scary.
    Survey: Most Oracle Shops Don't Mandate Security Patches - Network World
    Tags: ( patches oracle )
  3. This could definitely create some onerous logging and reporting requirements for those who choose to provide public internet access in their places of business.
    Bill takes aim at anonymous hot spots, like coffee shops - Network World
    Tags: ( privacy )
  4. A report by the Brown-Wilson Group is out ranking outsourcing locations on security. By security, they don't just mean information security either.
    The IT Security Guy: The Dangerous Back Alleys of Outsourcing
    Tags: ( risk outsourcing )
  5. Irongeek has updated his list of deliberately vulnerable applications on which you can practice your web application security testing skills.
    Deliberately Insecure Web Applications For Learning Web App Security (WebGoat, BadStore, Hacme, SecuriBench, WebMaven)
    Tags: ( webappsec hackme )
  6. A nifty tool that gives you the ability to view log files in some interesting and different ways.
    Highlighter
    Tags: ( tools logfile )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Some interesting stats; however, the title is a bit misleading: the percentages for 20s, 30s and 40s are 25%, 23% and 20% respectively. Not exactly what I would call a significant lead for the 20-somethings.
    ID theft up, and 20somethings suffer most | Security - CNET News
    Tags: ( theft identity )
  2. A very nice diagram depicting risk. Hat tip: Gunnar Peterson
    Telic Thoughts: Threats, vulnerabilities and risk
    Tags: ( risk )
  3. Time to update your PHP installations.
    PHP plugs security holes | Zero Day | ZDNet.com
    Tags: ( vulnerability patches php )
  4. Christofer waxes poetic on cloud computing.
    Rational Survivability: Ron Popeil and Cloud Computing In Poetic Review...
    Tags: ( cloud )
  5. A nice post that shows you how to build a U3 USB keyfob that will gather information from a Windows system using nothing but built-in tools.
    Syn: USB Enumerator vs USB Hacksaw
    Tags: ( tools usb u3 information-gathering )
  6. A nifty little how-to on using self-signed certs with Burp.
    un-excogitate.org >> Blog Archiv >> Self-signed Certificates in Burp
    Tags: ( pentest burp )
  7. Woot! L0phtCrack is alive again. I'm jealous of those who will get to see the launch live at Source Boston.
    L0phtCrack 6
    Tags: ( cracking password windows )
  8. Irongeek has written a set of PHP scripts that demonstrate all 10 of the vulnerabilities described by the OWASP Top 10. Very cool stuff.
    Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10
    Tags: ( tools )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin
