fair

Exploring FAIR – What’s an Asset?

by kriggins on January 30, 2009

in Risk Management

In this post we are going to start exploring the terminology of FAIR. It makes sense to me that we explore FAIR through the use of an example scenario, much like the FAIR Introduction (link to pdf) does.

We are going to use a web site for our scenario. We will develop the scenario more and more as we go along, but the following are the initial characteristics:

  • The web server is an up-to-date version of Apache.
  • The information stored on the server is public.
  • The web server is exposed to the internet.
  • The bandwidth available is significant.

We are going to take things in a slightly different order than presented in the Introduction to FAIR. The first thing we are going to look at is the asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, what asset or assets are present that we need to be worried about?

Is the information in this case an asset? No, because we've classified the information as public. Three things come to mind as assets with the information we have so far: the physical hardware Apache is running on, the Apache web server itself, and the available bandwidth.

The hardware is an asset because someone might want to steal it or run their own software on it. The web server is an asset because someone might want to use it for their own purposes. The bandwidth is an asset because, again, someone may want to use that bandwidth, that we pay for, for their own purposes.

Pretty basic and straightforward. Next time we will look at "What's a threat?"

As always, the comments are open. Feel free to share your thoughts.

-Kevin

Image courtesy of tao_zyn.


Every business has information of one kind or another. That information is most often processed, transmitted and stored using information technology. While that information is being processed, transmitted and stored, it is exposed to a certain level of risk, even if it never leaves the confines of the business's building.

As information security professionals, we are tasked with ensuring that our business's information is protected. To do so, we need to implement processes, procedures, and controls that reduce risk to an acceptable level. Unfortunately, our companies do not have endless resources, either in terms of manpower or money. That means we need a method of determining how much risk exists and what is an appropriate level of resources, if any, to expend to address that risk.

Enter Factor Analysis of Information Risk (FAIR). FAIR is the brainchild of Jack J. Jones, CISSP, CISM, CISA of Risk Management Insight, LLC and has been released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.

So what is FAIR? From the Wiki:

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

Together, over what will likely be a fairly long series of posts, we are going to explore FAIR. This will help me internalize the concepts and hopefully you will find it an interesting ride too.

I have already pointed to the Wiki above. There are also a few other sources of information and tools available if you want to read ahead.

The Basic Risk Assessment Guide lives here. Note: direct link to the pdf.

Alex Hutton frequently writes about FAIR on his blog.

Chris Hayes has done some great work on his blog about FAIR too.

Next we will start digging into the terminology used in FAIR. As always, comments are open. Feel free to let me know what you think.

-Kevin


Sorry for the late post folks. Been a busy, busy day. Below you will find a post by RSnake begging for discussion, EFF pushing for modification to DMCA, a method to secure BGP, how we communicate to our users is important, the final part of a risk assessment using FAIR, SQL firewalls, and the fact that BeanSec is next week. Have a great weekend.

  1. Crime and Punishment ha.ckers.org web application security lab
    Tags: ( general opinion )
  2. This would benefit everybody.
    EFF pushes for legal handset jail-breaks - vnunet.com
    Tags: ( cellphone drm )
  3. This will be a definite improvement. There have been several cases of BGP errors causing significant problems in the past year or so.
    U.S. plots major upgrade to Internet router security - Network World
    Tags: ( bgp bgpsec )
  4. David reminds us that how a message is delivered is just as important as why the message is delivered.
    The Power of Positive Rethinking : The Security Catalyst
    Tags: ( communication )
  5. Part 4 of Chris's latest FAIR assessment is posted.
    Risk Scenario - Hidden Field / Sensitive Information (Part 4 of 4) « Risktical Ramblings
    Tags: ( risk assessment fair )
  6. It was only a matter of time before we started seeing SQL firewalls. Not saying it's a bad thing.
    /dev/random » Blog Archive » Databases Protection with GreenSQL
    Tags: ( firewall sql )
  7. Beansec next week.
    Rational Survivability: BeanSec! Wednesday, January 21st, 2009 - 6PM to ?
    Tags: ( beansec meetings )
  8. Yes, indeed. I and others have said it more than once, compliance does not equal security.
    Network Security Blog » "Security first" please!
    Tags: ( security pci )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin



Today's Bits consists of more risk assessment talk, biometrics and passports, secure code by demand, compliance vs security, builders and breakers in software security, DEFCON CTF, how SSL works, PCI and security, a good way to quantify risk and an argument that one pass data wipe is enough. Details below.

  1. Part 3 is up of Chris's assessment.
    Risk Scenario - Hidden Field / Sensitive Information (Part 3 of 4) « Risktical Ramblings
    Tags: ( risk assessment fair )
  2. Get ready to get your fingers inked when you apply for a passport in the E.U. (Okay, there are inkless methods now. Not nearly as much fun to write "scanned" though.)
    Biometric passports agreed to in EU - Network World
    Tags: ( privacy )
  3. Folks, it just isn't this easy. Unlike Picard, we can't just "make it so."
    New York drafts language demanding secure code
    Tags: ( general )
  4. Compliance does not equal security. Never has and never will. Good thought in here.
    Using The Compliance Stick Actually Weakens You | RiskAnalys.is
    Tags: ( risk compliance )
  5. An interesting argument, which I happen to agree with, by Jeremiah about the need for both builders and breakers when it comes to software security.
    Jeremiah Grossman: Builders, Breakers, and Malicious Hackers
    Tags: ( general opinion )
  6. Ever wanted to run a CTF? Defcon needs to talk to you. Be warned, we are talking about a granddaddy of a CTF.
    DEFCON 17 CTF Call for new Organizers! - Defcon Forums
    Tags: ( defcon ctf )
  7. A real nice basic introduction to how SSL works.
    Security Workshop: How HTTPS/SSL works Part 1 - Basics
    Tags: ( ssl )
  8. A nice post by Anton that I found via Alex over at riskanal.is. Repeat "Security First."
    Anton Chuvakin Blog - "Security Warrior": Tales From the "Compliance First!" World
    Tags: ( pci compliance )
  9. Adam has a great post up on the Security Catalyst blog. The KISS principle in action.
    The Breach-Stamp Metric : The Security Catalyst
    Tags: ( risk communication )
  10. A nice article with some hard data on the effectiveness of data retrieval off of a drive which has been effectively wiped. Effectively here meaning with only one pass.
    Overwriting Hard Drive Data « SANS Computer Forensics, Investigation, and Response
    Tags: ( data disposal )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin



In today's crop of Bits we have more FAIR analysis, a couple of articles about surveillance in the US, a patch for Win 7 Beta and other Microsoft products, a great visualization of application security relationships, virtualization security info and some helpful data recovery advice.

  1. Part 2 is up. The more I read about and see FAIR (Factor Analysis of Information Risk) in action, the more I like it.
    Risk Scenario - Hidden Field / Sensitive Information (Part 2 of 4) « Risktical Ramblings
    Tags: ( risk assessment fair )
  2. A new project over at Electronic Freedom Foundation. Very interesting information.
    The SSD Project | EFF Surveillance Self-Defense Project
    Tags: ( privacy surveillance eff )
  3. This article contains links to some really interesting information. If you are concerned or curious about surveillance in the U.S., you should give it a gander.
    Report: U.S. Surveillance Society Running Rampant | Threat Level from Wired.com
    Tags: ( surveillance )
  4. The first patch is out for Windows 7 Beta. Be warned that it does not address the SMB issue which does exist for Windows 7 Beta. Read the article for the details.
    Microsoft issues first Windows 7 beta patch
    Tags: ( vulnerability microsoft patches )
  5. Some good information about Microsoft's January patches.
    Inside the MSRC: Microsoft describes Server Message Block update
    Tags: ( vulnerability microsoft patches )
  6. I'm going to print this out and hang it on my wall. Great visualization of application security and how the different pieces relate and interact.
    Jeremiah Grossman: The World of Web Security
    Tags: ( appsec webappsec taxonomy )
  7. Continuing a series on virtualization security, Ryan points out some of the risks inherent in server virtualization.
    Virtualization Security Part 2 - PandaLabs
    Tags: ( virtualization )
  8. A nice post with some really good advice on being prepared for hard drives which are having problems.
    Data Recovery from Dead Drives | Forensics, Security, Auditing | Enclave Forensics
    Tags: ( data recovery )
  9. Another tool that builds a focused word list for brute force password attacks.
    The Associative Word List Generator (AWLG) - Create Related Wordlists for Password Cracking | Darknet - The Darkside
    Tags: ( password wordlists )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin



Hello again everybody and welcome to Monday. Below we have tidbits on Oracle patches, common coding errors, steganography, Security Catalyst, risk assessments using FAIR, financial impact of cloud computing, a little humor about cloud computing, and a tool to help you with your regex adventures.

Have a great day and do good!

  1. 41 patches coming from Oracle. Get the patch hammer ready.
    Oracle to issue 41 security patches - Network World
    Tags: ( vulnerability patches oracle )
  2. Top 25 coding errors report supposed to be released today.
    Group to detail 25 most dangerous coding errors hackers exploit
    Tags: ( secure programming coding errors )
  3. Here is a free tool if you would like to play around with steganography. Steganography is defined as hiding data by embedding it in other data in such a way as to leave the original innocuous data intact.
    SourceForge.net: OpenStego
    Tags: ( tools java steganography )
  4. The 2009 contributors for the Security Catalyst site have been announced. It's a good mix. I look forward to seeing what they produce this year.
    The Security Catalyst » Introducing the Security Catalyst Contributors for 2009
    Tags: ( general )
  5. Chris has set up a new scenario for trying your hand at a risk assessment using the FAIR (Factor Analysis of Information Risk) methodology. Take a stab at it. He will be posting the rest of the series this week.
    Risk Scenario - Hidden Field / Sensitive Information (Part 1 of 4) - The Scenario « Risktical Ramblings
    Tags: ( risk assessment fair )
  6. A nice post pointing out some financial dangers that need to be considered when using cloud based infrastructure.
    When the Cloud Bursts - Someone Gets Wet... | CloudAve
    Tags: ( cloud )
  7. Christofer has something you really must read. Classic.
    Rational Survivability: Introducing the Next Generation of Cloud Computing...
    Tags: ( cloud humor )
  8. A nifty tool to help you with your regex adventures.
    Hat tip: @mfratto
    The Regex Coach - interactive regular expressions
    Tags: ( tools regex )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin Riggins

