Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. The Security Baselines for Windows 7 and IE 8 are now available.
    Now Available: Security Baselines for Windows 7 and Internet Explorer 8 - Springboard Series Blog - The Windows Blog
    Tags: ( windows-7 ie8 )
  2. The call for submissions for Peer2Peer sessions at RSA 2010 has opened. Have a topic you want to explore with others in your industry/field/profession? Go ahead and suggest it.
    Peer2Peer Sessions
    Tags: ( rsa-2010 cfp )
  3. Xavier's first day recap of Hack.lu is up.
    /dev/random >> hack.lu Day #1
    Tags: ( conferences hacklu )
  4. Jeremiah offers some interesting thoughts on black box vs white box software testing.
    Jeremiah Grossman: Black Box vs White Box. You are doing it wrong.
    Tags: ( webappsec )
  5. Another good article on methods and tools to monitor/gather intelligence about your company that might be mentioned on-line. This one focuses on blogs, message boards, and metadata.
    Enterprise Open Source Intelligence Gathering - Part 2 Blogs, Message Boards and Metadata -- spylogic.net
    Tags: ( monitoring )
  6. This is scary.
    hype-free: Why network neutrality is a big deal
    Tags: ( general )
  7. Anton's notes from the day he spent at NIST's SCAP conference.
    Anton Chuvakin Blog - "Security Warrior": Notes from NIST SCAP 5th Security Automation Conference
    Tags: ( conference nist-scap )
  8. Alex has posted a nice exploration of impact vs asset valuation. This is a very FAIResque treatment of the issue if you ask me, which is a good thing in my opinion.
    Verizon Business Security Blog >> Blog Archive >> The curious case of asset Valuation.
    Tags: ( risk-analysis asset-valuation )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin

This is the presentation I gave at Secure360 2009 titled "Measuring and Communicating Risk using Factor Analysis of Information Risk (FAIR)."

As always, I am interested in your feedback.

-Kevin

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Do you trust your web application firewall? If so, you might want to rethink that decision.
    Researchers Hack Web Application Firewalls - DarkReading
    Tags: ( waf )
  2. Alex has posted another good post. It is very much worth reading and thinking about.
    Richard Bejtlich's Quantum State << The New School of Information Security
    Tags: ( risk-management risk-analysis )
  3. A nifty article on how to use hackvertor to de-obfuscate javascript.
    The Spanner - Hackvertor obfuscated code tutorial
    Tags: ( malware javascript )

That's it for today. Have fun!

Kevin

In the last post in our series on FAIR we took a look at the data flow diagram for the system that Oblivia wants us to assess. We also reviewed the definition of threat and quickly figured out we need a way to narrow down which threats we should be most concerned about.

FAIR uses the concepts of threat communities and threat characteristics to group like threat agents together and to estimate the probability of a given threat affecting us. A threat agent is an individual person or instance within a threat population, that is, within the overall set of threats we face.

Let's take a look at these two concepts and see how they can help us.

First, the definition of threat community. From the Introduction to FAIR: Risk Landscape Components:

Subsets of the overall threat agent population that share key characteristics

Basically, we are talking about the characteristics that define a group of threat agents. The Introduction uses a set of characteristics that could be used to place a threat agent in a community called 'terrorist.' How about the following characteristics?

Motive: Money
Primary intent: Financial gain
Sponsorship: Unofficial
Preferred general target characteristics: Systems where small changes are difficult to find
Preferred specific target characteristics: High traffic/significant impact systems
Preferred targets: Systems and applications
Capability: Significant technology skills
Personal risk tolerance: Medium
Concern for collateral damage: High (need for changes to remain unnoticed)

What could we call the threat community whose agents have these characteristics? I'm going to hate myself for using the term, but cyber criminals seems to work. Individuals who make money by subverting computer systems. This gives us some information about what makes up the community. Now we need some information that can help us determine which communities are worthy of more inspection. That is where threat characteristics come in.

From the Introduction, paraphrased a bit:

There are four primary characteristics we are concerned with in our risk taxonomy:

  • The frequency with which threat agents come into contact with our organizations or assets
  • The probability that threat agents will act against our organizations or assets
  • The probability of threat agent actions being successful in overcoming protective controls
  • The probable nature (type and severity) of impact to our assets

From an agent characteristic perspective, what we really care about is the frequency of contact, the likelihood that the agent will act against us, the likelihood that the agent will succeed if it does, and the likely type and severity of the resulting impact to our assets.

A situation where the agent is rarely in contact with us, is unlikely to actually attack us, is even more unlikely to succeed if it does, and would cause insignificant impact if it succeeded is very different from one where the agent is in constant contact, is very likely to act against us, is skillful enough to succeed, and will probably cause severe impact to our assets.

Understanding the different communities and the significant characteristics above helps a great deal in managing risk: it gives us a much more concrete estimate of the probability that something untoward happens to us as the result of a threat agent acting against us.
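To make the contrast between those two situations concrete, here is an added example (not from the original post or from the FAIR Introduction) that carries the four characteristics through a small Monte Carlo simulation. It assumes the usual FAIR factoring that later posts in this series cover (contact frequency times probability of action gives threat event frequency; times vulnerability gives loss event frequency; each loss event then costs some loss magnitude), and every min / most-likely / max range below is a constructed estimate for illustration, not data from any real assessment.

```python
# Added example: FAIR-style comparison of two threat communities.
# Not from the original post or the FAIR Introduction. The estimate ranges
# below are constructed for illustration, and the combination rule
# (TEF = contact frequency x probability of action, LEF = TEF x vulnerability,
# annual loss = sum of per-event losses) is the usual FAIR factoring.
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated min / most-likely / max estimate.

    FAIR works with ranges rather than point values; sampling each range as a
    triangular distribution is the simplest way to carry that uncertainty
    through the calculation.
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class ThreatCommunity:
    """One threat community described by the four characteristics above."""
    name: str
    contact_frequency: Estimate      # contacts with our assets per year
    probability_of_action: Estimate  # P(a contact becomes an attack), 0..1
    vulnerability: Estimate          # P(an attack beats our controls), 0..1
    loss_magnitude: Estimate         # loss per successful event, in dollars


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate(tc: ThreatCommunity, years: int = 5000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years; returns annual loss statistics."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        # Threat Event Frequency: how often this community actually attacks us.
        tef = tc.contact_frequency.sample(rng) * tc.probability_of_action.sample(rng)
        # Loss Event Frequency: how often those attacks get past our controls.
        lef = tef * tc.vulnerability.sample(rng)
        # Number of loss events this year, and what each one costs us.
        events = _poisson(rng, lef)
        annual_losses.append(sum(tc.loss_magnitude.sample(rng) for _ in range(events)))
    annual_losses.sort()
    n = len(annual_losses)
    return {
        "mean": sum(annual_losses) / n,
        "p10": annual_losses[int(0.10 * n)],
        "p50": annual_losses[n // 2],
        "p90": annual_losses[int(0.90 * n)],
        "max": annual_losses[-1],
    }


def rank_communities(communities, years: int = 5000):
    """Rank communities by expected annual loss, highest first."""
    ranked = [(tc.name, simulate(tc, years)["mean"]) for tc in communities]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed estimates for the two situations contrasted in the text.
OPPORTUNIST = ThreatCommunity(
    name="rarely in contact, unlikely to act, unlikely to succeed, minor impact",
    contact_frequency=Estimate(0.5, 2, 5),
    probability_of_action=Estimate(0.01, 0.05, 0.10),
    vulnerability=Estimate(0.05, 0.10, 0.20),
    loss_magnitude=Estimate(500, 2_000, 5_000),
)
CYBER_CRIMINALS = ThreatCommunity(
    name="constant contact, likely to act, skilled, severe impact",
    contact_frequency=Estimate(50, 100, 200),
    probability_of_action=Estimate(0.3, 0.5, 0.7),
    vulnerability=Estimate(0.1, 0.3, 0.5),
    loss_magnitude=Estimate(20_000, 100_000, 500_000),
)

if __name__ == "__main__":
    for tc in (OPPORTUNIST, CYBER_CRIMINALS):
        s = simulate(tc)
        print(f"{tc.name}: mean ${s['mean']:,.0f}/yr, p50 ${s['p50']:,.0f}, p90 ${s['p90']:,.0f}")
    print(rank_communities([OPPORTUNIST, CYBER_CRIMINALS]))
```

Two things the numbers show that the prose alone does not: for the rarely-in-contact community most simulated years have zero loss events, so the median annual loss is zero and only the tail matters; for the skilled, persistent community the loss event frequency is high enough that every year carries loss, and the expected annual loss is orders of magnitude larger. The ranking is what lets you decide which community is worth deeper inspection.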

In our next installment we will take one more quick look at a few characteristics related to assets. We will then dive into risk factoring in the next few posts.

As always, I am really interested in your thoughts. I read and take to heart every comment that is left and email received, so please join the conversation!

-Kevin