Risk Management

Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. SynJunkie reminds us that it is best not to run as admin all the time and then offers some tips on how to elevate our privileges when we need to.
    Syn: Part-time Superman
    Tags: ( windows least-privilege )
  2. Mike Rothman has penned an article for fudsec that you owe it to yourself to go read. He calls out some fud and then gives us some actionable advice. Good stuff and, yes, I said "actionable." I'm sorry, it's the manager in me sneaking out 🙂
    Guerilla Security Leadership - fudsec.com
    Tags: ( general )
  3. The A6 (Automated Audit, Assertion, Assessment, and Assurance API) Working Group held their kick-off call recently. The recording is available.
    Recording & Playback of WebEx A6 Working Group Kick-Off Call from 1/8/2010 Available | Rational Survivability
    Tags: ( cloud a6 )
  4. Mark points out that bad things can happen if somebody who shouldn't be able to has the ability to delete computers in an Active Directory domain. Good thing he shows us how to fix it too.
    Gone in 60 Seconds
    Tags: ( active-directory )
  5. Didier gives a video tutorial on using the Adobe Reader JavaScript Blacklist Framework. Pretty nifty stuff.
    Adobe Reader JavaScript Blacklist Framework « Didier Stevens
    Tags: ( )
  6. Anton points out that PCI has components that are not just point-in-time issues, i.e. there are ongoing compliance checks and requirements.
    Anton Chuvakin Blog - "Security Warrior": How to Stay Compliant? or Ongoing Tasks in PCI DSS
    Tags: ( pci )
  7. Securosis has started a new feature called FireStarter. They will be tossing ideas out for the community to chew on. First up - Risk Management. Go check it out and offer up some FIRE!
    Securosis Blog | FireStarter: The Grand Unified Theory of Risk Management
    Tags: ( risk-management )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Guest blog: Evil Maids on the rise | Graham Cluley's blog
    Tags: ( bitlocker tpm )
  2. Could a rubber duck steal your identity on Facebook? | Graham Cluley's blog
    Tags: ( facebook malware )
  3. AOL Ditches Security Tokens To Make Logging In Easier | Threat Level | Wired.com
    Tags: ( general )
  4. Can quantitative risk estimation serve as a guide for every-day policy decisions? « The New School of Information Security
    Tags: ( risk-management policy quantitative )
  5. Security Uncorked » Four Options for Secure Wireless Authentication with 802.1X
    Tags: ( 80211x )
  6. Great InformationWeek/Dark Reading/Black Hat Cloud & Virtualization Security Virtual Panel on 12/9 | Rational Survivability
    Tags: ( webinar virtualization cloud )
  7. Digital Soapbox - The White Rabbit Commeth...: Exposing Malware - Part 2: Infestation
    Tags: ( malware )
  8. McAfee Gives Stats on the Riskiest Domains | CNET Security | danielmiessler.com
    Tags: ( general )
  9. Economic Recovery: Will Your IT Security Department Jump Ship? - CSO Online - Security and Risk
    Tags: ( career jobs )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Leave it to David to be able to use canning and mason jars as an analogy for security and secure coding. Very nice post. Go read it.
    Reusable Code: The Mason Jars of Security | threatpost
    Tags: ( programming general )
  2. Yes, we are the unsung heroes. BTW - you have to read this if for no other reason than the Y2K reference towards the end.
    Securosis Blog | Why Successful Risk Management is Still a Failure
    Tags: ( general risk-management )
  3. I love a good walk-through and Paul provides us one that shows a step-by-step how-to on reversing some JavaScript shellcode. Good stuff!
    Paul Melson's Blog: Reversing JavaScript Shellcode: A Step By Step How-To
    Tags: ( reverse-engineering javascript shellcode )
  4. The Offensive Security Exploit archive is alive and kicking. It picks up where Milw0rm left off. Go check it out.
    Offensive Security Exploit Archive Goes live | Security Active Blog
    Tags: ( exploits milw0rm )
  5. This looks to be an interesting series. Adam will be exploring ways to help information security professionals build useful and productive relationships within their enterprises.
    Adam Cardinal: Building Relationships - Internal Audit Team - IANS Perspective
    Tags: ( general )
  6. Woot! Metasploit 3.3 is out. I am hearing good things about this. Go check it out.
    Metasploit: Metasploit Framework 3.3 Released!
    Tags: ( metasploit webappsec pentesting )
  7. Here is a quick how-to describing a method to decompile flash files.
    Carnal0wnage Blog: Decompiling Flash Files with SWFScan
    Tags: ( flash decompile webappsec )
  8. An interesting article that explores some real-life cross subdomain exploits.
    Real-Life Examples of Cross-Subdomain Issues | Social Hacking
    Tags: ( cross-subdomain webappsec )
  9. This is going to be a very cool project. Get involved.
    Securosis Blog | An Open Metrics Model for Database Security: Project Quant for Databases
    Tags: ( metrics databases )

That's it for today. Have fun!


Kevin


Hi there folks. I know it's been awhile since we've had a bits post, but never fear. I did not just click 'mark all read' and am making my way through the back log. For the next few days you should see a bits post for that day and a catch-up post. This is the first catch-up post. I apologize, but the catch-up posts will probably be commentless like this one.

  1. The Ethical Hacker Network - SSHliders
    Tags: ( challenge )
  2. Nikto 2.10 released « Ramblings of the anal security guy
    Tags: ( nikto tools webappsec )
  3. Twitter Risks | The Infosec Cynic
    Tags: ( twitter humor )
  4. Syn: Abusing VLANs With BackTrack
    Tags: ( vlans backtrack )
  5. Carnal0wnage Blog: Oracle Hacker's Handbook Book Review
    Tags: ( book review oracle )
  6. Securosis Blog | IDM: Reality Sets In
    Tags: ( idm )
  7. Do the Evolution... - fudsec.com
    Tags: ( profession )
  8. Are Security "Best Practices" Unethical? « The New School of Information Security
    Tags: ( best-practices risk-management )
  9. Information Escapology « wirewatcher
    Tags: ( passwords logging )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Exception, variance, these words are the bane of the information security professional. We all have to deal with them. Jarrod offers some thoughts on the topic. You will benefit from reading them.
    /dev/null - ramblings of an infosec professional: Security Exemptions
    Tags: ( policy )
  2. Ben shares his method for writing along with some thoughts on writing in general. It's a good read and I bet you can find some things in there that can be applied to your own writing.
    The Writing Funnel (The Falcon's View)
    Tags: ( general writing )
  3. A bit ago, a forensic contest was opened with the winner getting a free SANS course. That contest is now over. Here is the cool part: they took the finalists' answers and made a website out of them for the rest of us to learn from. Check it out.
    Network Forensics Puzzle Contest
    Tags: ( forensics contest answer )
  4. This boggles the mind. A judge has ordered that Google deactivate an account because the account holder received an email not intended for them. I seriously hope this gets challenged. Otherwise, we are in for a very rocky time.
    Judge Orders Gmail Account Deactivated After Bank Screws Up | Threat Level | Wired.com
    Tags: ( cloud privacy )
  5. Hoff has penned a post that, along with the attending comments, is something that you should read. Seriously, go read it.
    Incomplete Thought: Virtual Machines Are the Problem, Not the Solution... | Rational Survivability
    Tags: ( virtualization )
  6. Shrdlu offers some guidance on how to implement new policies. I have used this same method in the past.
    The policy bootstrapping problem.
    Tags: ( policy )
  7. Next month is Cyber Security Awareness month. The Internet Storm Center handler's diary will again be making deep dives into various security issues during the month. If you aren't a subscriber now, I suggest you rectify that lapse.
    Cyber Security Awareness Month
    Tags: ( awareness )
  8. Wade talks about the difference between Management Science methods of making decisions and engineering methods. He then asks the question "..how does your company make 'Should we do X, Y, or Z?' decisions?" (slightly paraphrased) He offers a few he has seen. Stop by and offer your input.
    Verizon Business Security Blog » Blog Archive » Security Decisions - How do you make them?
    Tags: ( risk-management )

That's it for today. Have fun!


Kevin


Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the band wagon.

Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.

Threat Event Frequency

We start with the first component of Loss Frequency which is threat event frequency (TEF.) From the introduction, threat event frequency is:

The probable frequency, within a given timeframe, that a threat agent will act against an asset.

In other words, how many times within some amount of time will the bad guy try to do something evil to our treasured asset. This is important to know in determining how often we might actually suffer a loss.

So, to figure out the "how many in how much time" part of the equation, we need to look at a couple of things: contact and action. However, we are not talking about binary definitions here such as 'was there contact or not'.

First let's talk contact. From the introduction, contact is:

The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

There are three things we want to consider. We are interested in whether the bad guy has regular or random contact with our treasure. Is contact the result of just random chance, or is there some regularity to the contact? We are also really interested in whether the contact is intentional or not. Is the bad guy looking specifically for the types of treasure you have, or are we a target of opportunity?

Now action. From the introduction, action is:

The probability that a threat agent will act against an asset once contact occurs.

Again, we want to look at three things: asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough? How vulnerable does the bad guy perceive the treasure to be? Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy? How likely is he to get caught if he tries to make contact?

All these factors must be taken into consideration when we are thinking about threat event frequency.
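As an added illustration (not from the original post and not FAIR's own code), the following Python models threat event frequency from the two components discussed above, contact frequency and probability of action. It assumes the two combine multiplicatively (contacts per period times the chance that a given contact turns into an attempt) and that each component is estimated as a minimum, most likely and maximum value rather than a single number; the sample inputs are constructed.

```python
import random
from dataclasses import dataclass


@dataclass
class RangeEstimate:
    """An estimate expressed as a minimum, most likely and maximum value."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular draw: random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


def threat_event_frequency(contact_frequency: float, probability_of_action: float) -> float:
    """Point estimate: contacts per period scaled by the chance each contact becomes an attempt.

    The multiplicative combination is this example's assumption, not stated in the post."""
    if contact_frequency < 0 or not 0.0 <= probability_of_action <= 1.0:
        raise ValueError("contact frequency must be >= 0 and probability of action in [0, 1]")
    return contact_frequency * probability_of_action


def simulate_tef(contact: RangeEstimate, action: RangeEstimate,
                 runs: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over both range estimates; returns TEF percentiles per period."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    draws = []
    for _ in range(runs):
        cf = contact.sample(rng)
        poa = min(1.0, max(0.0, action.sample(rng)))  # keep the probability inside [0, 1]
        draws.append(threat_event_frequency(cf, poa))
    draws.sort()

    def pick(p: float) -> float:
        return draws[int(p * (runs - 1))]

    return {"p10": pick(0.10), "median": pick(0.50), "p90": pick(0.90)}


if __name__ == "__main__":
    # Constructed inputs: an internet-facing server that opportunistic scanners
    # touch roughly 200-400 times a year, with an estimated 5-20% chance that
    # any single contact turns into an actual attempt against it.
    contact = RangeEstimate(low=200, likely=300, high=400)
    action = RangeEstimate(low=0.05, likely=0.10, high=0.20)
    print("point estimate of TEF per year:", threat_event_frequency(300, 0.10))
    print("simulated TEF per year:", simulate_tef(contact, action))
```

The spread between p10 and p90 is the useful part: it shows how much the uncertainty in the contact and action estimates carries through into the frequency you will later combine with vulnerability.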

Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy. 🙂

As usual, drop me a note or leave me a comment with your thoughts.

-Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. I find this a little alarming. Particularly with the number of recent Facebook worms that have cropped up.
    Army Orders Bases to Stop Blocking Twitter, Facebook, Flickr | Danger Room | Wired.com
    Tags: ( social-media army )
  2. More on database encryption. Good stuff.
    Securosis Blog | Database Encryption, Part 2: Selection Process Overview
    Tags: ( database encryption )
  3. Good stuff, but remember making the boss look stupid is a career limiting move 😉
    A chat with the boss | The Infosec Cynic
    Tags: ( general )
  4. Here is an output of Project Quant. The first phase of the patch management cycle. Rich is looking for feedback.
    Details: Monitor for Advisories
    Tags: ( patch-management )
  5. Like a pet rock, a pet risk doesn't really help you much. Check out Ron's suggestions below.
    Pet Risks - A New View of Risk Management : The Security Catalyst
    Tags: ( risk-management )
  6. Chris was looking for some incident response templates and hit the motherlode of suggestions. He put them all together in a blog post. A very good reference page.
    Dr. InfoSec: Incident Response Templates, Cheat Sheets, and more
    Tags: ( incident-response )
  7. A couple days ago I pointed to the crossword puzzle challenge/contest being put on by Sophos. Well, it's all done and there is a winner. The link below contains the answer sheet if you are interested.
    Solution to computer security cryptic crossword | Graham Cluley's blog
    Tags: ( challenge )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Some interesting documents have been published recently. This article points out a couple of them. Both have been added to my reading pile.
    Techworld.com - Risk assessment guides launched
    Tags: ( risk-management metrics )
  2. Jack offers some alternatives to saying "No." Very good ideas and we (not the royal we) should use them.
    Uncommon Sense Security: Don't say "No"
    Tags: ( communication )
  3. Want to know more about Johnny Long? Here you go.
    Sunbelt Blog: Johnny Long's story
    Tags: ( hackersforcharity )
  4. Chris works through an interesting exercise in quantifying loss. He then offers some thoughts on communicating loss. I need to read it again, but it strikes me as very useful. For those FAIR fans out there, it is very applicable to using FAIR.
    The Risk Is Right. « Risktical Ramblings
    Tags: ( risk-management )
  5. Lori has once again nailed it.
    The IT Security Flowchart
    Tags: ( general )
  6. This breaks things down very succinctly. As Rich says, that doesn't mean it's easy.
    Securosis Blog | The Pragmatic Data (Information-Centric) Security Cycle
    Tags: ( security-lifecycle )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Just go look.
    Klingon Anti-Virus
    Tags: ( humor )
  2. Here's an interesting one-stop-shop for NIST documents related to their Risk Management Framework. It includes FIPS docs, NIST publications, FAQs, and other docs in a neat lifecycle-like representation.
    NIST.gov - Computer Security Division - Computer Security Resource Center
    Tags: ( risk-management )
  3. Time to patch ssh. Don't want anybody seeing your secret bits 🙂
    OpenSSH chink bares encrypted data packets • The Register
    Tags: ( openssh vulnerability patches )
  4. Check out Andrew's answer to the question he poses. I agree with him.
    Andrew Hay » Blog Archive » Should the Helpdesk be a Mandatory Start for an IT Career?
    Tags: ( general )
  5. Things people say when faced with a web app vulnerability. I've heard most if not all of these at one time or another.
    But That's Impossible!
    Tags: ( general )

That's it for today. Have fun!


Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Do you trust your web application firewall? If so, you might want to rethink that decision.
    Researchers Hack Web Application Firewalls - DarkReading
    Tags: ( waf )
  2. Alex has posted another good one. It is very much worth reading and thinking about.
    Richard Bejtlich's Quantum State « The New School of Information Security
    Tags: ( risk-management risk-analysis )
  3. A nifty article on how to use Hackvertor to de-obfuscate JavaScript.
    The Spanner - Hackvertor obfuscated code tutorial
    Tags: ( malware javascript )

That's it for today. Have fun!


Kevin
