vulnerability

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

In the last post in this series, a very, very long time ago, we took a look at Threat Event Frequency (TEF). In its simplest form, TEF is how often a threat event happens.

We are now going to take a look at the other component of Loss Frequency (LF), Vulnerability. However, this is not how we normally think of vulnerability.

From the Introduction, Vulnerability is:

The probability that an asset will be unable to resist the actions of a threat agent.

This is quite different from how we normally define vulnerability as information security professionals. We usually view vulnerability as a specific weakness in a system or application. In FAIR, vulnerability is an inverse measure of an asset's ability to protect itself against the efforts of a threat agent.

A high probability means that the asset will likely be compromised and a low probability means that the asset will be able to effectively resist. You have to let that one percolate for a bit.

Vulnerability is made up of two factors, and here we diverge a bit from the Introduction. Both the Introduction and the Open Group Risk Taxonomy use Control Strength and Threat Capability as the factors of Vulnerability. Jack has since modified this slightly: Threat Capability (TCap) is still used, but Control Strength has been renamed Resistance Strength (RS). Let's talk about both of these for a second.

Resistance Strength is the probability that an asset can resist a baseline measure of force. Let's say I have a gate that keeps people from coming onto my property. Someone on a bicycle would be kept out, but someone in a Mini Cooper wouldn't. We would probably say that the Resistance Strength at that point is pretty low. Replace that flimsy gate with a door to rival those protecting the installation in Cheyenne Mountain and our Resistance Strength goes through the roof.

Threat Capability is just what it sounds like: how capable are the evildoers attempting to compromise my asset? Are they riding bicycles or driving Abrams tanks?

Putting the two together, Resistance Strength and Threat Capability, gives us Vulnerability. For instance, take that super strong door we were talking about. There is a very high probability that the door will be able to resist a baseline or average level of force. How about the evil dude on the bicycle? His Threat Capability is very low. Combining the two gives us a very low probability that the asset will be unable to resist the threat agent, i.e. we're going to be just fine.
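Here is that combination worked through in code, as an added example (not the post's own code, and not a FAIR project artifact). It assumes, as the Open FAIR taxonomy does, that Resistance Strength and Threat Capability are both expressed as percentile estimates on a 0-100 scale, so Vulnerability is the probability that a sampled TCap exceeds a sampled RS, and that Loss Frequency is TEF multiplied by Vulnerability; the numbers for the gate, door, bicycle and Mini Cooper are constructed.

```python
"""FAIR Vulnerability as P(TCap > RS), computed exactly on discretised estimates.

Added example, not code from the original post. Assumptions (mine): RS and TCap
are calibrated min / most likely / max estimates on a 0-100 percentile scale,
shaped as triangular distributions; Loss Frequency = TEF x Vulnerability.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Min / most-likely / max estimate on the 0-100 percentile scale."""
    low: int
    mode: int
    high: int

def pmf(est: Estimate) -> list[float]:
    """Triangular distribution discretised over the integer points 0..100."""
    w = []
    for x in range(101):
        if x < est.low or x > est.high:
            w.append(0.0)
        elif x <= est.mode:  # rising edge (flat 1.0 when low == mode)
            w.append((x - est.low) / (est.mode - est.low) if est.mode > est.low else 1.0)
        else:                # falling edge (mode == high never reaches here)
            w.append((est.high - x) / (est.high - est.mode))
    total = sum(w)
    return [v / total for v in w]

def vulnerability(rs: Estimate, tcap: Estimate) -> float:
    """Probability the asset cannot resist the threat agent: P(TCap > RS)."""
    p_rs, p_tc = pmf(rs), pmf(tcap)
    below = [0.0]                      # below[t] = P(RS < t)
    for p in p_rs:
        below.append(below[-1] + p)
    return sum(p_tc[t] * below[t] for t in range(101))

def loss_frequency(tef_per_year: float, rs: Estimate, tcap: Estimate) -> float:
    """LF = TEF x Vulnerability: threat events per year the asset fails to resist."""
    return tef_per_year * vulnerability(rs, tcap)

# The post's scenarios, with constructed percentile estimates (not from the post).
FLIMSY_GATE = Estimate(5, 15, 30)      # stops little more than a bicycle
BLAST_DOOR = Estimate(90, 97, 100)     # Cheyenne Mountain class
BICYCLE = Estimate(0, 5, 15)
MINI_COOPER = Estimate(40, 55, 70)

if __name__ == "__main__":
    scenarios = [("gate vs bicycle", FLIMSY_GATE, BICYCLE),
                 ("gate vs Mini Cooper", FLIMSY_GATE, MINI_COOPER),
                 ("blast door vs Mini Cooper", BLAST_DOOR, MINI_COOPER)]
    for name, rs, tc in scenarios:
        v, lf = vulnerability(rs, tc), loss_frequency(12, rs, tc)
        print(f"{name}: Vuln={v:.3f}  LF at TEF=12/yr -> {lf:.2f}")
```

Where the two ranges overlap (the flimsy gate against the bicycle) the result is a partial Vulnerability rather than 0 or 1, which is the case that a simple "is it vulnerable or not" view cannot express.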

Next time we are going to take a quick look at how Threat Event Frequency and Vulnerability define Loss Frequency, and then we will start on the Probable Loss side of the Risk equation.

As always, please leave a comment or send me a note at kriggins@infosecramblings.com with your thoughts.

-Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Just so you know.
    Vivek Kundra reinstated as federal CIO
    Tags: ( general )
  2. This reinforces the importance of physical access. If someone has physical access to a device, you are going to be very hard pressed to prevent them from doing evil.
    Criminals sneak card-sniffing software on Diebold ATMs - Network World
    Tags: ( physical )
  3. Dave gives us a couple more tips on pulling binaries out of a pcap file or from live network traffic, but more importantly does something that impresses me more: addresses a miscommunication in a previous post.
    NetworkMiner follow up << SANS Computer Forensics, Investigation, and Response
    Tags: ( forensics network captures )
  4. A nice post cooked up in the Security Kitchen that provides us with two things. 1) A way to restrict browsing by location/machine and 2) a reminder that sometimes things are much simpler and easier than they appear. 🙂
    The Security Kitchen >> location-based browsing restrictions.
    Tags: ( controls tips )
  5. This has the potential to be very important. We will have to wait and see what comes out tomorrow.
    Uh Oh, rootkit code to exploit major Intel chip flaw to be posted 3/19/09 | NetworkWorld.com Community
    Tags: ( vulnerability intel )
  6. Chris's slide deck from his talk at SOURCEBoston is available for download. Interesting stuff in there, even if you don't get the benefit of his patter to go along with the deck. 🙂
    Rational Survivability >> The Frogs Who Desired a King: A Virtualization & Cloud Computing Fable [Slides]
    Tags: ( cloud virtualization )
  7. Julie takes us to task for the way we talk about our user populations, and rightfully so. As she says, the way we talk in private can leak into our public discourse, often when we don't intend it to, leading to those whoops moments we all wish we could take back.
    Lazy. Apathetic. Careless. Stupid. : The Security Catalyst
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is interesting. I would say some of the guidance appears a bit more tactical than I would expect for a CSO, but still worth a gander.
    ASIS releases standards detailing CSO role @ The Latest for Security Executives SecurityInfoWatch.com
    Tags: ( cso )
  2. This is a good article to put in front of anybody that thinks that cross-site scripting vulnerabilities are minor and don't really need to be worried about.
    SecuriTeam Blogs >> Cross Site Scripting can cause your stock to tank
    Tags: ( xss )
  3. A very nice article about the recent patching of a flaw in the SimpleDB api.
    What's New in the Amazon Cloud?: Security Vulnerability in Amazon EC2 and SimpleDB Fixed (7.5 Months After Notification) | Cloud Security
    Tags: ( vulnerability patches amazon simpledb )
  4. Martin has a post asking us what we are doing to keep our skills current. Several, including me, have offered some input. There is some good stuff there. Go check it out and add your own ideas.
    Network Security Blog >> Investing in my career
    Tags: ( career education )
  5. Nifty tip on how to mount a filesystem using the alternate superblock when it won't mount normally. Of course, this is from a forensic perspective, but useful from a general perspective also.
    Mounting Images Using Alternate Superblocks << SANS Computer Forensics, Investigation, and Response
    Tags: ( forensics mount superblock )
  6. The bad guys are not in this for fun and games. There is value in the data they are taking from you.
    Hundreds of Stolen Data Dumps Found - Security Fix
    Tags: ( data breach )
  7. Looks like there might be some clarification coming regarding PCI and virtualization in 2009. Keep your eyes open.
    http://www.networkworld.com/news/2008/121808-crystal-ball-pci.html
    Tags: ( pci virtualization )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is nice to see.
    Yahoo to anonymize user data after 90 days | Security - CNET News
    Tags: ( privacy )
  2. Time to update Flash Player on Linux.
    Critical Flaw in Flash Player...For Linux! - Security Watch
    Tags: ( flash linux )
  3. Part 3 of SynJunkies' tale is ready for your perusal.
    Syn: The Story of an Insider - Part 3. Playing at CSI
    Tags: ( incident-response stories )
  4. New version. Haven't played with this one yet. Going to have to check it out.
    /dev/random >> Blog Archive >> OpenVAS 2.0.0. is out
    Tags: ( vulnerability openvas )
  5. Mike is getting involved in what appears to be a great new effort in training for penetration testers.
    Getting Information Security Training Right | Episteme
    Tags: ( training pentesting )
  6. Nifty new features.
    New Zenmap adds feature that does topology mapping | SecViz
    Tags: ( nmap zenmap )
  7. Don't forget folks. Firefox 2 is at end-of-life with 2.0.19 and you lose your safe-browsing capabilities too.
    Firefox 2 Users Will Get No More Security Updates - Security Fix
    Tags: ( firefox patches )
  8. I just like this post and Kees's approach.
    Making the world a little better - Kees Leune Information Security Blog
    Tags: ( awareness education )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. Lavasoft has jumped into the anti-virus market. We'll have to keep an eye on this one.
    Ad-Aware gets an antivirus cousin | The Download Blog - Download.com
    Tags: ( free anti-virus )
  2. Some interesting situations that led to a need for data recovery. Hat tip to Xavier at /dev/random (blog.rotshell.be)
    Kroll Ontrack Top Ten Data Mishaps and Recoveries - Press Release
    Tags: ( amusing general )
  3. The workarounds section for the recent 0-day for IE has been updated. This blog post goes into some further detail about the workarounds.
    Security Vulnerability Research & Defense : Clarification on the various workarounds from the recent IE advisory
    Tags: ( exploit vulnerability microsoft ie workarounds )
  4. Part 2 of SynJunky's fictional story about detection of and incident response to an insider attack.
    Syn: The Story of an Insider - Part 2. The Sys Admins Story
    Tags: ( insider )
  5. This is a nifty way to get the job done.
    Writing a web services fuzzer in 5 minutes to SQL injection | tssci security
    Tags: ( webappsec injection sql )
  6. Woot! Version 1.2 of Burp Suite has been released.
    PortSwigger.net - web application security: Burp Suite v1.2 released
    Tags: ( webappsec burp )
  7. Just go read it. You won't regret it.
    Rational Survivability: GigaOm's Alistair Croll on Cloud Security: The Sky Is Falling!...and So Is My Tolerance For Absurdity
    Tags: ( cloud )
  8. Rory is writing a series of posts on penetration testing. The first is up.
    Rory.Blog: What is Penetration Testing?
    Tags: ( pentest )
  9. Here is a very cool idea for a low/no cost way to implement DLP.
    /dev/random >> Blog Archive >> Simple DLP with Ngrep
    Tags: ( dlp ngrep )
  10. Looks like a nifty tool to add to the arsenal.
    Jeremy's Computer Security Blog: JPEG Fuzzer has ARRIVED
    Tags: ( fuzzer jpeg )
  11. Watch out folks, SkyNet is just around the corner.
    Schneier on Security: Killing Robot Being Tested by Lockheed Martin
    Tags: ( skynet )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. I mentioned this white paper when I did my RSA Europe recap back in October. It is worth a read. * the link goes directly to the PDF
    Web 2.0 Security and Privacy
    Tags: ( privacy enisa )
  2. Here are some things you can do to protect yourself against the 0-day exploit that works against IE7.
    Microsoft talks up countermeasures to fend off new IE attacks
    Tags: ( vulnerability microsoft ie7 )
  3. Adding to the growing pile of recent 0-day exploits for Microsoft products, there appears to be one for SQL Server.
    Security pros groan as zero-day hits Microsoft's SQL Server * The Register
    Tags: ( exploit vulnerability 0day sqlserver micrsoft )
  4. Some good general guidance for how to react in the event you have a data breach. I would offer that it is good advice for everybody involved and not just the CIO.
    How a CIO should deal with aftermath of a data breach
    Tags: ( data breach )
  5. Looks like Cisco is in for a legal fight.
    Cisco sued by Free Software Foundation for copyright infringement - Network World
    Tags: ( general )
  6. Innismir weighs in on the recent meme of penetration testing being dead. He, like most of us involved in the discussion, doesn't think it's dead either.
    innismir.net -- Pentration Testing - Not Quite Dead Yet
    Tags: ( pentest )
  7. Rich brings up some good points. Worth reading and thinking about.
    How The Cloud Destroys Everything I Love (About Web App Security) | securosis.com
    Tags: ( cloud webappsec )
  8. WhiteHat Security's quarterly report on website security statistics is available for download. This is the sixth one they have put out. Good stuff in there.
    Jeremiah Grossman: Sixth Quarterly Website Security Statistics Report
    Tags: ( general reports )
  9. Jeremiah offers some really good guidance for justifying your budget for web application security spending.
    Jeremiah Grossman: Budgeting for Web Application Security
    Tags: ( webappsec )
  10. Here's a framework for SAP pen testing.
    sapyto v0.98 Released - SAP Penetration Testing Framework Tool | Darknet - The Darkside
    Tags: ( pentest sap )
  11. You can't make this stuff up. Remember folks, you have to make sure that all data is removed from devices before you get rid of them.
    Liquidmatrix Security Digest >> McCain Campaign Sells Off... Data?
    Tags: ( data leakage )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. If any of these apply to your organization you have some work to do.
    http://www.networkworld.com/news/2008/121008-the-seven-deadly-sins-of.html
    Tags: ( program )
  2. Looks like there is another 0-day out.
    Microsoft looking into WordPad zero-day flaw | Security - CNET News
    Tags: ( vulnerability microsoft wordpad )
  3. Shrdlu offers some good suggestions on preparing for next year.
    Layer 8: Out with the old, in with the new.
    Tags: ( general )
  4. Nifty. Five security related distributions in one.
    Ask and you shall receive - SumoLinux - Room362.com
    Tags: ( tools linux distro )
  5. Rich puts to paper (work with me) the same thoughts I had when I read about the direction China is thinking of taking in regards to technical information of products entering China.
    A Good (Potential) Risk Management IQ Test For Management | securosis.com
    Tags: ( general )
  6. Google gives a nifty resource.
    Google's Browser Security Handbook | Security4all - Dedicated to digital security, enterprise 2.0 and presentation skills
    Tags: ( security browser google books )
  7. Part 5 of this great series is now available. If you haven't read the previous parts, they are linked in the first paragraph.
    Building a Web Application Security Program, Part 5: Secure Development | securosis.com
    Tags: ( webappsec program )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good day all. Got a pretty good bunch o bits to take a look at today. So, without further ado, here we go!

From the Blogosphere.

The Sunbelt blog warns us about some CareerBuilder jobs being emailed out which are scams. Be careful out there. They will get you any way they can.

Finjin came across over half a gigabyte of stolen US Healthcare and airline data. Ouch.

Adam writes that Identity Theft is more than Fraud By Impersonation. He points out that in many cases, the real pain of identity theft is not monetary, but dealing with the tarnishing of your good name as you try to clean things up. He has a good suggestion for trying to help with this issue. Go read about it.

Security4all points us to a couple of white papers that are worth giving a gander. The Extended HTML Form Attack Revisited by Sandro and Enablesecurity and Defeating the Network Security Infrastructure by Philippe at Radarhack.com. They are both on my reading list now.

Irongeek has released a little tool called DecaffeinatID that

"DecaffeinatID is a simple little app that acts as an Intrusion Detection System (more of a log watcher really) to notify the user whenever fellow users at their local WiFi hotspot/ LAN are up to the kind of "reindeer games"

Looks pretty nifty.

Rich has another missive that deserves to be read more than once. He talks about Database connections and Trust. I am not going to attempt to summarize what he puts forth. Go read it.

You may have already heard about this, but a vulnerability exploit has been found in FF 3.0. It was reported to Tipping Point and passed on to Mozilla. They are working on a fix.

Amrit and Hoff are both talking about whether virtualization security is a technical problem or an operational problem. Both are good reads. I won't spoil it for you by giving away their conclusions.

F-Secure has released version 3.0 of their Rescue CD. Could come in handy.

From the Newsosphere.

Via cjonline.com, some Kansas state equipment that was to be sold to the public contained confidential information. People, please make sure you have data retention, handling and destruction policies and procedures and that they are adhered to.

From Dark Reading, ICSA Labs Forum has advanced a security standard for IPv6.

Pointed to by Hack in the box and reported by Computer World UK, two laptops without encryption have been lost. This time by the HNS trust in the U.K.

Again via Hack in the box and reported by Wired, it looks like Citibank had an intrusion that allowed a couple of men to grab at least $750,000 from ATMs in New York City. Oops.

That's it for today. Have a good one.

Kevin
