Security Basics mailing list archives
Re: Re: Risk Analysis and Common Criteria
From: "yannick san" <yannicksan () free fr>
Date: Wed, 23 Apr 2003 00:17:08 +0200
Ahahaha... so you are doing a thesis :) I finished mine in Information Security 2 months ago! I did a Master in Information Security at the E.N.S.I.B. If you want, we can discuss more about that in private... Anyway, first of all, how many months do you have for your task? How big is your organization? If it's a national organization, well..., think about one part of it unless you have a year. How is security seen in the whole organization? This is the most important thing in security, because the more the directors are implicated in security, the better your task will be; otherwise, all you could write or say will go directly to... /dev/null :) Sorry for my English sometimes.
> ... I have the specifics of the organization's network, and a list of things
> that I can do like these: the limit of my budget, the type of services that I must guarantee, the type of operating system that must run on the host, etc...
Well, I really need to know how big your company is... NOT THE NAME!! I don't care at all... Well, in any case, did you do some interviews, some papers, where engineers (in charge of the network) could express their feelings about the actual level of security? ... Sorry for my speech, but I'm thinking about so many things at the same time in front of a subject like the one you have that sometimes you might not see the sense of my questions... Well, before starting a Risk Analysis, whatever method you use, you have to interview everybody in charge of what you will study later... Who could better know how systems are installed in an enterprise than the systems engineers? ... You have to ask them the right questions (hmmm... around 20-30 questions is good). You can do that by mail. The second effect of asking them to answer all the questions you need is that later, when your report is published in the enterprise, they will have been implicated. Do you see?
> ... What is the most frequently used and/or recommended method to make a good and secure network using the "Common Criteria", the "BS 17799" standards and to make a Risk Analysis???
BS7799 seems to be the future standard used. The Common Criteria will take you a long time to read, and maybe you will have to read it a lot of times before writing your own method... Just from experience, I've read the Rainbow Series about 3-4 times before being able to write my own way of using it.
> I must make a complete project using these standards: documentation, penetration test, log analysis, etc..
Well well well, it's so hard to explain it all... I should write a course for that... But OK, just for starting. Did you do a "little" Risk Analysis on one system in the enterprise? If not, you could try to do one just like an academic work; it could take you 2 weeks (because of the lot of papers you will have to write)... By doing that kind of work on each computer you will have a lot of "little" Risk Analyses... and later, because the security of an entire Information System depends on the security of each part of it... do you see what I mean? :) If you need help asking yourself the right questions, don't hesitate to ask me. Ooh, one last thing for tonight... it's funny to think about that when you do a risk analysis: a system is in a computer, a computer is in a room, a room is in a building :) ... (and we're not talking about humans or networks)... the better the Risk Analysis is, the more you will have thought about all the parameters, but the task grows like Russian dolls.

Good night,

Yannick
Information Security Engineer

----- Original Message -----
From: "security_ness" <security_ness () tiscali it>
To: "yannick san" <yannicksan () free fr>
Cc: <security-basics () securityfocus com>
Sent: Tuesday, April 22, 2003 9:01 PM
Subject: Re: Re: Risk Analysis and Common Criteria
Thanks for your response. Now, I'll try to be more precise. I must do a complete job for an organization (this is for my degree's thesis). I have the specifics of the organization's network, and a list of things that I can do like these: the limit of my budget, the type of services that I must guarantee, the type of operating system that must run on the host, etc... Now that I have these specifics, what is the most frequently used and/or recommended method to make a good and secure network using the "Common Criteria", the "BS 17799" standards and to make a Risk Analysis??? I must make a complete project using these standards: documentation, penetration test, log analysis, etc.. What do you suggest to me???

----- Original Message -----
From: "yannick san" <yannicksan () free fr>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Monday, April 21, 2003 11:27 PM
Subject: Re: Risk Analysis and Common Criteria

Risk Analysis is a complete process, and I'll tell you what to read or do later in this mail. Understanding the Common Criteria will help you to acquire a better view of how you could proceed to create and manage the security in your enterprise...

As far as I'm concerned, I've not really worked with the Common Criteria, but I've spent a long time on the Rainbow Series. The Rainbow Series could be understood as a US "way of thinking" while the Common Criteria is the European way... Even if it seems not to be followed today, reading the Rainbow Series is a good step to improve your security "way of thinking"... but it's another problem.

Making a protection profile is another thing... Before thinking about this problem I have to ask you this question: Did you write a security policy? Because the protection profile will be a document written in accordance with it. Well, in fact, you will refer to that document in your security policy...

Choosing a security target... for your entire network? Only a server?... Have you thought about having different ladders for that? By using ladders, I mean security targets... a security target is not only a fixed value... Have you thought about a plan? For example a security target for the next 3 months, then some tests, then a report, then maybe a higher security target? ... Choosing a security target is, I think, one of the most difficult things to do with a risk analysis... The main idea about all the questions you have to ask yourself must be done in accordance with a life-cycle view of the security; I mean, whatever you do, you will have to look at it again, and that must be planned and written somewhere.

Some of you are talking about Intrusion Detection... but this will be a complete project... because as much as you define the security policy, the security rules and processes, you will see that you will need Intrusion Detection for improving your view of the network. But Intrusion Detection will not be only plugging in NIDS or having HIDS daemons on machines. It will be more complicated if you think about these questions: what will you do with the logs? Who will analyse them? When? When will you say that you are in a crisis situation? ... How about logs from routers? Switches? (logs with not only security incidents but also management incidents...) ... Will you need a console for helping you in that task? :)

Well, to know more about Risk Analysis, I can recommend you to google for these:
- Aggregated Countermeasure Effectiveness (ACE) Model
- Risk Assessment Tool
- Information Security Risk Assessment Model (ISRAM)
- Dollar-based OPSEC Risk Analysis (DORA)
- Analysis of Networked Systems Security Risks (ANSSR)

You could look for these tools... they may also help you in your task:
- LAVA, Los Alamos Vulnerability and Risk Assessment Tool
- RiskPAC
- RISKWATCH

As far as I'm concerned, I use French tools... Hope I could help you.

Yannick'san

----- Original Message -----
From: "Mike Heitz" <mikeheitz () upshotmail com>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Friday, April 18, 2003 8:40 PM
Subject: RE: Risk Analysis and Common Criteria

Here's a second vote for that book. There are some sections on making a business case for intrusion detection and developing a risk analysis policy.

mike heitz ** sr it manager ** UPSHOT 312-943-0900 x5190

-----Original Message-----
From: jkv [mailto:ipwitch () unixcluster dk]
Sent: Thursday, April 17, 2003 3:18 PM
To: security_ness () tiscali it
Cc: security-basics () securityfocus com
Subject: Re: Risk Analysis and Common Criteria

On Thu, 17 Apr 2003 security_ness () tiscali it wrote:
> - what is the common process to make a Risk Analysis?
> - what must I do to make a Protection Profile for my network? And a Security Target?

A good in-depth security analysis book, which also covers those two questions very well, is "Network Intrusion Detection, An Analyst's Handbook" (2nd ed) by Stephen Northcutt and Judy Novak, released by New Riders for SANS GIAC...

--
ipwitch
publickey: http://unixcluster.dk/public.asc

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 feature 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics
---------------------------------------------------------------------------
Current thread:
- Risk Analysis and Common Criteria security_ness (Apr 17)
- Re: Risk Analysis and Common Criteria jkv (Apr 17)
- RE: Risk Analysis and Common Criteria dave (Apr 21)
- <Possible follow-ups>
- RE: Risk Analysis and Common Criteria Mike Heitz (Apr 21)
- Re: Risk Analysis and Common Criteria yannick san (Apr 22)
- Re: Re: Risk Analysis and Common Criteria security_ness (Apr 23)
- Re: Re: Risk Analysis and Common Criteria yannick san (Apr 23)
- Re: Re: Risk Analysis and Common Criteria Anders Reed Mohn (Apr 24)
- Re: Re: Risk Analysis and Common Criteria yannick san (Apr 24)
- Re: Risk Analysis and Common Criteria yannick san (Apr 22)