Security Basics mailing list archives

Re: Re: Risk Analysis and Common Criteria


From: "yannick san" <yannicksan () free fr>
Date: Wed, 23 Apr 2003 00:17:08 +0200

ahahaha... so you are doing a thesis :)
I finished mine in Information Security 2 months ago!
I did a Master in Information Security at the E.N.S.I.B.
If you want we can discuss more about that in private...
Anyway, first of all, how many months do you have for your task?
How big is your organization? If it's a national organization, well,...,
think about one part of it unless you have a year.
How is security seen in the whole organization? This is the most
important thing in security, because the more the directors are
involved in security, the better your task will be; otherwise all
you could write or say will go directly to ... /dev/null :) Sorry for my
English sometimes.

... I have the specifics of the organization's network, and a list of
things that I can do like these:
the limit of my budget, the type of services that I must guarantee,
the type of operating system that must run on the host, etc...
Well, I really need to know how big your company is... NOT THE NAME!! I
don't care at all... well, in any case, did you do some interviews, some
papers, where engineers (in charge of the network) could express their
feelings about the actual level of security? ... Sorry for my speech, but I'm
thinking about so many things at the same time in front of a subject like
the one you have that sometimes you may not see the sense of my
questions... well, before starting a Risk Analysis, whatever method you
use, you have to interview everybody in charge of what you will study
later... Who could know better how systems are installed in an enterprise
than the systems engineers? ... you have to ask them the right questions
(hummm.... around 20-30 questions is good). You can do that by mail. The
second effect of asking them to answer all the questions you need is
that later, when your report is published in the enterprise, they will
have been involved. Do you see?

... what is the most frequently and/or recommended method
to make a good and secure network using the "Common Criteria", the "BS
17799" standards and to make a Risk Analysis???

BS7799 seems to be the future standard to be used. The Common Criteria will take
you a long time to read and maybe you will have to read it many times
before writing your own method... Just from experience, I read the
Rainbow Series about 3-4 times before being able to write my own way of
using it.

I must make a complete project using these standards: documentation,
penetration test, log analysis, etc..

well well well, it's so hard to explain it all... I should write a course for
that...
But, ok, just for starting. Did you do a "little" Risk Analysis on one
system in the enterprise? If not, you could try to do one just like an
academic work; it could take you 2 weeks (because of all the papers you
will have to write)... by doing that kind of work on each computer you will
have a lot of "little" Risk Analyses... and later, because the security of
an entire Information System depends on the security of each part of it...
do you see what I mean? :) If you need help asking yourself the right
questions, don't hesitate to ask me.
Ooh, one last thing for tonight... it's funny to think about this when you do
a risk analysis: a system is in a computer, a computer is in a room, a room is
in a building :) ... (and we're not talking about humans or networks)... the
better the Risk Analysis is, the more you will have to think about all
the parameters, but the task grows like Russian dolls.

good night,

Yannick
Information Security Engineer


----- Original Message -----
From: "security_ness" <security_ness () tiscali it>
To: "yannick san" <yannicksan () free fr>
Cc: <security-basics () securityfocus com>
Sent: Tuesday, April 22, 2003 9:01 PM
Subject: Re: Re: Risk Analysis and Common Criteria


Thanks for your response.
Now, I will try to be more precise.
I must do a complete job for an organization (this is for my degree's
thesis).

I have the specifics of the organization's network, and a list of things
that I can do like these:
the limit of my budget, the type of services that I must guarantee,
the type of operating system that must run on the host, etc...

Now that I have these specifics, what is the most frequently used and/or
recommended method
to make a good and secure network using the "Common Criteria", the "BS
17799" standards and
to make a Risk Analysis???

I must make a complete project using these standards: documentation,
penetration test, log analysis, etc..

What do you suggest to me???






----- Original Message -----
From: "yannick san" <yannicksan () free fr>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Monday, April 21, 2003 11:27 PM
Subject: Re: Risk Analysis and Common Criteria


Risk Analysis is a complete process and I will tell you what to read or
do later in this mail.

Understanding the Common Criteria will help you to acquire a better view
of how you could proceed to create and manage the security in your
enterprise... As far as I'm concerned, I've not really worked with the
Common Criteria but I've spent a long time on the Rainbow Series. The
Rainbow Series can be understood as a US "way of thinking" while the
Common Criteria is the European way... Even if it seems not to be followed
today, reading the Rainbow Series is a good step to improve your security
"way of thinking"... but that's another problem.

Making a protection profile is another thing... Before thinking about this
problem I have to ask you this question: did you write a security policy?
Because the protection profile will be a document written in accordance
with it. Well, in fact, you will refer to that document in your security
policy...

Choosing a security target... for your entire network? Only a server? ...
Have you thought about having different ladders for that? By ladders, I
mean security targets... a security target is not only a fixed value...
Have you thought about a plan? For example a security target for the next
3 months, then some tests, then a report, then maybe a higher security
target? ... Choosing a security target is, I think, one of the most
difficult things to do in a risk analysis... the main idea is that all the
questions you have to ask yourself must be asked in accordance with a
life-cycle view of security; I mean whatever you do, you will have to look
at it again, and that must be planned and written somewhere.

Some of you are talking about Intrusion Detection... but this will be a
complete project... because as you define the security policy, the
security rules and processes, you will see that you will need Intrusion
Detection to improve your view of the network. But Intrusion Detection
will not only be plugging in a NIDS or having HIDS daemons on machines. It
will be more complicated if you think about these questions: what will you
do with the logs? Who will analyse them? When? When will you say that you
are in a crisis situation? ... How about logs from routers? Switches? (logs
with not only security incidents but also management incidents...) ...
Will you need a console to help you in that task? :)

Well, to know more about Risk Analysis, I can recommend that you google
for these:
- Aggregated Countermeasure Effectiveness (ACE) Model
- Risk Assessment Tool
- Information Security Risk Assessment Model (ISRAM)
- Dollar-based OPSEC Risk Analysis (DORA)
- Analysis of Networked Systems Security Risks (ANSSR)

You could look for these tools... they may also help you in your task:
- LAVA, Los Alamos Vulnerability and Risk Assessment Tool
- RiskPAC
- RISKWATCH

As far as I'm concerned, I use French tools...
Hope I could help you.

Yannick'san

----- Original Message -----
From: "Mike Heitz" <mikeheitz () upshotmail com>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Friday, April 18, 2003 8:40 PM
Subject: RE: Risk Analysis and Common Criteria


Here's a second vote for that book. There are some sections on making a
business case for intrusion detection and developing a risk analysis
policy.

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: jkv [mailto:ipwitch () unixcluster dk]
Sent: Thursday, April 17, 2003 3:18 PM
To: security_ness () tiscali it
Cc: security-basics () securityfocus com
Subject: Re: Risk Analysis and Common Criteria

On Thu, 17 Apr 2003 security_ness () tiscali it wrote:

-what is the common process to make a Risk Analysis?
-what must I do to make a Protection Profile for my network? and a
Security Target?

A good in-depth security analysis book, which also covers those two
questions very well, is "Network Intrusion Detection, An Analyst's
Handbook" (2nd ed) by Stephen Northcutt and Judy Novak, released by New
Riders for SANS GIAC...

--
ipwitch
publickey: http://unixcluster.dk/public.asc

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts.  The two-day
Training features 6 hands-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches.  Deadline for the best rates is April 25.  Register today to
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
