Re: Re: Risk Analysis and Common Criteria

["security_ness" <security_ness () tiscali it>]

Thanks for your's response.
Now, I try to be more precise.
I must do a complete job for an organization (this is for my degree's
thesis).

I have the specific of the organization's network, and a list of  things
that iI can do like these:
the limit of my dubget, the type of services that I must to guarantee,
the type of Operation System that must to run on the host, etc...

Now that I have these specifics, what is the most frequently and/or
recommended method
to make a good and secure network using the "Common Criteria", the "BS
17799" standards and
to make a Risk Analysis???

I must to make a complete project using this standards: documentation,
penetration test, log analysis, etc..

What do you suggest to me???






----- Original Message -----
From: "yannick san" <yannicksan () free fr>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Monday, April 21, 2003 11:27 PM
Subject: Re: Risk Analysis and Common Criteria


> Risk Analysis is a complete process and I tell you about what to read or
do
> later in this mail.
>
> Understanding the Common Criteria will help you to acquire a better view
in
> how you could proceed to create, manage the security in your enterprise..
as
> I'm concerned I've not really worked with the Common Criteria but I've
spend
> a long time on the Raimbow Series. The Raimbow Series could be understand
> has a US "way of thinking" while the Common Criteria is the European
way...
> Even if it seems not to be followed today, reading the Raimbow Series is a
> good step to improve your security "way of thinking"... but it's another
> problem.
>
> Making a protection profile is another thing... Before thinking about this
> problem I have to ask you this question : Did you write a security policy
?
> because the protection profile will be a document written in accordance to
> it. Well, in fact, you will refer to that document in your security
> policy...
>
> Choising a security target... for your entire network ? only a server ?
...
> have you think about having different ladders for that ? by using ladders,
I
> mean, security targets... a security target is not only a fixed value...
> have you think about a plan ? for exemple a security target for the next 3
> months, then some tests, then a report, then maybe a higher security
target
> ? ... Choising a security target is, I think one of the most difficult
thing
> to do with a risk analysis... the main idea about all the questions you
have
> to ask you must be done in accordance to a life-cycle view of the
security,
> I mean whatever you do, you will have to look at it again and that must be
> planed and written somewhere.
>
> Some of you are talking about Intrusion Detection... but this will be a
> complete project... cause as much as you will define the security policy,
> the security rules and process, you will see that you will need Intrusion
> Detection for improving your view on the network. But Intrusion Detection
> will be not only plugging NIDS or having HIDS daemons on machines. It will
> be more complicated if you thin about that questions : what will you do
with
> the logs ? who will analyse theim ? when ? when will you say that you are
in
> a crisis situation ? ... how about logs from routers ? switchs ? (logs
with
> not only security incidents but also management incidents...) ... will you
> need a console for helping you in that task ? :)
>
> Well, to know more about Risk Analysis, I can recommand you to googled for
> that :
> - Aggregated Countermeasure Effectiveness (ACE) Model
> - Risk Assessment Tool
> - Information Security Risk Assessment Model (ISRAM)
> - Dolla-based OPSEC Risk Analysis (DORA)
> - Analysis of Networked Systems Security Risks (ANSSR)
>
> You could look for that tools... it may also help you in your task :
> - LAVA, Los Alamos Vunlerability and Risk Assessment Tool
> - RiskPAC
> - RISKWATCH
>
> As I'm concerned, I use French tools...
> Hope I could helped you.
>
> Yannick'san
>
> ----- Original Message -----
> From: "Mike Heitz" <mikeheitz () upshotmail com>
> To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
> Cc: <security-basics () securityfocus com>
> Sent: Friday, April 18, 2003 8:40 PM
> Subject: RE: Risk Analysis and Common Criteria
>
>
> Here's a second vote for that book. There are some sections on making a
> business case for intrusion detection and developing a risk analysis
> policy.
>
> mike heitz ** sr it manager ** UPSHOT
> 312-943-0900 x5190
>
> -----Original Message-----
> From: jkv [mailto:ipwitch () unixcluster dk]
> Sent: Thursday, April 17, 2003 3:18 PM
> To: security_ness () tiscali it
> Cc: security-basics () securityfocus com
> Subject: Re: Risk Analysis and Common Criteria
>
> On Thu, 17 Apr 2003 security_ness () tiscali it wrote:
>
> > -what is the common process to make a Risk Analysis?
> > -what I must do to make a Protection Profile for my network? and a
> Secuity
> > Targhet?
>
> A good indept book security analysis book, which also covers those two
> questions question very well is "Network Intrusion Detection, An
> Analyst's
> Handbook"(2nd ed) by Stephen Northcutt and Judy Novak, released by New
> Riders for sans giac...
>
> --
> ipwitch
> publickey: http://unixcluster.dk/public.asc
>
> ------------------------------------------------------------------------
> ---
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam,
> the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by
> professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no
> vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today
> to
> ensure your place.
> http://www.securityfocus.com/BlackHat-security-basics
> ------------------------------------------------------------------------
> ----
>
>
> --------------------------------------------------------------------------
-
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today
to
> ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
> --------------------------------------------------------------------------
--
> --------------------------------------------------------------------------
-
> Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
> world's premier event for IT and network security experts.  The two-day
> Training features 6 hand-on courses on May 12-13 taught by professionals.
> The two-day Briefings on May 14-15 features 24 top speakers with no vendor
> sales pitches.  Deadline for the best rates is April 25.  Register today
to
> ensure your place.  http://www.securityfocus.com/BlackHat-security-basics
> --------------------------------------------------------------------------
--
>



---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-security-basics 
----------------------------------------------------------------------------