Security Basics mailing list archives
Re: Re: Risk Analysis and Common Criteria
From: "security_ness" <security_ness () tiscali it>
Date: Tue, 22 Apr 2003 21:01:20 +0200
Thanks for your response. Now I'll try to be more precise. I must do a complete job for an organization (this is for my degree thesis). I have the specifics of the organization's network, and a list of things that I can do, like these: the limit of my budget, the type of services that I must guarantee, the type of operating system that must run on the hosts, etc. Now that I have these specifics, what is the most frequently used and/or recommended method to make a good and secure network using the "Common Criteria" and the "BS 17799" standards, and to make a Risk Analysis? I must make a complete project using these standards: documentation, penetration test, log analysis, etc. What do you suggest to me?

----- Original Message -----
From: "yannick san" <yannicksan () free fr>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Monday, April 21, 2003 11:27 PM
Subject: Re: Risk Analysis and Common Criteria
Risk Analysis is a complete process and I will tell you what to read or do later in this mail. Understanding the Common Criteria will help you to acquire a better view of how you could proceed to create and manage the security in your enterprise. As far as I'm concerned, I've not really worked with the Common Criteria, but I've spent a long time on the Rainbow Series. The Rainbow Series could be understood as a US "way of thinking" while the Common Criteria is the European way... Even if it seems not to be followed today, reading the Rainbow Series is a good step to improve your security "way of thinking"... but it's another problem.

Making a protection profile is another thing... Before thinking about this problem I have to ask you this question: did you write a security policy? Because the protection profile will be a document written in accordance with it. Well, in fact, you will refer to that document in your security policy...

Choosing a security target... for your entire network? Only a server? ... Have you thought about having different ladders for that? By using ladders, I mean security targets... a security target is not only a fixed value... Have you thought about a plan? For example a security target for the next 3 months, then some tests, then a report, then maybe a higher security target? ... Choosing a security target is, I think, one of the most difficult things to do with a risk analysis... The main idea about all the questions you have to ask yourself must be done in accordance with a life-cycle view of the security; I mean whatever you do, you will have to look at it again, and that must be planned and written somewhere.

Some of you are talking about Intrusion Detection... but this will be a complete project... because as much as you define the security policy, the security rules and process, you will see that you will need Intrusion Detection for improving your view of the network. But Intrusion Detection will not be only plugging in NIDS or having HIDS daemons on machines. It will be more complicated if you think about these questions: what will you do with the logs? Who will analyse them? When? When will you say that you are in a crisis situation? ... How about logs from routers? Switches? (logs with not only security incidents but also management incidents...) ... Will you need a console for helping you in that task? :)

Well, to know more about Risk Analysis, I can recommend you to google for these:
- Aggregated Countermeasure Effectiveness (ACE) Model
- Risk Assessment Tool
- Information Security Risk Assessment Model (ISRAM)
- Dollar-based OPSEC Risk Analysis (DORA)
- Analysis of Networked Systems Security Risks (ANSSR)

You could look for these tools... they may also help you in your task:
- LAVA, Los Alamos Vulnerability and Risk Assessment Tool
- RiskPAC
- RISKWATCH

As far as I'm concerned, I use French tools... Hope I could help you.

Yannick'san

----- Original Message -----
From: "Mike Heitz" <mikeheitz () upshotmail com>
To: "jkv" <ipwitch () unixcluster dk>; <security_ness () tiscali it>
Cc: <security-basics () securityfocus com>
Sent: Friday, April 18, 2003 8:40 PM
Subject: RE: Risk Analysis and Common Criteria

Here's a second vote for that book. There are some sections on making a business case for intrusion detection and developing a risk analysis policy.

mike heitz ** sr it manager ** UPSHOT 312-943-0900 x5190

-----Original Message-----
From: jkv [mailto:ipwitch () unixcluster dk]
Sent: Thursday, April 17, 2003 3:18 PM
To: security_ness () tiscali it
Cc: security-basics () securityfocus com
Subject: Re: Risk Analysis and Common Criteria

On Thu, 17 Apr 2003 security_ness () tiscali it wrote:
- what is the common process to make a Risk Analysis?
- what must I do to make a Protection Profile for my network? And a Security Target?

A good in-depth security analysis book, which also covers those two questions very well, is "Network Intrusion Detection, An Analyst's Handbook" (2nd ed) by Stephen Northcutt and Judy Novak, released by New Riders for SANS GIAC...
--
ipwitch
publickey: http://unixcluster.dk/public.asc

--------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hands-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-security-basics
--------------------------------------------------------------------------
Current thread:
- Risk Analysis and Common Criteria security_ness (Apr 17)
- Re: Risk Analysis and Common Criteria jkv (Apr 17)
- RE: Risk Analysis and Common Criteria dave (Apr 21)
- <Possible follow-ups>
- RE: Risk Analysis and Common Criteria Mike Heitz (Apr 21)
- Re: Risk Analysis and Common Criteria yannick san (Apr 22)
- Re: Re: Risk Analysis and Common Criteria security_ness (Apr 23)
- Re: Re: Risk Analysis and Common Criteria yannick san (Apr 23)
- Re: Re: Risk Analysis and Common Criteria Anders Reed Mohn (Apr 24)
- Re: Re: Risk Analysis and Common Criteria yannick san (Apr 24)
- Re: Risk Analysis and Common Criteria yannick san (Apr 22)