RE: Risk Assessment/Management Software

["Mikhail A. Utin" <mutin () commonwealthcare org>]

Ryan,
You have a difficult task of teaching automated risk management. It is conceptually wrong, and unfortunately, nobody 
can introduce anything meaningful in near future.
It is based completely on statistics and knowing:
- At least 90% of existing threats; we even do not know at least a half of malware in wild, so other threats ...
- How often certain security infrastructures are affected by those threats
- Exposures - what happened with a business having certain security infrastructure, which has been affected by a threat?
Unfortunately, we, first of all, do not have such statistics. If we had, then development of a model would not be a 
problem.
And the last thing is accuracy of such model.  Not knowing what we have, we definitely cannot identify the accuracy. Is 
it 1%, 10%, 90%? Nobody will be able to answer.

So, you can teach, but do not trust numbers they produce.

You might get something meaningful in physical security, say 80%accuracy, but not in IT.

Good luck

Mikhail A. Utin, CISSP, Ph.D.
Information Security Analyst


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ryan Kovar
Sent: Wednesday, July 27, 2011 9:57 AM
To: security-basics () securityfocus com
Subject: Risk Assessment/Management Software

Has anyone used @RISK from Palisades for risk assessment/management for IT vulnerabilities?  Or have any other software 
they could recommend that specifically applies to IT Security? I am lookign to use an automated risk 
management/assessment tool for a class and was hoping to find some helpful tutorials other than RTFM'ing the entire 
Manual :-)

--
Cheers,
   Ryan Kovar

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and 
who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell 
if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your 
Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing 
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential 
and privileged information for the use of the designated recipients named above. If you are 
not the intended recipient, you are hereby notified that you have received this communication 
in error and that any review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited. If you have received this communication in error, please reply to the 
sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication 
and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, 
please visit our Internet web site at http://www.commonwealthcare.org.


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------