Educause Security Discussion mailing list archives
Re: Risks and standards development in networking and Blackberrys/Mobility
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Tue, 18 Oct 2005 23:32:55 -0400
On Tue, 18 Oct 2005 18:19:08 EDT, James H Moore said:
> Our first task is to do risk mapping, identifying risks and then prioritizing them. We have to identify all risks, including risks of lost productivity if certain features are not present.
What's the risk value of failing to identify a risk?

Karger and Schell identified a specific risk in their 1974 pen-test paper on Multics. Ken Thompson then improved on it, and gave his Turing Award lecture 'On Trusting Trust' on it. http://www.acm.org/classics/sep95/ Is that on your list? Should it be?

How about "trusted sysadmin goes around the bend and does <insert worst case scenario here> to systems before he's tracked down, but the SWAT team nails him before you get a list of what he did" (keeping in mind that there may not be a trustable backup to restore from, if he went around the bend a while ago)?

How about "Board of Trustees passes resolution banning the University from doing business with convicted monopolists"?

I could list some *really* off-the-wall risks, but everybody knows I'm a raving member of the Tinfoil Helmet Brigade and never takes me seriously... ;)

Bottom line: you can't identify *all* the risks. The best you can do is identify as many as you can within the time and budget available....