Full Disclosure mailing list archives
Re: Risk measurements
From: Valdis.Kletnieks () vt edu
Date: Fri, 12 Feb 2010 21:32:32 -0500
On Fri, 12 Feb 2010 16:54:48 +0100, Christian Sciberras said:
> And how do you know what the bugs are? Risk modeling cannot solve this kind of issue. Vulnerabilities aren't intentional. It isn't intentional that I could piggyback a particular process and get kernel access. Since vulnerabilities are based on exceptions, how do you know that this kind of exception occurs? Again, mathematics lose ground here.
Actually, it turns out that you can do most of this without having a *clue* what the bugs are. It's counter-intuitive, but true. Let's say we have a server that handles SSN data, and has a trust relationship with another server that handles Visa cards. Neither of those servers have any connection to the server in R&D that has product design data. Now we can say with a high degree of certainty that if that server gets whacked, we have a high probability of SSN exposure, potential exposure of Visa card numbers, and essentially zero R&D exposure.

Dig a bit further - the server runs Apache, OpenSSH, and PHP. OpenSSH is firewalled to only a section of the corporate network. We have a pretty good handle on how often Apache, OpenSSH and PHP get whacked (advisories per year is a pretty good place to start). We can now model things like "how likely an Apache hole will end up with us leaking Visa cards", "how likely an OpenSSH 0-day will pwn our R&D", and so on.

I don't need to be able to predict the next bug. I only need to be able to predict "*BSD and OpenSSH have a good track record, so they'll probably keep being reasonably trustable". I also don't need to be able to guess *what* the next bug in phpnuke will be - I feel pretty safe in predicting that if the bozos in Advertising insist on installing it on an outward-facing server, we'll have an incident within the year.
> > Unfortunately, you'll need to do some risk modeling to figure out what "reasonable bounds" is for each piece of information.
>
> Wait, so I need to do risk modeling to quantify the risks of information/results of a risk assessment on software? Sounds like bureaucracy to me (pun intended).
No, you made it too complicated. Lose the second "of a risk assessment". "You need to do risk modelling to quantify the risks of information/software."
> I see the reason behind risk management, but I don't see it being useful except in policy-making.
That's because most of its value *is* in policy-making and related decisions for implementing the policy. "We're in good shape on this system, Payroll needs some defense-in-depth, and we need to either buy bullets for those bozos in Advertising or KY". That's risk management in one sentence. ;)
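The model Valdis sketches above (data classes, trust relationships, exposed services with a historical compromise rate each) can be written down in a few lines. This is an added illustration, not code from the thread; the annual rates and the zone names are constructed assumptions standing in for real "advisories per year" history.

```python
from typing import Dict, Set

# Constructed annual compromise probability per exposed component (hypothetical
# stand-ins for advisory-history figures; not taken from the post).
ANNUAL_RATE = {"apache": 0.05, "php": 0.15, "openssh": 0.01, "phpnuke": 0.80}

# Which attacker zones can reach a service exposed in a given zone
# (the OpenSSH "firewalled to a section of the corporate network" case).
REACH = {"internet": {"internet", "corp"}, "corp": {"corp"}}

# The three servers from the post: data held, services and where each is
# reachable from, and trust relationships to other hosts.
HOSTS = {
    "ssn-srv": {"data": {"SSN"}, "trusts": {"visa-srv"},
                "services": {"apache": "internet", "php": "internet", "openssh": "corp"}},
    "visa-srv": {"data": {"Visa"}, "trusts": set(), "services": {"openssh": "corp"}},
    "rnd-srv": {"data": {"R&D"}, "trusts": set(), "services": {"openssh": "corp"}},
}

def reachable_data(hosts: Dict, host: str, seen: Set[str] = None) -> Set[str]:
    """Data an attacker who owns `host` can reach by following trust relationships."""
    seen = set() if seen is None else seen
    if host in seen:
        return set()
    seen.add(host)
    data = set(hosts[host]["data"])
    for peer in hosts[host]["trusts"]:
        data |= reachable_data(hosts, peer, seen)
    return data

def host_compromise_prob(hosts: Dict, host: str, zone: str) -> float:
    """P(host compromised within a year) for an attacker sitting in `zone`:
    1 - prod(1 - rate) over only the services that attacker can reach."""
    p_safe = 1.0
    for svc, exposed_in in hosts[host]["services"].items():
        if zone in REACH[exposed_in]:
            p_safe *= 1.0 - ANNUAL_RATE[svc]
    return 1.0 - p_safe

def data_exposure_prob(hosts: Dict, zone: str) -> Dict[str, float]:
    """P(each data class leaks within a year), treating host compromises as independent."""
    p_safe: Dict[str, float] = {}
    for host in hosts:
        p_host = host_compromise_prob(hosts, host, zone)
        for d in reachable_data(hosts, host):
            p_safe[d] = p_safe.get(d, 1.0) * (1.0 - p_host)
    return {d: round(1.0 - p, 4) for d, p in p_safe.items()}

def with_phpnuke(hosts: Dict) -> Dict:
    """The what-if from the post: phpnuke lands on the outward-facing server."""
    ssn = hosts["ssn-srv"]
    return {**hosts, "ssn-srv": {**ssn, "services": {**ssn["services"], "phpnuke": "internet"}}}
```

Running `data_exposure_prob(HOSTS, "internet")` versus `data_exposure_prob(with_phpnuke(HOSTS), "internet")` shows the Visa exposure riding along with the SSN server's exposure, and R&D staying at zero in both cases because no path reaches it.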
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/