Full Disclosure mailing list archives
Re: Risk measurements
From: "John Lightfoot" <jlightfoot () gmail com>
Date: Fri, 12 Feb 2010 15:34:50 -0500
I think she wants to unsubscribe and doesnt understand why shes getting so much email from you. Rosa, if youre trying to unsubscribe from this mailing list, go to https://lists.grok.org.uk/mailman/listinfo/full-disclosure, enter your email address at the bottom and click on the button that says Unsubscribe or edit options. Rosa, si usted está tratando de anular su suscripción de esta lista de correo, vaya a https://lists.grok.org.uk/mailman/listinfo/full-disclosure, introduzca su dirección de correo electrónico en la parte inferior y haga clic en el botón que dice: "Darse de baja o editar las opciones." From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thor (Hammer of God) Sent: Friday, February 12, 2010 2:53 PM To: Rosa Maria Gonzalez Pereira; uuf6429 () gmail com; valdis.kletnieks () vt edu Cc: eddie.mcghee () ncr com; craig.wright () information-defense com; full-disclosure () lists grok org uk; security-basics () securityfocus com Subject: Re: [Full-disclosure] Risk measurements Another Thing, your emails are arriving very followed to my buzon... Because? I dont mean to be rude, but I just dont think this is going to work. If the most my translation engine gives me is something about coconuts, a ladron being put in my house, and emails following your buzon (whatever that is) I think its time for me to bow out. t From: Rosa Maria Gonzalez Pereira [mailto:analuis13 () hotmail com] Sent: Friday, February 12, 2010 11:46 AM To: Thor (Hammer of God); uuf6429 () gmail com; valdis.kletnieks () vt edu Cc: eddie.mcghee () ncr com; craig.wright () information-defense com; full-disclosure () lists grok org uk; security-basics () securityfocus com Subject: RE: [Full-disclosure] Risk measurements Yo tampoco hablo ingles, no importa, en verdad hablo tonterias, tengo tannnntos pero tannnntos problemas que me meto en tus emails para olvidar un poco mis penas. Otra Cosa, tus emails estan llegando muy seguido a mi buzon... ¿por que? _____ From: Thor () hammerofgod com To: analuis13 () hotmail com; uuf6429 () gmail com; valdis.kletnieks () vt edu CC: eddie.mcghee () ncr com; craig.wright () information-defense com; full-disclosure () lists grok org uk; security-basics () securityfocus com Subject: RE: [Full-disclosure] Risk measurements Date: Fri, 12 Feb 2010 17:43:19 +0000 Throw a coconut? Craig, did you throw a coconut at me? Or did Val throw a coconut at me? I feel a Monty Python joke coming on. Rosa, I dont speak Spanish, so I dont know what that really means. t From: Rosa Maria Gonzalez Pereira [mailto:analuis13 () hotmail com] Sent: Friday, February 12, 2010 8:03 AM To: uuf6429 () gmail com; valdis.kletnieks () vt edu Cc: eddie.mcghee () ncr com; craig.wright () information-defense com; full-disclosure () lists grok org uk; security-basics () securityfocus com; Thor (Hammer of God) Subject: RE: [Full-disclosure] Risk measurements Saben, en verdad no se mucho de computacion, redes, prgramas y que se yo, pero por lo poco que he visto para una persona que le heche "coco" a esto pienso que si puede, despues de estudiarlo muy bien, meterse en lo que quiera, deberian de inventar algo o crear un sistema donde el "ladron" no se pueda meter a tu casa. Perdon que me meta, es que ya les he dicho recibo tanto estos emails, que ya no se que hacer, sera comentar al respecto, claro está, no estoy segura de lo que hablan. Saluditossss ________________________________________________________________
Date: Fri, 12 Feb 2010 16:54:48 +0100 From: uuf6429 () gmail com To: Valdis.Kletnieks () vt edu CC: Eddie.McGhee () ncr com; craig.wright () information-defense com;
full-disclosure () lists grok org uk; security-basics () securityfocus com; Thor () hammerofgod com
Subject: Re: [Full-disclosure] Risk measurements -"The problem is that you can't *guarantee* correct function. You *know*
the
damn thing will escape with bugs, no matter how hard you try. The question is how damaging the bugs are, and how much you want to spend preventing the bugs *through the entire life cycle - design, development, and
deployed*."
And who do you know what the bugs are? Risk modeling cannot solve this kind of issue. Vulnerabilities aren't intentional. It isn't intentional that I could piggyback a particular process and get kernel access. Since vulnerabilities are based on exceptions, how do you know that this kind of exception occurs? Again, mathematics lose ground here. -"It's like buying insurance (in fact, it's *exactly* like buying
insurance)."
Very true, *buying* insurance. However, it doesn't come with insurance... The probability in risk management is mostly impossible since because of the human factor, the least probability possible (fatal bugs) tend to surface pretty fast. -"Unfortunately, you'll need to do some risk modeling to figure out what "reasonable bounds" is for each piece of information." Wait, so I need to do risk modeling to quantify the risks of information/results of a risk assesment on software? Sounds like beauroucracy to me (pun intended). I see the reason behind risk management, but I don't see it being usefull except in policy-making. On Fri, Feb 12, 2010 at 4:30 PM, <Valdis.Kletnieks () vt edu> wrote:On Fri, 12 Feb 2010 14:37:25 +0100, Christian Sciberras said:Let's presume 100k was spent on risk modeling, which actually is way less then the norm, where was the gain again?Citation for "less than the norm", please? I've participated in lots of
risk
modeling sessions that cost *way* less than $100K - often, all that's
needed is
get the right 5-6 people in a conference room for an hour or two with a whiteboard, discuss "what's our exposure here?" and "What can we do
about it?".
If you're spending $100K on *modelling* it, then it's probably a bigger
ticket
issue. So let's pull some *more* "obviously arbitrary numbers out of
the air
to illustrate the point". So make it $7.5M to fix, and $5M if you get
hacked.
Better?Why exactly does the flaws have to be fixed economically instead of designing the system correctly in the first place?Quite often, those risk and threat assessments *are* part of designing
it
correctly in the first place. Does the design need to include $5M in
the
budget to roll out crypto hardware? If your analysis shows that your
average
loss due to just using OpenSSL for free will only be $100K, that $5M is wasteful bloat. If it's a TJX-scale exposure, $5M is probably a
bargain.
And on this same argument, why spend a huge amount of time (money and resources) *guessing flaws* rather then correct system function?The problem is that you can't *guarantee* correct function. You *know*
the
damn thing will escape with bugs, no matter how hard you try. The
question
is how damaging the bugs are, and how much you want to spend preventing the bugs *through the entire life cycle - design, development, and
deployed*.
"why are you spending $250,000 extra to fix the flaw?" Because the estimate is abviously wrong. You cannot predict the full outcome which brings the sum from the least possible number up to infinitum.Well, yeah. I suppose it's *possible* that your system's weak password
system
will allow a hacker to get in, and from your system hack into the LHC
and
control it to spawn a black hole that eats the Earth. And even that is still a finite, not "infinitum". It's also pretty fucking unlikely. Most of the time, the analysis
sticks to
reasonably predictable outcomes - the cost of a critical server being
down for
X number of days, the cost of penalties/fines/lawsuits if there's an
exposure,
the cost of bad PR, etc. At some point, you have to forget about the movie-plot scenarios and restrict yourself to the shit that actually
happens in
real life. If a given result hasn't been reported in the trade press in
the
last 5 years, you can probably not worry about it.For instance, let's imagine a flaw in your favourite OS happens to allow any hacker backdoor access to it, there's the possibility of it being covered up neatly, with just paying your developers OR getting a nice load of media hype and pay dearly with losing your customers.It's like buying insurance (in fact, it's *exactly* like buying
insurance).
You can usually buy different levels of coverage, for different premium payments. Do you just buy the legal minimum you need for car insurance? Or do you spend another $10/month for an additional $1M of liability insurance? Or $20/mo for $2M? Same for your home/renter insurance. If you have a mortgage, you may be required to buy a certain amount. If you want more coverage, you have to decide how much to spend, to cover what threats. If you live in a flood plain, you might want to pay extra for flood insurance. You live someplace that has no history of flooding and not much chance of it changing, maybe save the money. Why do people understand how buying insurance works, but have trouble understanding that security is the same sort of trade-offs? In both cases, it's the same sort of risk modeling and analysis.Personally, I'd rather not do risk modeling at all, or at least, keep the information within reasonable bounds rather then let it reign my (hypotethical) company.Unfortunately, you'll need to do some risk modeling to figure out what "reasonable bounds" is for each piece of information. Some is OK to go on your public webpages, some goes on protected webpages only, some is only allowed on employee's workstations, some is only allowed in certain departments - and maybe you have some data that should stay on
stand-alone
machines in highly secured areas, with armed guards searching for USB
keys
and the like. But you'll need to do some risk analysis and modeling to decide which data is in which category._______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_____ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! Try it! <http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx &mkt=en-us> _____ Get news, entertainment and everything you care about at Live.com. Check it out! <http://www.live.com/getstarted.aspx%20>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Risk measurements, (continued)
- Risk measurements Craig S. Wright (Feb 12)
- Message not available
- Re: Risk measurements Christian Sciberras (Feb 12)
- Re: Risk measurements Valdis . Kletnieks (Feb 12)
- Re: Risk measurements Christian Sciberras (Feb 12)
- Re: Risk measurements Valdis . Kletnieks (Feb 12)
- Re: Risk measurements Christian Sciberras (Feb 12)
- Re: Risk measurements Rosa Maria Gonzalez Pereira (Feb 12)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Luis Zaldivar (Feb 12)
- Message not available
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements John Lightfoot (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: Risk measurements Valdis . Kletnieks (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Craig S. Wright (Feb 13)
- Re: Risk measurements Thor (Hammer of God) (Feb 12)
- Re: Risk measurements Craig S Wright (Feb 13)
- Re: SMS Banking Christian Sciberras (Feb 11)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)