Penetration Testing mailing list archives
RE: Sample Risk Assessment Report
From: "Cure, Samuel J" <scure () kpmg com>
Date: Fri, 14 Jan 2005 13:38:25 -0500
Tyler, In the context of assets = devices on a network, the question I am raising here is what assets are you scanning? Some random IP range a customer provides? All IPs including print servers? My point is simply this; If you work from the technical systems (assets) and move up to the business level risks, you are potentially missing appropriate assets in the first place, and/or focusing on the wrong devices on the network. If you have preliminary definition or perform interviews and process analysis to understand the business and intellectual property as a first phase, this could eliminate the "back pedaling" needed to map asset vulnerabilities to business functions/IP/etc. As you mentioned, nothing is set in stone. :) Just wanted some thoughts.. . thanks for the feedback, -scure -----Original Message----- From: Tyler Markowsky [mailto:tyler.markowsky () seccuris com] Sent: Friday, January 14, 2005 1:29 PM To: 'Cure, Samuel J'; 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report I am confused by your definition of assets scure. Can you please clarify? On assets: Are network devices not assets? Does it not follow that if you have scanned, identified and analyzed technical vulnerabilities, then you could have also identified a risk to an asset? (assuming your technical analysis phase involves some form of quantitative / qualitative classification) I agree that business risks differ from technical risks; however doesn't the failure of an asset (potentially) lead to the failure a business process(es), which can (potentially) upset a critical business function(s)? On methodology: I cannot discuss methodology in detail, but I can say that threat risk assessments are not set in stone. Each and every client has specific needs and concerns which require you to adapt your internal and external processes. This in turn affects your analysis and therefore your deliverables. (This is why scure and I have more questions than answers mambo) Having said this, you would not be able to identify those specific client needs without preliminary definition of need from a business threat-risk perspective. Best, Tyler Markowsky Information Risk Analyst Seccuris http://www.seccuris.com -----Original Message----- From: Cure, Samuel J [mailto:scure () kpmg com] Sent: Friday, January 14, 2005 11:38 AM To: 'Tyler Markowsky'; 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report This raises a question. Is this a top down approach or bottom up approach based on the OSI model with business layer being on top? The challenge with mapping assets to vulnerabilities using a bottom up approach is the ability to identify business risk associated with findings. If a bottom up approach is being used, then the technical assessments are performed first. Therefore, trying to identify the assets or business risk after the technical assessment is performed increases the chance of missing something with business impact. As Tyler mentioned, target audience is key and I concur with the report content he listed. Others? Thoughts? -scure -----Original Message----- From: Tyler Markowsky [mailto:tyler.markowsky () seccuris com] Sent: Thursday, January 13, 2005 6:10 PM To: 'Mambo'; pen-test () securityfocus com Subject: RE: Sample Risk Assessment Report Hello Mambo- Who will be the audience of this report? Board-level? Executive management? IT Security professionals? Depending on who will be reading it, try to apply your knowledge of the organizations assets and critical business functions to the discovered vulnerabilities. This will provide value to not only those who are highly technical, but also those who are not. Best, Tyler Markowsky Information Risk Analyst Seccuris -----Original Message----- From: Mambo [mailto:mamboz () gmail com] Sent: Thursday, January 13, 2005 5:04 AM To: pen-test () securityfocus com Subject: Sample Risk Assessment Report Hi All, Any idea about any sample Risk Assessment Report's available on the net. Was searching but got very few which are not worth mentioning. Cheers Mambo """Security-- Someone gave birth...But i Own it..now...""" **************************************************************************** * The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. **************************************************************************** * ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. *****************************************************************************
Current thread:
- Sample Risk Assessment Report Mambo (Jan 13)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report James Williams (Jan 14)
- <Possible follow-ups>
- RE: Sample Risk Assessment Report Todd Towles (Jan 13)
- Re: Sample Risk Assessment Report infosecgod (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)
- RE: Sample Risk Assessment Report Tyler Markowsky (Jan 14)
- RE: Sample Risk Assessment Report Cure, Samuel J (Jan 14)