WebApp Sec mailing list archives

RE: Taxonomies and multi-factor vulnerabilities


From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 14 Jul 2005 11:01:07 -0500

 

Frank O'Dwyer asked:

Also what makes you think these things fit into a hierarchy at all,

I don't know what the right classification system is, or if there
is one, but the problem interests me. The fuzzy classifications I
use now sure help business and organizational owners I work with
make some sense out of this technical muck, so they have a purpose.

You are right about complexity and the need to view/order/sort
for different people/needs in different ways.

From: Steven M. Christey [mailto:coley () mitre org] 

[...]
I know that a lot of people on this list understand this, but this is
one of the major challenges for building the "right" scheme to
effectively capture these kinds of problems.  I wish I knew the answer
but I'm only just starting to ask better questions.

I was happily using STRIDE as a threat model, for example, until
some folks that are smarter than I am pointed out that it's a mix
of Threats and Attacks and not a true Threat model.

After starting over clean I've come to realize this may be a
Rob Rosen style problem. It's hard to separate data from purpose
in modeling (particularly with software, where the two are the
same), and micro/macro classification systems are usually
fundamentally unequal in any science, but I'd rather have a
rough or unequal system than no system at all.


-ae
