Re: mapping vulnerabilities into high medium low risk

From: George W. Capehart (gwc@capehassoc.com)
Date: Fri Sep 19 2003 - 09:53:56 EDT


On Wednesday 17 September 2003 10:22 pm, thomasng@bigfella.is-a-geek.net
wrote:
> Hi All,
> Thanks for all your help.
> From the responses, I guess there is a lot more overlap between pen-test
> and risk assessment than I thought. I agree that a lot of times you have
> to consider the cost of the compromised information to the customer.
> However, from a technical point of view of a PT, the risk of a root
> exploit present in a system without production data is the same as in
> a system with production data.

Greetings,

Sorry I got into this thread late. There are a couple of other sources
that might be very helpful. NIST SP 800-12 has, IMHO, the best
introduction to risk assessment and assessment strategies I've seen
(Chapter 7, Computer Security Risk Management). Another great source
for when there's more time to read and digest is Thomas Peltier's
_Information_Security_Risk_Analysis_ ISBN 0-8493-0880-1. Finally,
Section 10 of ISO/IEC TR 13335-2 (Corporate Risk Analysis Strategy
Options) is also good. 800-12 and 13335 are quicker reading. I'd
recommend them first . . . I think they'd help you work through your
decision-making process with your team.

My $0.02.

Regards,

George Capehart

-- 
George W. Capehart
"With sufficient thrust, pigs fly just fine . . ."
 -- RFC 1925


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:40 EDT