Re: mapping vulnerabilities into high medium low risk

From: George W. Capehart (
Date: 09/19/03

    Date: Fri, 19 Sep 2003 09:53:56 -0400

    On Wednesday 17 September 2003 10:22 pm,
    > Hi All,
    > Thanks for all your help.
    > From the responses, I guess there is a lot more overlap of pen-test and
    > risk assessment than I thought. I agree that a lot of times, you have
    > to consider the cost of the compromised information to the customer.
    > However, from a technical point of view of a PT, the risk of a root
    > exploit present in a system without production data is the same as
    > in a system with production data.


    Sorry I got into this thread late. There are a couple of other sources
    that might be very helpful. NIST SP 800-12 has, IMHO, the best
    introduction to risk assessment and assessment strategies I've seen
    (Chapter 7, Computer Security Risk Management). Another great source
    for when there's more time to read and digest is Thomas Peltier's
    _Information_Security_Risk_Analysis_ ISBN 0-8493-0880-1. Finally,
    Section 10 of ISO/IEC TR 13335-2 (Corporate Risk Analysis Strategy
    Options) is also good. 800-12 and 13335 are quicker reading. I'd
    recommend them first . . . I think they'd help you work through your
    decision-making process with your team.

    My $0.02.


    George Capehart

    George W. Capehart
    "With sufficient thrust, pigs fly just fine . . ."
     -- RFC 1925

