RE: Sample Risk Assessment Report

From: Cure, Samuel J (scure_at_kpmg.com)
Date: 01/14/05

    To: "'Tyler Markowsky'" <tyler.markowsky@seccuris.com>, "Cure, Samuel J" <scure@kpmg.com>, "'Mambo'" <mamboz@gmail.com>, pen-test@securityfocus.com
    Date: Fri, 14 Jan 2005 13:38:25 -0500

    Tyler, in the context of assets = devices on a network, the question I am
    raising here is what assets are you scanning? Some random IP range a
    customer provides? All IPs including print servers? My point is simply this:
    if you work from the technical systems (assets) and move up to the business
    level risks, you are potentially missing appropriate assets in the first
    place, and/or focusing on the wrong devices on the network. If you have a
    preliminary definition or perform interviews and process analysis to
    understand the business and intellectual property as a first phase, this
    could eliminate the "back pedaling" needed to map asset vulnerabilities to
    business functions/IP/etc. As you mentioned, nothing is set in stone. :)

    Just wanted some thoughts... thanks for the feedback,

    -scure

    -----Original Message-----
    From: Tyler Markowsky [mailto:tyler.markowsky@seccuris.com]
    Sent: Friday, January 14, 2005 1:29 PM
    To: 'Cure, Samuel J'; 'Mambo'; pen-test@securityfocus.com
    Subject: RE: Sample Risk Assessment Report

    I am confused by your definition of assets, scure. Can you please clarify?

    On assets:
    Are network devices not assets? Does it not follow that if you have
    scanned, identified and analyzed technical vulnerabilities, then you could
    have also identified a risk to an asset? (assuming your technical analysis
    phase involves some form of quantitative / qualitative classification)

    I agree that business risks differ from technical risks; however, doesn't the
    failure of an asset (potentially) lead to the failure of a business
    process(es), which can (potentially) upset a critical business function(s)?

    On methodology:
    I cannot discuss methodology in detail, but I can say that threat risk
    assessments are not set in stone. Each and every client has specific needs
    and concerns which require you to adapt your internal and external
    processes. This in turn affects your analysis and therefore your
    deliverables. (This is why scure and I have more questions than answers,
    mambo.) Having said this, you would not be able to identify those specific
    client needs without preliminary definition of need from a business
    threat-risk perspective.

    Best,

    Tyler Markowsky
    Information Risk Analyst
    Seccuris

    http://www.seccuris.com

    -----Original Message-----
    From: Cure, Samuel J [mailto:scure@kpmg.com]
    Sent: Friday, January 14, 2005 11:38 AM
    To: 'Tyler Markowsky'; 'Mambo'; pen-test@securityfocus.com
    Subject: RE: Sample Risk Assessment Report

    This raises a question. Is this a top-down approach or bottom-up approach
    based on the OSI model with the business layer being on top? The challenge with
    mapping assets to vulnerabilities using a bottom-up approach is the ability
    to identify business risk associated with findings. If a bottom-up approach
    is being used, then the technical assessments are performed first.
    Therefore, trying to identify the assets or business risk after the
    technical assessment is performed increases the chance of missing something
    with business impact.

    As Tyler mentioned, target audience is key and I concur with the report
    content he listed.

    Others? Thoughts?

    -scure

    -----Original Message-----
    From: Tyler Markowsky [mailto:tyler.markowsky@seccuris.com]
    Sent: Thursday, January 13, 2005 6:10 PM
    To: 'Mambo'; pen-test@securityfocus.com
    Subject: RE: Sample Risk Assessment Report

    Hello Mambo-

    Who will be the audience of this report? Board-level? Executive management?
    IT Security professionals?

    Depending on who will be reading it, try to apply your knowledge of the
    organization's assets and critical business functions to the discovered
    vulnerabilities. This will provide value to not only those who are highly
    technical, but also those who are not.

    Best,

    Tyler Markowsky
    Information Risk Analyst
    Seccuris

    -----Original Message-----
    From: Mambo [mailto:mamboz@gmail.com]
    Sent: Thursday, January 13, 2005 5:04 AM
    To: pen-test@securityfocus.com
    Subject: Sample Risk Assessment Report

    Hi All,

            Any idea about any sample Risk Assessment Reports available
    on the net? Was searching but got very few, which are not worth
    mentioning.

    Cheers
    Mambo

    """Security-- Someone gave birth...But i Own it..now..."""

    *****************************************************************************
    The information in this email is confidential and may be legally privileged.
    It is intended solely for the addressee. Access to this email by anyone else
    is unauthorized.

    If you are not the intended recipient, any disclosure, copying, distribution
    or any action taken or omitted to be taken in reliance on it, is prohibited
    and may be unlawful. When addressed to our clients any opinions or advice
    contained in this email are subject to the terms and conditions expressed in
    the governing KPMG client engagement letter.
    *****************************************************************************

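An added illustration of the top-down versus bottom-up point argued in this thread (this is example code written for this archive page, not code from any of the posters or from KPMG or Seccuris). It assumes a constructed business-function inventory, built first from interviews as scure suggests, and a constructed list of scan findings; it then rates each finding by business criticality rather than technical severity alone, and reports the two gaps a purely bottom-up scan hides: scanned hosts that are in nobody's inventory, and inventoried assets the scan never touched.

```python
"""Map bottom-up scan findings onto a top-down asset / business-function inventory.

All data below is constructed for illustration; asset names, IPs and
vulnerability identifiers are placeholders, not real findings.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    name: str
    business_functions: list  # functions this asset supports (from interviews)


@dataclass
class Finding:
    ip: str
    vuln_id: str
    severity: int  # 1 (low) .. 5 (critical), as rated by the technical assessment


# Top-down phase: business functions and their criticality (1..5), defined
# before any scanning. Constructed sample values.
BUSINESS_FUNCTIONS = {
    "order processing": 5,
    "payroll": 4,
    "print services": 1,
}

# Asset inventory derived from the process analysis. Constructed sample values.
INVENTORY = [
    Asset("10.0.1.10", "erp-db", ["order processing"]),
    Asset("10.0.1.11", "hr-app", ["payroll"]),
    Asset("10.0.2.5", "print-01", ["print services"]),
    Asset("10.0.3.7", "file-share", ["order processing", "payroll"]),
]

# Bottom-up phase: findings from a scan of "whatever IP range the customer gave".
# Note the host 10.0.9.99 that appears in no inventory. Constructed sample values.
FINDINGS = [
    Finding("10.0.1.10", "VULN-A", 4),
    Finding("10.0.2.5", "VULN-B", 5),
    Finding("10.0.9.99", "VULN-C", 5),
]


def assess(inventory, findings, functions):
    """Rate findings by business impact and report inventory/scan coverage gaps.

    Business risk for a finding = (highest criticality among the asset's
    business functions) x (technical severity). A finding on a host that is
    not in the inventory cannot be rated and is reported separately, as is
    every inventoried asset the scan did not cover.
    """
    by_ip = {a.ip: a for a in inventory}
    rated, unknown_hosts = [], []
    for f in findings:
        asset = by_ip.get(f.ip)
        if asset is None:
            unknown_hosts.append(f.ip)  # scanned, but nobody claims this device
            continue
        criticality = max(functions[b] for b in asset.business_functions)
        rated.append({
            "asset": asset.name,
            "vuln": f.vuln_id,
            "functions": list(asset.business_functions),
            "risk": criticality * f.severity,
        })
    scanned_ips = {f.ip for f in findings}
    not_scanned = [a.name for a in inventory if a.ip not in scanned_ips]
    rated.sort(key=lambda r: r["risk"], reverse=True)
    return {"rated": rated, "unknown_hosts": unknown_hosts, "not_scanned": not_scanned}


if __name__ == "__main__":
    result = assess(INVENTORY, FINDINGS, BUSINESS_FUNCTIONS)
    for r in result["rated"]:
        print(f"{r['asset']:<12} {r['vuln']:<8} risk={r['risk']:<3} supports {r['functions']}")
    print("scanned but not in inventory:", result["unknown_hosts"])
    print("in inventory but never scanned:", result["not_scanned"])
```

With the sample data the technically most severe finding (severity 5 on the print server) ranks below the severity-4 finding on the ERP database once business criticality is applied, which is the "mapping to business functions" Tyler and scure are describing; the two gap lists are what a bottom-up-only engagement would never produce, since it has no inventory to compare the scan against.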
