Re: Risk Analysis and Common Criteria

From: yannick san (yannicksan@free.fr)
Date: 04/21/03

  • Next message: Keith Bruss: "RE: Cable Vs. DSL"
    From: "yannick san" <yannicksan@free.fr>
    To: "jkv" <ipwitch@unixcluster.dk>, <security_ness@tiscali.it>
    Date: Mon, 21 Apr 2003 23:27:49 +0200
    
    

    Risk Analysis is a complete process, and I will tell you what to read or do
    later in this mail.

    Understanding the Common Criteria will help you to acquire a better view of
    how you could proceed to create and manage the security in your enterprise. As
    far as I'm concerned, I've not really worked with the Common Criteria, but I've
    spent a long time on the Rainbow Series. The Rainbow Series could be understood
    as a US "way of thinking" while the Common Criteria is the European way...
    Even if it seems not to be followed today, reading the Rainbow Series is a
    good step to improve your security "way of thinking"... but that's another
    problem.

    Making a protection profile is another thing... Before thinking about this
    problem I have to ask you this question: did you write a security policy?
    Because the protection profile will be a document written in accordance with
    it. Well, in fact, you will refer to that document in your security
    policy...

    Choosing a security target... for your entire network? Only a server? ...
    Have you thought about having different ladders for that? By ladders, I
    mean security targets... a security target is not only a fixed value...
    Have you thought about a plan? For example a security target for the next 3
    months, then some tests, then a report, then maybe a higher security target?
    ... Choosing a security target is, I think, one of the most difficult things
    to do in a risk analysis... the main idea is that all the questions you have
    to ask yourself must be answered in accordance with a life-cycle view of
    security; I mean whatever you do, you will have to look at it again, and that
    must be planned and written somewhere.

    Some of you are talking about Intrusion Detection... but this will be a
    complete project... because as much as you define the security policy, the
    security rules and processes, you will see that you will need Intrusion
    Detection to improve your view of the network. But Intrusion Detection
    will not only be plugging in NIDS or having HIDS daemons on machines. It will
    be more complicated if you think about these questions: what will you do with
    the logs? Who will analyse them? When? When will you say that you are in
    a crisis situation? ... How about logs from routers? Switches? (logs with
    not only security incidents but also management incidents...) ... Will you
    need a console to help you in that task? :)

    Well, to know more about Risk Analysis, I can recommend you to google for
    these:
    - Aggregated Countermeasure Effectiveness (ACE) Model
    - Risk Assessment Tool
    - Information Security Risk Assessment Model (ISRAM)
    - Dollar-based OPSEC Risk Analysis (DORA)
    - Analysis of Networked Systems Security Risks (ANSSR)

    You could look for these tools... they may also help you in your task:
    - LAVA, Los Alamos Vulnerability and Risk Assessment Tool
    - RiskPAC
    - RISKWATCH

    As far as I'm concerned, I use French tools...
    Hope I could help you.

    Yannick'san

    ----- Original Message -----
    From: "Mike Heitz" <mikeheitz@upshotmail.com>
    To: "jkv" <ipwitch@unixcluster.dk>; <security_ness@tiscali.it>
    Cc: <security-basics@securityfocus.com>
    Sent: Friday, April 18, 2003 8:40 PM
    Subject: RE: Risk Analysis and Common Criteria

    Here's a second vote for that book. There are some sections on making a
    business case for intrusion detection and developing a risk analysis
    policy.

    mike heitz ** sr it manager ** UPSHOT
    312-943-0900 x5190

    -----Original Message-----
    From: jkv [mailto:ipwitch@unixcluster.dk]
    Sent: Thursday, April 17, 2003 3:18 PM
    To: security_ness@tiscali.it
    Cc: security-basics@securityfocus.com
    Subject: Re: Risk Analysis and Common Criteria

    On Thu, 17 Apr 2003 security_ness@tiscali.it wrote:

    > -what is the common process to make a Risk Analysis?
    > -what I must do to make a Protection Profile for my network? and a
    > Security Target?

    A good in-depth security analysis book, which also covers those two
    questions very well, is "Network Intrusion Detection, An Analyst's
    Handbook" (2nd ed) by Stephen Northcutt and Judy Novak, released by New
    Riders for SANS GIAC...

    --
    ipwitch
    publickey: http://unixcluster.dk/public.asc
    ---------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts.  The two-day
    Training features 6 hands-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches.  Deadline for the best rates is April 25.  Register today to
    ensure your place.
    http://www.securityfocus.com/BlackHat-security-basics
    ----------------------------------------------------------------------------
