Top 10 Blog Posts

January 13, 2009

I no longer post regularly, as I find the time is better spent on my own security research and with my family and friends.  The existing content will remain available and, to help you focus on it, I have provided a list of the Top 10 Blog Posts.

1. A Simple Scorecard for Information Security
2. The Dirt on Information Security: Metrics
3. Web 2.0 is big on Feeds
4. Technical Vulnerability Management
5. Phishing Online — Don’t take the bait…
6. Security Event Management (SEM)
7. Role Based Access Control (RBAC)
8. Information Security versus IT Security
9. Identity Management (IDM)
10. The 3 Dimensions of eCommerce Security

Enjoy.

Explaining security to those in the security industry can be hard enough at the best of times without having to try and convince a board to spend on security during harder times.  Traditional Brake Theory is sometimes deployed by security managers at this point, but I’m going to introduce a new and improved theory that might help you sometime, and I call that theory Jet Theory.

Read the rest of this entry »

An overall risk exposure value should be calculated for each server or each application to provide a means of comparison with other servers or applications.  Enough polarisation should exist that the management of servers and applications — i.e. the prioritising of changes or compliance efforts — may be controlled more granularly, based on both technical and business risk.

Read the rest of this entry »
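The excerpts in this series describe technical risk being assigned per configuration item and business risk per application, with an overall exposure value per server or application used for comparison. The following is an added illustration of that structure, not code from the blog: the aggregation rules it uses (a server takes the highest technical risk among its configuration items, an application's exposure is its business risk multiplied by the worst technical risk across its servers, and a server's exposure is its technical risk multiplied by the highest business risk of any application hosted on it) are assumptions chosen for illustration, not the author's formula, and the configuration items, servers and applications are constructed sample data.

```python
"""Added example: combine per-configuration-item technical risk with
per-application business risk into an overall exposure value and rank.
The combination rules are assumptions for illustration; the blog post
does not state the author's formula."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigItem:
    name: str
    server: str
    technical_risk: int  # 1 (low) .. 5 (high), assigned per configuration item


@dataclass(frozen=True)
class Application:
    name: str
    business_risk: int  # 1 (low) .. 5 (high), assigned by the business unit per application
    servers: tuple[str, ...]


# Constructed sample data (not from the page).
ITEMS = (
    ConfigItem("sshd-config", "web01", 2),
    ConfigItem("apache-version", "web01", 4),
    ConfigItem("db-listener", "db01", 3),
    ConfigItem("kiosk-os", "kiosk01", 5),  # highest technical risk on the estate
)
APPS = (
    Application("payments", 5, ("web01", "db01")),
    Application("intranet-wiki", 2, ("kiosk01",)),  # low business value
    Application("hr-portal", 4, ("db01",)),
)


def server_technical_risk(items, server: str) -> int:
    """Assumption: a server is only as good as its worst configuration item."""
    risks = [ci.technical_risk for ci in items if ci.server == server]
    return max(risks) if risks else 0


def application_exposure(app: Application, items) -> int:
    """Assumption: business risk x worst technical risk across the app's servers."""
    worst = max((server_technical_risk(items, s) for s in app.servers), default=0)
    return app.business_risk * worst


def server_exposure(server: str, apps, items) -> int:
    """Assumption: a server inherits the highest business risk of any app it hosts."""
    hosted = [a.business_risk for a in apps if server in a.servers]
    return server_technical_risk(items, server) * (max(hosted) if hosted else 0)


def rank_applications(apps, items) -> list[tuple[str, int]]:
    """Highest exposure first; ties broken by name so the order is stable."""
    scored = ((a.name, application_exposure(a, items)) for a in apps)
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def rank_servers(apps, items) -> list[tuple[str, int]]:
    servers = sorted({ci.server for ci in items})
    scored = ((s, server_exposure(s, apps, items)) for s in servers)
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for name, score in rank_applications(APPS, ITEMS):
        print(f"application {name:<14} exposure {score}")
    for name, score in rank_servers(APPS, ITEMS):
        print(f"server      {name:<14} exposure {score}")
```

With the sample data the kiosk carries the single riskiest configuration item, yet its application ranks last because the business unit rated it low; the payments application tops both lists because a moderately risky web server underpins a high-value service. That spread between the two views is the polarisation the excerpt asks for, and it is what lets change or compliance work be prioritised on both dimensions rather than on vulnerability severity alone.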

Business risk, for the purposes of A Simple Security Risk Assessment, is the input provided by the Business Unit, which incorporates the value and criticality of the Information Assets to business operations.  A business risk value is usually assigned to each application and not to each server or configuration item (unlike technical risk, which is assigned to each configuration item).

Read the rest of this entry »

Technical risk, for the purposes of A Simple Security Risk Assessment, refers to the probability that an attacker will exploit a vulnerability in the software related to a specific configuration item, or that a misconfiguration of the configuration item will result in the same or a similar level of impact.  Let’s see how we can go about rating it.

Read the rest of this entry »

As discussed in the previous post, it is a common approach for Industry Standard Risk Methodologies to categorise the threat type prior to assigning a value.  The threat type provides a level of context around the value that will be assigned to it and is far easier than exhaustively evaluating every possible threat (although this may be required for some).

The categories used by A Simple Security Risk Assessment are the attributes of Information Assets[1] that are affected by a successful exploitation of a vulnerability in the related code by an attacker, or alternatively, the Information Asset attributes that are affected by an accidental misconfiguration of the setting.

Read the rest of this entry »

Risk methodologies of various levels of complexity already exist for different purposes.  Whilst it is prudent to evaluate industry standard security risk methodologies, stringently following an industry standard may not result in a suitable outcome for your organisation.  The objective of this post is to provide an introduction to the general concepts of risk assessment and is not to provide a comprehensive review.

Read the rest of this entry »
