Security Basics mailing list archives
RE: Threat Classification (IT centric)
From: Luis Lopez Sanchez <luis.lopez () atosorigin com>
Date: Tue, 17 Apr 2007 12:07:24 +0200
Hi All, The Spanish Government (MAP[1], to be exact) has a own methodology called MAGERIT[2] for IT Risk Assesment. This methodology has an interesant approaching in its Book II "Catalogue of Elements"[3]. Please see link below: MAGERIT - version 2 Methodology for Information Systems Risk Analysis and Management Book II - Catalogue of Elements http://www.csi.map.es/csi/pdf/magerit_v2/magerit_catalogue_en_v11.pdf In this book you will can find a smart threats classification (high level classification): You can find this clasification at point #5 "Threats" from Book II. The threats classification has this structure: ----------------------------------------------------------- [code] short description of what may happen Types of assets: that may be affected by this threat Dimensions: 1. [of security] that may be damaged by this threat; sorted by relevance Description: longer presentation of what may happen ----------------------------------------------------------- References: [1] MAP http://www9.map.es/index.html [2] Methodology for Information Systems Risk Analysis and Management (MAGERIT version 2) http://www.csi.map.es/csi/pg5m20.htm [3] Book II - Catalogue of Elements http://www.csi.map.es/csi/pdf/magerit_v2/magerit_catalogue_en_v11.pdf Regards, -- Luislo pub 1024D/8A688104 1999/07/28 Luis Lopez luis.lopez () atosorigin com Key fingerprint = 550F 3545 C847 F61E 821C 3D8C 1A12 2C19 8A68 8104 "These are the thoughts and opinions of Luis Lopez, and does not represent Atos Origin company policy." "Estos son los pensamientos y las opiniones de Luis Lopez, y no representan la política de compañía de Atos Origin." -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Zhihao Sent: domingo, 15 de abril de 2007 9:06 To: 'offset'; security-basics () securityfocus com Subject: RE: Threat Classification (IT centric) U could probably check out waltz (1998) or denning's classification..google for it and you should find it -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of offset Sent: Wednesday, 11 April, 2007 10:30 PM To: security-basics () securityfocus com Subject: Threat Classification (IT centric) Greetings, I'm researching threat classifications as part of an overall risk management program and I need to classify threats as part of the foundation. Does anyone know of an overall threat classification map? Or a list of URLs/resources/papers that would discuss threat classification at a high level (ie. high level classification such as authentication). I envision something that would encompass all layers of IT risk (ie. items picked up via network scans, wireless, wardialing, host). The challenge is to take inputs from all types of vulnerability reports, normalize into a type of threat classification, then apply rules (risk calculations) to rollup to an enterprise risk management program. I understand for Web Applications there is the WASC (http://www.webappsec.org/projects/threat/), perhaps there are others for web applications? Do any other threat classification maps exist other than for Web Applications? Thanks in advance, -- offset - ubersecurity org ------------------------------------------------------------------ This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos Origin group liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. Este mensaje y los ficheros adjuntos pueden contener informacion confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente. Pueden estar protegidos por secreto profesional Si usted recibe este correo electronico por error, gracias de informar inmediatamente al remitente y destruir el mensaje. Al no estar asegurada la integridad de este mensaje sobre la red, Atos Origin no se hace responsable por su contenido. Su contenido no constituye ningun compromiso para el grupo Atos Origin, salvo ratificacion escrita por ambas partes. Aunque se esfuerza al maximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no sera responsable de cualesquiera danos que puedan resultar de una transmision de virus ------------------------------------------------------------------
Current thread:
- Threat Classification (IT centric) offset (Apr 11)
- RE: Threat Classification (IT centric) Zhihao (Apr 16)
- <Possible follow-ups>
- RE: Threat Classification (IT centric) Luis Lopez Sanchez (Apr 17)
- RE: Threat Classification (IT centric) Luis Lopez Sanchez (Apr 17)