Re: [scap_interest] Gaps in Risk Management
Karen Scarfone <karen@scarfonecybersecurity.com> Tue, 14 February 2012 20:57 UTC
Return-Path: <karen@scarfonecybersecurity.com>
X-Original-To: scap_interest@ietfa.amsl.com
Delivered-To: scap_interest@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10DCE21E8112 for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 12:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.976
X-Spam-Level:
X-Spam-Status: No, score=-5.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UFhHCdYUJU-3 for <scap_interest@ietfa.amsl.com>; Tue, 14 Feb 2012 12:57:20 -0800 (PST)
Received: from na3sys010aog113.obsmtp.com (na3sys010aog113.obsmtp.com [74.125.245.94]) by ietfa.amsl.com (Postfix) with SMTP id 8EB9521E8103 for <scap_interest@ietf.org>; Tue, 14 Feb 2012 12:57:19 -0800 (PST)
Received: from mail-lpp01m010-f51.google.com ([209.85.215.51]) (using TLSv1) by na3sys010aob113.postini.com ([74.125.244.12]) with SMTP ID DSNKTzrKrpis07l0AgMFxJKTefWXHwq89PIw@postini.com; Tue, 14 Feb 2012 12:57:19 PST
Received: by mail-lpp01m010-f51.google.com with SMTP id s15so385517lag.10 for <scap_interest@ietf.org>; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.152.147.137 with SMTP id tk9mr15755313lab.8.1329253038672; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
Received: by 10.112.129.167 with HTTP; Tue, 14 Feb 2012 12:57:18 -0800 (PST)
In-Reply-To: <CB600937.91DB%amontville@tripwire.com>
References: <CB600937.91DB%amontville@tripwire.com>
Date: Tue, 14 Feb 2012 15:57:18 -0500
Message-ID: <CAAfuYh-LaYmcWy9k0U=aCrfWET2BEp3aEuohp_he1emDZEKKXA@mail.gmail.com>
From: Karen Scarfone <karen@scarfonecybersecurity.com>
To: Adam Montville <amontville@tripwire.com>
Content-Type: multipart/alternative; boundary="e89a8f2348ab2fcbf804b8f2d76d"
X-Gm-Message-State: ALoCoQn6hKzSxacu0orTzEjXsFCVhQaHrlhtJFWOWaZ9KkViPOrltCktf1QvbzRFh/LqAwJICDLA
Cc: "scap_interest@ietf.org" <scap_interest@ietf.org>
Subject: Re: [scap_interest] Gaps in Risk Management
X-BeenThere: scap_interest@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion List for IETFers interested in the Security Content Automation Protocol \(SCAP\)." <scap_interest.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/scap_interest>
List-Post: <mailto:scap_interest@ietf.org>
List-Help: <mailto:scap_interest-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scap_interest>, <mailto:scap_interest-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2012 20:57:21 -0000
A few quick thoughts on this: * We can't aggregate all these vulnerabilities unless we can model their relationships. For example, a particular configuration setting might nullify the applicability of a particular software flaw, and configuration settings certainly affect each other. * There's a whole other class of vulnerabilities besides software flaws and configurations. Basically, any other vulnerability can be considered a trust misuse/abuse vulnerability: social engineering and insider attacks, for example. A risk management methodology that addresses software flaws and misconfigurations is inadequate if it doesn't capture the other vulnerabilities as well. We do have a spec, CMSS, designed to provide scoring for these vulnerabilities just like CVSS does for software flaws and CCSS does for misconfigurations. What we don't yet have is a (heaven help me) dictionary or taxonomy of CMSS vulnerabilities. (Fortunately, I'd expect this to be pretty small and straightforward to create, compared to CVE and CCE). Karen On Tue, Feb 14, 2012 at 3:51 PM, Adam Montville <amontville@tripwire.com>wrote: > All, > > Security automation seeks to automate what we can ultimately within the > framework of risk management. Scoring is not enough to measure risk. What > appears to be needed is a method by which we can automate risk measurement. > It would be interesting to discuss various ways in which such automation > might be achieved along both qualitative and quantitative lines. > > The scoring methods we have in place today for vulnerabilities and > configurations (CVSS and CCSS respectively) can measure risk of a > particular instance of a class of concepts in our domain. What I don't see > being possible at this point is a way to measure the aggregate instances of > vulnerabilities and misconfigurations for some set of assets (whether that > be a single asset or a composite asset representing an entire network). > > Risk management methodologies are not scarce – NIST, ISO, CobiT, OCTAVE > and others all present some method of managing risk, and they are similar. > How can we apply automation in support of these various risk management > methods while providing both qualitative and quantitative risk assessment > under the hood? > > Regards, > > Adam W. Montville | Security and Compliance Architect > > Direct: 503 276-7661 > Mobile: 360 471-7815 > > TRIPWIRE | Take CONTROL > http://www.tripwire.com > > _______________________________________________ > scap_interest mailing list > scap_interest@ietf.org > https://www.ietf.org/mailman/listinfo/scap_interest > -- Karen Scarfone, Principal Consultant, Scarfone Cybersecurity karen@scarfonecybersecurity.com (703)401-1018
- [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Karen Scarfone
- Re: [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Jerome Athias
- Re: [scap_interest] Gaps in Risk Management kathleen.moriarty
- Re: [scap_interest] Gaps in Risk Management Luis Nunez
- Re: [scap_interest] Gaps in Risk Management Adam Montville
- Re: [scap_interest] Gaps in Risk Management Lloyd, Mike