1995-10-17 - Security Spectra

Header Data

From: “P.J. Ponder” <ponder@wane-leon-mail.scri.fsu.edu>
To: williams@va.arca.com
Message Hash: 5305a2cd9d740fde4a9a4311aee87235a959e1a4ae3fd508b0c62fea1a439d15
Message ID: <Pine.3.89.9510162030.C20974-0100000@wane3.scri.fsu.edu>
Reply To: N/A
UTC Datetime: 1995-10-17 01:19:07 UTC
Raw Date: Mon, 16 Oct 95 18:19:07 PDT

Raw message

From: "P.J. Ponder" <ponder@wane-leon-mail.scri.fsu.edu>
Date: Mon, 16 Oct 95 18:19:07 PDT
To: williams@va.arca.com
Subject: Security Spectra
Message-ID: <Pine.3.89.9510162030.C20974-0100000@wane3.scri.fsu.edu>
MIME-Version: 1.0
Content-Type: text/plain


In your recent post to the cypherpunks mailing list you proposed a 
taxonomy of security weaknesses and vulnerabilities, adding that these 
may be perhaps categorized and ranked.  Standard practice in the computer 
and communications security business has for many years been based on the 
idea of risk analysis.  More or less systematic approaches to risk 
analysis have been put forward over the years.  One example is FIPS Pub 
65 which attempted to systematize risk analysis and ideally lead one to a 
quantified level of risk at the end.  The method was too burdensome to be 
effective, and most people today use a more qualitative approach.

The whole idea of categorizing or ranking holes and vulnerabilities ab 
initio, outside of their contextual application to a real system, is not 
very helpful.  Systems vary so widely in their criticalities, 
sensitivities, costs, etc., that each of your pre-defined categorized 
weaknesses would have to be rejudged - in the context of the system being 
analyzed - to determine how, and to what extent, it could affect the system.

For example, a system with a weakness in logging events would be a disaster 
in a busy commercial transactional system that may need logs to recover 
from errors or to trace mischievous actions.  Another system, however, 
may find the lack of effective logging an inconvenience at worst (maybe 
even a plus, if the Pennsylvania cops are at the door).  The standard 
approach as I understand it is to analyze the system against all the 
known vulnerabilities and attempt to measure (maybe only qualitatively) 
the risks associated with the vulnerabilities.  I think analyzing holes 
by themselves, outside of any context, is a good academic exercise, and 
may lead to useful knowledge that people analyzing real systems can use, 
but it is not an advantage to attempt to grade them in the abstract.

--
PJ

you'll probably get lots more useful advice from others more articulate 
than I, but I hadn't posted to the list in awhile and am curious about 
how all these bounce messages everyone is talking about. Are there lots 
of others besides the guy with 1000 messages in his mailbox?  I guess I'll 
see.....
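The point of the message above - that a weakness has no rank of its own and only acquires one once it is judged against a particular system - can be shown with a small qualitative risk model. The following is an added illustration, not code from the poster or from FIPS Pub 65; the likelihood-times-impact scoring, the two constructed systems, and the three constructed weaknesses are all assumptions chosen to make the comparison concrete.

```python
"""Qualitative risk analysis: the same weakness, judged in two system contexts.

Added example. The scoring rule (likelihood x worst impact), the systems and
the weaknesses below are constructed for illustration and are not from any
standard or from the original message.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-step qualitative scale used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Weakness:
    name: str
    likelihood: Level          # how readily the weakness is exercised (context-free)
    harms: tuple[str, ...]     # security properties it undermines when exercised


@dataclass(frozen=True)
class SystemContext:
    name: str
    impact: dict[str, Level]   # what losing each property costs *this* system


def risk(weakness: Weakness, ctx: SystemContext) -> int:
    """Risk = likelihood x the worst impact among the properties this weakness harms.

    Impact is looked up in the system context, so the same weakness scores
    differently on different systems. Properties a system never valued
    default to LOW impact.
    """
    worst = max((ctx.impact.get(h, Level.LOW) for h in weakness.harms),
                default=Level.LOW)
    return int(weakness.likelihood) * int(worst)


def risk_label(score: int) -> str:
    """Collapse the numeric product back to a qualitative rating."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def rank(weaknesses: list[Weakness], ctx: SystemContext) -> list[str]:
    """Weakness names ordered from highest to lowest risk for one system."""
    return [w.name for w in sorted(weaknesses, key=lambda w: risk(w, ctx), reverse=True)]


def ranking_is_context_free(weaknesses: list[Weakness],
                            contexts: list[SystemContext]) -> bool:
    """True only if every system agrees on the order - i.e. an abstract ranking exists."""
    orders = {tuple(rank(weaknesses, c)) for c in contexts}
    return len(orders) == 1


# --- constructed weaknesses (assumed values) --------------------------------
WEAKNESSES = [
    Weakness("no event logging", Level.HIGH, ("audit", "recoverability")),
    Weakness("plaintext session data on disk", Level.MEDIUM, ("confidentiality",)),
    Weakness("single point of failure", Level.MEDIUM, ("availability",)),
]

# --- constructed system contexts (assumed values) ---------------------------
TRANSACTIONAL = SystemContext("busy commercial transaction system", {
    "audit": Level.HIGH, "recoverability": Level.HIGH,
    "confidentiality": Level.MEDIUM, "availability": Level.HIGH,
})
WORKSTATION = SystemContext("single-user workstation", {
    "audit": Level.LOW, "recoverability": Level.LOW,
    "confidentiality": Level.HIGH, "availability": Level.LOW,
})


if __name__ == "__main__":
    for ctx in (TRANSACTIONAL, WORKSTATION):
        print(ctx.name)
        for w in WEAKNESSES:
            s = risk(w, ctx)
            print(f"  {w.name:32s} risk={s} ({risk_label(s)})")
        print("  ranking:", rank(WEAKNESSES, ctx))
    print("context-free ranking exists:",
          ranking_is_context_free(WEAKNESSES, [TRANSACTIONAL, WORKSTATION]))
```

Running it, the logging weakness tops the list for the transaction system (rated HIGH) but drops to MEDIUM behind the plaintext-on-disk weakness on the workstation, so the order of the two inverts between contexts; `ranking_is_context_free` returns False, which is the message's argument in one line: the weakness list is useful input, but the grade only exists once a system is on the table.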




