From: “P.J. Ponder” <ponder@wane-leon-mail.scri.fsu.edu>
To: williams@va.arca.com
Message Hash: 5305a2cd9d740fde4a9a4311aee87235a959e1a4ae3fd508b0c62fea1a439d15
Message ID: <Pine.3.89.9510162030.C20974-0100000@wane3.scri.fsu.edu>
Reply To: N/A
UTC Datetime: 1995-10-17 01:19:07 UTC
Raw Date: Mon, 16 Oct 95 18:19:07 PDT
From: "P.J. Ponder" <ponder@wane-leon-mail.scri.fsu.edu>
Date: Mon, 16 Oct 95 18:19:07 PDT
To: williams@va.arca.com
Subject: Security Spectra
Message-ID: <Pine.3.89.9510162030.C20974-0100000@wane3.scri.fsu.edu>
MIME-Version: 1.0
Content-Type: text/plain
In your recent post to the cypherpunks mailing list you proposed a
taxonomy of security weaknesses and vulnerabilities, adding that these
may be perhaps categorized and ranked. Standard practice in the computer
and communications security business has for many years been based on the
idea of risk analysis. More or less systemmatic approaches to risk
analysis have been put forward over the years. One example is FIPS Pub
65 which attempted to systematize risk analysis and ideally lead one to a
quantified level of risk at the end. The method was too burdensome to be
effective, and most people today use a more qualitative approach.
The whole idea of categorizing or ranking holes and vulnerabilities ab
intitio, outside of their contextual application to a real system is not
very helpful. Systems vary so widely in their criticalities,
sensitivities, costs, etc., that each of your pre-defined categorized
weaknesses would have to be rejudged - in the context of the system being
analyzed - to determine how, and to what extent it could effect the system.
For example, a system with a weakness in logging events would be a disaster
in a busy commercial transactional system that may need logs to recover
from errors or to trace mischievious actions. Another system, however,
may find the lack of effective logging an inconvenience at worst (maybe
even a plus, if the Pennsylvania cops are at the door). The standard
approach as I understand it is to analyze the system against all the
known vulnerabilities and attempt to measure (maybe only qualitatively)
the risks associated with the vulnerabilities. I think analyzing holes
by themselves, outside of any context, is a good academic exercise, and
may lead to useful knowledge that people analyzing real systems can use,
but it is not an advantage to attempt to grade them in the abstract.
--
PJ
you'll probably get lots more useful advice from others more articulate
than I, but I hadn't posted to the list in awhile and am curious about
how all these bounce messages everyone is talking about. Are there lots
others besides the guy with 1000 messages in his mailbox? I guesss I'll
see.....
Return to October 1995
Return to ““P.J. Ponder” <ponder@wane-leon-mail.scri.fsu.edu>”
1995-10-17 (Mon, 16 Oct 95 18:19:07 PDT) - Security Spectra - “P.J. Ponder” <ponder@wane-leon-mail.scri.fsu.edu>