risk analysis
> this issue covered at the AVAR conference last year (before Vista had even
> been released), there's only the abstract online at
> http://www.aavar.org/avar2006/Program/ericchien.html, but it gives a good
> idea of what the anti-virus guys are concerned about here.
Eric's talk seems to be a good start on risk analysis of gadgets generically.
The design of Vista gadgets seems particularly troubling since it seemed to
have several design flaws which were the subject of the paper.
> Given what an incredible attack vector they are (it's pretty much an open
> invitation to get malware onto PCs), I'm amazed there haven't been any
> Also, you should consider that such actions also have direct political
> and diplomatic ramifications neither of us understands.
>
>
> So, for now, I'd say that each of us should make such decisions by our
> own risk analysis with the trade-off between costs and benefits in
> mind,
> and only for our own networks.
You and I seem perfectly aligned on that, as I state in the article. I would hope that other people would read it first without jumping to the conclusion that I'm making sweeping blocking suggestions (not saying you are).
>
> Such social change to encourage new technological and operational solutions happens every 2-5 years or so, and I don't expect anything large enough such as an AS-based reputation system to happen anytime soon.
>
> Also, you should consider that such actions also have direct political and diplomatic ramifications neither of us understands.
>
> So, for now, I'd say that each of us should make such decisions by our own risk analysis with the trade-off between costs and benefits in mind, and only for our own networks.
>
> Aside to that, I know some people in China who work very hard on security, and do a better job than we do at it. But that does not mean the situation as it stands now is acceptable.
>
>> IOW, I really don't think the tag had that much to do with it now...
>
Andrew Wright (N-Dimension Solutions)
* Tutorial 2: An introduction to usable security
Jeff Yan (Newcastle University)
* Tutorial 3: Security Risk Analysis of Computer Networks: Techniques
and Challenges
Anoop Singhal (NIST) and Xinming Ou (Kansas State University)
* Tutorial 4: Securing Wireless Systems
Panos Papadimitratos (EPFL)
Hi,
ISECOM has been working on improving and replacing risk analysis,
assessments and management with trust. Our research has shown dramatic
improvements from using a trust model based on fact over risk models.
OSSTMM 3 (www.osstmm.org) outlines much of this already and I am
beginning to address this at various conferences.
Mastering trust has many benefits for security testing including
improved social engineering, improved attack trees, and improved
* privacy and emergency management policies and technologies
* vulnerable online users and privacy sensitization
* evolving nature of lawful surveillance
* smart cards and privacy
* identity theft and management
* privacy audits and risk analysis
* evolving role of privacy officers
Privacy Theme Chair:
Frederic Cuppens, TELECOM Bretagne, France
(Take special notice if you fall under special regulations like
HIPAA or SOX)
3. Create a document to present to the company leadership:
   a. Prepare a complete analysis of the vulnerability including the
      exact steps needed to repeat the exploit
b. Make sure that your documentation includes a risk analysis
(without the standard FUD)
c. Make sure that your documentation includes the research on
protection of personal information and breach notification
d. Make sure that your documentation includes both technical
details as well as an executive summary for non-technical executives
> About
> *****
> Digital Security is leading IT security company in Russia,
> providing information security consulting, audit and penetration
> testing services, risk analysis and ISMS-related services and
> certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital
> Security Research Group focuses on web application and database
> security problems with vulnerability reports, advisories and
> whitepapers posted regularly on our website.