Web Application Security
RE: Threat Modelling May 21 2004 08:58AM Brewis, Mark (mark brewis eds com)
>>From: Mark Curphey [mailto:mark (at) curphey (dot) com]
>>
>>CRAMM is a general / generic Risk Assessment tool for
>>information security.
For those who don't know, CRAMM is a high-level tool designed to model risk at the physical, policy and procedural level, rather than the technical. Early versions were difficult to use, and even harder to interpret. The ISO 17799 aligned version is far more powerful, although it needs someone skilled to drive it.
A more technical, network-level risk assessment/threat modelling tool back in the late 1990s was the L3 Network Security Expert/Retriever, a (for the time) sophisticated network mapping and risk analysis system. It was bought by Symantec about 2000 and fairly promptly disappeared. If I remember correctly, you were able to define any type of custom threats and countermeasures, and model them with a reasonable level of granularity. I only ever used it to model systems, rather than applications, but it was a really interesting hybrid tool.
Both tools use/used some variation of the standard:
* Define Assets
* Define Vulnerabilities
* Define Threats
* Define Mitigation Strategies
within
* Technical
* Management
* Operational
Risk-Remediation areas.
Neither of these addresses your requirements (particularly L3, since it appears to have gone), although I think the L3 tool(s) came closest. There isn't anything I know of that even comes close to doing some of this, never mind everything. Most of the case and sequence diagrams I've seen have been manually defined and Visio-drawn (paradoxically, probably the main utility that helped kill off L3 Expert/Retriever). Risk modelling has been extrapolated from those, in a generally ad hoc fashion.
In many respects, I think you've answered your own question - there is a gap in this area. If Symantec still have the L3 code base lying around (and it didn't metamorphose into the Vulnerability Assessment product) it might be worth dusting down.
Mark
Mark Brewis
Security Consultant
EDS
UK Information Assurance Group
Wavendon Tower
Milton Keynes
Buckinghamshire
MK17 8LX.
Tel: +44 (0)1908 28 4013
Mbl: +44 (0)7989 291 648
Fax: +44 (0)1908 28 4393
E@: mark.brewis (at) eds (dot) com
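The assets / vulnerabilities / threats / mitigations sequence above, split across technical, management and operational remediation areas, can be held in a small risk register. The following is an added example, not code from the post, from CRAMM or from the L3 tools: the 1..5 scales, the multiplicative inherent risk and the treatment of each countermeasure as a fractional reduction of the remaining risk are assumptions chosen for illustration, and the asset, threat and countermeasure names are constructed sample data.

```python
# Added illustration of an asset/threat/vulnerability/countermeasure register.
# Scoring model (1..5 scales multiplied, fractional reductions) is an
# assumption for this example, not the method used by CRAMM or L3.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Area(Enum):
    TECHNICAL = "technical"
    MANAGEMENT = "management"
    OPERATIONAL = "operational"


def _check_scale(value: int, label: str) -> None:
    # Every qualitative score is an integer on a 1..5 scale (assumption).
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # impact if compromised, 1..5
    def __post_init__(self): _check_scale(self.value, "asset value")


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # how likely the threat agent acts, 1..5
    def __post_init__(self): _check_scale(self.likelihood, "threat likelihood")


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: int       # how easily the threat exploits it, 1..5
    def __post_init__(self): _check_scale(self.exposure, "vulnerability exposure")


@dataclass(frozen=True)
class Countermeasure:
    name: str
    area: Area
    reduction: float    # fraction of the remaining risk removed, 0.0..1.0
    def __post_init__(self):
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError(f"reduction must be in 0..1, got {self.reduction!r}")


@dataclass
class RiskEntry:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def inherent_risk(self) -> int:
        # Risk before any countermeasure: value x likelihood x exposure (1..125).
        return self.asset.value * self.threat.likelihood * self.vulnerability.exposure

    def residual_risk(self) -> float:
        # Countermeasures apply multiplicatively to whatever risk remains,
        # so two 50% controls leave 25% of the inherent risk, not 0%.
        remaining = float(self.inherent_risk())
        for cm in self.countermeasures:
            remaining *= 1.0 - cm.reduction
        return round(remaining, 2)

    def uncovered_areas(self) -> List[Area]:
        # Remediation areas with no control at all, in declaration order.
        covered = {cm.area for cm in self.countermeasures}
        return [a for a in Area if a not in covered]


def risk_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    # Highest residual risk first, so the list reads as a remediation queue.
    return sorted(entries, key=lambda e: e.residual_risk(), reverse=True)


def gaps(entries: List[RiskEntry], threshold: float) -> Dict[str, List[str]]:
    # Entries still above the threshold, with the areas lacking any control.
    return {f"{e.asset.name}/{e.threat.name}": [a.value for a in e.uncovered_areas()]
            for e in entries if e.residual_risk() > threshold}


# Constructed sample register (illustrative only, not taken from the post).
customer_db = Asset("customer database", 5)
web_server = Asset("public web server", 3)
sqli_vuln = Vulnerability("SQL injection in search form", 4)
unpatched = Vulnerability("unpatched TLS library", 3)
external_attacker = Threat("external attacker", 4)

SAMPLE_ENTRIES = [
    RiskEntry(customer_db, external_attacker, sqli_vuln, [
        Countermeasure("parameterised queries", Area.TECHNICAL, 0.8),
        Countermeasure("mandatory code review", Area.MANAGEMENT, 0.5),
    ]),
    RiskEntry(web_server, external_attacker, unpatched, [
        Countermeasure("monthly patch cycle", Area.OPERATIONAL, 0.6),
    ]),
]

if __name__ == "__main__":
    for e in risk_register(SAMPLE_ENTRIES):
        print(f"{e.asset.name:20} inherent={e.inherent_risk():3} "
              f"residual={e.residual_risk():6.2f} uncovered={[a.value for a in e.uncovered_areas()]}")
    print(gaps(SAMPLE_ENTRIES, threshold=10))
```

Running it ranks the web server above the customer database: the database starts with a higher inherent risk (80 vs 36) but two controls leave it at 8.0, while the single operational control on the web server leaves 14.4, and the gap report shows that entry still has no technical or management control.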