BS 7799/ISO 17799
Re: assets Jun 27 2006 04:39AM
shakti velu (shaktivelu88 gmail com) (1 replies)
Most people seem to support - all assets need to be broken down into
subcomponents - OS, configuration, database etc. separately

Is there any website link which has a list of threats or vulnerabilities
which are applicable to these IT asset components... I am assuming that
this list will be pretty much standard across any organisation and
geography....

On 6/26/06, Ellenburg, George <GELLENBR (at) southernco (dot) com [email concealed]> wrote:
>
>
>
> You should be breaking your assets down into their component parts.
>
> A web server running Apache on Windows Server 2003 would be susceptible to a
> different set of characteristics and vulnerabilities than a web server
> running Apache on Linux.
>
> Likewise, if your web server is running FrontPage Extensions you might be
> susceptible to a different set of potential vulnerabilities than if you were
> running PHP 5.
>
> So, to answer your question... "yes".
>
> Your OS is susceptible to potential vulnerabilities which might be
> exploitable depending on which ports are opened to it.
>
> Your web server, running as an application/daemon on top of your OS, is
> susceptible to potential vulnerabilities which might be exploitable through
> ports 80, 443, etc.
>
> Your web applications, running on top of your web server, which in turn is
> running on your OS, are potentially susceptible to any number of
> vulnerabilities through ports 80, 443, etc., and via any data received by it
> from a remote user.
>
> Your data, which your web applications I presume connect to, are also
> susceptible to any number of vulnerabilities and misconfigurations via your
> web applications or any vulnerabilities in your web applications.
>
> Regards,
>
> George Ellenburg
>
>
>
> On 6/26/06 6:04 AM, "shakti velu" <shaktivelu88 (at) gmail (dot) com [email concealed]> wrote:
>
>
>
>
>
>
> Michal
>
> my query is should we dissect the webserver - into OS of webserver,
> web server application, web server data files etc.
>
> how is everyone doing it ...putting webserver as one asset or breaking
> it further into more smaller components ! or is there a different
> approach to asset identification
>
> which is better when we take this to next step - risk assessment
>
> On 6/26/06, Michal Merta <michal.merta (at) gmail (dot) com [email concealed]> wrote:
> > Hi all,
> >
> > From the ISO 27001 definition, an asset is anything that has value to an
> > organisation.
> > So, a web server is an asset, a database server is an asset, the
> > configuration of a web server is an asset too.
> > A good idea is to group assets, i.e. all webservers can be considered as
> > one asset - webservers (webservers as hardware I mean).
> > Michal
> >
> > On 6/26/06, shakti velu <shaktivelu88 (at) gmail (dot) com [email concealed]> wrote:
> > > What is an asset in ISO 27001?
> > >
> > > I have already done my basic checks. In a datacenter I have
> > > application servers, database servers , web servers.
> > >
> > > Do we consider each server in total as an asset or should we consider
> > > data within a database as a separate asset and OS of the database as a
> > > separate asset. If yes, on what basis - is it because the threats and
> > > vulnerabilities on database are different from the OS.
> > >
> > > The standard is quite vague on this.
> > >
> >
> >
> > --
> > Michal Merta
> > Network Security Engineer
> > http://www.misuta.cz
> >
> >
>
>
>

Re: assets Jun 27 2006 06:31AM
Michal Merta (michal merta gmail com)
Copyright 2010, SecurityFocus