The InfoSec Blog

All Threats? All Vulnerabilities? All Assets?

Posted by Anton Aylward

One list I subscribe I saw this outrageous statement:

ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.

"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop those lists - vectors that you are going to multiply - are going to become indefinitely large if not infinite. Its a problem in set theory to do with enumberability.

See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.

See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the "utility value" approach to controls

Because its the controls and their effectiveness that really count.

Network Segmentation is Common Sense

Posted by Anton Aylward

On one of the professional forums I subscribe to there was a request for "references" to justify the separation of development and production networks and facilities.  It seems some managers "don't get it" when it comes to things like change control and undocumented and unplanned changes.  Many guidelines discuss this, but its seems that some key ones like NIST and ISO-27001 do not explicitly mandate it, and some managers use this as a reason to not do it.

Some of us security droids find this frightening.

My colleague Miriam Britt managed to sum up the reasons why one should have separation quite sussinctly and forcefully.  With her permission I have copied her reasoning here and I hope many people will either reference this or copy it to their own blogs.  This kind of straight forward statement needs a wide exposure.