Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: Threat Modeling
From: "Dan Morrill" <Dan.Morrill () PREMERA com>
Date: Thu, 20 May 2004 10:01:04 -0700

Ok,

Here is the odd ball question, why not grab a copy of any SNMP or Syslog
listener, drop it to a database, send your firewall, IDS, and other data
there, then do some data mining scripts to find out activity that is going
on. At least then it would be relevant to where you are on the internet, and
would develop a real baseline for your organization. (Don't mind me, did
this already, and can be done using free ware and a good dba). 

For example want to know what day of the week you get the most attacks, use
this MS-SQL script (can be easily rewritten for MySQL).

select CASE datepart(dw,id_timestamp)
 WHEN 1 THEN 'Sunday'
 WHEN 2 THEN 'Monday'
 WHEN 3 THEN 'Tuesday'
 WHEN 4 THEN 'Wednesday'
 WHEN 5 THEN 'Thursday'
 WHEN 6 THEN 'Friday'
 WHEN 7 THEN 'Saturday' END AS DayOfWeek
 , count(*) as NumberOfEvents from event
group by datepart(dw,id_timestamp)
order by datepart(dw,id_timestamp)

Want to know which ports are being scanned, use a script similar to this
one.

SELECT     t_port, COUNT(*) AS [Count of TPort]
FROM         dbo.event
GROUP BY t_port

So software involved:

Kiwi's syslog listener
MySQL
Some cut rate computer with about 1 gig of RAM
Some serious storage space (unless you go to a "trend table" digest at the
end of 48 hours of actual data on line)
Your Operating system of Choice

Just a thought, seen this idea done too many times lately. But the good part
is that you can threat trend for yourself based on your data, based on where
you are on the internet, and develop some really thought provoking threat
modeling based on your company, not on what someone tells you is the right
thing to model for. 

Cheers/r/Dan 

-----Original Message-----
From: aporia () tiscali co uk [mailto:aporia () tiscali co uk] 
Sent: Thursday, May 20, 2004 9:22 AM
Cc: webappsec () securityfocus com
Subject: RE: Threat Modeling

I've been looking for a free set of threat models, too - no luck, though
- would be interested to know if you are successful.

_However_ I can recommend a software product called CRAMM.  I don't know if
you've used it, but basically it's a tool developed by HMG in Cheltenham.
 The great thing about it, and the reason it costs 4,000 GBP is that it
contains a database of over 3000 threats, vulnerabilities and
countermeasures.

It also follows a specific methodology (Crown Copyright), and is aligned to
BS7799.

Unfortunately, the cost is a significant barrier to using it.  What about
just buying the BS7799 (about 150 GBP) and ISO TR 13335: Guidelines for
Management of IT Security (GMIT)? A reasonable starter pack.  This isn't fee
either, unfortunately.  But it is American.

---------------
Ian Ristic [ivanr () webkreator com]

Any links to any free threat modeling tools out there ?

   Does anyone know what happened to the threat modeling tool
   Microsoft announced in late 2003?

--
ModSecurity (http://www.modsecurity.org) [ Open source IDS for Web
applications ]

__________________________________________________
Broadband from an unbeatable £15.99!

http://www.tiscali.co.uk/products/broadband/home.html?code=SM-NL-11AM






  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]