I am looking for an exhaustive but mutually exclusive categorization of
threats, vulnerabilities, attacks, etc. I am sure that the major
analysts and industry groups have such lists and I want at least 2
lists with their sources cited though I am hoping/expecting 5
different ones so that I can compare and contrast how the thought
leaders are framing the decomposition of the Information Security and
Risk space. I will also accept lists from vendors' white papers if
they appear to be reasonably comprehensive. Each item on the list need not be
described in detail - a single sentence, or even a phrase, for each
category would suffice - however, the source of the categorization is
VERY important.
Lastly, I need a preliminary answer in 24 hours and a complete answer in 36 hours.
Request for Question Clarification by easterangel-ga on 01 May 2004 01:41 PDT
Hi! I am really sorry but just to make sure...
1. Are we talking about threats to computers and/or information systems?
2. You just need a short description of each threat within a
particular category? And you DO NOT desire a discussion of such
threat?
3. Would it be ok if different authors or vendors categorize threats differently?
Thanks. :)
Request for Question Clarification by easterangel-ga on 01 May 2004 03:13 PDT
Furthermore, what do you mean by "a preliminary answer in 24 hours and
a complete answer in 36 hours"? When we post our answer, usually
that's final unless you want to clarify some points.
Clarification of Question by mondial-ga on 01 May 2004 07:21 PDT
Yes, computers, networks, applications, operating systems, etc - any
and all components of information systems.
And yes, a short description of each category will suffice.
And no, I do not need a comprehensive list of threats under each
category but do need a couple of examples as necessary to describe the
category.
And lastly, yes, not only will it be fine if authors and vendors
categorize threats differently but it is almost assumed that they
will. Nature of the beast - there is no consensus on this yet.
I am interested in the list of categories themselves and not in the
contents of each category. By getting up to 5 different lists I get
5 different SETS of categorizations from 5 different sources.
This is my first time using this service and in my own research I
always have a preliminary answer for my boss and upon confirmation I
finish the work - i.e. find list of categories and second stage, find
the others. Whichever way you work is fine.
It's just that I have to start working on the reports within 18 hours
but have 60 hours to get it done.
Thanks!
Request for Question Clarification by pafalafa-ga on 01 May 2004 15:47 PDT
Most of the IT security "taxonomies" I'm seeing have more to do with
institutional categorizations (preparation, evaluation, response)
rather than technological categories.
An example is:
OECD Guidelines
for the Security of Information
Systems and Networks
TOWARDS A CULTURE OF SECURITY
1) Awareness
Participants should be aware of the need for security of information
systems and networks and what they can do to enhance security.
2) Responsibility
All participants are responsible for the security of information systems and
networks.
3) Response
Participants should act in a timely and co-operative manner to
prevent, detect and respond to security incidents.
4) Ethics
Participants should respect the legitimate interests of others.
5) Democracy
The security of information systems and networks should be compatible with
essential values of a democratic society.
6) Risk assessment
Participants should conduct risk assessments.
7) Security design and implementation
Participants should incorporate security as an essential element of
information systems and networks.
8) Security management
Participants should adopt a comprehensive approach to security management.
9) Reassessment
Participants should review and reassess the security of information systems
and networks, and make appropriate modifications to security policies,
practices, measures and procedures.
==========
Is this sort of thing useful to you?
If not, perhaps you can clarify what you're after. Technologically
oriented classifications tend to be massive dictionaries that build up
lists and meta-lists of acknowledged threats, but without any neat
sub-categorization that I've yet come across.
Let us know how we can best help you out on this.
Thanks.
pafalafa-ga
Clarification of Question by mondial-ga on 01 May 2004 17:44 PDT
A high-level taxonomy with an outside-in perspective is in fact what I
am looking for. Nice rephrasing!!
I am not looking for institutional categorizations or action-oriented
taxonomies. So the example you provided is exactly what I DO NOT
want.
The technology-based massive lists are not it either.
I have found a single source so far in my own research. It is a list
of 5 classes at the bottom of page 4 on the following PDF:
http://www.citadel.com/Downloads/PDF-Herc20-4%20page.pdf For my need
this is perfect. However, it is from a vendor as opposed to an
academic, analyst or industry institution. Secondly, I have no
evidence of wide acceptance or recognition of this categorization.
Thirdly, it is not comprehensive in terms of all threats to
Information Security (for example it does not have a category in which
we would include active attacks such as a Denial of Service). But
most importantly is the fact that it is only a single list - I want
multiple lists of this kind so that I can compare and contrast the
approach taken by the list makers in an effort to understand how
people look at this space. You see, I am new to it.
It is possible that other security vendors have similar categorizations
on their product information pages or white papers. Or books on
vulnerability and threat detection and management or general
information security. CERTs, the SANS Institute or other industry
organizations should have had these taxonomies but don't appear to (it
is possible I am not navigating their sites well).
The comments and clarifications thus far have been interesting but not
valuable. Given the impression I am getting I will increase the price
of this question to $100.
Request for Question Clarification by pafalafa-ga on 01 May 2004 18:24 PDT
That last comment of yours was very helpful (it's hard to beat a
concrete example!).
Here's another list I found -- is this the sort of thing you're after?
==========
1. Unvalidated Input
Information from web requests is not validated before being used by a
web application. Attackers can use these flaws to attack backend
components through a web application.
2. Broken Access Control
Restrictions on what authenticated users are allowed to do are not
properly enforced. Attackers can exploit these flaws to access other
users' accounts, view sensitive files, or use unauthorized functions.
3. Broken Authentication and Session Management
Account credentials and session tokens are not properly protected.
Attackers that can compromise passwords, keys, session cookies, or
other tokens can defeat authentication restrictions and assume other
users' identities.
4. Cross Site Scripting (XSS) Flaws
The web application can be used as a mechanism to transport an attack
to an end user's browser. A successful attack can disclose the end
user's session token, attack the local machine, or spoof content to
fool the user.
5. Buffer Overflows
Web application components in some languages that do not properly
validate input can be crashed and, in some cases, used to take control
of a process. These components can include CGI, libraries, drivers,
and web application server components.
6. Injection Flaws
Web applications pass parameters when they access external systems or
the local operating system. If an attacker can embed malicious
commands in these parameters, the external system may execute those
commands on behalf of the web application.
7. Improper Error Handling
Error conditions that occur during normal operation are not handled
properly. If an attacker can cause errors to occur that the web
application does not handle, they can gain detailed system
information, deny service, cause security mechanisms to fail, or crash
the server.
8. Insecure Storage
Web applications frequently use cryptographic functions to protect
information and credentials. These functions and the code to integrate
them have proven difficult to code properly, frequently resulting in
weak protection.
9. Denial of Service
Attackers can consume web application resources to a point where
other legitimate users can no longer access or use the application.
Attackers can also lock users out of their accounts or even cause the
entire application to fail.
10. Insecure Configuration Management
Having a strong server configuration standard is critical to a secure
web application. These servers have many configuration options that
affect security and are not secure out of the box.
==========
If this isn't what you're after, then I may not be able to answer your
question for you.
But if this hits the mark, then I think I can provide a few other
similar classifications as well.
HOWEVER, I'm concerned about timing. You asked for a response in 24
hours, which has pretty much come and gone.
I cannot meet your 36 hour deadline!
Let me know how you would like us to proceed.
Thanks.
pafalafa-ga
Clarification of Question by mondial-ga on 01 May 2004 18:46 PDT
From your list: 2, 3, 10 are examples from the class that should be
named misconfiguration. 1, 4, 5, 6, 7 are all examples from the class
that should be named programmer errors. 8 could be assigned to either
or both of the above classes. 10 is in a separate class of attack.
Do you see how my re-categorization is at a higher level and
mutually exclusive? That's what I am looking for. The list you
discovered is not a taxonomy but just a hodge-podge list...
My deadline is shot - please ignore it. I am still very interested in
having my question answered. I will continue my research as well and
post other examples I find. I hope that it does not turn out that my
answer is simply not available. If you feel that is the case please
abandon your work and let me know.
Thanks!
Request for Question Clarification by pafalafa-ga on 01 May 2004 18:50 PDT
Thanks for the fast feedback.
I'm going to continue looking into this question. But I'm also going
to leave it unlocked, so that it will be available to other
researchers as well.
I understand (I think) what you're after, but haven't seen examples
yet that fully hit the nail on the head. Perhaps I will with a bit
more cyberhunting, but perhaps someone else can do it even better and
faster. We'll see.
Keep your fingers crossed.
pafalafa-ga