
In our organization we wanted to review the overall IT landscape and check the most critical applications for vulnerabilities in phase 1, and then look at less critical applications in phase 2... As we embarked on the exercise, we realized that certain non-critical applications might be the entry point for critical applications (so what seemed like a low-impact app, built with very little focus, might be an entry to a critical application).

Is there an approach we can take by which we can also look at the severity of applications through this indirect mode? Any direction/pointers will be appreciated.

raghu
  • One metric to consider (among others) would be the average time an app is kept running times the number of computers it is running on. However, unless you think and act like an attacker, little useful will come out of this. Hire a professional pentester! – Deer Hunter Mar 31 '13 at 08:34

2 Answers


ISO/IEC 27001 and 27002 encompass this quite comprehensively. They tend to be non-specific, but thorough. You'll find useful guidelines in the 27000 series generally.

NIST SP800-30 Guide for Conducting Risk Assessments is perhaps more approachable; I recommend you start there. Then check the NIST SP800 series for additional documents, including at least SP800-115 Technical Guide to Information Security Testing and Assessment.

The ISO/IEC standard documents are not free, but you can find copious related documents, including for the British standard BS 7799 (on which these are largely based). The NIST SP800 documents are free.

Some of the answers to this related question may also be useful: Looking for an open risk assessment methodology

mr.spuratic

What you ask in the question title and what you ask in the body of the question seem to be different things. One thing is to evaluate assets (applications, for example); another thing is to evaluate vulnerabilities.

For evaluating assets there exist multiple risk assessment methodologies like ISO 27005 (a framework for implementing your own methodology), Magerit, Mehari, OCTAVE and others. What I'm going to explain is just an example that can be used. First, evaluate your applications in terms of their need for confidentiality, integrity and availability. You can use a scale from 1 to 5 (for example), and the sum of the three will be the value for that particular application. The most important vulnerability could be the one that affects the most critical asset.

Another way of assessing the criticality of a vulnerability could be to use the CVSS standard.

kinunt
  • Thanks... and my apologies that I haven't been able to articulate it correctly. I know how to evaluate vulnerabilities via ISO/NIST standards. Is there a structured way to check whether a non-critical application might provide an entry point to exploiting a critical application? (Otherwise it might get missed, as the default view would be that this weak application is non-critical.) – raghu Mar 30 '13 at 18:39
  • I think that in order to evaluate whether a non-critical application increases the attack surface of a critical application you should analyze the relation and interaction between the two applications. You should think about the kind of control one app has over the other and the structures that both applications share. If both applications work at user level and they are not explicitly sharing anything, the operating system is responsible for separating them. – kinunt Mar 31 '13 at 10:55
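The relation analysis kinunt's comment describes, as an added worked example that is not part of any post on this page: each application gets the C+I+A score from the answer above, and that score is then propagated along trust relations so a low-scoring app that can reach a critical one is surfaced for phase 1 rather than deferred. Application names, ratings, trust edges and the phase threshold are constructed sample data, not from the question.

```python
from collections import deque

# Constructed inventory: each app rated 1-5 for confidentiality, integrity
# and availability; the sum is its own criticality (the answer's scale).
APPS = {
    "hr-portal": {"c": 5, "i": 4, "a": 3},
    "sso":       {"c": 4, "i": 5, "a": 5},
    "cms":       {"c": 1, "i": 2, "a": 2},
    "wiki":      {"c": 1, "i": 1, "a": 1},
}
# Constructed trust relations: (source, target) means compromising source
# gives a foothold toward target (shared host, credentials, trusted path).
TRUST_EDGES = [("cms", "sso"), ("sso", "hr-portal")]

def intrinsic_score(ratings):
    """C + I + A on the 1-5 scale."""
    return sum(ratings.values())

def reachable(start, edges):
    """Apps reachable from start along trust edges (BFS, cycle-safe)."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def effective_scores(apps, edges):
    """Map app -> (own score, effective score, app that sets it), where
    effective is the highest score among the app and everything it reaches."""
    result = {}
    for name, ratings in apps.items():
        best, via = intrinsic_score(ratings), name
        for target in reachable(name, edges):
            if intrinsic_score(apps[target]) > best:
                best, via = intrinsic_score(apps[target]), target
        result[name] = (intrinsic_score(ratings), best, via)
    return result

def hidden_entry_points(apps, edges, threshold=10):
    """Apps below threshold on their own that reach one at or above it:
    exactly what a phase-1/phase-2 split by own score would defer."""
    scored = effective_scores(apps, edges)
    return sorted(n for n, (own, eff, _) in scored.items() if own < threshold <= eff)
```

With the sample data, `cms` scores only 5 on its own but reaches `sso` (14), so `hidden_entry_points` reports it as a phase-1 candidate while `wiki`, which reaches nothing, stays in phase 2.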