Re: best tool to draw attack trees ??

From: lit sec (securityat_private)
Date: Fri Mar 22 2002 - 18:22:25 PST


    Attack Trees, eh?
    
    I've had a look at the Java-based solution over at http://www.amenaza.com/ .  Looks like it might suit your needs. Fairly easy to use, and does a hell of a lot more than Visio.  Here's a quote:  "(Amenaza) ...the developers of SecurITree, a risk assessment tool and methodology that can help your organization determine possible threats to your IT systems and how to best ward off these threats."
    
    -Luddites.Canada
    
    
    
    ---------- Original Message ----------------------------------
    From: "Kruse, Darren (DEH)" <Kruse.Darren2at_private>
    Date: Fri, 22 Mar 2002 13:30:18 +1030
    
    >I'm puzzling over what is the best way to draw attack trees. 
    >Attack trees provide a formal, methodical way of describing the security of
    >systems, based on varying attacks. Basically, you represent attacks against
    >a system in a tree structure, with the goal as the root node and different
    >ways of achieving that goal as leaf nodes. 
    >Bruce Schneier's Secrets and Lies - Digital Security in a Networked World
    >http://www.amazon.com/exec/obidos/ASIN/0471253111/qid=1016671800/sr=8-1/ref=
    >sr_8_67_1/002-8209990-0206427 , in particular chapter 21 covers Attack Trees
    >There's also a DDJ article on attack trees
    >http://www.ddj.com/documents/s=896/ddj9912a/9912a.htm (also by Bruce
    >Schneier) that covers virtually the same ground as the book. 
    >I'm thinking that it would make a really good motivational tool for
    >management to see what all the threats are against our systems.
    >Having a documented attack tree would also help me in identifying what holes,
    >and threats I need to worry about RIGHT NOW !
    >My first thought was to wade in, and start drawing with Visio - making use
    >of the layers feature to distinguish between different sets of values..
    >Possible / Impossible Cost script kiddie tool released ? 
    >etc.. 
    >But does anyone know of a more "closely-suited" tool than Visio ? I've done
    >a google search on "attack tree" software, and come up blank.
    >There are cheaper alternatives to Visio - maybe Kivio mp
    >http://www.thekompany.com/products/kivio/faq.php3 ?? Unfortunately, the KDE
    >version (Kivio without the mp suffix) doesn't do layers. :-(
    >Would a web interface be better ? - certainly for navigating between
    >threats, but how about when you want to see a larger part of the tree ? , or
    >the whole attack tree ??
    >Maybe MS Project ? - it's good at showing inter-related tasks , that have
    >dependencies and costs, and can output to HTML as well. 
    >How about when I want to add , or share bits of someone else's attack tree ?
    >It would be cool to be able to download discrete sub-branches, just like you
    >download additional Snort IDS signatures. 
    >
    >Darren Kruse CCNP CCDP
    >WAN/LAN Networking Consultant
    >Mobile : (+61) 0407 446 399
    >mailto://darren_kruseat_private
    >http://www.geocities.com/darren_kruse
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    >Service. For more information on SecurityFocus' SIA service which
    >automatically alerts you to the latest security vulnerabilities please see:
    >https://alerts.securityfocus.com/
    >
    >
    
    



    This archive was generated by hypermail 2b30 : Sat Mar 23 2002 - 13:24:07 PST
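
An added example, not part of either message above and not code from any of the tools mentioned: a minimal attack-tree model in Python carrying the Possible/Impossible and cost values the original question describes. It computes the cheapest feasible attack, renders a text outline, and grafts in a shared sub-branch. The node names, costs and the `Node`, `evaluate`, `graft`, `render` and `sample_tree` names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    name: str
    kind: str = "LEAF"      # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    possible: bool = True   # leaf value: Possible / Impossible
    cost: float = 0.0       # leaf value: estimated attacker cost (constructed units)
    children: list = field(default_factory=list)

def evaluate(node):
    """Return (possible, cheapest cost, leaves used) for the goal at this node."""
    if node.kind == "LEAF":
        return (True, node.cost, [node.name]) if node.possible else (False, inf, [])
    results = [evaluate(c) for c in node.children]
    if node.kind == "AND":                      # every sub-goal must be achievable
        if not all(r[0] for r in results):
            return False, inf, []
        return True, sum(r[1] for r in results), [n for r in results for n in r[2]]
    feasible = [r for r in results if r[0]]     # OR: cheapest achievable child wins
    return min(feasible, key=lambda r: r[1]) if feasible else (False, inf, [])

def graft(root, parent_name, subtree):
    """Attach a shared sub-branch under the named AND/OR node; True if attached."""
    if root.name == parent_name and root.kind != "LEAF":
        root.children.append(subtree)
        return True
    return any(graft(c, parent_name, subtree) for c in root.children)

def render(node, depth=0):
    """Indented text outline showing each node's computed values."""
    ok, cost, _ = evaluate(node)
    value = f"possible, cost {cost:g}" if ok else "impossible"
    lines = [f"{'  ' * depth}{node.name} [{node.kind}] ({value})"]
    for child in node.children:
        lines += render(child, depth + 1)
    return lines

def sample_tree():  # constructed sample tree and values, illustrative only
    return Node("Open safe", "OR", children=[
        Node("Pick lock", cost=30),
        Node("Cut open safe", cost=10, possible=False),
        Node("Learn combination", "OR", children=[Node("Find written combination", cost=75)]),
    ])

if __name__ == "__main__":
    print("\n".join(render(sample_tree())))
```

Marking a leaf impossible or changing its cost and re-running `evaluate` shows which branch becomes the cheapest route to the root goal, which is the prioritisation the question asks for.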