[SystemSafety] "Security Risk" and Probability
Martyn Thomas
martyn at thomas-associates.co.uk
Wed Oct 25 11:29:01 CEST 2017
A good blog, Peter.
I would add that the probability of a successful attack depends on:
1. the existence of a vulnerability (I know of no system that has been
systematically attacked where the attackers have failed, and most
are penetrated within a few minutes, so unless you have strong proof
of security it is wise to assume that there are vulnerabilities).
2. the existence of an attacker who has the motivation to attack (these
may include vandals, employees, competitors, suppliers and former
suppliers, low-level criminals, activists of various sorts, serious
organised criminals, terrorists and nation states).
3. The capability of one of your motivated attackers to exploit the
vulnerability (this may change overnight, for example next time the
Shadow Brokers upload a gigabyte of stolen NSA cyber tools to
WikiLeaks).
4. Your active defences (if any), and whether they work on this
occasion against this attack.
5. Whether your systems have /already/ been compromised by a potential
attacker (without strong proof to the contrary, you should assume
that every system of national importance is already compromised -
because otherwise adversary nation states have been incompetent).
Martyn
On 25/10/2017 09:54, Peter Bernard Ladkin wrote:
> Yesterday, I read yet another account suggesting/attempting some sort of equivalence between SILs
> and Security Levels (SLs). Please, stop it, people!
>
> https://abnormaldistribution.org/index.php/2017/10/25/security-risk-and-probability/
>
> PBL
>
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319 www.rvs-bi.de