From: infosecgod@gmail.com
Date: Thu Jan 13 2005 - 19:51:58 EST
>If you use some Google hacking you can find security scan reports. =3D)
>Not exactly what you want..but
>
>Nessus
>http://www.computec.ch/dokumente/windows/sicherheit_von_windows/2-scanni
>ng/nessus-report.html
>http://mrcorp.infosecwriters.com/os_scan/xpscan/default/default.html
>http://www.rit.edu/~wjh3710/pub/old.html
>http://www.kefk.net/Admin/Nessus/kefk_net/
>
It is important to understand the difference between a vulnerability scanner report - which these are - and what has been requested - a risk assessment report.
This is one of the main reasons why security has gotten a bad name for itself in the corporate world - IT/security managers do not want to see another list of things they need to do (fix). A risk assessment takes the information delivered by the scanners and other testing techniques and provides understanding of the scanning results within the context of business risks. This means that using Nessus/ISS/eEYE results do NOT equal risk assessment. These tools are important parts of the risk assessment process but do not represent risk assessment.
Risk assessments assign values to IT assets and use these values to understand risk within a business context. A better area to look would be at the risk methodologies themselves such as –
http://www.security-risk-analysis.com/
http://www.cert.org/octave/
http://www.riskworld.net/
are good places to start
J/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT