Re: Idea of CAW (Creation of Attack Wood)

[Magosányi Árpád <mag@xxxxxxxxxxxxxxxxxxx>]

A levelezőm azt hiszi, hogy kincses zoli a következőeket írta:
> there is the attack tree concept of Bruce Schneier:
> http://www.schneier.com/paper-attacktrees-ddj-ft.html
> http://www.counterpane.com/attacktrees.pdf

[]
> i am working on attack tree of smartcards, and i have the
> idea of creating as many as possible attack trees for
> different systems and at the end they can build an Attack Wood
> of IT security...and of course this wood is like the real one,
> where new trees are born or old ones die, boughs are broken
> or outgrown etc.

It is a very good idea. Though one should always be aware
of the fact that there are two cake-slicing problems hidden here
(a cake can be sectioned any way you feel comfortable):
-Your definition of the goal is your definition. I might have
a goal which is very similar to yours, but have some different
aspects.
-Your categorisation of the ways attacking the problem is your
categorisation. I might even have a widely different categorisation
of the solutions for the same problem.

This means than you might soon find that your wood have more
instances of the same species and variations of the species.

It is not a problem as such, because one can learn a lot by
studying the different attack trees.

I am wondering if there is a benefit of having a standard set
of attack trees, in a way as part 2 and 3 of the Common
Criteria are standard sets of security functional and assurance
requirements.

> 
> maybe on HEX (http://www.hex2005.org/) we will have the 1.0
> version :-)

Does it mean that we can send you our attack trees for inclusion
in the wood? I have already sent one, and you can expect others.
Where will the webpage of the wood will be located?


-- 
GNU GPL: csak tiszta forrásból