威胁建模:安全设计中的风险识别和规避 (Threat Modeling: Risk Identification and Avoidance in Secure Design)

Book
by Izar Tarandach, Matthew J. Coles
January 2023
Intermediate to advanced
214 pages (3h 43m)
Chinese
China Machine Press
Content preview from 威胁建模:安全设计中的风险识别和规避 (Introduction, page 23)

...characteristics, and arrive at a value that can be compared with the values of other attack scenarios or threat vectors. By considering the characteristics of how an attacker would exploit a vulnerability, and assigning a score on each dimension (for example, DREAD) for low-, medium- or high-impact issues separately, a risk value can be calculated for any given attack scenario (a combination of a security vulnerability and an adversary).

The sum of the scores across all dimensions determines the overall risk value. For example, a particular security issue in a given system might have the scores [D = 3, R = 1, E = 1, A = 3, D = 2], for a total risk value of 10. You can compare this risk value with the other risks identified for that same system; trying to compare it with values from other systems, however, is not very useful.

The FAIR method for risk quantification (measuring risk)

The Factor Analysis of Information Risk (FAIR) method is becoming increasingly popular in executive circles because it provides the right level of granularity and more specificity for more effective decision-making. FAIR is published by The Open Group and is incorporated in ISO/IEC 27005:2018.

DREAD is an example of a qualitative risk calculation. FAIR is an international standard for quantitative risk modeling: it characterizes the impact of a threat on an asset by measuring the value of the threat to the actor (hard-currency and soft-currency costs) and the probability that the threat is realized (that is, that a threat event occurs). With these quantified values you can describe to your management and business owners the financial impact on the business of the risks identified in the system, and compare that impact with the cost of defending against the threat events. Sound risk-management practice holds that the cost of a defense should not exceed the value of the asset or the potential loss of that asset, also known as the "$50 lock on a $5 pen" paradigm.

FAIR is both thorough and accurate, and also complex ...
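The preview describes two ways of putting a number on a threat: an additive DREAD-style score that is only comparable within one system, and a FAIR-style estimate that turns frequency and loss magnitude into money so it can be weighed against the cost of a control. The following Python is an added illustration written for this page, not code from the book or from The Open Group; it reduces FAIR to a single frequency-times-magnitude product (the real FAIR ontology has many more factors), uses the book's 1-3 scoring per DREAD dimension, and every scenario name, score, probability and dollar figure in it is a constructed sample value.

```python
"""Added illustration: DREAD ranking within one system plus a simplified
FAIR-style loss estimate weighed against the cost of a control.

Scenario names, scores, frequencies and dollar amounts are constructed
sample values, not data from the book or from any real system.
"""
from dataclasses import dataclass

# DREAD dimensions: Damage, Reproducibility, Exploitability, Affected users,
# Discoverability. Each is scored 1 (low), 2 (medium) or 3 (high), as in the
# book's example; other DREAD variants use a 0..10 scale instead.
DREAD_DIMENSIONS = (
    "damage", "reproducibility", "exploitability",
    "affected_users", "discoverability",
)


def dread_score(scores: dict) -> int:
    """Sum the per-dimension scores, rejecting missing dimensions or
    values outside the 1..3 range so a typo cannot silently skew the ranking."""
    total = 0
    for dim in DREAD_DIMENSIONS:
        if dim not in scores:
            raise ValueError(f"missing DREAD dimension: {dim}")
        value = scores[dim]
        if value not in (1, 2, 3):
            raise ValueError(f"{dim} must be 1, 2 or 3, got {value!r}")
        total += value
    return total


def rank_scenarios(system: str, scenarios: dict) -> list:
    """Rank the attack scenarios of ONE system by DREAD score, highest first.

    The book's caveat applies: the scores are qualitative, so they are only
    meaningful relative to other scenarios in the same system. Each result is
    tagged with the system name to discourage cross-system comparison.
    """
    ordered = sorted(((dread_score(s), name) for name, s in scenarios.items()),
                     reverse=True)
    return [(system, name, score) for score, name in ordered]


@dataclass
class FairEstimate:
    """Simplified FAIR-style inputs (a constructed illustration, not the
    full FAIR ontology)."""
    loss_event_frequency: float  # expected loss events per year
    loss_magnitude: float        # expected loss per event, hard + soft costs, in dollars

    def annualized_loss(self) -> float:
        """Expected loss per year: how much the threat 'costs' the business."""
        return self.loss_event_frequency * self.loss_magnitude


def control_is_justified(estimate: FairEstimate, annual_control_cost: float,
                         asset_value: float) -> bool:
    """The book's rule of thumb: a defense should cost no more than the asset
    is worth or the loss it prevents (the '$50 lock on a $5 pen' paradigm).
    Annual control cost is compared against annualized loss and asset value."""
    return annual_control_cost <= min(estimate.annualized_loss(), asset_value)


# The book's worked example: D=3, R=1, E=1, A=3, D=2 -> 10
BOOK_EXAMPLE = {"damage": 3, "reproducibility": 1, "exploitability": 1,
                "affected_users": 3, "discoverability": 2}

# Constructed scenarios for one hypothetical system, "billing-api"
SAMPLE_SCENARIOS = {
    "unauthenticated-admin-endpoint": {"damage": 3, "reproducibility": 3,
                                       "exploitability": 2, "affected_users": 3,
                                       "discoverability": 2},   # 13
    "verbose-error-messages": {"damage": 1, "reproducibility": 3,
                               "exploitability": 3, "affected_users": 1,
                               "discoverability": 3},           # 11
    "book-example": BOOK_EXAMPLE,                               # 10
}

if __name__ == "__main__":
    for system, name, score in rank_scenarios("billing-api", SAMPLE_SCENARIOS):
        print(f"{system}: {name:32s} DREAD={score}")
    # Constructed FAIR-style estimate: one loss event every two years at $40k each
    est = FairEstimate(loss_event_frequency=0.5, loss_magnitude=40_000.0)
    print(f"annualized loss: ${est.annualized_loss():,.0f}")
    print("control at $15k/yr justified:", control_is_justified(est, 15_000, 250_000))
    print("control at $50k/yr justified:", control_is_justified(est, 50_000, 250_000))
```

The DREAD half shows why the book warns against cross-system comparison: the ranking is an ordering of one team's judgments, so `rank_scenarios` carries the system name with every entry rather than returning bare numbers. The FAIR half shows the decision the quantified values are meant to support: a $15k/year control against a $20k/year expected loss passes the book's rule, a $50k/year control does not, and a $50 lock on a $5 pen fails on asset value alone.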
Publisher Resources

ISBN: 9787111713692