January 2023
Intermediate to advanced
214 pages
3h 43m
Chinese
Content preview from 威胁建模:安全设计中的风险识别和规避
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
引言 | 23
征,并得出可以与其他攻击场景或威胁向量的值进行比较的值。通过考虑攻击
者利用漏洞的特征并在各个维度(例如,D,R,E,A,D)上分别针对低影响力、
中影响力和高影响力问题分配一个分数,可以计算出任何给定攻击场景(安全
漏洞和敌人的组合)的风险值。
每个维度的总分决定了总体风险值。例如,特定系统中的任意安全问题可能具
有 [D = 3,R = 1,E = 1,A = 3,D = 2] 分数,总风险值为 10。你可以将此风
险值与针对该特定系统确定的其他风险进行比较。但是,尝试将此值与其他系
统中的值进行比较不太有用。
风险量化的 FAIR 方法(测量风险)
信息风险因素分析(Factor Analysis of Information Risk,FAIR)方法在执行类
型中越来越受欢迎,因为它提供了正确的粒度级别和更多的特异性以实现更有
效的决策。FAIR 由 Open Group 发布,并包含在 ISO/IEC 27005:2018 中。
DREAD 是定性风险计算的一个示例。FAIR 是一项国际标准,用于量化风险建
模,并通过使用行为者对威胁的价值(硬货币成本和软货币成本)和威胁实现
概率(或发生威胁事件)的度量来理解威胁对资产的影响。使用这些量化值可
以向你的管理层和业务负责人描述系统中识别出的风险对业务产生的财务影响,
并将它们与防御威胁事件的成本进行比较。适当的风险管理实践表明,防御成
本不应超过资产的价值或资产的潜在损失,这也称为“5 美元笔上了 50 美元锁”
范式。
FAIR 既彻底准确又复杂 ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.