I think that your way (run Nessus) would leave a lot to be desired. Risk management is fairly complex and deals with maintaining an accepted level of risk. I have seen on the OSSTMM discussion mailing list a push for a concept called RAVs (risk assessment values) in the next version of OSSTMM (2.0) which makes use of these things. Supposedly they even have a calculator too, where you can input what parts of your Internet presence were tested and when, and you can pull out what risk level you are at and how fast your security decays daily based on the complexity of your network and vigilance.
Z.

-----Original Message-----
From: Marc Ducharme [mailto:[EMAIL PROTECTED]]
Sent: jueves, 15 de noviembre de 2001 18:25
To: leon; 'Ralph Chapman'; [EMAIL PROTECTED]
Subject: RE: Risk Analysis and Management software

The site you are looking for is http://www.eventid.net/

Regards,
-Marc

-----Original Message-----
From: leon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 4:02 PM
To: 'Ralph Chapman'; [EMAIL PROTECTED]
Subject: RE: Risk Analysis and Management software

Sure, run Nessus or your vuln scanner of choice, and if you get high risk vulns (and they are not false positives) one could put the quantitative impact at the cost of the information. I never really understood qualitative risk analysis myself.

HTH,
Leon

-----Original Message-----
From: Ralph Chapman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 01, 2001 12:53 AM
To: [EMAIL PROTECTED]
Subject: Risk Analysis and Management software

Does anyone have any ideas of software available to help quantify the impact of potential threats (quantitative and qualitative) and mitigate risk for a company? Thanks for the help in advance!
