Sunday, August 26, 2007

Information Risk Tools - what do you use?

Your answer was selected as Best Answer
Your Public Answer:
“Hi ...., You may capture vulnerability data with vulnerability assessment scanner tools such as network scanners (Foundstone, ISS, eEye, Qualys, Nikto, N-Stalker, LANguard), application testers (SPI Dynamics WebInspect, AppScan, Cenzic), database security scanners, code analysis, etc. The list goes on; I recommend the following presentation for the taxonomy: http://www.owasp.org/images/f/ff/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt

But in the end, the vulnerabilities gathered from scanning make up just one part of the information systems risk picture. You need to add other risks derived from vulnerabilities of policies, people, access control, authorization, audit, physical security, BCP/DR, HR, capacity management, compliance requirements, etc., in addition to the risk data you collect from vulnerability scanning tools. These risks should also be scaled in either a quantitative or a qualitative way, based on your business requirements (value, business impact).

As you have stated, the more important task is prioritization and classification. You need to map the vulnerability data with the asset inventory and the business-based risks. For this you need a methodology for risk management. FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005, and ISACA are the initial ones that come to mind as a framework. The most suitable ones would be based on your environment, operation and resources. http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf

As stated above, you can use SkyBoxView (http://www.skyboxsecurity.com) for the analysis of assets and vulnerability scans. We have deployed this tool in several environments and it works great. Skybox is in the Security Risk Management category. Another option is McAfee's recently acquired Preventsys series. (You may also check Archer, nCircle, Xacta.) For risk assessment only, any ISO 27001 toolkit or Citicus will do the job as well.

I have found the fault-tree based risk assessment tools difficult to use (like SecurITree). Let me know if you have any specific questions. Regards, - yinal ozkan”
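The answer above says the real work is mapping scanner output onto the asset inventory and business-based risks, then scaling the result qualitatively. The script below is an added illustration of that join step, not code from the post or from any of the tools it names. The asset inventory, the findings, and the severity/impact ranks and rating thresholds are all constructed for the example; a real programme would take its scales from whichever methodology (NIST 800-30, OCTAVE, etc.) it has adopted. It also handles the edge case the post implies: a scanner finding against a host that is missing from the inventory cannot be rated and is reported separately so the inventory gets fixed first.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Qualitative scales. The ranks are assumptions chosen for this example; a real
# programme would take them from its own risk methodology.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    business_impact: str  # "low" / "medium" / "high", set by the business owner
    exposure: str         # "internet" or "internal"


@dataclass(frozen=True)
class Finding:
    asset: str     # hostname or application name as reported by the source
    source: str    # tool or review that produced the finding
    title: str
    severity: str  # "low" / "medium" / "high" / "critical"


# Constructed asset inventory (not real hosts).
ASSETS: Dict[str, Asset] = {
    a.name: a for a in [
        Asset("web-01", "ecommerce", "high", "internet"),
        Asset("db-01", "finance", "high", "internal"),
        Asset("payroll-app", "hr", "medium", "internal"),
        Asset("dev-03", "engineering", "low", "internal"),
    ]
}

# Constructed findings: scanner results, a database audit result, a policy
# review result, and one finding against a host missing from the inventory.
FINDINGS: List[Finding] = [
    Finding("web-01", "app-scanner", "SQL injection in search form", "high"),
    Finding("db-01", "db-scanner", "default administrative password", "critical"),
    Finding("dev-03", "network-scanner", "outdated SSH service version", "critical"),
    Finding("payroll-app", "policy-review", "no periodic access review", "medium"),
    Finding("legacy-09", "network-scanner", "anonymous FTP enabled", "high"),
]


def risk_score(severity: str, impact: str, exposure: str) -> int:
    """Severity x business impact (1..12), plus 2 when reachable from the internet."""
    score = SEVERITY_RANK[severity] * IMPACT_RANK[impact]
    if exposure == "internet":
        score += 2
    return score


def qualitative_rating(severity: str, impact: str, exposure: str) -> str:
    """Map the numeric score onto the four-step qualitative scale used for reporting."""
    score = risk_score(severity, impact, exposure)
    if score >= 10:
        return "critical"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritise(findings: List[Finding], assets: Dict[str, Asset]) -> Tuple[List[dict], List[Finding]]:
    """Join findings to the inventory and rank them. Findings whose asset is not
    in the inventory cannot be rated and are returned separately for follow-up."""
    ranked, unmapped = [], []
    for f in findings:
        asset = assets.get(f.asset)
        if asset is None:
            unmapped.append(f)
            continue
        ranked.append({
            "asset": f.asset,
            "owner": asset.owner,
            "source": f.source,
            "title": f.title,
            "score": risk_score(f.severity, asset.business_impact, asset.exposure),
            "rating": qualitative_rating(f.severity, asset.business_impact, asset.exposure),
        })
    # Highest score first; asset and title break ties deterministically.
    ranked.sort(key=lambda r: (-r["score"], r["asset"], r["title"]))
    return ranked, unmapped


def counts_by_rating(ranked: List[dict]) -> Dict[str, int]:
    """Summary counts per qualitative rating, for the management report."""
    counts: Dict[str, int] = {}
    for r in ranked:
        counts[r["rating"]] = counts.get(r["rating"], 0) + 1
    return counts


if __name__ == "__main__":
    ranked, unmapped = prioritise(FINDINGS, ASSETS)
    for r in ranked:
        print(f'{r["rating"]:8} {r["score"]:2}  {r["asset"]:12} ({r["owner"]}) {r["title"]} [{r["source"]}]')
    for f in unmapped:
        print(f"UNMAPPED  {f.asset}: {f.title} - add to asset inventory before rating")
    print(counts_by_rating(ranked))
```

Note that the same "critical" scanner severity lands at opposite ends of the list depending on the asset: the default DBA password on the finance database ranks first, while the outdated SSH service on a low-impact development box is only "medium". That is the reordering the post is asking for, and the "unmapped" list is the signal that the inventory, not the scanner, is the weak point.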
