My mail client thinks that kincses zoli wrote the following:
> there is the attack tree concept of Bruce Schneier:
> http://www.schneier.com/paper-attacktrees-ddj-ft.html
> http://www.counterpane.com/attacktrees.pdf
[]
> i am working on attack tree of smartcards, and i have the
> idea of creating as many as possible attack trees for
> different systems and at the end they can build an Attack Wood
> of IT security...and of course this wood is like the real one,
> where new trees are born or old ones die, boughs are broken
> or outgrown etc.

It is a very good idea. Though one should always be aware of the fact that
there are two cake-slicing problems hidden here (a cake can be sectioned any
way you feel comfortable):
- Your definition of the goal is your definition. I might have a goal which
  is very similar to yours, but has some different aspects.
- Your categorisation of the ways of attacking the problem is your
  categorisation. I might even have a widely different categorisation of the
  solutions for the same problem.

This means that you might soon find that your wood has more instances of the
same species and variations of the species. It is not a problem as such,
because one can learn a lot by studying the different attack trees.

I am wondering if there is a benefit of having a standard set of attack
trees, in the same way as parts 2 and 3 of the Common Criteria are standard
sets of security functional and assurance requirements.

>
> maybe on HEX (http://www.hex2005.org/) we will have the 1.0
> version :-)

Does it mean that we can send you our attack trees for inclusion in the wood?
I have already sent one, and you can expect others.
Where will the webpage of the wood be located?

-- 
GNU GPL: only from a clean source