I need to come up with a matrix of threats and countermeasures so I can start doing a risk analysis of what we can be exposed to in my customer's infrastructure environment. Do you have any ideas or tips on how I can get that info?
There are many sources available to help you compile a threat matrix. Many books are written on the subject, as well as numerous web resources, to help you create a risk analysis (RA) matrix. WBDG has a good one, and the NIST publication 800-30 (.pdf) has been around for a while, but it's still useful.
But before you start to focus on the countermeasures part, you'll need to understand the difference between a threat and a vulnerability to create a framework that makes this differentiation. Once you've compiled those, identify the company assets that would be affected, and rate the severity if a realized threat impacts the asset. Dr. Krutz's and my latest text, The CISSP and CAP Prep Guide: Platinum Edition, explains a high-level approach to RA, defines various rate-of-occurrence formulae and provides a template matrix for threat/vulnerability/asset rating.
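As an added worked example (not part of the original question or the expert's answer), the following Python module shows one way to lay out the threat/vulnerability/asset matrix the answer describes and to rank it with the standard quantitative rate-of-occurrence formulae taught in CISSP and NIST SP 800-30 material: single loss expectancy (SLE = asset value × exposure factor), annualized loss expectancy (ALE = SLE × ARO) and the cost/benefit of a countermeasure (ALE before, minus ALE after, minus annual control cost). That these are the formulae the answer has in mind is an assumption; the assets, threats, vulnerabilities, values and thresholds are constructed illustration data, not a real customer environment. Note how threats (events or agents with a rate of occurrence) and vulnerabilities (weaknesses with an exposure factor) are kept as separate types, and a risk row only exists when one is paired with the other against a specific asset.

```python
"""Threat / vulnerability / asset risk matrix with quantitative ranking.

Added example; not from the original Q&A. Formulas are the standard
CISSP / NIST SP 800-30 quantitative RA formulas (assumed to be the
"rate-of-occurrence formulae" the answer refers to):
    SLE = asset_value * exposure_factor
    ALE = SLE * ARO
    countermeasure value = ALE_before - ALE_after - annual_cost
All sample data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # replacement / business value, in currency units


@dataclass(frozen=True)
class Threat:
    """Something that can go wrong: an agent or event, with a frequency."""
    name: str
    aro: float  # annualized rate of occurrence (expected events per year)

    def __post_init__(self):
        if self.aro < 0:
            raise ValueError("ARO must be non-negative")


@dataclass(frozen=True)
class Vulnerability:
    """A weakness a threat can exploit, with how much of the asset it exposes."""
    name: str
    exposure_factor: float  # fraction of asset value lost per event, 0..1

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")


@dataclass(frozen=True)
class Risk:
    """One row of the matrix: a threat exploiting a vulnerability on an asset."""
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability

    def sle(self) -> float:
        return self.asset.value * self.vulnerability.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.threat.aro

    def severity(self) -> str:
        # Qualitative rating from impact (EF) and likelihood (ARO) buckets.
        # Thresholds are constructed for this example; tune them per customer.
        impact = _bucket(self.vulnerability.exposure_factor, 0.2, 0.5)
        likelihood = _bucket(self.threat.aro, 0.1, 1.0)
        return ("Low", "Low", "Medium", "High", "Critical")[impact + likelihood]


def _bucket(x: float, mid: float, high: float) -> int:
    """0 = low, 1 = medium, 2 = high."""
    return 2 if x >= high else 1 if x >= mid else 0


def rank_by_ale(risks: list[Risk]) -> list[Risk]:
    """Highest expected annual loss first: where to spend countermeasure budget."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def countermeasure_value(risk: Risk, ef_after: float, aro_after: float,
                         annual_cost: float) -> float:
    """Net annual benefit of a control that lowers EF and/or ARO.

    A negative result means the control costs more than the loss it prevents.
    """
    ale_after = risk.asset.value * Vulnerability("after", ef_after).exposure_factor \
        * Threat("after", aro_after).aro
    return risk.ale() - ale_after - annual_cost


def render(risks: list[Risk]) -> str:
    lines = [f"{'Asset':24} {'Threat':24} {'Vulnerability':28} {'SLE':>9} {'ALE':>9} Severity"]
    for r in rank_by_ale(risks):
        lines.append(f"{r.asset.name:24} {r.threat.name:24} {r.vulnerability.name:28} "
                     f"{r.sle():9.0f} {r.ale():9.0f} {r.severity()}")
    return "\n".join(lines)


# Constructed sample data (not a real environment).
DB = Asset("Customer database server", 500_000)
WEB = Asset("Public web server", 80_000)
SAMPLE_RISKS = [
    Risk(DB, Threat("Ransomware via phishing", 0.5), Vulnerability("Unpatched endpoints, no MFA", 0.6)),
    Risk(DB, Threat("Data center flood", 0.02), Vulnerability("No off-site backup", 1.0)),
    Risk(WEB, Threat("Web application attack", 4.0), Vulnerability("SQL injection in login form", 0.25)),
]

if __name__ == "__main__":
    print(render(SAMPLE_RISKS))
    # MFA + patching assumed to cut ARO to 0.1/yr and EF to 0.3 at 40,000/yr.
    print("MFA/patching net value:", countermeasure_value(SAMPLE_RISKS[0], 0.3, 0.1, 40_000))
```

Running the module prints the matrix sorted by ALE; the phishing/ransomware row ranks first (ALE 150,000) even though the flood scenario has the larger single loss, because the flood is rare. The countermeasure helper makes the "countermeasures part" of the analysis a comparison of numbers rather than a gut call: a control is worth funding only when its net value stays positive under the assumed post-control EF and ARO.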
This was first published in May 2007