Administrivia #29691: TruSecure Global Risk Index Survey

From: Russ Cooper (Russ.Cooper_at_TRUSECURE.CA)
Date: 10/19/04

    Date:         Tue, 19 Oct 2004 15:04:15 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    This is going to come across as a bit salesy, but bear with me.

    As I mentioned in my note on the 8th, TruSecure has created a "Global
    Risk Index", more than four years of thousands of metrics and
    significant events formulated in such a way as to demonstrate the
    changing risks an organization faces. Data from network latency and
    outages to vulnerability and then patch announcements. Significant
    events like Blaster, and its calculated effects, plus every other
    significant event. Imagine that risk was "1000" on 1/1/2000...we
    calculate what has happened to that number since, to this date, and can
    make predictions about what will happen in the future.

    Now add to this the things you can do to mitigate risk. Best Practice
    implementation, like blocking attachments at your email gateway or
    default deny at your routers. With these factors added, it's possible to
    provide your organization with a number which can be compared to the
    Global Risk Index value, showing how much better or worse you are, or to
    other companies to determine the risks involved in cooperative
    networking. This goes way beyond an insurance company's claim that using
    Windows requires some premium on your insurance rates...

    What we need now is real world results on what quality of controls are
    implemented, and to what extent. Do you have comprehensive controls or
    are they merely informal? Does a control apply to all events in its
    category or only to specific and critical events? If a control is
    comprehensive and applies to all events in its category, then that's
    ideal. We're trying to gauge how far from ideal the world is today. Your
    data will give us an excellent sampling.

    Our survey has ~120 questions for you to answer. Many of the questions
    are fairly specific and ask about certain classifications of devices or
    periods of time. Almost all use radio buttons indicating your current
    implementation on a scale of 1-7. They go from "Comprehensive" to "Not
    Implemented". We're not looking for your opinion on the effectiveness of
    a control, merely where the level of your current implementation stands.
    We also ask some questions about the cost and frequency of events in
    your organization.

    Your responses will help us fine-tune the wording we will use when the
    survey is offered to the general public. If it turns out that everyone
    is doing something, then we don't ask if you do, instead we ask how well
    you do it...that sort of thing.

    We firmly believe in the Global Risk Index as a far more accurate
    designation of where we stand, security-wise. What's the use of a Green,
    Orange, Red indication when you can't see how your mitigators affect the
    risk? Who cares if a new worm is out if you've so effectively mitigated
    your risks that it can't affect you? The Global Risk Index will let you
    know, and you can help make it happen.

    In order to participate in this survey either click on this link, or
    copy and paste it into your browser;
    <http://research.zarca.com/clients/TruSecure_2/survey.aspx?sid=1>

    We encourage you to learn more about the TruSecure Index with an
    archived webinar available at;
    <http://www112.placeware.com/cc/trusecure/view?id=TSGRI-25>
    Password: Global Index

    Cheers,
    Russ and the TruSecure Global Index Team

    
