RE: Is there any way to measure IT Security??

From: Steve Goldsby (ICS) (sgoldsby_at_integrate-u.com)
Date: 08/04/05

  • Next message: Alexandre Paradis: "RE: Is there any way to measure IT Security??"
    Date: Thu, 4 Aug 2005 16:49:11 -0500
    To: <pen-test@securityfocus.com>
    
    

    We have been struggling for years in infosec to get discrete metrics.
    One of the challenges is that these are complex heterogeneous systems
    changing on a daily basis, if not more often.

    I have some personal biases with respect to assessment methodologies.

    ISO17799/BS7799 lacks likelihood determination in its measurement of
    risk (e.g. a hurricane is rated just as high in N. Dakota as it is in
    Miami, Florida), and lacks operational guidance useful after the
    assessment (e.g. remediation guidance). Having said this, it is a good
    starting point for an immature security program and can be delivered
    much more cost effectively than other, more robust methodologies. Note:
    ISO costs $995 per copy/update. I'm not a big fan of that, but I
    understand the need to support development.

    NSA-IAM started out of the chute a few years back with a lot of
    momentum, primarily I believe due to the "NSA" moniker attached to it.
    It's a good methodology useful for evaluating critical systems and data.
    I call it the "family jewels" methodology as it focuses not on your
    organization as a whole, but rather on those assets you identify as most
    critical. In my opinion, a nice middle ground between ISO/BS/OCTAVE and
    NIST. Note: NSA-IAM is freely available. Russ Rogers' folks at
    SecurityHorizons deliver excellent certification in this methodology.

    OCTAVE has a lot of street cred as it hails from the CMM folks. Like
    ISO, though, it lacks the likelihood determination component, and it is not
    as well vetted or robust as NIST 800, but does offer some of the same
    advantages as ISO.

    NIST is my personal favorite. It's the most robust (and costly to
    implement). The upsides are that it provides a lot of post-assessment
    guidance such as remediation methods, how to implement a CSIRT, etc.
    The NIST 800-series is a continually updated set of "plug-ins" for the
    800-26/800-30 modules used in the assessment phase. There are 800
    series documents for HIPAA, etc. A NIST 800-30 assessment will capture
    a great deal of organizational as well as technical information, and
    categorizes your assets into "systems". This makes the elephant
    (remediation) easier to eat. The other upside to NIST 800 is that it
    provides a clear path to certification and accreditation, which the
    other methodologies I mentioned do not. It's well vetted in the
    security community and embraced by the federal government. Oh, and it's
    freely available. All of it.

    I mentioned that ISO can be less disruptive and costly to implement, but
    if you can tolerate the additional cost (it's not extreme) and labor
    required, you will be rewarded with deliverables that you can use to
    identify your initial baseline and follow-up deltas to effectively and
    objectively measure the effectiveness of your security dollars.

    Just my $0.02.

    Steve Goldsby
    Integrated Computer Solutions, Inc.
    www.integrate-u.com / www.networkarmor.com
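The distinction drawn above between a method that rates risk by impact alone and one that adds a likelihood step, and the baseline/follow-up deltas mentioned at the end, can be made concrete. The following is an added example, not code from the thread or from any of the methodologies named in it. Its qualitative scales mirror the likelihood x impact matrix illustrated in NIST SP 800-30 (2002): likelihood High=1.0 / Medium=0.5 / Low=0.1, impact High=100 / Medium=50 / Low=10, and a risk level of High above 50, Medium above 10, otherwise Low. The system names and threat data are constructed for illustration.

```python
"""Risk scoring with an explicit likelihood step, plus baseline/follow-up deltas.

Added example (not from the mailing-list thread). Scales mirror the
likelihood x impact matrix shown in NIST SP 800-30 (2002); the numeric
values are illustrative. All systems and threats below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}


@dataclass(frozen=True)
class ThreatPair:
    """One threat/vulnerability pair observed against one system."""
    system: str
    threat: str
    likelihood: str  # "high" | "medium" | "low"
    impact: str      # "high" | "medium" | "low"


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood-weighted risk: probability factor times impact magnitude."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a numeric score back to the qualitative band (800-30 style)."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def impact_only_level(pair: ThreatPair) -> str:
    """What a method without a likelihood step produces: impact alone decides.

    This is why a hurricane in North Dakota and one in Miami come out equal."""
    return pair.impact


def assess(pairs: List[ThreatPair]) -> Dict[str, Dict[str, float]]:
    """Per-system, per-threat scores: the assessment deliverable."""
    result: Dict[str, Dict[str, float]] = {}
    for p in pairs:
        result.setdefault(p.system, {})[p.threat] = risk_score(p.likelihood, p.impact)
    return result


def system_totals(assessment: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """Aggregate score per system, so remediation can be prioritised by system."""
    return {system: sum(scores.values()) for system, scores in assessment.items()}


def deltas(baseline: Dict[str, float], followup: Dict[str, float]) -> Dict[str, float]:
    """Follow-up minus baseline per system; negative means risk went down.

    A system present in only one assessment is compared against 0."""
    systems = set(baseline) | set(followup)
    return {s: followup.get(s, 0.0) - baseline.get(s, 0.0) for s in systems}


# Constructed baseline: same hurricane impact at both sites, very different likelihood.
BASELINE = [
    ThreatPair("dc-miami", "hurricane", "high", "high"),
    ThreatPair("dc-fargo", "hurricane", "low", "high"),
    ThreatPair("dc-miami", "unpatched-web-server", "medium", "medium"),
]

# Constructed follow-up: a failover site lowers hurricane impact at Miami to
# medium, and patching removes the web server finding entirely.
FOLLOWUP = [
    ThreatPair("dc-miami", "hurricane", "high", "medium"),
    ThreatPair("dc-fargo", "hurricane", "low", "high"),
]


def demo() -> dict:
    """Run both assessments and return the comparison a report would carry."""
    base = assess(BASELINE)
    follow = assess(FOLLOWUP)
    return {
        "impact_only": {f"{p.system}/{p.threat}": impact_only_level(p) for p in BASELINE},
        "with_likelihood": {
            f"{p.system}/{p.threat}": risk_level(risk_score(p.likelihood, p.impact))
            for p in BASELINE
        },
        "baseline_totals": system_totals(base),
        "deltas": deltas(system_totals(base), system_totals(follow)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed data, the impact-only view rates both hurricane exposures "high", while the likelihood-weighted view rates Fargo "low" and Miami "high"; the per-system totals (125 for Miami, 10 for Fargo) give a baseline, and the follow-up delta of -75 for Miami is the kind of objective before/after number the message refers to.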

    -----Original Message-----
    From: Marriott, Bill (US - Dallas) [mailto:bmarriott@deloitte.com]
    Sent: Wednesday, August 03, 2005 3:55 PM
    To: John Alexander; Gary Everekyan; irony@trini.org; toto@playon.co.id
    Cc: pen-test@securityfocus.com; security-management@securityfocus.com;
    secpapers@securityfocus.com; security-basics@securityfocus.com
    Subject: RE: Is there any way to measure IT Security??

    This is a good list, but somewhat incomplete. I think you should
    consider that security is not a destination, it is a process. There are
    plenty of sources out there that you can measure yourself against, from
    a process point of view. Check out the ISO17799 standard or the BS7799
    standard; they outline the processes which go into a well developed
    security program. Or look at the Generally Accepted Information
    Security Principles (under development -
    http://www.issa.org/gaisp/gaisp.html).

    The NSA IAM/IEM is a methodology for managing controlled
    penetration/vulnerability for a particular system/app. The OWASP is for
    web application testing. These might give you an idea of security
    posture of one server or application, but not overall for your company.
    This kind of testing makes up a small amount of managing a secure
    organization.

    Take a look at the new ISO version, 2005. This fall, there will be a
    different ISO standard, 27001, which will allow a company to be
    certified against the standard.
    http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html

    Hope that helps.
    /bpm

    -----Original Message-----
    From: John Alexander [mailto:aj@adexec.com]
    Sent: Wednesday, August 03, 2005 4:21 AM
    To: Gary Everekyan; irony@trini.org; toto@playon.co.id
    Cc: pen-test@securityfocus.com; security-management@securityfocus.com;
    secpapers@securityfocus.com; focus-linux@securityfocus.com;
    libnet@securityfocus.com; firewalls@securityfocus.com;
    security-basics@securityfocus.com
    Subject: Re: Is there any way to measure IT Security??

    Basically, IT Security covers a gamut of areas; I am just listing some,
    on the fly:

    * Antivirus Solutions
    * Intrusion Prevention
    * Intrusion Detection
    * Patch Management
    * Firewall
    * VPN Gateway
    * Vulnerability Assessment & Reporting
    * Identity Access Management (single-sign-on, SOX/HIPAA/GLB
    compliance....)
    * Network Security
    * Security Policy Compliance Management
    * AntiSpam (mail protection software)
    * Web Content Filtering

    I'm not sure whether we have a one-size-fits-all solution which can help
    us in measuring your enterprise IT Security posture.

    I can list some good tools I have come across personally like NMap,
    ScanFi, Nessus, IdentityAccess Manager, GFI... but the list is endless,
    so give them a try in Google :-)

    ----- Original Message -----
    From: "Gary Everekyan" <karo.onnik@bluetie.com>
    To: irony@trini.org, toto@playon.co.id
    Subject: Re: Is there any way to measure IT Security??
    Date: Tue, 02 Aug 2005 14:32:30 -0400

    >
    > Google "Risk reporting" and you will get a whole list of research links.
    > It would also be helpful to look at owasp www.owasp.org HTH Regards,
    >
    > Gary Everekyan
    > CISSP, CISM, ISSAP, ISSPCS, MCSE, MCT
    > garyeve@Microsoft.com
    > "High achievement always takes place in the framework of high
    > expectation" -Jack Kinder
    >
    >
    > -----Original Message-----
    > From: "Larry Marin (Irony Account)" [irony@trini.org]
    > Date: 08/02/2005 01:09 PM
    >
    > You should check out NSA IAM/IEM Methodology...it works well for me.
    > http://www.iatrp.com/iam.cfm
    >
    >
    > Toto A Atmojo wrote:
    >
    > > Dear all,
    > >
    > > Currently I'm looking for a tool, or a technique, to measure IT
    > > security?
    > >
    > > The baseline for security is CIA (Confidentiality, Integrity and
    > > Availability), that is, every organization which wants to be called
    > > secure must guarantee that their system complies with this matter.
    > >
    > > But the problem is, we need a tool/technique to measure how secure
    > > we are. Therefore, we need a tool/technique to measure how close
    > > our system status is now to CIA.
    > >
    > > Please share your experience about this matter.
    > >
    > > If there is any link about this issue, I would really appreciate it
    > > if you share it with us (You may contact me privately).
    > >
    > > Best Regs,
    > >
    > > Toto
    > >

    --
    ___________________________________________________________
    Sign-up for Ads Free at Mail.com
    http://promo.mail.com/adsfreejump.htm
    ------------------------------------------------------------------------
    ------
    FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
    Don't
    Learn the hacker's secrets that compromise wireless LANs. Secure your
    WLAN by understanding these threats, available hacking tools and proven
    countermeasures. Defend your WLAN against man-in-the-Middle attacks and
    session hijacking, denial-of-service, rogue access points, identity
    thefts and MAC spoofing. Request your complimentary white paper at:
    http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
    ------------------------------------------------------------------------
    ------- 
    This message (including any attachments) contains confidential
    information intended for a specific individual and purpose, and is
    protected by law.  If you are not the intended recipient, you should
    delete this message. Any disclosure, copying, or distribution of this
    message, or the taking of any action based on it, is strictly
    prohibited. [v.E.1]
    
