Thread: Security indicators

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    3

    Security indicators

    Hi all!
    My name is Alberto and I'm new in this forum, but I have three years of experience in IT security.
    Currently I'm doing a job about security indicators that help to understand if the IT department is doing a good job about security.
    I'm looking for numeric indicators like:
    number of man-hours dedicated to reviewing configurations/installing patches/searching for prohibited material on workstations
    Or
    $/year invested in improving security/buying resources (antivirus/firewalls/fingerprint scanners/cameras, and other security stuff)
    Or
    yearly average of virus incidents
    Or
    Number of unsuccessful logon events/month
    Do you get the idea?
    The objective is to measure how well the security strategy is going, and numbers are the best method to compare.
    I'll appreciate any kind of help!
    Best regards to all of you and excuse my English

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What you're looking for, by the sound of it, is an objective way of measuring a subjective issue. The main problem you have is that security is not a "fixed" thing and would be different for every organization.

    If you want to formalize the process then you should start with a complete risk assessment and then you have your baseline. One method of risk assessment will give you a numeric baseline from which to begin, (visit here to see a good write-up on how to conduct a quantitative risk assessment).

    From there you can address each issue until you have secured the network. At that point a "rerun" of the risk assessment would provide you with your new baseline and the two can be compared.

    Trying to study man hours etc. and then comparing it to another organization really doesn't give an accurate picture. For example, if you spend 4 hours a day going through the previous day's log files manually and compare it to my 30 minutes you are going to look really bad. But what you need to know is that I have written scripts to filter out all the "normal" traffic and the result is a log file of my "abnormal" traffic. It takes me a lot less time to go through that each day than my complete 50Mb log of the previous day's activity.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Aug 2003
    Posts
    300
    Tiger - you could probably turn that into a tut; it would inform a lot of people. Just a thought!

    Good post, nice work!

    Adiz

  4. #4
    Junior Member
    Join Date
    Feb 2004
    Posts
    3
    Hi tiger:

    Thanks for your quick response.
    You have not understood me.
    I know about the steps of risk management but in this case it's not what I'm looking for. In fact the absence of some indicator could point to the necessity of a security policy.
    The intention is not to obtain indicators to compare different companies. Instead it is to analyze the same company over time.
    If you have 5 incidents of virus infection this year and you take countermeasures, then probably you'll have only 1 or 0 next time and this is an indicator that you are improving. And you can demonstrate that you are doing well to the director committee in an easy way.
    In fact if you have increased one indicator but reduced 5 you can save your ass.
    I think that it could be possible to express security facts in numbers, but this is a challenge.
    I appreciate your recommendation about www.sans.org/rr, this is one of my favorite sites of resources.
    I'll appreciate other opinions.
    Thanks!

    Alberto

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    aigiorgi: Yes, I got what it is you were trying to do; that's why I mentioned the "reruns" of the risk assessment. In that way your numbers should come out different each time. The change in the numbers should show how well you are doing, (or not)

    What you seem to want to do, using your example, is to run a system where you count the number of viral infections you get on, say, an annual basis and from there determine how well you are doing. To really do that effectively you would need an incredibly complicated statistical model which, in the long run, would probably not prove to be cost effective or useful in the end.

    Let's say that in the first year there were 120 new viruses that entered the wild and during that year you got 15 infected machines within your network. That's a .125 rate of infection during year 1. Then in year 2 there are 100 new viruses entering the wild and you get 8 infected machines. That's a .08 infection rate.... goodie.... we improved. But did we?

    The fact that you got fewer infections may be purely dependent on the number of viruses sent to you. You may have had a total of 15000 infected emails sent to you in year 1 but only 150 infected emails sent in year 2. The implication of that would be that you are failing miserably. Then there are factors such as how many instances of infection took place before you were aware of the threat? How many instances took place between you becoming aware and having sufficient information to mitigate that threat, and finally how many infections took place between your attempt at mitigation and a working virus definition being produced by your AV vendor so that you can update the definitions. As you can see, all these factors would have a great bearing on whether you are actually improving.

    Bear in mind that all we are talking about are email viruses here. There are numerous other forms of security threats that you have to take into account in a similar fashion, all of which becomes complex and time consuming in order to quantify your success or failure. By the time you have successfully quantified all that another 5 infections would have taken place....

    I think you should look more at your strategy for defense and ensure that it fits properly within your organization. Some things are a fact of life, such as new viruses that users click on before the AV world is aware of their presence. You are going to have to live with them. But you also need a strategy to mitigate as much damage as you can. So, for example, I use the following mitigating techniques simply for the event that we get an infection:-

    1. Viruses carrying their own SMTP engine can't spread from my network because the mail servers are the only PCs allowed to make outbound SMTP connections through the firewall. All other attempts to do so are blocked and the firewall IMs me to inform me of the incident so I may have the machine disconnected from the network till I can get to it.

    2. Viruses that are network aware may spread in a wormlike fashion across my network so I:
    a) keep all machines patched through the use of SUS.
    b) do not allow domain authorized users to access other machines across the network, (no permissions except to the local administrator, domain account of the machine owner and domain admins on the local machine).
    c) baseline network activity and monitor for changes.
    d) fileservers which hold the vast majority of shared folders have AV autoprotection running and all files are scanned. If a virus gets there before the def is published then as soon as the AV is updated all the infected files are locked upon access attempts, which slows down the spread and indicates the infected machines by the users granted rights to the shares.

    3. Viruses that drop trojans are neutered by the fact that _nothing_ is allowed inbound through the firewall to network workstations on any port - period!!!!!!

    4. Viruses that call home are a problem over unblockable outbound ports..... I monitor and hope to catch them and keep the Snort sigs up to date.

    Using those strategies I am "pre-mitigating" viral infection. I'm not just using those strategies because I'm some kind of genius that just worked them all out..... There was a little experience that went into all that...... and my measure of improvement is not what I have successfully kept out, because as we have seen it might be misleading, but rather how long does it take me to recover, which is much more easily quantifiable.

    There are three levels of virus in my mind:-

    1. Easy: Takes little or no time to determine which PCs are infected, (mass mailer), there is an automated tool for removal.
    2. Moderate: Harder to locate infections across PCs, (wormy), there is an automated tool for removal.
    3. Ouch: Difficult to locate, (wormy/trojan/call home backdoor), manual removal or system regeneration required.

    If you take any specific virus infection to be an incident be there 1 or 100 infections, categorize them into one of the three categories for reporting purposes and then work out the average time per infection to reach a clean state.

    It's not going to be a lot but it will begin to show as you put in place the "pre-mitigation" strategies.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
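The two indicators argued over in the post above, worked through in code (an added example, not something posted in the thread): the year-1/year-2 infection rate computed per virus in the wild versus per infected e-mail received, using the figures Tiger gives, and the "average time to reach a clean state" per severity category. The incident records are constructed for the example; the hour values and category names are assumptions.

```python
from statistics import mean

# Year-level figures taken from the post: new viruses in the wild,
# infected machines on the network, and infected e-mails received.
YEARS = {
    1: {"wild": 120, "infected": 15, "mails": 15000},
    2: {"wild": 100, "infected": 8, "mails": 150},
}

def infection_rates(years):
    """Return {year: (infections per wild virus, infections per infected mail)}."""
    return {
        y: (d["infected"] / d["wild"], d["infected"] / d["mails"])
        for y, d in years.items()
    }

def improved(rates, y1, y2, idx):
    """True if normalization idx (0 = per wild virus, 1 = per mail) says y2 beat y1."""
    return rates[y2][idx] < rates[y1][idx]

# Constructed incident log: (year, category, infected machines, hours to clean state).
# Categories follow the post's three levels; hours are made-up sample values.
INCIDENTS = [
    (1, "easy", 40, 6.0), (1, "moderate", 12, 30.0), (1, "ouch", 3, 72.0),
    (1, "easy", 10, 4.0),
    (2, "easy", 25, 2.5), (2, "moderate", 9, 18.0), (2, "ouch", 2, 60.0),
]

def mean_hours_to_clean(incidents, year):
    """Average hours per incident to reach a clean state, per category, for one year."""
    by_cat = {}
    for y, cat, _machines, hours in incidents:
        if y == year:
            by_cat.setdefault(cat, []).append(hours)
    return {cat: mean(h) for cat, h in by_cat.items()}

def recovery_trend(incidents, y1, y2):
    """Per category, True when the mean time to clean fell from y1 to y2."""
    a, b = mean_hours_to_clean(incidents, y1), mean_hours_to_clean(incidents, y2)
    return {cat: b[cat] < a[cat] for cat in a if cat in b}

if __name__ == "__main__":
    rates = infection_rates(YEARS)
    print("per wild virus:", rates, "improved?", improved(rates, 1, 2, 0))
    print("per mail received improved?", improved(rates, 1, 2, 1))
    print("recovery trend:", recovery_trend(INCIDENTS, 1, 2))
```

The same two years come out as "improved" under one normalization and "failing miserably" under the other, which is the post's point; the time-to-clean trend does not depend on how much malware was sent to you.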

  6. #6
    Junior Member
    Join Date
    Feb 2004
    Posts
    3
    Tiger:

    I couldn't agree more with you.
    I can see that you have posted 1217 posts here and I assume it will be difficult (or impossible) to convince you that it is not the thing I'm looking for.
    I'll try to express it in another form.
    Driving is a risky activity; there are many factors that influence this risky activity.
    Some threats are drunk drivers, bad weather, crowded traffic, bad luck, bad mood, being tired.
    You can take countermeasures to minimize the risk: use a seat belt, drive slowly, respect the signs, don't drink, use airbags.
    But after a long weekend you read in the newspaper how many accidents or deaths happened. And these numbers are compared with the previous year (despite bad weather, an important factor that increases the number of accidents).
    I know it is very difficult to express security in numbers (and this is the reason I'm asking for help) but if you think about it, the insurance companies work only with numbers, security facts translated to numbers.
    This is what I'm looking for; the goal is not to make a statistical analysis, the goal is to find what indicators could help to measure the security.
    Do you think this is possible?
    Are there other opinions?
    Thanks to everybody.

    Alberto
