Overview
Why do we care?
What is a metric?
How do we decide which metrics to collect?
How are they collected?
Effective risk analysis through security metrics
How do security metrics make a corporation money (operational risk)?
Compliance, competition and security ROI
Why do we care?
How do we know how secure an organization is?
Metrics help define what "secure" means for the organization
Metrics let us benchmark our security investments against other organizations
Compliance
The metrics-gathering process often leads to identification of security inconsistencies or holes
What is a metric?
The National Institute of Standards and Technology (NIST) defines metrics as tools designed to facilitate decision-making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. Metrics are simply a standard or system of measurement. In this case, it is a standard for measuring security, specifically measuring an organization's security posture. Although there are some published standards for measuring security, ideally security metrics should be adjusted and tuned to fit a specific organization or situation.
Examples of metrics
Total number of remote connections over a one-month period (VPN, ISDN, dial-up, remote desktop)
Maximum number of concurrent remote connections by user
The percentage of total applications that have a contingency plan, by application criticality
Time to analyze and recommend action on a security event
Number of Linux servers at least 90% compliant with the Linux platform security standard
Network
DMZ port scans
Incident
Number of hosts infected with worm XYZ
Vendor
Average security rating for vendors that touch active customer files
People
Number of terminated employees with administrator access
Industry
Number of public security incidents in sector ABC with severity score Z
Political
Hacktivism scores, amount of sites listing sector/company ABC as potential target
Polled
Number of password reset requests (monthly); usually obtained from system administrators (SAs) or subject-matter experts (SMEs)
Incident based
Number of machines infected with worm XYZ
Number of vendors suffering from infections of worm XYZ
Usually obtained from industry intelligence, incident response, SAs and SMEs
Policy Statement: All users who connect remotely must be uniquely authenticated.
Enforcement Mechanism: Users are required to authenticate with a username, password and SecurID token to gain access to the internal network.
Network Policy (VPN): A user's Kerberos account must authenticate against both the RADIUS and SecurID privilege-granting servers before VPN connectivity is established.
Question: How do we tell if a user is uniquely authenticated?
Metric: Maximum number of remote connections by user in a month
Metric: Maximum number of concurrent connections for a single user
Metric: Total time connected in a single month
Metric: Number of users granted remote VPN privileges
Metric: Number of SecurID reset requests in a given month
Metric/Alert: User connecting to the VPN from different countries simultaneously
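The metrics mined from this policy, computed over a session export, as an added example (this is not code from the original page). It assumes a hypothetical VPN concentrator log with one line per session, `start end user country`, where the source country has already been resolved upstream; the user names, timestamps and countries below are constructed for illustration.

```python
"""Remote-access metrics derived from the 'uniquely authenticated' VPN policy.

Added example, not from the original page. Assumes a hypothetical session
export with one line per session:
    <start ISO-8601> <end ISO-8601> <user> <source country>
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Session = namedtuple("Session", "user start end country")

# Constructed sample sessions for one month (not real data).
SAMPLE_LOG = """\
2004-09-01T08:00:00 2004-09-01T12:00:00 alice US
2004-09-01T09:30:00 2004-09-01T10:00:00 alice US
2004-09-02T22:00:00 2004-09-03T01:00:00 bob DE
2004-09-02T23:00:00 2004-09-03T02:00:00 bob CN
2004-09-05T08:00:00 2004-09-05T09:00:00 carol US
"""


def parse_log(text):
    """Parse the hypothetical session export into Session tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, country = line.split()
        sessions.append(Session(user,
                                datetime.fromisoformat(start),
                                datetime.fromisoformat(end),
                                country))
    return sessions


def max_concurrent(sessions):
    """Metric: maximum number of concurrent connections (sweep line)."""
    # +1 when a session starts, -1 when it ends. At equal timestamps the
    # -1 sorts first, so back-to-back sessions are not counted as overlapping.
    events = sorted([(s.start, 1) for s in sessions] +
                    [(s.end, -1) for s in sessions])
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def overlaps(a, b):
    """True if the two sessions share any instant in time."""
    return a.start < b.end and b.start < a.end


def country_alerts(sessions):
    """Metric/Alert: the same account connected from two countries at once."""
    alerts = []
    for i, a in enumerate(sessions):
        for b in sessions[i + 1:]:
            if a.country != b.country and overlaps(a, b):
                alerts.append((a.country, b.country))
    return alerts


def user_metrics(sessions):
    """Per-user metrics for the policy 'all remote users are uniquely authenticated'."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)
    report = {}
    for user, sess in by_user.items():
        report[user] = {
            "connections": len(sess),                # remote connections in the month
            "max_concurrent": max_concurrent(sess),  # concurrent sessions on one account
            # total time connected: sum of session lengths, in seconds
            "total_seconds": int(sum((s.end - s.start).total_seconds() for s in sess)),
            "country_alerts": country_alerts(sess),  # simultaneous sessions, different countries
        }
    return report


if __name__ == "__main__":
    for user, m in user_metrics(parse_log(SAMPLE_LOG)).items():
        print(user, m)
```

A `max_concurrent` above 1 for a single account is the direct signal the policy is after: either the credential and token are being shared, or they have been stolen, and in neither case is the user uniquely authenticated. The country alert is only as good as the upstream source-country tagging, so treat its reliability as a property of that feed rather than of the script.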
Risk Scoring
Metric: Maximum number of remote connections by user in a month.
Impact: 6/10 (how much we care about this metric relative to the other metrics in this policy's risk; the score may come from SMEs, upper management or industry direction)
Risk: 20% + (10% * last month's count); this is where the soft analysis takes place
We are spending $YYYY on product XYZ; is it worth renewing the contract, or should we start looking for a new solution?
Metrics specifically surrounding product XYZ and the problem it is solving
Number of successful social engineering attacks and their impact before and after the online training seminar
Regulatory
(doesn't yet exist for most industries)
Baseline metrics (from Spire Security)
Number of patched machines / total
Number of services running on external-facing machines
Port scanning incidents
Standards contd.
Identity Management: management budget; management FTEs; total user repositories; total user accounts; count of user accounts created, accounts modified, password resets, accounts disabled/deleted, accounts evaluated
Authentication Events: number of failed authentications
Vulnerability Management: spending; number of servers/applications/PCs scanned; number of Vulnerability Management FTEs; count of open ports, known vulnerabilities, patches, configuration changes
Trust Management: spending; count of Trust Management FTEs, policies written, certificates issued, signed documents, encrypted documents
Threat Management: spending; count of Threat Management FTEs, alerts, compromised systems
Tips / Visionaries
Investigations, government or a regulator may ask information security to monitor specific activities
A visionary (author, upper management, consultant) will come up with a new or derived metric to collect in order to report on a new phenomenon
Manual
Email polling
Form entry
Manual file updating
Report analysis/research
Ask the question: do we have policy and guidelines to mitigate/monitor these asset/vulnerability combinations?
If not, create them. In our case, assume we do.
Mine these policies for potential metrics.
Asset: Credit Card Database on CFAC; Credit Card Database on CFAC; Payment Processing Availability
Vulnerability: mal-intent system administrators; network hopping / sniffing; denial of service; physical equipment destruction
Potential Loss
Contributory risk = measure of process errors during normal course of operations that contribute to a compromise
User Account Management procedures
Historical testing
Look at data leading up to an incident, see what changed
SME predictions/insight
Sometimes they just know
Industry trends
We don't really care about 1024-bit key breaking in 2005; will we in 2012?
Firm specific
Explosion in certain incident types may necessitate a change in the equation
Optimization
After doing the risk calculation, don't spend time/money collecting metrics that don't change the final score much.
Analyze the risk score equation against reality: are we really reporting the proper state of the union?
Add reliability fields to metrics and weigh according to them as well.
Correlation/expert system analysis
Prioritize future metrics to be collected (find the value of a metric, i.e. the risk of not collecting it)
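A worked version of the Risk Scoring section above (impact weight, soft-analysis risk of the form 20% + 10% * last month's count) together with the optimization step just described, as an added example that is not code from the original page. The page gives only the per-metric pieces; the combination rule used here, a weighted mean with weight = impact * reliability, is an assumption, as are the metric names, plausible ranges and last-month values.

```python
"""Weighted risk score per policy, plus a sensitivity check for optimization.

Added example, not from the original page. Assumed combination rule:
policy score = weighted mean of per-metric risk, weight = impact * reliability.
All metric names, ranges and values below are constructed.
"""
from dataclasses import dataclass, replace


@dataclass
class Metric:
    name: str
    impact: float       # 0-10, importance relative to the other metrics in the policy
    reliability: float  # 0-1, trust in the collection process (the reliability field)
    base: float         # soft-analysis constant, e.g. 0.20 for "20%"
    per_unit: float     # soft-analysis slope per observed unit, e.g. 0.10 for "10%"
    value: float        # last month's observed count

    def risk(self):
        """Risk = base + per_unit * count, clamped to [0, 1]."""
        return max(0.0, min(1.0, self.base + self.per_unit * self.value))


def policy_score(metrics):
    """Overall risk for the policy: impact- and reliability-weighted mean of risk."""
    weight = sum(m.impact * m.reliability for m in metrics)
    if weight == 0:
        return 0.0
    return sum(m.impact * m.reliability * m.risk() for m in metrics) / weight


def sensitivity(metrics, plausible_range):
    """How far the policy score moves when each metric swings across its
    plausible (low, high) range while the others stay at last month's value."""
    swing = {}
    for m in metrics:
        lo, hi = plausible_range[m.name]
        scores = [policy_score([replace(x, value=v) if x is m else x for x in metrics])
                  for v in (lo, hi)]
        swing[m.name] = max(scores) - min(scores)
    return swing


def low_value_metrics(metrics, plausible_range, threshold=0.10):
    """Metrics whose full swing moves the score by less than `threshold`:
    candidates to stop collecting, per the optimization step above."""
    return sorted(n for n, s in sensitivity(metrics, plausible_range).items()
                  if s < threshold)


# Constructed values for the remote-access policy (hypothetical).
VPN_METRICS = [
    Metric("max_remote_connections_by_user", impact=6, reliability=0.9,
           base=0.20, per_unit=0.10, value=3),
    Metric("securid_reset_requests", impact=3, reliability=0.6,
           base=0.10, per_unit=0.05, value=4),
    Metric("vpn_from_two_countries", impact=9, reliability=1.0,
           base=0.00, per_unit=0.50, value=1),
]
PLAUSIBLE_RANGE = {
    "max_remote_connections_by_user": (0, 8),
    "securid_reset_requests": (0, 10),
    "vpn_from_two_countries": (0, 2),
}

if __name__ == "__main__":
    print("policy risk score: %.3f" % policy_score(VPN_METRICS))
    for name, s in sensitivity(VPN_METRICS, PLAUSIBLE_RANGE).items():
        print("%-32s swing %.3f" % (name, s))
    print("candidates to drop:", low_value_metrics(VPN_METRICS, PLAUSIBLE_RANGE))
```

With these constructed numbers the SecurID reset count can move across its whole plausible range and shift the policy score by only about 0.06, while the two-countries alert shifts it by more than 0.5; that is the kind of comparison the optimization step uses to decide which collection processes are worth the system administrators' time. The reliability field is what keeps a poorly collected metric from dominating the score even when its impact weight is high.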
Problems Experienced
Systems unable to report highly critical metrics
System integration
SAs not willing/able to invest time setting up processes to collect metrics
Ad-hoc requests/reports and their implication for the overall view: "We didn't do a penetration test on most of our servers; how can we call our network secure?"
Vague risk descriptions, vague metric requests
Impossible metrics (usually external), e.g. number of credit card accounts compromised globally across any firm
Missing/incomplete historical data
Mistrust/inaction/devaluing because of qualitative components
Complete trust
References
http://www.secmet.org
http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf
http://www1.netsec.net/content/securitybrief/archive/2004-09_Metrics.pdf
http://www.cert.org/octave/
Homework
Pretend you are a security analyst at Polytechnic. You have just had the following (highly simplified and fictitious) conversation with a senior manager.
Manager: Another engineering school was just sued because students' transcripts could be accessed by anyone online. How secure is our new grade transaction server?
You: We believe the new design is secure; however, we haven't allocated time, money and effort to post-implementation security evaluation.
Manager: I need to show the board that we are not prone to this type of humiliation. What can you pull together for me in the next 3 months?
Your assignment is to describe how you would structure your new metrics proposal, which includes the following sections.
Description of which metrics you will be collecting (based on risk analysis; remember, this should be a minimal set, you only have 3 months to set this up)
A metric collection process example for one of the metrics
Suggested, simple weighting of metrics to calculate the overall risk score of the system