On 6/12/13, Joel M Snyder <Joel.Snyder@opus1.com> wrote:
> But seriously, how do you measure one's security? In ounces, unless it's a European university, in which case you use liters. Older systems of measuring security involving mass (pounds and kilos) have been deprecated, and you should not be using them anymore in
You need to count the number of employees/users, information assets, applications, systems, IP addresses on your network, network ports on your switch, processes running on all your machines, and files stored on your servers, and place them in disjoint, non-overlapping categories.

Then decide a 'weight' for each object, its 'impact': for example, the cost of formatting and reinstalling a server, or of buying new hardware if a device has been bricked; or the cost of re-creating work from scratch, or of settling the lawsuit if your environment's security failure allows this particular file's content to be disclosed, lost, corrupted, or made temporarily unavailable due to a DoS. The weight should be the greatest possible cost of a breach or misbehavior of that object, be that an application, OS, user, switchport, or MAC address; Users, Applications, Servers, Workstations, Network Devices, and "Documents directories" are some useful categories to use.

Then assign a probability to each object, based on the expectation of a breach given the series of expected attacks over a period of time.

Then for each category, take a ratio of the sums over all objects in that category:

    Sum of ( (1 - Probability that an attack succeeds) x Weight )
    divided by
    (Sum of the Weights)

Example: I have 5 Windows XP servers on my network, which cost me $100 to recover and replace from attack, for a period of time of 1 year, with no firewall and RDP open to the world; so there is an estimated 90% chance that an attacker will eventually find the vulnerability, on average over the series of attacks I expect to find in one year, except on one system I patched, where there is a 40% chance.

    (0.6 * $100 + 0.1 * $100 + 0.1 * $100 + ....) divided by $500

Then, when faced with the complete series of attacks, I expect to lose $400 out of $500; so my OS category is 10% secure for the year, in that case.
Your percentage security is the _lowest_, _least desirable_, or _worst_ metric over all the distinct categories you cared about.
--
-JH
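As an added worked example, not part of the original thread, here is the scoring scheme JH describes above written out in Python: every object gets a category, a worst-case cost ('weight') and a probability that an attack on it succeeds over the period; each category scores sum((1 - p) * w) / sum(w); the overall figure is the minimum over categories. The inventory is constructed for the example: the five RDP-exposed XP servers from the post (weight $100, p = 0.9, the patched one at p = 0.4) plus hypothetical Users and Documents categories. Scoring a category whose total weight is zero as 1.0 (nothing to lose) is my assumption, not something the post specifies.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One object in the inventory (constructed example data below)."""
    name: str
    category: str   # e.g. "Servers", "Users", "Documents"
    weight: float   # worst-case cost of a breach of this object (currency units)
    p_breach: float  # probability an attack on it succeeds over the period

    def __post_init__(self):
        # Reject inputs the formula cannot sensibly take.
        if self.weight < 0:
            raise ValueError(f"{self.name}: weight must be non-negative")
        if not 0.0 <= self.p_breach <= 1.0:
            raise ValueError(f"{self.name}: p_breach must be in [0, 1]")


def category_scores(assets):
    """Per-category score: sum((1 - p) * w) / sum(w) over the category's objects.

    A category with zero total weight is scored 1.0 (assumption: nothing to lose).
    """
    surviving = defaultdict(float)  # value expected to survive the attacks
    total = defaultdict(float)      # total value at risk
    for a in assets:
        surviving[a.category] += (1.0 - a.p_breach) * a.weight
        total[a.category] += a.weight
    return {
        c: (surviving[c] / total[c] if total[c] > 0 else 1.0)
        for c in total
    }


def expected_loss(assets):
    """Per-category expected loss: sum(p * w), the complement of what survives."""
    loss = defaultdict(float)
    for a in assets:
        loss[a.category] += a.p_breach * a.weight
    return dict(loss)


def overall_security(assets):
    """The post's rule: the worst (lowest) category score is your security figure."""
    scores = category_scores(assets)
    if not scores:
        raise ValueError("empty inventory")
    return min(scores.values())


# Constructed inventory: the post's five XP servers plus two made-up categories.
SAMPLE_INVENTORY = [
    Asset("xp-1 (patched)", "Servers", 100.0, 0.4),
    Asset("xp-2", "Servers", 100.0, 0.9),
    Asset("xp-3", "Servers", 100.0, 0.9),
    Asset("xp-4", "Servers", 100.0, 0.9),
    Asset("xp-5", "Servers", 100.0, 0.9),
    Asset("alice", "Users", 50.0, 0.3),
    Asset("bob", "Users", 50.0, 0.3),
    Asset("carol", "Users", 50.0, 0.3),
    Asset("contracts/", "Documents", 1000.0, 0.05),
]


if __name__ == "__main__":
    for cat, score in sorted(category_scores(SAMPLE_INVENTORY).items()):
        print(f"{cat:10s} {score:6.1%} secure, expected loss ${expected_loss(SAMPLE_INVENTORY)[cat]:.0f}")
    print(f"overall: {overall_security(SAMPLE_INVENTORY):.1%} (worst category)")
```

Fed the post's five servers, the formula as written yields 100/500 = 0.2 for the Servers category and an expected loss of $400; because Servers is the weakest category in this inventory, it is also the overall figure. Validation in `Asset.__post_init__` catches the usual spreadsheet mistakes (a probability entered as 90 rather than 0.9, a negative cost) before they silently distort the ratio.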