InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Metrics’ Category

Prioritizing Information Security Risks with Threat Agent Risk Assessment

Posted by xrsolis on January 18, 2010

Hello, I’m Xander and I’m a new contributor to the InfoSec Philippines blog. I was lurking on the Security Metrics mailing list, and the recent discussions were about Intel’s TARA methodology, which they’re using for their internal information security risk assessments. Intel’s methodology is centered on the greatest exposure that threat agents can bring about. Check out the whitepaper here.

Posted in Metrics

CIS Consensus Security Metrics V.1.0.0

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 27, 2009

In mid-May the Center for Internet Security, the same people that give us the free benchmarks, released their Consensus Metric Definitions V.1.0.0. It’s a free 90-page PDF containing 20 metric definitions under 6 business functions.

The 6 Business Functions and the metric areas under them are as follows:

Incident Management
– Mean-Time to Incident Discovery
– Number of Incidents
– Mean-Time Between Security Incidents
– Mean-Time to Incident Recovery

Vulnerability Management
– Vulnerability Scanning Coverage
– Percent of Systems with No Known Severe Vulnerabilities
– Mean-Time to Mitigate Vulnerabilities
– Number of Known Vulnerabilities

Patch Management
– Patch Policy Compliance
– Patch Management Coverage
– Mean-Time to Patch

Application Security
– Number of Applications
– Percent of Critical Applications
– Risk Assessment Coverage
– Security Testing Coverage

Configuration Management
– Mean-Time to Complete Changes
– Percent of Changes with Security Reviews
– Percent of Changes with Security Exceptions

Financial Metrics
– IT Security Spending as Percentage of IT Budget
– IT Security Budget Allocation

CIS is currently defining additional consensus metrics, so there will be more to follow. Please check out CIS’s document to find out how to measure the metrics listed above. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center’s Catalog doesn’t already have the above metrics. Metric Center’s mapping is the best mapping to ISO/IEC 27002:2005 that I’ve seen to date, and I’m hoping that they won’t start charging to check out their site in the future.
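To make the list above more concrete, here is an added worked example (mine, not code from the CIS document or from this post) that computes five of the listed metrics from constructed incident and vulnerability records: Mean-Time to Incident Discovery, Mean-Time to Incident Recovery, Mean-Time Between Security Incidents, Percent of Systems with No Known Severe Vulnerabilities, and Mean-Time to Mitigate Vulnerabilities. The formulas follow my reading of the CIS definitions (mean times are simple averages over the records in scope; the CVSS 7.0 severity threshold and the sample data are assumptions), so treat the CIS document as authoritative if the two disagree.

```python
"""Compute a handful of CIS-style consensus security metrics from records.

Added illustration only: the formulas are my reading of the CIS Consensus
Metric Definitions v1.0.0, the severity threshold is an assumption, and all
sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import List, Optional

SEVERE_CVSS = 7.0  # assumed threshold for a "severe" vulnerability


@dataclass
class Incident:
    incident_id: str
    occurred: datetime              # when the incident actually began
    discovered: datetime            # when the security team became aware of it
    recovered: Optional[datetime]   # when recovery completed; None if still open


@dataclass
class Vulnerability:
    host: str
    cvss: float
    identified: datetime
    mitigated: Optional[datetime]   # None if the finding is still open


def _hours(delta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_incident_discovery(incidents: List[Incident]) -> float:
    """MTTID: average hours from occurrence to discovery."""
    return mean(_hours(i.discovered - i.occurred) for i in incidents)


def mean_time_to_incident_recovery(incidents: List[Incident]) -> float:
    """MTTIR: average hours from occurrence to recovery, recovered incidents only."""
    closed = [i for i in incidents if i.recovered is not None]
    return mean(_hours(i.recovered - i.occurred) for i in closed)


def mean_time_between_incidents(incidents: List[Incident]) -> float:
    """MTBSI: average hours between consecutive incident occurrences."""
    times = sorted(i.occurred for i in incidents)
    if len(times) < 2:
        raise ValueError("need at least two incidents to compute a gap")
    return mean(_hours(b - a) for a, b in zip(times, times[1:]))


def percent_systems_without_severe_vulns(vulns: List[Vulnerability],
                                         all_hosts: List[str]) -> float:
    """Percent of in-scope systems with no open severe vulnerability.

    Hosts that were scanned and have no findings at all count as clean, so the
    denominator must be the full scanned inventory, not just hosts with findings.
    """
    bad = {v.host for v in vulns if v.cvss >= SEVERE_CVSS and v.mitigated is None}
    clean = [h for h in all_hosts if h not in bad]
    return 100.0 * len(clean) / len(all_hosts)


def mean_time_to_mitigate(vulns: List[Vulnerability]) -> float:
    """MTTM: average days from identification to mitigation, mitigated findings only."""
    done = [v for v in vulns if v.mitigated is not None]
    return mean((v.mitigated - v.identified).days for v in done)


# ---- constructed sample data (not real incidents) ----
T = datetime.fromisoformat

SAMPLE_INCIDENTS = [
    Incident("INC-1", T("2009-06-01T08:00"), T("2009-06-01T20:00"), T("2009-06-02T08:00")),  # 12h to discover, 24h to recover
    Incident("INC-2", T("2009-06-11T08:00"), T("2009-06-13T08:00"), T("2009-06-14T08:00")),  # 48h to discover, 72h to recover
    Incident("INC-3", T("2009-06-21T08:00"), T("2009-06-21T14:00"), None),                    # 6h to discover, still open
]

SAMPLE_HOSTS = ["web01", "web02", "db01", "ws01"]  # ws01 was scanned and has no findings
SAMPLE_VULNS = [
    Vulnerability("web01", 9.3, T("2009-06-01"), T("2009-06-08")),  # severe, mitigated in 7 days
    Vulnerability("web02", 7.5, T("2009-06-01"), None),             # severe, still open
    Vulnerability("db01", 4.3, T("2009-06-03"), None),              # medium, open: not counted as severe
    Vulnerability("web01", 5.0, T("2009-06-03"), T("2009-06-06")),  # medium, mitigated in 3 days
]


def report(incidents=SAMPLE_INCIDENTS, vulns=SAMPLE_VULNS, hosts=SAMPLE_HOSTS) -> dict:
    """Return all five metrics in one dict, suitable for a monthly scorecard."""
    return {
        "mttid_hours": mean_time_to_incident_discovery(incidents),
        "mttir_hours": mean_time_to_incident_recovery(incidents),
        "mtbsi_hours": mean_time_between_incidents(incidents),
        "pct_no_severe_vulns": percent_systems_without_severe_vulns(vulns, hosts),
        "mttm_days": mean_time_to_mitigate(vulns),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.1f}")
```

Two details matter in practice: open incidents and unmitigated findings are excluded from the recovery and mitigation averages (otherwise the metric would need an arbitrary "as of" date), and the coverage denominator is the full scanned inventory, because a host with zero findings is exactly the case the percentage is meant to reward.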

Posted in Metrics

NIST Draft on Directions in Security Metrics Research

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 11, 2009

There’s a new draft for evaluation released by NIST on Directions in Security Metrics Research. It’s a 26-page (15-page body) Interagency Report by Wayne Jansen with a lot of good references at the back. It’s a paper that “provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.”


Site News
Added some quotes on the “About” page, and added new links to the “Wireless Security” Links page.

Posted in Metrics

CAG and Metricon 3 Slides

Posted by Jaime Raphael Licauco, CISSP, GSEC on March 6, 2009

A few days ago, SANS and a consortium of US federal agencies released the Consensus Audit Guidelines Draft 1.0, described as the “Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance”.

Some of these controls may be included in ISO 27001 implementations to complement the controls found in 27002, since 27001 has been criticized for not having enough controls covering web application security and wireless security. Take note that these controls are specific and technology-based.

The controls are as follows:
Critical Control 1: Inventory of authorized and unauthorized hardware
Critical Control 2: Inventory of authorized and unauthorized software; enforcement of white lists of authorized software
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers
Critical Control 4: Secure configurations of network devices such as firewalls, routers, and switches
Critical Control 5: Boundary Defense
Critical Control 6: Maintenance, Monitoring and Analysis of Complete Audit Logs
Critical Control 7: Application Software Security
Critical Control 8: Controlled Use of Administrative Privileges
Critical Control 9: Controlled Access Based On Need to Know
Critical Control 10: Continuous Vulnerability Testing and Remediation
Critical Control 11: Dormant Account Monitoring and Control
Critical Control 12: Anti-Malware Defenses
Critical Control 13: Limitation and Control of Ports, Protocols and Services
Critical Control 14: Wireless Device Control
Critical Control 15: Data Leakage Protection
Critical Control 16: Secure Network Engineering
Critical Control 17: Red Team Exercises
Critical Control 18: Incident Response Capability
Critical Control 19: Data Recovery Capability
Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps

A related article in GCN states that CAG is not a substitute for FISMA guidance. NIST is also finishing the third revision of SP 800-53 (Recommended Security Controls for Federal Information Systems and Organizations), and comments close on March 27. The current drafts can be found here.


Metricon 3 Slides
Metricon 3 slides have been out since July 2008, but since I haven’t posted them here, I’m including a link.

My favorites are:
Sandy Hawke’s Bringing Metrics into the Enterprise, Kevin Peuhkurinen’s Balanced Scorecard Approach to InfoSec Metrics, Caroline Wong’s Global Information Security Metrics, and Yolanta Beres’ Security Analytics Driving Better Metrics.


Site News
As you’ve probably noticed, I’ve added Search to the site and changed the theme. I’ve also updated the links in ISMS and Security Metrics.

Posted in ISMS, Metrics

Recently found Whitepapers and Presentations

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 5, 2008

Joshua Beeman (University of Pennsylvania) and Kathy Bergsma (University of Florida) gave presentations at the Security Professionals Conference in April 2007 on Incident Tracking and Reporting.

The abstract of their presentation is as follows:
“The University of Florida and the University of Pennsylvania both regularly generate summary reports of computer incidents for information security managers. The reports help identify units that need improvement, assist with planning and risk assessment, and have contributed to an improvement in the security posture of both universities.”

Matt Tolbert (University of Pittsburgh) from the same conference presented on Effective Security Metrics.

The abstract is as follows:
“This presentation will show how the University of Pittsburgh successfully uses incident, operational, and compliance metrics to demonstrate the effectiveness of its security controls, as well as to substantiate funding for implementing and sustaining them.”

Both of the above links are from Educause Connect.

Posted in Incident Management, Metrics, Presentations, Whitepapers