Prioritizing Information Security Risks with Threat Agent Risk Assessment

Hello, I’m Xander and I’m a new contributor to the InfoSec Philippines blog. I was lurking on the Security Metrics Mailing list and the recent discussions were about Intel’s TARA methodology, which they’re using for their internal Information Security Risk Assessments. Intel’s methodology is centered on the most exposure that can be brought about by Threat Agents. Check out the whitepaper here.

Advertisement

CIS Consensus Security Metrics V.1.0.0

In mid-May the Center for Internet Security, the same people that give us free benchmarks, released their Consensus Metric Definitions V.1.0.0. It’s a free 90 page pdf containing 20 Metric Definitions under 6 Business Functions.

The 6 Business Functions and the metric areas under them are as follows:

Incident Management
– Mean-Time to Incident Discovery
– Number of Incidents
– Mean-Time Between Security Incidents
– Mean-Time to Incident Recovery

Vulnerability Management
– Vulnerability Scanning Coverage
– Percent of Systems with No Known Severe Vulnerabilities
– Mean-Time to Mitigate Vulnerabilities
– Number of Known Vulnerabilities

Patch Management
– Patch Policy Compliance
– Patch Management Coverage
– Mean-Time to Patch

Application Security
– Number of Applications
– Percent of Critical Applications
– Risk Assessment Coverage
– Security Testing Coverage

Configuration Management
– Mean-Time to Complete Changes
– Percent of Changes with Security Reviews
– Percent of Changes with Security Exceptions

Financial Metrics
– IT Security Spending as Percentage of IT Budget
– IT Security Budget Allocation

CIS is currently defining additional consensus metrics, so more there will be more to follow. Please check out CIS’s document to find out how to measure the metrics mentioned above. It would be nice to see a mapping to ISO/IEC 27002:2005… just in case Metric Center’s Catalog doesn’t already have the above metrics. Metric Center’s mapping is the best mapping to ISO/IEC 27k2:2k5 that I’ve seen to date, and I’m hoping that they won’t start charging to check out their site in the future.

Black Hat Presentations, Flash App Tools, Free AV and News

The next BlackHat.com webcast will be about Mobility and Security on May 21 1pm PDT (Friday, May 22, 2009 at 4 AM in Manila, according to The World Clock).

Black Hat Webcast 9 (34MB audio, around 79 mins running time; WebSync version is here) is a preview of the Black Hat Conference in Amsterdam that was held from April 16-17, 2009 (see link to presentations below).
The following people and their presentation topic were in this webcast:

Enno Ray – Attacking Backbone Technologies
Charlie Miller and Vincenzo Iozzo – Fun and Games with Mac OS X and iPhone Payloads
Stefano Zanero – Web App Firewall Based on Anomaly Detection
Roberto Gassira’ and Roberto Piccirillo – Hijacking Mobile Data Connections

Past Black Hat Conferences:
Video of Charlie Miller and Vincenzo Iozzo’s presentation on Mac and iPhone payloads (152 MB)
Black Hat Europe 2009 (Amsterdam) Media Archives
Black Hat USA 2008 Archives

---

Flash App Vulnerability Tools

Exposing Flash Application Vulnerabilities with SWFScan
Flare
SWFIntruder

---

Free Anti-Virus

F-Secure Online Scanner Beta Program

---

InfoSec News

(Inquirer.net) Has your e-mail address won in a lottery?
(Computerworld PH) Report: Web continues to rise as security threat

(Inquirer.net) RP gov’t websites vulnerable to hacking
(Inquirer.net) Cyber spies hack into DFA computers
(Inquirer.net) RP needs cybersecurity program–CICT
(Inquirer.net) PNP experts tell how to catch a hacker

(Inquirer.net) Purge 2-M ‘flying’ voters, Comelec told
(Manila Times) Lawmaker to hack Comelec electronic counting machines
(Inquirer.net) Hack poll machines and win P100M
(Inquirer.net) P100M hack reward ‘dishonors’ poll automation
(Inquirer.net) Hacking poll results to take lots of time
(Inquirer.net) Comelec to tap DOST on poll machine testing
(Inquirer.net) Comelec mulls inclusion of more provinces in poll automation

(Inquirer.net) Comelec eyes YouTube stardom to lure voters

(PhilStar) Is quitting Twitter more popular than re-tweeting?
(IT Matters.com) Twitter — a rising marketing channel?

(PhilStar) Globe backs ICT Awards

(Inquirer.net) RP seeks removal from USTR watch list
(Inquirer.net) Twitter, Facebook abuzz over Pacquiao win

(Computerworld) Facebook’s privacy options
(Computerworld) How Facebook mucks up office life
(Wired) PIN Crackers Nab Holy Grail of Bank Card Security

(SecurityFocus) Researcher argues for CERTs with teeth
(Inquirer.net) Cyberspies hack into US fighter project
(H Security) Linux cache poisoning attacks easier than on Windows?
(Computerworld) 20 kick-ass network research projects

(Computerworld) Leaked copies of Windows 7 RC contain Trojan
(Computerworld) Botnet probe turns up 70GB of personal, financial data
(Computerworld) Heartland earns back spot on PCI-approved list

(The Register) Security researchers fret over Adobe PDF flaw
(H Security) Demo exploits for new vulnerabilities in Adobe Reader
(SecurityFocus) Companies slowest to fix Office, Acrobat flaws
(SecurityFocus) JavaScript flaw reported in Adobe Reader

(The Register) US Congress wants hack teams for self-penetration
(Boston.com) US looks to hackers to protect cyber networks
(NY Times) ‘Hackers wanted’ ad fed security misconception

(The Register) Botnet hijacking reveals 70GB of stolen data
(The Register) Twitter breach gives behind-the-scenes Obama peek

(The Register) Firefox finds more pesky bugs
(H Security) Firefox 3.0.10 fixes critical vulnerability

(The Register) Hacker behind P2P botnet gets no jail time
(The Register) US military’s cyberwar rules ‘ill-formed,’ says panel
(NY Times) Panel Advises Clarifying U.S. Plans on Cyberwar
(The Register) Adobe users imperiled by critical Reader flaw

(H Security) Lost+found: Worms, Exploits, Online Scanners
(NY Times) H.P. Labs Pulls Out the Measuring Stick

NIST Draft on Directions in Security Metrics Research

There’s a new draft for evaluation released by the NIST on Directions in Security Metrics Research. It’s a 26 page (15 page body) Interagency report by Wayne Jansen with a lot of good references at the back. It’s a paper that, “provides an overview of the security metrics area and looks at possible avenues of research that could be pursued to advance the state of the art.”

---

Site News
Added some quotes on the “About” page, and added new links to the “Wireless Security” Links page.

Recently found Whitepapers and Presentations

Joshua Beeman (University of Pennsylvania) and Kathy Bergsma (University of Florida) gave presentations at the Security Professionals Conference in April 2007 on Incident Tracking and Reporting.

Abstract regarding their presentation is as follows:
“The University of Florida and the University of Pennsylvania both regularly generate summary reports of computer incidents for information security managers. The reports help identify units that need improvement, assist with planning and risk assessment, and have contributed to an improvement in the security posture of both universities.”

Matt Tolbert (University of Pittsburgh) from the same conference presented on Effective Security Metrics.

Abstract is as follows:
“This presentation will show how the University of Pittsburgh successfully uses incident, operational, and compliance metrics to demonstrate the effectiveness of its security controls, as well as to substantiate funding for implementing and sustaining them.”

Both of the above links are from Educause Connect.