Information Security - PowerPoint PPT Presentation

1 / 16

About This Presentation

Title:

Information Security

Description:

Number of Views:94

Avg rating:3.0/5.0

Slides: 17

Provided by: tj675

Category:

Tags: ascertained | information | security

Transcript and Presenter's Notes

Title: Information Security

1
Information Security

2
Agenda

3
What Is A Metric

4
Measuring Compared To What?

If measuring is a means of calculating progress
towards a goal or estimating what is expected..
What goals, standards, expectations does your
company have for security
Previous time periods (trending)
Service Level Agreements
What does your BOSS want to see?
If you are the boss
Identify a governance standard that fits your
companys business needs
NIST, COBiT, ITiL, ISO, PCI, HIPAA, etc

5
What Are You Measuring

6
Making It Count

Metrics can be effective if
Someone uses them!
Find out if / what decision making personnel
want, are using, would like to see the metrics
Ask those people what they want to see, what
would be helpful, what goals can you help them
with
Send them samples and ask them if they like the
chart, graph, metric
Ask them if they understand the metric and if it
is useful
Ask them how you can make it better or more
useful
KEEP IT SIMPLE
The higher your go, the more refined your metrics
need to be

7
How / Where To Gather Data

Log files
Request Systems
Helpdesk tickets, phones, e-mails,
Scans
Content Filtering Systems
IPS, IDS systems
Manual Reporting or automated via SMS or other
sys admin systems
Incidents Reported and/or Solved
Self-defined rankings
Incidents reported by risk ranking 1-5
Percentage of Metrics-
e.g. percent of IT related projects with
completed risk assessments before go-live
Percent of tiered systems that are tested/
successfully tested in DR plan
Percent of applicable systems that are compliant
with ltnamedgt regulation
Trending- number of x compared to last year/
month/ week
DONT FORGET your financial metrics
Compare your spending with market metrics- your
companies spending compared to national trend,
your industry trend, your competitors

8
http//securitybullshit.files.wordpress.com/2007/0
2/securitybullshit-cartoon019.png
9
The Basic Five by Andrew Jaquith

Metric 1 Baseline Defenses Coverage (Antivirus,
Antispyware, Firewall, and so on)
metric 2 Patch Latency
metric 3 Password Strength
metric 4 Platform Compliance Scores
metric 5 Legitimate E-Mail Traffic Analysis
http//www.csoonline.com/article/220462/A_Few_Goo
d_Information_Security_Metrics?page1

10
Jaquith Details

Baseline Defense
What is your coverage of the perimeter
Antivirus, Spyware, Firewall, IPS/IDS
E.g. percent of assets with current signature/
engine of AV.
E.g. number of attempts of penetration from
outside network
Bad examples- how many attempts blocked..
Better example is percent of attempts blocked
Patch
Devices patched for OS, application, database,
network, telephony
Microsoft patches, application releases also have
patches for security
Remember to provide explanations/ mitigations for
un-patched systems
E.g. separated device(s) by V-LAN with monitoring
and/or ACLs because hardware is no longer
supported
Bad Example Patch did not apply because we have
turned off FTP- turning off a communication or
other service does NOT mean it is no longer
vulnerable
Password Strength
Measure how strong your passwords are
Average time to crack a password in your
environment
Percent of passwords remaining the default or
easily guessed

11
Jaquith Details

Platform Compliance
Primarily used to perform risk assessments
against a platform, group, app, etc. Typically
compared to a regulatory or security standard
like NIST or OWASP
Typically performed with tools and given either a
H,M,L score or a 1-10 numeric classification of
risk.
E.g. The order processing system is analyzed for
PCI compliance using a tool like CIS, NESSUS,
Microsoft Baseline Analyzer, etc.. Each
vulnerability was given a score and then a
combined score was calculated for the overall
system.
be careful using this to executive management
as they will have difficulty determining what
their grade is. This is not a good tool to
give a grade this is a good tool for lower
levels like system owners, system admins, and
internal assessments (not internal audit).
E-mail
Monitoring point for compliance and other
objectives like vulgarity, etc.
E.g. percentage of e-mails leaving the company
with violence and/or vulgarity
E.g. percentage of e-mails leaving the company
with PII data in clear text such as social
security numbers

12
Another Persons Metrics

Miuccio says the security benchmarks They'll
revolve around eight principal topics
Mean time between security incidents.
Mean time to recover from security incidents
Percentage of systems configured to approved
standards.
Percentage of systems patched to policy.
Percentage of systems with antivirus.
Percentage of business applications that had a
risk assessment.
Percentage of business applications that had a
penetration or vulnerability assessment.
Percentage of application code that had a
security assessment, threat model analysis, or
code review prior to production deployment.
Center for Internet Security to release security
benchmark by year-end
By Ellen Messmer , Network World , 09/08/2008

13
My Professional Examples

Operational
Number of Security Incidents open closed for
that period
Monthly
Number of Access Requests for that period
Weekly
Technical
Patch Compliance- Total Number of Assets and
which ones were not patched by OS Group
Each Patch Cycle
Regulatory/ Compliance
Percent of Projects for that period who complete
or passed a security assessment prior to
implementation
Monthly