Information Assurance Metrics:
Practical Steps to Measurement

James Tarala, Enclave Security
Problem Statement
• “What’s measured improves.” – Peter Drucker

• In an era of security breaches we tend to have only one metric
  – Have my systems been compromised?

• But how do our organizations measure progress?
• How do we know if we’ve accepted a reasonable level of risk?
• And why are security engineers making so many business
  decisions for our organizations?




      Information Assurance Metrics: Practical Steps to Measurement © Enclave Security 2012
Suggested Solution
• Proposed Solution = Meaningful Metrics

• Organizations need a way to measure security risk in a
  meaningful way

• Better communication is necessary between business owners
  and security teams
• Business leaders need information to make better decisions




Why are Metrics Needed?
• Businesses use metrics to facilitate decision making
• Better data leads to better decisions

• Metrics allow organizations to set appropriate priorities

• Measurement allows comparison:
  – Between our organization and industry benchmarks
  – Between our organization’s and other organizations’ risk
    levels
  – Between levels of accepted risk over time
  – Between business units within an organization


Metrics from the Business World
• The business world uses metrics all the time
• Consider the following examples:
   – Price to Earnings Ratio
   – Profit & Loss Statements
   – Product Sales Quotas
   – Number of Safety Incidents
   – Unit Production
   – Web Advertisement Click Counts
   – Number of Facebook “Likes” per Post




Metrics in Technology
• Organizations even commonly use metrics to help measure
  the performance of technology systems as well
• Consider the following examples:
   – System uptime
   – CPU Utilization Percentage
   – Memory Use Percentage
   – Average Email Mailbox Size
   – Support Technician to Computer Node Ratio
   – Help Desk Ticket Time to First Touch
   – Help Desk Ticket Time to Resolution




Current Research Projects
• NIST Special Publication 800-55 (rev 1): Performance Measurement
  Guide for Information Security
• Security Content Automation Protocol (SCAP) / Common
  Vulnerability Scoring System (CVSS)
• CSIS / SANS 20 Consensus Audit Guidelines / 20 Critical Controls
• Center for Internet Security (CIS) Consensus Information Security
  Metrics
• Incident Management Capability Metrics (Carnegie Mellon Software
  Engineering Institute)
• Verizon Incident Sharing framework (VERIS)
• Systems Security Engineering – Capability Maturity Model (SSE-
  CMM)



Example: Critical Control #1
• Inventory of Authorized and Unauthorized Devices

• Exploit this Control is Meant to Stop:
   – Exploits due to lack of implemented controls on unknown
     (un-inventoried) devices
• Business goal of this control:
   – Only authorized systems should be on the agency’s
     network.
• Test to perform:
   – Add hardened systems to the network to see if they are
     identified & isolated from the network



             Understanding the 20 Critical Controls © Enclave Security 2012
Evaluation Test for Control #1
• Place ten unauthorized devices on various portions of the
  organization’s network unannounced to see how long it takes
  for them to be detected
   – They should be placed on multiple subnets
   – Two should be in the asset inventory database
   – Devices should be detected within 24 hours
   – Devices should be isolated within 1 hour of detection
   – Details regarding location, department should be recorded




Metrics for Control #1
ID | Testing / Reporting Metric | Response
1a | How long does it take to detect new devices added to the organization’s network? | Time in Minutes
1b | How long does it take the scanners to alert the organization’s administrators that an unauthorized device is on the network? | Time in Minutes
1c | How long does it take to isolate / remove unauthorized devices from the organization’s network? | Time in Minutes
1d | Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? | Yes/No
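The evaluation test and metrics 1a–1d above, scored in Python as an added example (not part of the slides or of any Enclave Security tooling). The planted-device records and timestamps are constructed; the 24-hour and 1-hour thresholds are the ones the slide states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds taken from the evaluation test on the slides: detection within
# 24 hours of placement, isolation within 1 hour of detection.
DETECT_LIMIT = timedelta(hours=24)
ISOLATE_LIMIT = timedelta(hours=1)


@dataclass
class PlantedDevice:
    """One unauthorized device placed during the test (constructed record)."""
    name: str
    subnet: str
    in_inventory: bool            # deliberately listed in the asset database
    placed: datetime
    detected: Optional[datetime]  # None = never detected
    alerted: Optional[datetime]   # scanner alert reached administrators
    isolated: Optional[datetime]  # None = never isolated
    details_recorded: bool        # metric 1d: location/department captured


def minutes_between(start, end):
    """Elapsed whole minutes, or None when the later event never happened."""
    if start is None or end is None:
        return None
    return int((end - start).total_seconds() // 60)


def score_device(d):
    """Metrics 1a-1d for a single planted device, plus pass/fail flags."""
    detect_ok = d.detected is not None and d.detected - d.placed <= DETECT_LIMIT
    isolate_ok = (d.detected is not None and d.isolated is not None
                  and d.isolated - d.detected <= ISOLATE_LIMIT)
    return {
        "device": d.name,
        "1a_detect_min": minutes_between(d.placed, d.detected),
        "1b_alert_min": minutes_between(d.detected, d.alerted),
        "1c_isolate_min": minutes_between(d.detected, d.isolated),
        "1d_details": d.details_recorded,
        "detect_ok": detect_ok,
        "isolate_ok": isolate_ok,
    }


def summarize(devices):
    """Roll per-device results up into the numbers a control report carries."""
    rows = [score_device(d) for d in devices]
    detect_times = [r["1a_detect_min"] for r in rows if r["1a_detect_min"] is not None]
    isolate_times = [r["1c_isolate_min"] for r in rows if r["1c_isolate_min"] is not None]
    return {
        "planted": len(rows),
        "subnets_covered": len({d.subnet for d in devices}),
        "detected": len(detect_times),
        "detected_within_24h": sum(r["detect_ok"] for r in rows),
        "isolated_within_1h": sum(r["isolate_ok"] for r in rows),
        "details_recorded": sum(r["1d_details"] for r in rows),
        # An inventory listing alone must not make a device "authorized":
        # count the inventoried plants that were still caught in time.
        "inventoried_but_detected": sum(
            1 for d, r in zip(devices, rows) if d.in_inventory and r["detect_ok"]),
        "worst_detect_min": max(detect_times, default=None),
        "worst_isolate_min": max(isolate_times, default=None),
    }


# Constructed test run: three of the ten devices, all placed at the same time.
T0 = datetime(2012, 6, 4, 9, 0)
SAMPLE = [
    PlantedDevice("dev-01", "10.1.0.0/24", False, T0,
                  T0 + timedelta(minutes=40), T0 + timedelta(minutes=45),
                  T0 + timedelta(minutes=70), True),
    PlantedDevice("dev-02", "10.2.0.0/24", True, T0,
                  T0 + timedelta(hours=20), T0 + timedelta(hours=20, minutes=5),
                  None, False),
    PlantedDevice("dev-03", "10.3.0.0/24", False, T0, None, None, None, False),
]

if __name__ == "__main__":
    for row in map(score_device, SAMPLE):
        print(row)
    print(summarize(SAMPLE))
```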


IS Metrics: Too Broad?
• The first question we need to ask is, “What do we mean by
  the term Information Security metrics?”
• “IS Metrics” is too broad a term

• “Begin with the end in mind.” – Stephen Covey

• Measurement for measurement’s sake helps no one
• Organizations must be specific on what they are measuring
  and the benefits they hope to achieve from it




Potential Metrics Categories
• In the realm of information security, organizations may want
  to consider measuring:
   – System availability / performance metrics
   – Network utilization metrics
   – Incident management metrics
   – Security budget metrics
   – User awareness & training metrics
   – System governance metrics
   – Software development risk metrics
   – System defense metrics




Metrics for System Defense
• Most of you are looking for cool dashboards & system defense
  metrics
• You read the Wall Street Journal & Financial Times, and you
  want to keep bad actors off your systems
   – Advanced Persistent Threat = Scary
   – Nation State Attacks = Scary
   – Cyberwar = Scary

• So what metrics should you choose?!?




Australian DSD Top 35 / “Sweet Spot”
• Australian Top 35 Mitigation Strategies, Australian
  Department of Defence
• Defensive controls to block over 85% of attacks directed
  against their systems
• The Top 35 Mitigation Strategies are ranked in order of overall
  effectiveness
• Rankings are based on DSD’s analysis of reported security
  incidents and vulnerabilities detected by DSD

• They also define 4 top controls as their “sweet spot”

 http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm


            Recent Changes to the 20 Critical Controls © Enclave Security 2011
Aus DSD #1: Patch Applications
• Specific Australian DSD Top 35 Control:
   “Patch applications e.g. PDF viewer, Flash Player, Microsoft
   Office and Java. Patch or mitigate within two days for high
   risk vulnerabilities. Use the latest version of applications.” –
   Australian DSD

• Business Purpose:
   To limit the vulnerabilities attackers can exploit by
   eliminating software application vulnerabilities on enterprise
   systems.




Aus DSD #1: Patch Applications (cont)
• Potential Metric:
   – Gather the composite Common Vulnerability Scoring
     System (CVSS) score of all systems by business unit,
     according to your vulnerability scanning software

• US Dept of State iPost Formula:
   DoS VUL Score = (CVSS Score)^N / 10^(N-1) where N=3
   Host VUL Score = SUM(VUL scores of all detected vulnerabilities)
   Host PAT Score = SUM(PAT scores of all incompletely installed patches)




Aus DSD #2: Patch OSs
• Specific Australian DSD Top 35 Control:
   “Patch operating system vulnerabilities. Patch or mitigate
   within two days for high risk vulnerabilities. Use the latest
   operating system version.” – Australian DSD

• Business Purpose:
   To limit the vulnerabilities attackers can exploit by
   eliminating operating system coding vulnerabilities on
   enterprise systems.




Aus DSD #2: Patch OSs (cont)
• Potential Metric:
   – Gather the composite Common Vulnerability Scoring
     System (CVSS) score of all systems by business
     unit, according to your vulnerability scanning software

• US Dept of State iPost Formula:
   DoS VUL Score = (CVSS Score)^N / 10^(N-1) where N=3
   Host VUL Score = SUM(VUL scores of all detected vulnerabilities)
   Host PAT Score = SUM(PAT scores of all incompletely installed patches)




Aus DSD #3: Limit Admin Rights
• Specific Australian DSD Top 35 Control:
   “Minimize the number of users with domain or local
   administrative privileges. Such users should use a separate
   unprivileged account for email and web browsing.” –
   Australian DSD

• Business Purpose:
   To reduce the likelihood that vulnerabilities are successfully
   exploited by limiting the rights of users on operating systems.




Aus DSD #3: Limit Admin Rights (cont)
 • Potential Metric:
    – Create secondary (admin) accounts for anyone needing
      elevated rights
    – Establish a baseline of the admin accounts created
    – Establish a risk score every time a non-baselined admin
      account or standard user account is configured as an
      administrator on each system

 • US Dept of State iPost Formula:
    SCM Score for a check = score of the check’s Security Setting Category
    Host SCM Score = SUM(SCM scores of all Failed checks)




Aus DSD #4: Application Whitelisting
• Specific Australian DSD Top 35 Control:
   “Application whitelisting to help prevent malicious software
   and other unapproved programs from running e.g. by using
   Microsoft Software Restriction Policies or AppLocker.” –
   Australian DSD

• Business Purpose:
   To reduce the likelihood that vulnerabilities are successfully
   exploited by limiting which application binaries are allowed to
   execute on a system.




Aus DSD #4: Application Whitelisting (cont)
 • Potential Metric:
    – Establish a baseline of all necessary binaries that would
      run on a system by system and business unit
    – Establish a risk score for all binaries that execute
      successfully that are not on the approved binaries baseline

 • US Dept of State iPost Formula:
    Product SOE Score = 5.0 (for each product)
    Host SOE Score = SUM(SOE scores for each product)
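The baseline-and-deviation metrics for #3 (admin rights) and #4 (application whitelisting) above, implemented together in Python as an added example rather than code from the slides or from iPost. The baselines and observations are constructed; the SOE value of 5.0 per product is the slide's, while the SCM weight of 10.0 per failed admin check is an assumption, since the slide names no category values.

```python
# Constructed baselines, one per host. In practice these come from the
# secondary-account process (admins) and the application inventory (binaries).
ADMIN_BASELINE = {
    "ws-101": {"CORP\\adm-jsmith"},
    "fs-01": {"CORP\\adm-backup", "CORP\\adm-ops"},
}
BINARY_BASELINE = {
    "ws-101": {"winword.exe", "outlook.exe", "chrome.exe"},
    "fs-01": {"backupagent.exe"},
}

# iPost: Product SOE Score = 5.0 for each unapproved product (from the slide).
SOE_PRODUCT_SCORE = 5.0
# The slide says an SCM check scores by its Security Setting Category but
# gives no values; this weight is an assumption made for the example.
SCM_ADMIN_CHECK_SCORE = 10.0


def admin_deviations(host, observed_admins):
    """Accounts holding administrator rights on the host that are not in the
    admin-account baseline. This catches both non-baselined admin accounts
    and standard user accounts that were made administrators."""
    return sorted(set(observed_admins) - ADMIN_BASELINE.get(host, set()))


def host_scm_score(host, observed_admins):
    """Host SCM Score = SUM(SCM scores of all failed checks); here one failed
    check per non-baselined administrator."""
    return len(admin_deviations(host, observed_admins)) * SCM_ADMIN_CHECK_SCORE


def binary_deviations(host, executed):
    """Distinct binaries that ran successfully but are not on the baseline."""
    return sorted(set(executed) - BINARY_BASELINE.get(host, set()))


def host_soe_score(host, executed):
    """Host SOE Score = SUM(SOE scores for each product) over unapproved products."""
    return len(binary_deviations(host, executed)) * SOE_PRODUCT_SCORE


def score_hosts(observations):
    """observations: {host: {"admins": [...], "executed": [...]}} collected from
    the directory and an execution log (constructed here). Returns the scores
    together with the deviations, so the report can say why a host scores."""
    report = {}
    for host, obs in observations.items():
        report[host] = {
            "admin_deviations": admin_deviations(host, obs["admins"]),
            "scm_score": host_scm_score(host, obs["admins"]),
            "binary_deviations": binary_deviations(host, obs["executed"]),
            "soe_score": host_soe_score(host, obs["executed"]),
        }
    return report


# Constructed observations: ws-101 has its owner's daily account elevated and
# two unapproved tools executed; fs-01 matches its baselines exactly.
OBSERVED = {
    "ws-101": {
        "admins": ["CORP\\adm-jsmith", "CORP\\jsmith"],
        "executed": ["winword.exe", "chrome.exe", "putty.exe", "putty.exe", "7z.exe"],
    },
    "fs-01": {
        "admins": ["CORP\\adm-backup", "CORP\\adm-ops"],
        "executed": ["backupagent.exe"],
    },
}

if __name__ == "__main__":
    for host, result in score_hosts(OBSERVED).items():
        print(host, result)
```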




Sample DoS iPost Reporting




  http://www.state.gov/documents/organization/156865.pdf



Our Primary Recommendation
1. Start small, excel at gathering a small number of metrics
2. Integrate these metrics into your business process
3. Grow the number of metrics you collect

• United States Department of State iPost began with only three
  data sensors:
   – Tenable Nessus
   – Microsoft Active Directory
   – Microsoft System Management Server (System Center)




Practical Steps: Base
• To create an effective, sustainable program to implement
  metrics, don’t start by creating metrics
• Our recommendation would be:
   1. Obtain a security management charter from senior
       management
   2. Create an organization wide IS Steering Committee
   3. Document your organization’s overall security goals
   4. Create & approve appropriate security policies,
       procedures, & standards
   5. Educate your organization on those documents




Practical Steps: Phase I
• Once a base or foundation for information assurance is laid,
  then you can begin with metrics
• The next phase would be to:
   1. Identify what information security sensors you have
      already successfully deployed
   2. Determine what meaningful metrics can be gleaned from
      these sensors
   3. Deploy a tool that can centrally aggregate, normalize, and
      report on the data collected by the sensors
   4. Create basic reports based on the metrics from step #2
   5. Work with business owners to remediate risk



Practical Steps: Phase II
• Now you are ready for continuous process improvement
• The last steps are to refine your effort, gather more data, and
  remediate more risk:
   1. Deploy additional sensors & aggregate the results
   2. Determine meaningful metrics that new sensors can
       bring
   3. Collaborate with business owners to make metrics more
       meaningful
   4. Remediate new risks as they are discovered
   5. Automate the response to as many metrics as possible




Software Tools to Help
• Open Source Projects:
   – Practical Threat Analysis (PTA) Professional
   – OSSIM Open Source SIEM
• Commercial Tools:
   – Archer Technologies SmartSuite
   – OpenPages Enterprise GRC
   – Bwise GRC
   – MetricStream
   – Methodware ERA
   – Protiviti Governance Portal
   – CCH TeamMate, Sword, & Axentis


Bare Minimum Response
1. Create an asset inventory
2. Assign data owners to all of your systems
3. Deploy a vulnerability scanner & scan all of your hosts on a
   regular basis
4. Create overall CVSS risk scores, by business unit, and publish
   those scores to key business owners
5. Remediate the risk you discover

• Focus on the basics, then improve your efforts
• Run a 5K first, then try a marathon




Further Questions
• James Tarala
   – E-mail: james.tarala@enclavesecurity.com
   – Twitter: @isaudit, @jamestarala
   – Blog:    http://www.enclavesecurity.com/blogs/

• Focused resources for further study:
   – SANS 20 Critical Controls Project (SEC 566)
   – The Balanced Scorecard (by Kaplan & Norton)
   – NIST Special Publication 800-55 (rev 1)
   – Security Metrics (by Andrew Jaquith)



Additional Resources
• A Few Good Information Security Metrics (Scott Berinato)
  http://www.csoonline.com/article/220462/a-few-good-information-
  security-metrics
• NIST IR 7564: Directions in Security Metrics Research (Wayne Jansen)
  http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-
  research.pdf
• Security Metrics: Measurements to Support the Continued Development
  of Information Security Technology (Shirley Radack)
  http://csrc.nist.gov/publications/nistbul/Jan2010_securitymetrics.pdf





Protecting health and life science organizations from breaches and ransomware
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 

More from EnclaveSecurity

Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseEnclaveSecurity
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellEnclaveSecurity
 
Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityEnclaveSecurity
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsEnclaveSecurity
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security failEnclaveSecurity
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionEnclaveSecurity
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsEnclaveSecurity
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controlsEnclaveSecurity
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controlsEnclaveSecurity
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerEnclaveSecurity
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usualEnclaveSecurity
 

More from EnclaveSecurity (13)

Using an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized DefenseUsing an Open Source Threat Model for Prioritized Defense
Using an Open Source Threat Model for Prioritized Defense
 
Automating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShellAutomating Post Exploitation with PowerShell
Automating Post Exploitation with PowerShell
 
Enterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security AssessmentsEnterprise PowerShell for Remote Security Assessments
Enterprise PowerShell for Remote Security Assessments
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Practical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device securityPractical steps for assessing tablet & mobile device security
Practical steps for assessing tablet & mobile device security
 
An Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security AssessmentsAn Introduction to PowerShell for Security Assessments
An Introduction to PowerShell for Security Assessments
 
Governance fail security fail
Governance fail security failGovernance fail security fail
Governance fail security fail
 
The intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protectionThe intersection of cool mobility and corporate protection
The intersection of cool mobility and corporate protection
 
Prioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controlsPrioritizing an audit program using the 20 critical controls
Prioritizing an audit program using the 20 critical controls
 
Overview of the 20 critical controls
Overview of the 20 critical controlsOverview of the 20 critical controls
Overview of the 20 critical controls
 
More practical insights on the 20 critical controls
More practical insights on the 20 critical controlsMore practical insights on the 20 critical controls
More practical insights on the 20 critical controls
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 
Cyber war or business as usual
Cyber war or business as usualCyber war or business as usual
Cyber war or business as usual
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 

Information Assurance Metrics: Practical Steps to Measurement

  • 1. Information Assurance Metrics: Practical Steps to Measurement
    James Tarala, Enclave Security

  • 2. Problem Statement
    • “What’s measured improves.” – Peter Drucker
    • In an era of security breaches we tend to have only one metric:
      – Have my systems been compromised?
    • But how do our organizations measure progress?
    • How do we know if we’ve accepted a reasonable level of risk?
    • And why are security engineers making so many business decisions for our organizations?
    Information Assurance Metrics: Practical Steps to Measurement © Enclave Security 2012

  • 3. Suggested Solution
    • Proposed solution = meaningful metrics
    • Organizations need a way to measure security risk in a meaningful way
    • Better communication is necessary between business owners and security teams
    • Business leaders need information to make better decisions

  • 4. Why are Metrics Needed?
    • Businesses use metrics to facilitate decision making
    • Better data leads to better decisions
    • Metrics allow organizations to set appropriate priorities
    • Measurement allows comparison:
      – Between our organization and industry benchmarks
      – Between our organization’s and other organizations’ risk levels
      – Between levels of accepted risk over time
      – Between business units within an organization

  • 5. Metrics from the Business World
    • The business world uses metrics all the time
    • Consider the following examples:
      – Price to Earnings Ratio
      – Profit & Loss Statements
      – Product Sales Quotas
      – Number of Safety Incidents
      – Unit Production
      – Web Advertisement Click Counts
      – Number of Facebook “Likes” per Post

  • 6. Metrics in Technology
    • Organizations also commonly use metrics to measure the performance of technology systems
    • Consider the following examples:
      – System uptime
      – CPU Utilization Percentage
      – Memory Use Percentage
      – Average Email Mailbox Size
      – Support Technician to Computer Node Ratio
      – Help Desk Ticket Time to First Touch
      – Help Desk Ticket Time to Resolution

  • 7. Current Research Projects
    • NIST Special Publication 800-55 (rev 1): Performance Measurement Guide for Information Security
    • Security Content Automation Protocol (SCAP) / Common Vulnerability Scoring System (CVSS)
    • CSIS / SANS 20 Consensus Audit Guidelines / 20 Critical Controls
    • Center for Internet Security (CIS) Consensus Information Security Metrics
    • Incident Management Capability Metrics (Carnegie Mellon Software Engineering Institute)
    • Verizon Incident Sharing framework (VERIS)
    • Systems Security Engineering – Capability Maturity Model (SSE-CMM)

  • 8. Example: Critical Control #1
    • Inventory of Authorized and Unauthorized Devices
    • Exploit this control is meant to stop:
      – Exploits due to lack of implemented controls on unknown (un-inventoried) devices
    • Business goal of this control:
      – Only authorized systems should be on the agency’s network.
    • Test to perform:
      – Add hardened systems to the network to see if they are identified & isolated from the network
    Understanding the 20 Critical Controls © Enclave Security 2012

  • 9. Evaluation Test for Control #1
    • Place ten unauthorized devices on various portions of the organization’s network, unannounced, to see how long it takes for them to be detected
      – They should be placed on multiple subnets
      – Two should be in the asset inventory database
      – Devices should be detected within 24 hours
      – Devices should be isolated within 1 hour of detection
      – Details regarding location and department should be recorded

  • 10. Metrics for Control #1
    • 1a – How long does it take to detect new devices added to the organization’s network? Response: time in minutes
    • 1b – How long does it take the scanners to alert the organization’s administrators that an unauthorized device is on the network? Response: time in minutes
    • 1c – How long does it take to isolate / remove unauthorized devices from the organization’s network? Response: time in minutes
    • 1d – Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? Response: Yes/No
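As an added example, not part of Tarala’s deck, the Python below scores one run of the slide 9 test against the slide 10 metrics (1a detection time, 1b alert time, 1c isolation time, 1d location/department recorded). The device names, subnets, timestamps and the 48-hour test window are constructed. A device the scanners never find is scored at the end of the window rather than dropped from the sample, because leaving it out would make the average look better exactly when detection failed.

```python
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds from the evaluation test on slide 9.
DETECT_SLA = timedelta(hours=24)
ISOLATE_SLA = timedelta(hours=1)


@dataclass
class PlantedDevice:
    """One unauthorized device from the test, with the timestamps an assessor
    would record. None means the event never happened inside the test window."""
    name: str
    subnet: str
    in_inventory: bool             # two of the ten are deliberately pre-entered in the asset database
    planted: datetime
    detected: Optional[datetime]   # first scanner record of the device
    alerted: Optional[datetime]    # alert reached an administrator (ticket, e-mail, console)
    isolated: Optional[datetime]   # port shut, quarantine VLAN, or physically removed
    location_recorded: bool        # did the alert carry location and department?


def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60


def evaluate(devices, window_end: datetime) -> dict:
    """Compute metrics 1a-1d for one test run.

    A device that was never detected is the worst possible outcome, so it is
    scored at the end of the test window instead of being excluded; otherwise
    the average would improve when detection fails.
    """
    detect, alert, isolate, failures = [], [], [], []
    for d in devices:
        if d.detected is None:
            detect.append(minutes(window_end - d.planted))
            failures.append(f"{d.name}: not detected within the test window")
            continue
        t_detect = d.detected - d.planted
        detect.append(minutes(t_detect))
        if t_detect > DETECT_SLA:
            failures.append(f"{d.name}: detected after {minutes(t_detect):.0f} min (limit 24 h)")
        if d.alerted is not None:
            alert.append(minutes(d.alerted - d.detected))
        if d.isolated is None:
            failures.append(f"{d.name}: detected but never isolated")
        else:
            t_isolate = d.isolated - d.detected
            isolate.append(minutes(t_isolate))
            if t_isolate > ISOLATE_SLA:
                failures.append(f"{d.name}: isolated after {minutes(t_isolate):.0f} min (limit 1 h)")
        if not d.location_recorded:
            failures.append(f"{d.name}: alert lacked location/department")
    return {
        "1a_detect_worst_min": max(detect),
        "1a_detect_median_min": statistics.median(detect),
        "1b_alert_worst_min": max(alert) if alert else None,
        "1c_isolate_worst_min": max(isolate) if isolate else None,
        "1d_location_recorded": all(d.location_recorded for d in devices if d.detected is not None),
        "pass": not failures,
        "failures": failures,
    }


# Constructed records for four of the ten devices (not real test data).
T0 = datetime(2012, 6, 4, 9, 0)
WINDOW_END = T0 + timedelta(hours=48)


def at(mins: int) -> datetime:
    return T0 + timedelta(minutes=mins)


SAMPLE = [
    PlantedDevice("rogue-01", "10.10.1.0/24", False, T0, at(35), at(40), at(70), True),
    PlantedDevice("rogue-02", "10.10.2.0/24", True, T0, at(20), at(25), at(30), True),
    PlantedDevice("rogue-03", "10.20.1.0/24", False, T0, at(1800), at(1805), at(1860), False),
    PlantedDevice("rogue-04", "10.30.1.0/24", False, T0, None, None, None, False),
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE, WINDOW_END).items():
        print(f"{key}: {value}")
```

Reporting the worst case alongside the median matters here: the median detection time can look acceptable while one subnet (rogue-03, rogue-04 above) has no coverage at all, and that gap is the finding business owners need to see.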

  • 11. IS Metrics: Too Broad?
    • The first question we need to ask is, “What do we mean by the term Information Security metrics?”
    • IS Metrics is too broad a term
    • “Begin with the end in mind.” – Stephen Covey
    • Measurement for measurement’s sake helps no one
    • Organizations must be specific about what they are measuring and the benefits they hope to achieve from it

  • 12. Potential Metrics Categories
    • In the realm of information security, organizations may want to consider measuring:
      – System availability / performance metrics
      – Network utilization metrics
      – Incident management metrics
      – Security budget metrics
      – User awareness & training metrics
      – System governance metrics
      – Software development risk metrics
      – System defense metrics

  • 13. Metrics for System Defense
    • Most of you are looking for cool dashboards & system defense metrics
    • You read the Wall Street Journal & Financial Times, and you want to keep bad actors off your systems
      – Advanced Persistent Threat = Scary
      – Nation State Attacks = Scary
      – Cyberwar = Scary
    • So what metrics should you choose?!?

  • 14. Australian DSD Top 35 / “Sweet Spot”
    • Australian Top 35 Mitigation Strategies, Australian Department of Defence
    • Defensive controls to block over 85% of attacks directed against their systems
    • The Top 35 Mitigation Strategies are ranked in order of overall effectiveness
    • Rankings are based on DSD’s analysis of reported security incidents and vulnerabilities detected by DSD
    • They also define 4 top controls as their “sweet spot”
    • http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
    Recent Changes to the 20 Critical Controls © Enclave Security 2011

  • 15. Aus DSD #1: Patch Applications
    • Specific Australian DSD Top 35 Control: “Patch applications e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.” – Australian DSD
    • Business Purpose: To limit the vulnerabilities attackers can exploit by eliminating software application vulnerabilities on enterprise systems.

  • 16. Aus DSD #1: Patch Applications (cont)
    • Potential Metric:
      – Gather the composite Common Vulnerability Scoring System (CVSS) score of all systems by business unit, according to your vulnerability scanning software
    • US Dept of State iPost Formula:
      DoS VUL Score = (CVSS Score)^N / 10^(N-1), where N = 3
      Host VUL Score = SUM(VUL scores of all detected vulnerabilities)
      Host PAT Score = SUM(PAT scores of all incompletely installed patches)

  • 17. Aus DSD #2: Patch OSs
    • Specific Australian DSD Top 35 Control: “Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.” – Australian DSD
    • Business Purpose: To limit the vulnerabilities attackers can exploit by eliminating operating system coding vulnerabilities on enterprise systems.

  • 18. Aus DSD #2: Patch OSs (cont)
    • Potential Metric:
      – Gather the composite Common Vulnerability Scoring System (CVSS) score of all systems by business unit, according to your vulnerability scanning software
    • US Dept of State iPost Formula:
      DoS VUL Score = (CVSS Score)^N / 10^(N-1), where N = 3
      Host VUL Score = SUM(VUL scores of all detected vulnerabilities)
      Host PAT Score = SUM(PAT scores of all incompletely installed patches)
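Slides 16 and 18 quote the same iPost VUL formula for application and operating system findings, so one added example serves both. It is not code from the deck or from the Department of State; the scanner export, host names and business units are constructed, and the PAT score is left out because the slides do not give its formula. What it shows is the effect of the cubic weighting: a unit with one critical finding ranks above a unit with many medium ones, the opposite of what a raw sum of CVSS scores says.

```python
from collections import defaultdict

N = 3  # exponent used in the iPost VUL formula on the slides


def vul_score(cvss: float, n: int = N) -> float:
    """iPost VUL score for one finding: (CVSS)^N / 10^(N-1).

    With N = 3 this is CVSS^3 / 100: a CVSS 10.0 finding still scores 10.0,
    but a CVSS 5.0 finding scores 1.25 and a CVSS 2.0 finding 0.08, so a host
    total is driven by its worst findings, not by how many low ones it has.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return cvss ** n / 10 ** (n - 1)


def host_vul_score(cvss_scores) -> float:
    """Host VUL Score = SUM(VUL scores of all detected vulnerabilities)."""
    return round(sum(vul_score(c) for c in cvss_scores), 2)


def scores_by_business_unit(findings):
    """Roll host scores up by business unit. Returns (per_host, per_bu).

    per_bu also carries the plain sum of CVSS scores so the two rankings can
    be compared side by side.
    """
    per_host = {}
    per_bu = defaultdict(lambda: {"hosts": 0, "total": 0.0, "raw_cvss_sum": 0.0})
    for host, bu, cvss_list in findings:
        score = host_vul_score(cvss_list)
        per_host[host] = score
        per_bu[bu]["hosts"] += 1
        per_bu[bu]["total"] = round(per_bu[bu]["total"] + score, 2)
        per_bu[bu]["raw_cvss_sum"] = round(per_bu[bu]["raw_cvss_sum"] + sum(cvss_list), 1)
    for row in per_bu.values():
        row["per_host"] = round(row["total"] / row["hosts"], 2)
    return per_host, dict(per_bu)


# Constructed scanner export (not real scan results): host, business unit,
# CVSS base score of every finding on that host. A host with no findings is
# kept so it still counts toward the unit's per-host average.
FINDINGS = [
    ("fin-web-01", "Finance", [9.3, 4.3, 4.3, 2.1]),
    ("fin-db-01", "Finance", [10.0, 3.0]),
    ("hr-app-01", "HR", [5.0] * 8),
    ("hr-file-01", "HR", []),
]

if __name__ == "__main__":
    per_host, per_bu = scores_by_business_unit(FINDINGS)
    for host, score in per_host.items():
        print(f"{host:12s} VUL={score}")
    for bu, row in sorted(per_bu.items(), key=lambda kv: -kv[1]["total"]):
        print(f"{bu:8s} total={row['total']} per_host={row['per_host']} raw_cvss_sum={row['raw_cvss_sum']}")
```

On this input HR has eight findings against Finance's six and a higher raw CVSS sum (40.0 vs 33.0), yet its iPost total is half of Finance's (10.0 vs 20.0), because a CVSS 10.0 on fin-db-01 counts for as much as all eight CVSS 5.0 findings on hr-app-01 together. That is the behaviour to explain to business owners before publishing the numbers, so a unit that has cleared its criticals is not penalised for leftover lows.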

  • 19. Aus DSD #3: Limit Admin Rights
    • Specific Australian DSD Top 35 Control: “Minimize the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.” – Australian DSD
    • Business Purpose: To limit the likelihood of vulnerabilities being exploited successfully by limiting the rights of users on operating systems.

  • 20. Aus DSD #3: Limit Admin Rights (cont)
    • Potential Metric:
      – Create secondary (admin) accounts for anyone needing elevated rights
      – Establish a baseline of the admin accounts created
      – Establish a risk score every time a non-baselined admin account or standard user account is configured as an administrator on each system
    • US Dept of State iPost Formula:
      SCM Score for a check = score of the check’s Security Setting Category
      Host SCM Score = SUM(SCM scores of all failed checks)

  • 21. Aus DSD #4: Application Whitelisting
    • Specific Australian DSD Top 35 Control: “Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.” – Australian DSD
    • Business Purpose: To limit the likelihood of vulnerabilities being exploited successfully by limiting the application binaries that are allowed to execute on a system.

  • 22. Aus DSD #4: Application Whitelisting (cont)
    • Potential Metric:
      – Establish a baseline of all necessary binaries that would run on a system, by system and business unit
      – Establish a risk score for all binaries that execute successfully but are not on the approved binaries baseline
    • US Dept of State iPost Formula:
      Product SOE Score = 5.0 (for each product)
      Host SOE Score = SUM(SOE scores for each product)
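Slides 20 and 22 both reduce to the same operation: compare what a host actually has (members of its local Administrators group, binaries that executed) against an approved baseline and score each deviation. One added example therefore covers both; it is not code from the deck or from iPost. The baselines and observations are constructed, binaries are keyed by file hash rather than path, account names are compared case-insensitively, and the SCM weight of 10.0 per unbaselined admin is an assumption, since the deck does not list the Security Setting Category values.

```python
from dataclasses import dataclass

SOE_SCORE_PER_PRODUCT = 5.0   # slide 22: each product outside the baseline scores 5.0

# Assumed value. Slide 20 says a failed check scores its Security Setting
# Category, but the deck does not list the category values, so this is a
# placeholder weight for "unbaselined privileged account".
SCM_PRIVILEGED_ACCOUNT_SCORE = 10.0


def norm(account: str) -> str:
    # Windows account names are case-insensitive; compare them that way so
    # CORP\Adm-Helpdesk and corp\adm-helpdesk do not register as a deviation.
    return account.casefold()


@dataclass
class HostObservation:
    host: str
    business_unit: str
    local_admins: set     # current members of the local Administrators group
    executed: set         # hashes of binaries that ran since the last collection


# Constructed baselines (not real data). The admin baseline is per host, as on
# slide 20; the application baseline is per business unit, as on slide 22, and
# keyed by file hash rather than path, since a path-based list is defeated by
# renaming a binary.
ADMIN_BASELINE = {
    "wks-fin-01": {"Administrator", r"CORP\adm-helpdesk"},
    "srv-hr-01": {"Administrator", r"CORP\adm-hr-infra"},
}
APP_BASELINE = {
    "Finance": {"sha256:1111", "sha256:2222", "sha256:3333"},
    "HR": {"sha256:1111", "sha256:4444"},
}


def admin_deviations(obs: HostObservation, baseline=ADMIN_BASELINE) -> set:
    # A host with no recorded baseline has every admin flagged: a missing
    # baseline is itself a gap the metric should surface, not a free pass.
    allowed = {norm(a) for a in baseline.get(obs.host, set())}
    return {a for a in obs.local_admins if norm(a) not in allowed}


def host_scm_score(obs: HostObservation, baseline=ADMIN_BASELINE) -> float:
    """Host SCM Score = SUM(SCM scores of all failed checks); here one failed
    check per admin account that is not in the host's baseline."""
    return len(admin_deviations(obs, baseline)) * SCM_PRIVILEGED_ACCOUNT_SCORE


def unapproved_binaries(obs: HostObservation, baseline=APP_BASELINE) -> set:
    # A business unit with no baseline is treated as "nothing approved" for the
    # same reason: the missing baseline shows up as a score instead of passing.
    return obs.executed - baseline.get(obs.business_unit, set())


def host_soe_score(obs: HostObservation, baseline=APP_BASELINE) -> float:
    """Host SOE Score = SUM(5.0 for each product that ran but is not approved)."""
    return len(unapproved_binaries(obs, baseline)) * SOE_SCORE_PER_PRODUCT


def score_report(observations) -> dict:
    return {
        obs.host: {
            "unbaselined_admins": sorted(admin_deviations(obs)),
            "scm": host_scm_score(obs),
            "unapproved_binaries": sorted(unapproved_binaries(obs)),
            "soe": host_soe_score(obs),
        }
        for obs in observations
    }


# Constructed collection results (not real data), of the kind a scheduled
# `net localgroup Administrators` and a process-execution audit log would yield.
SAMPLE = [
    HostObservation("wks-fin-01", "Finance",
                    {"Administrator", r"corp\ADM-HELPDESK", r"CORP\jdoe"},
                    {"sha256:1111", "sha256:2222", "sha256:9999"}),
    HostObservation("srv-hr-01", "HR",
                    {"Administrator", r"CORP\adm-hr-infra"},
                    {"sha256:1111", "sha256:4444"}),
    HostObservation("wks-lab-07", "Lab",
                    {"Administrator", "localadmin"},
                    {"sha256:1111"}),
]

if __name__ == "__main__":
    for host, row in score_report(SAMPLE).items():
        print(host, row)
```

wks-lab-07 illustrates the design choice: it has no admin baseline and its business unit has no application baseline, so it scores 20.0 SCM and 5.0 SOE even though nothing on it is necessarily wrong. That is deliberate; the alternative, scoring unbaselined hosts as zero, would reward the business units that never did the baselining work the slides call for.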

  • 23. Sample DoS iPost Reporting
    • http://www.state.gov/documents/organization/156865.pdf

  • 24. Our Primary Recommendation
    1. Start small; excel at gathering a small number of metrics
    2. Integrate these metrics into your business process
    3. Grow the number of metrics you collect
    • United States Department of State iPost began with only three data sensors:
      – Tenable Nessus
      – Microsoft Active Directory
      – Microsoft Systems Management Server (System Center)

  • 25. Practical Steps: Base
    • To create an effective, sustainable program to implement metrics, don’t start by creating metrics
    • Our recommendation would be:
      1. Obtain a security management charter from senior management
      2. Create an organization-wide IS Steering Committee
      3. Document your organization’s overall security goals
      4. Create & approve appropriate security policies, procedures, & standards
      5. Educate your organization on those documents

  • 26. Practical Steps: Phase I
    • Once a base or foundation for information assurance is laid, then you can begin with metrics
    • The next phase would be to:
      1. Identify what information security sensors you have already successfully deployed
      2. Determine what meaningful metrics can be gleaned from these sensors
      3. Deploy a tool that can centrally aggregate, normalize, and report on the data collected by the sensors
      4. Create basic reports based on the metrics from step #2
      5. Work with business owners to remediate risk

  • 27. Practical Steps: Phase II
    • Now you are ready for continuous process improvement
    • The last steps are to refine your effort, gather more data, and remediate more risk:
      1. Deploy additional sensors & aggregate the results
      2. Determine meaningful metrics that new sensors can bring
      3. Collaborate with business owners to make metrics more meaningful
      4. Remediate new risks as they are discovered
      5. Automate the response to as many metrics as possible

  • 28. Software Tools to Help
    • Open Source Projects:
      – Practical Threat Analysis (PTA) Professional
      – OSSIM Open Source SIEM
    • Commercial Tools:
      – Archer Technologies SmartSuite
      – OpenPages Enterprise GRC
      – Bwise GRC
      – MetricStream
      – Methodware ERA
      – Protiviti Governance Portal
      – CCH TeamMate, Sword, & Axentis

  • 29. Bare Minimum Response
    1. Create an asset inventory
    2. Assign data owners to all of your systems
    3. Deploy a vulnerability scanner & scan all of your hosts on a regular basis
    4. Create overall CVSS risk scores, by business unit, and publish those scores to key business owners
    5. Remediate the risk you discover
    • Focus on the basics, then improve your efforts
    • Run a 5K first, then try a marathon

  • 30. Further Questions
    • James Tarala
      – E-mail: james.tarala@enclavesecurity.com
      – Twitter: @isaudit, @jamestarala
      – Blog: http://www.enclavesecurity.com/blogs/
    • Focused resources for further study:
      – SANS 20 Critical Controls Project (SEC 566)
      – The Balanced Scorecard (by Kaplan & Norton)
      – NIST Special Publication 800-55 (rev 1)
      – Security Metrics (by Andrew Jaquith)

  • 31. Additional Resources
    • A Few Good Information Security Metrics (Scott Berinato)
      http://www.csoonline.com/article/220462/a-few-good-information-security-metrics
    • NIST IR 7564: Directions in Security Metrics Research (Wayne Jansen)
      http://csrc.nist.gov/publications/nistir/ir7564/nistir-7564_metrics-research.pdf
    • Security Metrics: Measurements to Support the Continued Development of Information Security Technology (Shirley Radack)
      http://csrc.nist.gov/publications/nistbul/Jan2010_securitymetrics.pdf

Editor's Notes

  1. Show up to a security presentation, walk away with a specific action plan. In this presentation, James Tarala, a senior instructor with the SANS Institute, presents specific plans for information assurance metrics in an organization. Clearly this is an industry buzzword at the moment when you listen to presentations on the 20 Critical Controls, NIST guidance, or industry banter. Security professionals have to know that their executives are discussing the idea. So exactly how do you integrate information assurance metrics into action in an organization and actually achieve value from the effort? Learn what efforts are currently underway in the industry to create consensus metrics guides and what initial steps an organization can take to start measuring the effectiveness of its security program. Small steps are better than no steps, and by the end of this presentation, students will have a start on integrating metrics into their information assurance program.