Educause Security Discussion mailing list archives

Re: Measuring security


From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 7 Nov 2008 15:39:25 -0600

I highly recommend
http://www.amazon.com/Security-Metrics-Replacing-Uncertainty-Doubt/dp/0321349989
for assistance on what makes a good and bad security metric and lots of
insight into great metrics. Prioritizing its information is one of my
ongoing goals.


One of the few comparison metrics I've gotten implemented is related to
a subset of Nessus and WSUS information. By department, I keep tabs on
"number of days a system has a patch failing" and the number of days that a
group's systems have on average remained exploitable per remote
vulnerability scanners. The unfairness category I've got to normalize
is accounting for the number of assets a single group runs. Having 9
systems failing a patch doesn't seem so bad if you run 5000 systems, but
if you run 10 systems, it's pretty bad.


All over different time periods:


Applications in Use

Applications Reviewed for Security Issues

Applications with stale users

Notebooks in Use

Notebooks Encrypted


I try very hard to downplay the metric of "number of incidents
discovered or reported". Getting people to be more open about virus
infections and not treating them like break/fix increases your number
but is actually a better awareness metric.
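As an added illustration (not code from this message or from EDUCAUSE), here is how the per-department "days a patch has been failing" and "days exploitable" metrics described above could be computed and normalized by asset count, so that a group running 10 systems is compared fairly with one running 5000. The inventory records, host and department names, and field layout are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample inventory (not real data). Each tuple is one system:
# (host, department, patch_failing_since, exploitable_since); the dates would
# come from a patch-status feed (WSUS-style) and a remote vulnerability
# scanner (Nessus-style), and None means the system is currently clean.
ASSETS = [
    ("lib-01", "Library", date(2008, 10, 20), None),
    ("lib-02", "Library", None, date(2008, 10, 30)),
    ("it-01", "Central IT", date(2008, 11, 4), None),
    ("it-02", "Central IT", date(2008, 11, 5), None),
    ("it-03", "Central IT", None, None),
    ("it-04", "Central IT", None, date(2008, 11, 1)),
]
AS_OF = date(2008, 11, 7)  # reporting date for the constructed data


def days_since(start, as_of):
    """Days a condition has persisted; 0 when the system is clean."""
    return (as_of - start).days if start else 0


def department_metrics(assets, as_of):
    """Per-department totals, raw and normalized by the number of assets."""
    totals = defaultdict(lambda: {"assets": 0, "systems_failing_patch": 0,
                                  "patch_fail_days": 0, "exploitable_days": 0})
    for _host, dept, patch_failing_since, exploitable_since in assets:
        t = totals[dept]
        t["assets"] += 1
        if patch_failing_since is not None:
            t["systems_failing_patch"] += 1
        t["patch_fail_days"] += days_since(patch_failing_since, as_of)
        t["exploitable_days"] += days_since(exploitable_since, as_of)
    report = {}
    for dept, t in totals.items():
        report[dept] = {
            **t,
            # Normalization: a raw failure count penalizes large groups, so
            # express failure-days and exploitable-days per managed asset.
            "patch_fail_days_per_asset": t["patch_fail_days"] / t["assets"],
            "avg_days_exploitable": t["exploitable_days"] / t["assets"],
        }
    return report


def rank_departments(report, metric):
    """Departments ordered worst-first on the chosen metric."""
    return sorted(report, key=lambda d: report[d][metric], reverse=True)
```

With the constructed data, Central IT has more systems failing a patch (2 vs 1) but the Library ranks worse once failure-days are divided by assets, which is exactly the unfairness the normalization is meant to remove.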


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Heather Flanagan
Sent: Wednesday, November 05, 2008 4:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Measuring security


Hi all -


I've been asked to create some measurable target goals for data
security.  This is proving to be a tricky set of metrics to define!
What I've realized so far is:


1 - trying to go by how many holes or warnings are found by Nessus won't
work; way too many false positives

2 - trying to go by what a third-party penetration test might find won't
work; what they are measuring varies too much and there have so far been
way too many false positives or things we considered completely
acceptable (yes, a domain controller is going to act as a time server to
anyone who checks)

3 - trying to go by "well, doesn't look like we've been hacked
recently"...  not quite the business metric I'm looking for


Is anyone out there finding any particular set of metrics working for
you and your campus leadership?

Heather Flanagan

Director, System Administration

heatherf () stanford edu
