Firewall Wizards mailing list archives
Re: Security Policy methodologies
From: Ted Doty <ted () iss net>
Date: Wed, 07 Jan 1998 09:42:21 -0500
This is getting way, way out in the theoretical weeds. You want to cut to the chase, skip to the end.

<THEORY>

At 08:09 AM 1/6/98 -0800, Larry J. Hughes Jr. wrote:

> I don't think that the 'what is my statistical likelihood of being attacked?' question is necessarily the right one to be asking. A couple of reasons: First, what is your statistical likelihood of your office being burgled?

There are two components to this question. How strong are your defenses (barbed wire, motion detectors, armed guards, or a rusty padlock), and how bad is the neighborhood. Physical security folks are in the business of managing risk. Risk is the intersection of a vulnerability (unlocked window) and someone who will try to exploit it (someone who wants to steal all the memory chips in your computers, who's casing the business park). No vulnerability, no risk. No threat, no risk.

More interestingly, since most of us do not have armed guards/retina scanners/X-Ray machines, risk does exist. The physical security guys manage the risk over time, in a way that uses statistics appropriately to business justify security expenditures (burglary rates are up, so they ask for funding for a motion sensor system).

In a network security sense, we have a fairly decent handle on vulnerabilities. Any decent scanner will give you a whopping huge report on all the holes in your systems, and fill your entire 1998 "To Do" list to overflowing. ;-)

Unfortunately, we do not have corresponding (statistically valid) information on the likelihood of someone trying to exploit those vulnerabilities, based on useful categories like industry (education, high tech, government, etc). This has huge impact on how we have to approach security. If we can't manage the intersection of vulnerability and threat, it's terribly difficult to develop and justify a rational security program to most business managers.

How much security do *you* need? There are different answers depending on whether you work at a bank, a university, or the CIA. The one common thread through the budgeting decisions at each place right now is that the justifications are mostly anecdotal or "educated guesses".

[snip]
> Second, there are many pointy-hairs around who will misuse the statistics.

Absolutely, but the converse is also true - throw every conceivable security widget against the wall (firewall?) to see what sticks. This is an expensive way to do things. I don't think it's unreasonable for executive management to ask for demonstrable evidence that network security is enhancing overall business goals, or at least to see that they're getting their money's worth out of the three buckets of security they bought last year. Mostly they'd like to see real justification for the fourth bucket, if it's ever needed.

IMNSHO, the biggest misuse of statistics we see in the industry is the absence of appropriate statistics in setting and justifying network security policy.

[snip]
> Third, there is enough attention to be had by creating and disseminating a new interesting hack that any given organization's likelihood of being attacked can literally change overnight.

Of course it changes, but so does everything. Our role as professionals is to manage this change. What's wrong with collecting data that will help us do this? Look - I *want* to have data that I can use to get my boss to spring for the nifty Bugtraq instantaneous update widget (tm). One use for statistics is to show how fast things are changing. If I collect this information, I can use facts to get the purchase order signed.

[snip]
> Fourth, given that it's so easy to attack a site with impunity, who is to say that there won't be a 10% rise in the overall attack rate in the next 90 days?

Your question is itself an excellent argument for collecting statistical data on attack frequency.

[snip]
> As a famous statistician once said, "statistics are a great tool for predicting the past." I'm not sure I want to base my current security policy more than a wee bit on the past; rather, on what I can make a reasonable business case for today.

Your mileage may vary. My suspicion is that one of the biggest problems we face in getting sufficient resources for network security is that we can't tap a factual knowledge base to demonstrate to senior management that what we do makes an iota of difference to their business.

</THEORY>

Back to the original point about the Hanscom folks doing a careful study of their required data flows before crafting and implementing a security policy. Without a valid base of factual data to use in creating a priori security policies, this is the only approach likely to provide good results.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE