Firewall Wizards mailing list archives

Re: Security Policy methodologies


From: Ted Doty <ted () iss net>
Date: Wed, 07 Jan 1998 09:42:21 -0500

This is getting way, way out in the theoretical weeds.  If you want to cut to
the chase, skip to the end.

<THEORY>
At 08:09 AM 1/6/98 -0800, Larry J. Hughes Jr. wrote:
I don't think that the 'what is my statistical likelihood of being
attacked?' question is necessarily the right one to be asking. A couple of
reasons:

First, what is your statistical likelihood of your office being burgled?

There are two components to this question.  How strong are your defenses
(barbed wire, motion detectors, armed guards, or a rusty padlock), and how
bad is the neighborhood.

Physical security folks are in the business of managing risk.  Risk is the
intersection of a vulnerability (unlocked window) and someone who will try
to exploit it (someone who wants to steal all the memory chips in your
computers, who's casing the business park).

No vulnerability, no risk.  No threat, no risk.  More interestingly, since
most of us do not have armed guards/retina scanners/X-Ray machines, risk
does exist.  The physical security guys manage the risk over time, in a way
that uses statistics appropriately to business justify security
expenditures (burglary rates are up, so they ask for funding for a motion
sensor system).

In a network security sense, we have a fairly decent handle on
vulnerabilities.  Any decent scanner will give you a whopping huge report
on all the holes in your systems, and fill your entire 1998 "To Do" list to
overflowing. ;-)

Unfortunately, we do not have corresponding (statistically valid)
information on the likelihood of someone trying to exploit those
vulnerabilities, based on useful categories like industry (education, high
tech, government, etc).

This has huge impact on how we have to approach security.  If we can't
manage the intersection of vulnerability and threat, it's terribly
difficult to develop and justify a rational security program to most
business managers.

How much security do *you* need?  There are different answers depending on
whether you work at a bank, a university, or the CIA.  The one common
thread through the budgeting decisions at each place right now is that the
justifications are mostly anecdotal or "educated guesses".

[snip]

Second, there are many pointy-hairs around who will misuse the statistics. 

Absolutely, but the converse is also true - throw every conceivable
security widget against the wall (firewall?) to see what sticks.  This is
an expensive way to do things.  I don't think it's unreasonable for
executive management to ask for demonstrable evidence that network
security is enhancing overall business goals, or at least to see that
they're getting their money's worth out of the three buckets of security
they bought last year.  Mostly they'd like to see real justification for
the fourth bucket, if it's ever needed.

IMNSHO, the biggest misuse of statistics we see in the industry is the
absence of appropriate statistics in setting and justifying network
security policy. 

[snip]

Third, there is enough attention to be had by creating and disseminating a
new interesting hack that any given organization's likelihood of being
attacked can literally change overnight.

Of course it changes, but so does everything.  Our role as professionals is
to manage this change.  What's wrong with collecting data that will help us
do this?

Look - I *want* to have data that I can use to get my boss to spring for
the nifty Bugtraq instantaneous update widget (tm).  One use for statistics
is to show how fast things are changing.  If I collect this information, I
can use facts to get the purchase order signed.

[snip]

Fourth, given that it's so easy to attack a site with impunity, who is to
say that there won't be a 10% rise in the overall attack rate in the next
90 days?

Your question is itself an excellent argument for collecting statistical
data on attack frequency.

[snip]

As a famous statistician once said, "statistics are a great tool for
predicting the past."  I'm not sure I want to base my current security
policy more than a wee bit on the past; rather, on what I can make a
reasonable business case for today. 

Your mileage may vary.  My suspicion is that one of the biggest problems we
face in getting sufficient resources for network security is that we can't
tap a factual knowledge base to demonstrate to senior management that what
we do makes an iota of difference to their business.

</THEORY>

Back to the original point about the Hanscom folks doing a careful study of
their required data flows before crafting and implementing a security
policy.  Without a valid base of factual data to use in creating a priori
security policies, this is the only approach likely to provide good results.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE