Beautiful Security Metrics
Review
Security metrics is a critical methodology that facilitates better system security awareness, decision making and implementation. It helps in the analysis of complex system and application processes and summarizes them in more easily understandable forms. Although security metric usage is still in its infancy, concerted efforts must be made to employ it in IT security management. The author of Beautiful Security Metrics drew a parallel between the system security profession and its medical counterpart.
The author highlights the importance of security metrics, which include:
- Good for monitoring and performance measurement for controls
- Used for detecting absence of critical controls
- For measuring efficiency and effectiveness.
- Formation of up to date security policies and procedures
- Identity management process for managing user access and entitlements.
- Separation of duties to authorize IT access must be well defined and separated from those that enabled such access.
- Mandatory review should be conducted after an employee’s responsibilities are changed.
- System and application access and processes must be logged in log files.
- Activity log files must be analyzed regularly.
- Regulation, best practices and standards must be thoroughly vetted and complied with.
- Security metrics improve control for identity and access management.
According to Nichols E (2009), “metrics have clearly helped medical practitioners by providing both a framework for quantifying the health of an individual or population and a collection of guidelines to communicate that state to non-experts”. The author therefore advised that IT security professionals should use metrics to analyze system vital signs and encouraged the sharing of security data across the board. Good security metrics have the following features:
Cases for acceptable system security metrics and vital signs
- Can be relative
- Subjective
- Measurable
- Probable values could be positive or negative
- Allow for sharing of data
Beautiful Security Metrics shows how two major security breaches could have been prevented if security metric processes had been fully implemented by Barings Bank in the UK and the TJX group in the USA. The lack of security control mechanisms against internal breaches led to the demise of Barings Bank. Identity and access management at Barings was nil and contributed to its failure. TJX lost close to $1 billion because of the security breaches. They were perpetrated by outside attackers taking advantage of security vulnerabilities in the network and system management protocols used by the company.
Beautiful Security Metrics summarized the events that led to the system security breaches at Barings Bank and attributed them to the following:
- No clearly defined role for the company personnel
- No separation of duties
- No review process in place
- System controls were lacking
For the TJX group, the security lapses were direct results of:
- Inadequate network configuration control
- Inadequate network usage surveillance
- Inadequate server configuration and usage monitoring
- Lack of data protection mechanism
- Access points connecting to the wireless router were not properly configured and protected. To further worsen the situation, the routers were put in broadcast mode. Using the wardriving technique, criminals were able to uncover open wireless networks with a view to stealing customer data and information.
- WEP does not offer adequate protection for wireless networks.
Some notable system metrics include, but are not limited to:
- Comparing two values, one from the authoritative system and the other from the configuration and activity logs, can provide the much-needed information about secret accounts in the environment.
- The percentage of login accounts that cannot be genuinely accounted for could represent accounts used for unauthorized access.
- The percentage of accounts that have not been justifiably reviewed in the recent past.
- Groups of accounts should be well defined and overlap must be prevented.
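The metrics listed above can be computed directly from an account inventory and activity logs. The following Python example is added here and is not code from the book or its author; the authoritative account list, log lines, group memberships and the one-year review window are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: what the authoritative identity system knows,
# including when each account was last reviewed (None = never reviewed).
AUTHORITATIVE_ACCOUNTS = {
    "alice": {"last_review": date(2009, 9, 1)},
    "bob": {"last_review": date(2008, 1, 15)},
    "carol": {"last_review": None},
}

# Constructed activity log lines in the form "<date> <account> <event>".
ACTIVITY_LOG = """\
2009-10-01 alice login
2009-10-01 bob login
2009-10-02 svc_backup login
2009-10-02 carol login
2009-10-03 ghost_admin sudo
"""

# Constructed group memberships; a requester must never also be an approver.
GROUPS = {"access_requesters": {"alice", "bob"}, "access_approvers": {"bob", "carol"}}

def observed_accounts(log_text):
    """Account names that actually appear in the activity log."""
    return {line.split()[1] for line in log_text.splitlines() if line.strip()}

def unaccounted_accounts(authoritative, log_text):
    """Accounts seen in logs but unknown to the authoritative system (secret accounts)."""
    return observed_accounts(log_text) - set(authoritative)

def pct_unaccounted(authoritative, log_text):
    """Percentage of observed accounts that cannot be accounted for."""
    observed = observed_accounts(log_text)
    return 100.0 * len(observed - set(authoritative)) / len(observed)

def pct_unreviewed(authoritative, as_of, max_age_days=365):
    """Percentage of known accounts with no review within max_age_days of as_of."""
    stale = sum(1 for info in authoritative.values()
                if info["last_review"] is None
                or (as_of - info["last_review"]).days > max_age_days)
    return 100.0 * stale / len(authoritative)

def overlapping_members(groups):
    """Accounts present in more than one group (a separation-of-duties violation)."""
    seen, overlap = set(), set()
    for members in groups.values():
        overlap |= seen & members
        seen |= members
    return overlap
```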
Conclusion:
There is a need to embark on the re-education of system managers and end users on the importance of security metrics in promoting safe computing. Security products should contain manuals about recommended usage, diagnosis and the ways to monitor significant events on systems. Anything out of the ordinary should be analyzed and reported. Auditing of system files, logs, access metrics and identity management should be part of everyday system management. The interpretation of security anomalies should be simple and devoid of anything complex. Lastly, security metrics facilitate, in their entirety, better system awareness, well-being and decision making on the part of system managers and support personnel, because security metrics improve control for identity and access management.
Reference
Oram, A., & Viega, J. (Eds.). (2009). Beautiful Security: Leading Security Experts Explain How They Think (pp. 33-61). Beijing: O’Reilly Media.