The "How Secure Are You" article is fascinating. I'm sure some of you have heard of this. Thoughts? Has anyone used the security tool referenced?

Geo

-----Original Message-----
From: Security Wire Perspectives [mailto:searchSecurity@private]
Sent: Monday, August 30, 2004 3:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 67, August 30, 2004

*HOW SECURE ARE YOU?
By Mathew Schwartz, Contributing Writer

A tool released today will help organizations move beyond general best-security practices to discern exactly how many systems are actually protected. The new version of the Open Source Security Testing Methodology Manual (OSSTMM), an open standard methodology for performing security tests, gives organizations a bias-free way to assess their information security effectiveness. A number of public, private and government organizations worldwide already use the previous version of the OSSTMM, released by the Institute for Security and Open Methodologies (ISECOM).

"The OSSTMM is the bible of security testing," said Scott C. McCready, president of CIOview Corp., based in Maynard, Mass., which helps organizations assess the financial impact of changes in IT investments.

For the methodology's new version, its creator -- Pete Herzog, managing director of ISECOM -- wanted to move beyond the questions and answers common to risk-assessment tests, since he thinks most respondents fudge their responses. The goal: a bias-free security assessment.

To run the assessment, which takes four to eight hours, a security tester counts: the number of systems (scope); visibility, trust and access for each system (operational security); and all loss controls, such as authentication. For example, "for every system that's open to another, that's trust, and all you do is count these things. There's no opinion," said Herzog.
Similarly, "if you have 250 Microsoft boxes in a DMZ providing IIS Web servers and they're not hardened, well then we have a problem with trust. We don't care if you have a firewall. What we care about is what's accessible."

Using simple mathematics, the tester finds the actual security level, which, to be relevant, must then be multiplied by the number of daily interactions on the network. For example, when comparing a home system averaging 50 interactions per day to a company with a million interactions per day, being 91.4% secure means something different. For the latter, there are 10,941 incidents daily that could be malicious.

The results give companies a quick way to create baselines of actual security. "The only secret to this is no one thought about counting in this way before. All security metrics were based on how many firewalls, antivirus and systems you have, but really that doesn't mean squat if they're not configured right," said Herzog.

How can companies apply the results? Herzog said Gedas Iberia S.A., the Spanish IT subsidiary of Volkswagen Group, is already using the new OSSTMM baselines to direct its security spending. Coupled with an assets assessment -- such as BS7799 -- it can, for example, decide whether a $10,000 firewall is worth $1,000 of protection value.

"We think this is going to fundamentally change security spending in the sense that people will be driven by financial implications, rather than being driven by thinking that one technology or approach is the best," said McCready.

Herzog added that the U.S. Department of Justice IT security guidelines have also been added to the OSSTMM audit report to assure proper verification for government offices.

The new tool is available at http://www.osstmm.org

*CASE STUDY: INFLOW MANDATES INTEGRATION FOR SECURITY PRODUCTS
By Edmund X. DeJesus, Contributing Writer

Ask a dozen security administrators what their greatest priority is and you might hear about specific challenges like viruses, patch management or perimeter defense. For Inflow, higher-level concerns, including asset management and solution integration, are crucial to protecting its nearly 1,000 customers.

Inflow is a Denver-based provider of hosting and managed services, as well as business continuity and disaster recovery. It operates 13 data centers across the United States, and more than 900 customers rely on its services for everyday business processes and critical recovery operations. Naturally, with so many different customers, Inflow runs many different platforms at each data center, including Windows, Solaris, HP-UX and AIX, as well as systems like S/390s. Inflow's hundreds of servers host all the major databases, plus proprietary applications written by its customers.

Among the security challenges that Inflow faces are system-level issues (patch and configuration management), network-level issues (perimeter defense and intrusion detection) and application-level issues (internal vulnerabilities and insufficiently tested code). "Recently, we've been confronting the many vulnerability notification solutions we use, and trying to move beyond manual methods of interpreting and prioritizing their information," said Lenny Mansour, general manager of hosting and infrastructure.

Integration of many separate solutions is a main concern. "We want to control solutions in a more uniform environment, not manage each solution separately," said Mansour. He is encouraged by the efforts of vendors on the network level to tie together firewalls, intrusion detection, patch management and other products.

At the system level, asset management is essential for Inflow. "How can you possibly deal with patch management or change management if you don't know what you have?" noted Mansour. Inflow uses software from Opsware in Sunnyvale, Calif. for asset management, scanning resources before making decisions to push patches out to appropriate platforms. The company values how the software can integrate with other processes, including reporting, change requests and handling modifications to proprietary applications. "For example, we had estimated it would require nine technicians to manage our 600 Windows servers, but with Opsware it only requires three," Mansour said.

Mansour looks forward to software and hardware applications to integrate, and simplify, solutions even further. "We're trying to address the application level more effectively," he explained. The company is also interested in new network-level devices that combine the roles of firewall, VPN, intrusion detection and intrusion prevention. Not only can these devices improve security, but they should also decrease the complexity and cost of achieving and managing that security.

"We feel more in control, now that we have asset management in place," Mansour said. "We have a much better handle on what we have and how it all fits together."

=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication, Security Wire Daily

*Oracle users: Monthly patch cycle prudent [SearchSecurity.com]
Despite reservations some Windows users have with Microsoft's monthly patching cycle, experts believe a similar schedule makes sense for Oracle.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002437,00.html?track=NL-358&ad=490416

*Multiple vulnerabilities in Cisco server [SearchSecurity.com]
Multiple vulnerabilities in Cisco's Secure Access Control Server and Access Control Server Solution Engine can be exploited.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002563,00.html?track=NL-358&ad=490416

*Vulnerabilities affect multiple Symantec products [SearchSecurity.com]
A vulnerability in multiple Symantec products could be exploited for a denial-of-service attack.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002514,00.html?track=NL-358&ad=490416

*Security Bytes: Experts skeptical of Internet doom [SearchSecurity.com]
U.S. named top producer of spam; Shruggle targets 64-bit files; DoJ cracks down on cybercrime; Slackware, Fedora, Debian and Sun issue fixes.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002195,00.html?track=NL-358&ad=490416

*Microsoft acquisition targets Outlook hole [SearchExchange.com]
The stated purpose of Redmond's recent deal for Lookout Software was to bolster MSN's search capabilities, but some analysts say it also plugs a gap in Microsoft's e-mail client.
http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci1002324,00.html?track=NL-358&ad=490416

*Serious flaw affects Sun and Netscape products [SearchSecurity.com]
Financial institutions will likely be the target of a flaw in the Netscape Network Security Services (NSS) library suite that could allow remote compromise.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1002291,00.html?track=NL-358&ad=490416

*When to run the XP SP2 Windows Firewall [SearchWin2000.com]
If you aren't currently running a local firewall on your company's computers, the new Windows Firewall is a great way to secure your computers for free. But, if you've already deployed a third-party firewall, Redmond's offering is not for you.
http://searchwin2000.techtarget.com/tip/0,289483,sid1_gci1000900,00.html?track=NL-358&ad=490416

*Security flaw could put EMC Centera users at risk [SearchStorage.com]
EMC Centera relies on MD5 hash integrity for its single-instancing storage feature -- potentially compromising its ability to provide SEC compliance.
http://searchstorage.techtarget.com/originalContent/0,289142,sid5_gci1001882,00.html?track=NL-358&ad=490416

=====================================================
SOUND BYTES

*REPURPOSING FUD
By Ira Winkler, Contributing Writer

Security newsletters regularly publish press releases, especially those with top 10 lists. And top 10s, which proclaim potential terrorist events or anything else that furthers the cause of fear, uncertainty, and doubt (FUD) are all the better. These lists make the rounds and get a great deal of attention, since they're generally more interesting than the latest vendor updates.

I was in the Philippines when I read the latest list from iJet, a travel risk management services firm, on the top 10 countries to avoid for business travel, which ironically included the Philippines.
I can see that there would be many theoretical reasons to avoid the Philippines: The water can make you sick; taxi drivers may try to rip you off; and the person who lost the presidential election has advocated putting spikes on highways as a form of protest. The list can go on forever.

However, it can be reasonably argued that there have been more terrorist events inside the United States than in the Philippines. Sure, there have been some terrorist events in remote southern Philippine islands, but not widespread throughout the country. More importantly, the iJet study defines areas for avoiding business travel, though, there's little business to do on those southern islands. Does this justify placing the Philippines on iJet's list?

The cyberworld has its own top 10 lists. These often predict some type of doom from malicious attacks and inundate us with the threat of the mythical "Electronic Pearl Harbor" -- the attack that will devastate the world, as we know it. Does it really matter what the top 10 viruses are? Personally I believe it's more important to know that keeping antivirus software up to date prevents all of them, which makes the "Electronic Pearl Harbor" warnings even more useless and distorting. Meantime, common and preventable computer attacks and flaws accumulate to cause a higher loss than one devastating attack -- if it were to ever occur.

The studies and news stories that report on FUD predictions focus on a mystical threat rather than a plan of action. This means that less is done to protect our information infrastructures.

From a traditional risk perspective, I was exponentially more likely to die during my flights to and from the Philippines than be killed by a terrorist incident in the country. For that matter, I was statistically more at risk of dying in a car accident at home than from a terrorist attack in the Philippines.
Therefore, in terms of traditional risk, your organization is exponentially more likely to suffer regular losses due to completely preventable computer problems than to be hit by cyberattacks.

While iJet's study did provide information, the sound bytes that came out of the report were misleading, and the usefulness was minimal and counterproductive. Sound bytes without details distort planned actions. Did I need to avoid the Philippines? Clearly not. However, I probably would have liked to know which three islands to avoid out of the more than 7,000 islands comprising the Philippines. Avoiding those three islands would be a reasonable action to consider. Avoiding the entire country is ridiculous.

The computer world is similar. Security practitioners need detail on which to base their decisions. They need to know the signature release dates for the most common viruses to determine the scope of the deficiencies in antivirus programs; they need to know what enables potential losses to know what to target in their security programs. Security professionals need to know what the highest payback countermeasures are as opposed to vague threats that provide useless detail.

IRA WINKLER, CISSP, CISM has almost 20 years of experience in the intelligence and security fields, and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.

Have an opinion on this article? E-mail your letters to Shawna McAlearney ( mailto:smcalearney@private ), and include your name, title and organization. Letters may be edited for space and clarity.

=====================================================
LINKS TO THE INDUSTRY

On Demand Webcast: Policy compliance for end-point devices
The age of virtual computing and the increasingly remote, distributed workforce means there are many untrustworthy devices trying to access the network every day. Listen to this webcast for tips on securing your end-point systems.
http://searchsecurity.techtarget.com/webcastRegister/0,295011,sid14_gci969449,00.html?track=NL-358&ad=490416

Summer Security Quiz: Are you ready to go on vacation?
Summer is still in full swing. That means lots of vacation time, and thinned security staff and resources. So, before you hit the road and leave your security worries to co-workers, make sure you have all your firewalls in a row. Take this short quiz to find out if you're really ready for the worst-case scenario.
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci992028,00.html?track=NL-358&ad=490416

Security Tip: Best practices for writing an information classification policy
When developing your organization's information classification policy, there are three best practices that you should keep in mind.
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci995256,00.html?track=NL-358&ad=490416

::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an e-mail newsletter brought to you on Mondays and Thursdays by Information Security magazine, a TechTarget publication. Copyright (c) 2004, Information Security and TechTarget. No reuse or redistribution without the express written authorization of Information Security and TechTarget. Permission requests, questions or comments should be e-mailed to Shawna McAlearney, news editor, mailto:smcalearney@private

*A copy of the BPA Audit is available for download at: http://www.bpai.com/library/statement_files/s343h0j2.pdf
This archive was generated by hypermail 2.1.3 : Tue Aug 31 2004 - 09:19:05 PDT