Marcus, I think that your statement is true for most commercial organizations whose drivers are related to finances and regulatory issues. Unfortunately, security risk management activities seem to take a back seat to this. It seems this is The Way, for the objectives of each camp are less instersecting than I would like on seeing some of the results of a recent SAS-70 Type II audit. The root seems that few are practicing business-level risk management on IT assets and safeguards because the risks are difficult to quantify and express in dollar units as they do in the physical realm. The policies ask for it but the control objectives beat-around-the-bush. Quantifying probabilities and loss expectancies from IT security risk in dollars actually requires monitoring in the first place. Add a certain amount of eye-of-newt and ear-of-bat, and you could come up with an ALE that might point out that some increased vigilance, increased precision of monitoring could result in lower operational cost (from the risk component). If the risk component is not too large, risk acceptance and monitoring of the risk level is an equally good practice. My issue is that most organizations accept unquantifiable risk without even attempting to measure it. This is not good risk management. Others many have sized the potential $risk by eyeball, and are afraid to actually put the $numbers to slide decks because of the $safeguards required to demonstrate $effective risk management. Government departments in Canada are working toward compliance of a different sort. Communications Security Establishment has laid out control objectives in "a series of Baseline Security Requirements" that are prescribed by Canadian Government Security Policy. These control objectives are prescriptive, if unrealistic, for zones of the network. ie: "Continuous" monitoring is prescribed for most network zones. A database often resides in a zone that requires continuous monitoring. The next step is to define what are the attributes of a effective monitoring system. What is the point of an exception monitoring and handling system if it does not generate and handle exceptions? We often talk of monitoring but that's only part of the process. Business types are too literal. Why monitor without identifying exceptions, determining if they are sufficient risk to contain and if necessary eradicate? Too often management are afraid of extra unscoped costs that a investigating the exceptions a monitoring system will inevitably generate. Estimate a reasonable budget we IT security gurus should say "we can start with $x in monitoring and response, and we will measure how much risk we would not manage". For databases specifically, the reports that the control objectives that are inducing are fundamentally misaligned with many web application designs that drive today's business. Few web applications map the application-layer user instance back to the database-layer user instance. However, many current control objectives assume that is true. That's just one instance of the misalignment. Many other objectives are oversimplified and rules-based so the rest of the world can put complex systems into simple little tick-boxes. As an omnibus safeguard, they actually get in the way of practical risk management. IT systems often do not fit into simple little boxes and that is part of the problem. We build cloverleafs at dirt-road intersections to avoid teaching people about the 4-way stop. W -- Wynn Fenwick, Chief Techincal Architect, CGI Managed Security Services -----Original Message----- From: loganalysis-bounces+wynn.fenwick=cgi.com@private [mailto:loganalysis-bounces+wynn.fenwick=cgi.com@private] On Behalf Of Marcus J. Ranum Sent: Wednesday, March 21, 2007 2:25 PM To: Anton Chuvakin; LogAnalysis@private Subject: [logs] Re: on database logging Anton Chuvakin wrote: >Ouch, how about security? I guess we are dealing with some case of >mental inertia here All the current trend toward legislating compliance has accomplished is setting the bar very low, and encouraging companies to look only at meeting that standard. I've had senior IT managers tell me "We are going to do the exact minimum, wherever possible." In log analysis terms, that means that the logs to to a big bucket which is periodically dumped into the compost heap. Nobody'll look in the bucket until someone passes legislation requiring people to LOOK at it. And, of course, when that happens, they'll do the exact minimum, &c... mjr. _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis _______________________________________________ LogAnalysis mailing list LogAnalysis@private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 09:14:20 PST