How do you measure security?

A perennial type of question that comes up is how to know if you are secure, or how to measure your security.  I have spent some time answering variants of that question in several LinkedIn threads.  As you can tell from the many ways of asking the same question and the huge differences of opinion in people's answers, the one underlying trend is that Information Security, as a profession, is not in agreement on what we are doing and why we exist.

If you look at my answers, I consistently attempt to define the terms I use and shift the topic onto what I call risk management.  The basic points I make are:

  1. Information Security is misnamed because it fosters the impression that we can somehow be “secure.”
  2. There isn’t any one list of products that you can buy to make you secure.
  3. Any framework that works off the assumption of “security” to generate metrics that measure how “secure” you are is doomed to failure.
  4. A better view is the concept of risk management where risk is objectively measured and managed to acceptable levels.

The reason I consider a risk management framework superior to an Information Security framework boils down to the scientific concept of risk.  I consider this a fundamental requirement in any risk management framework because it allows an apples to apples comparison of information risk with other types of business risk.  Financial and business risk frameworks already express risk with the basic formula (probability of loss) times (magnitude of loss), annualized; e.g. probable loss aggregated to $10,000/year.  That is a meaningful metric, and it allows a sound business decision when implementing a new business process.  If the expected profit from the new opportunity is $1 million and the expected annualized loss from all threat vectors – information, financial, opportunity loss, etc. – is $10,000, then it makes sense to proceed, with plans in place to absorb the loss.  If the business is comfortable absorbing the loss, or can shift the loss to an insurance instrument, then I would be remiss in recommending a solution that is as “secure” as possible for only $500,000 a year.
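The arithmetic above is simple, but the decision it supports is easier to see when several threat vectors are aggregated and a proposed control is priced against them.  The following is an added worked example, not code from the original post and not a FAIR tool; the threat vectors, their frequencies, the dollar figures and the two controls are all constructed to reproduce the post's $1 million / $10,000 / $500,000 scenario.

```python
"""Annualized loss expectancy (ALE) as a business decision input.

Added example: applies risk = (probability of loss) x (magnitude of loss),
annualized, across several constructed threat vectors, then asks whether a
proposed yearly control spend is justified by the ALE it removes.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatVector:
    name: str
    events_per_year: float  # expected loss events per year (annualized probability)
    loss_per_event: float   # expected magnitude of one loss event, in dollars

    def ale(self) -> float:
        """Annualized loss expectancy contributed by this vector alone."""
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Assumed fraction of each vector's ALE the control removes (vector name -> 0..1).
    reduction: dict = field(default_factory=dict)


def aggregate_ale(vectors) -> float:
    """Total ALE across all threat vectors, in dollars per year."""
    return sum(v.ale() for v in vectors)


def residual_ale(vectors, control) -> float:
    """ALE that remains after the control's assumed reductions are applied."""
    total = 0.0
    for v in vectors:
        frac = control.reduction.get(v.name, 0.0)
        if not 0.0 <= frac <= 1.0:
            raise ValueError(f"reduction for {v.name!r} must be in [0, 1]")
        total += v.ale() * (1.0 - frac)
    return total


def expected_net(expected_profit: float, vectors) -> float:
    """Expected annual profit of the opportunity after expected losses."""
    return expected_profit - aggregate_ale(vectors)


def decide(vectors, control, loss_tolerance: float) -> str:
    """Pick the rational response to a risk, given one candidate control.

    'mitigate'  - the control removes more ALE per year than it costs.
    'accept'    - the control does not pay for itself and the business is
                  comfortable absorbing (or insuring) the remaining loss.
    'transfer_or_redesign' - neither holds; the loss exceeds tolerance and
                  the control is not worth its price, so insure it or change
                  the process.
    """
    ale = aggregate_ale(vectors)
    benefit = ale - residual_ale(vectors, control)
    if control.annual_cost < benefit:
        return "mitigate"
    if ale <= loss_tolerance:
        return "accept"
    return "transfer_or_redesign"


# Constructed sample data: three vectors that aggregate to $10,000/year.
THREATS = (
    ThreatVector("web app compromise", events_per_year=0.10, loss_per_event=50_000.0),
    ThreatVector("lost laptop", events_per_year=2.00, loss_per_event=1_500.0),
    ThreatVector("insider fraud", events_per_year=0.25, loss_per_event=8_000.0),
)
EXPECTED_PROFIT = 1_000_000.0
LOSS_TOLERANCE = 25_000.0  # constructed: what the business will absorb per year

# The "as secure as possible" offer from the post: $500k/year, removes 90% of everything.
GOLD_PLATED = Control("hardened everything", 500_000.0,
                      {t.name: 0.9 for t in THREATS})
# A narrow, cheap control aimed at a single vector.
DISK_CRYPTO = Control("laptop disk encryption", 1_000.0, {"lost laptop": 0.9})

if __name__ == "__main__":
    print(f"aggregate ALE      : ${aggregate_ale(THREATS):,.0f}/year")
    print(f"expected net profit: ${expected_net(EXPECTED_PROFIT, THREATS):,.0f}/year")
    for ctl in (GOLD_PLATED, DISK_CRYPTO):
        print(f"{ctl.name:24s}: {decide(THREATS, ctl, LOSS_TOLERANCE)}")
```

With the constructed numbers the $500,000 control removes $9,000 of a $10,000 ALE and is rejected in favour of absorbing the loss, which is exactly the post's point, while the $1,000 disk encryption control removes $2,700 of ALE and is worth buying.  The decision changes when the inputs change, which is the whole reason to measure rather than to buy.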

I have been fortunate to be exposed to a risk management framework that understands the requirement to objectively measure risk using the same high level risk metric used by other disciplines.  The framework is called Factor Analysis of Information Risk (FAIR), from a company called Risk Management Insight.

How do you feel, Mr. IDS?

I recently answered a LinkedIn question in which the poster wanted people's opinion on Gartner’s take on Intrusion Detection Systems (IDS):

Gartner says that intrusion detection systems are a costly and ineffective investment that does not add an additional layer of security as promised by vendors. The company recommends that enterprises redirect their security expenditures to firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product … Intrusion detection systems are a market failure, and vendors are now hyping intrusion prevention systems, which have also stalled … Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities.

In my response I pointed out that if your ONLY security solution is a list of products from vendors then of course they cannot live up to your expectations.  Here was my response in full:

I guess it's time to repeat my mantra: "Security is not a product." You cannot buy security because you cannot be secure. All you can do is effectively assess and manage risk.

  1. What does an IDS provide if you don't understand the value and location of your business assets, both from the business's perspective and the criminal's perspective? Hint: Just because you don't see the value doesn't mean your competitor or the scam artist doesn't.
  2. What does an IDS provide if you don't know all the paths to those assets and the strength of the controls in place to protect them? The door is locked but the window is open syndrome.
  3. What does the IDS provide if no one knows what is normal and what isn't? I am still amazed when server owners want me to review their logs for "bad stuff." If the owner doesn't know what is normal, how do you expect me to?
  4. What does the IDS provide if no one is looking at it? The IDS is a tool. Tools are used by professionals. Why get one without the other?
  5. What does the IDS provide if it's in the wrong place? This comes back to understanding ALL the paths to your assets.
  6. What does the IDS provide if your security initiatives are a list of products? Unless dedicated professionals are there helping to identify, assess, and help manage your risks then all your IDS will tell you is how much money is walking out the door in lost opportunities.
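Point 3 in the list above is the one that most often turns an IDS into an expensive log generator: nobody has written down what "normal" looks like, so nobody can say what is abnormal.  The following is an added example, not code from the original post or from any IDS product; it shows the minimal step of learning a baseline of who talks to what from a known-good window of connection logs and then flagging only connections that fall outside it.  The log format (`src=… dst=… dport=… proto=…`) and all of the log lines are constructed for the example.

```python
"""Baseline 'what is normal' and flag deviations in connection logs.

Added example. A baseline window of connection records (assumed known-good)
defines, per source host, the set of (destination, port) pairs it normally
talks to. Later records that introduce a pair the host has never used are
flagged. Malformed lines are counted and skipped rather than silently lost.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed log format; real firewall/netflow exports will differ.
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")


class Conn(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str):
    """Return a Conn for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    return Conn(ts, src, dst, int(dport), proto)


def parse_log(text: str) -> Tuple[List[Conn], int]:
    """Parse a whole log; returns (records, number_of_malformed_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
        else:
            records.append(rec)
    return records, bad


def build_baseline(records: List[Conn]) -> Dict[str, Set[Tuple[str, int, str]]]:
    """Per source host, the set of (dst, dport, proto) seen in the baseline window."""
    baseline: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
    for r in records:
        baseline[r.src].add((r.dst, r.dport, r.proto))
    return baseline


def flag_deviations(baseline, records: List[Conn]) -> List[Tuple[Conn, str]]:
    """Return (record, reason) for each connection outside the baseline.

    A host that never appeared in the baseline at all is reported as such;
    a known host using a new (dst, port, proto) triple is reported as a new path.
    """
    flagged = []
    for r in records:
        known = baseline.get(r.src)
        if known is None:
            flagged.append((r, "source host not present in baseline"))
        elif (r.dst, r.dport, r.proto) not in known:
            flagged.append((r, f"new path {r.src} -> {r.dst}:{r.dport}/{r.proto}"))
    return flagged


# Constructed baseline window: a web host (10.0.0.5) and an app host (10.0.0.9).
BASELINE_LOG = """\
2009-03-02T09:00:01 src=10.0.0.5 dst=10.0.1.20 dport=443 proto=tcp
2009-03-02T09:00:07 src=10.0.0.5 dst=10.0.1.20 dport=443 proto=tcp
2009-03-02T09:01:12 src=10.0.0.5 dst=10.0.1.53 dport=53 proto=udp
2009-03-02T09:02:30 src=10.0.0.9 dst=10.0.1.21 dport=1433 proto=tcp
2009-03-02T09:03:45 src=10.0.0.9 dst=10.0.1.53 dport=53 proto=udp
"""

# Constructed later window: one normal repeat, two new paths, one malformed line.
NEW_LOG = """\
2009-03-03T09:00:03 src=10.0.0.5 dst=10.0.1.20 dport=443 proto=tcp
2009-03-03T09:04:10 src=10.0.0.5 dst=10.0.1.21 dport=1433 proto=tcp
2009-03-03T09:05:22 src=10.0.0.9 dst=203.0.113.7 dport=6667 proto=tcp
2009-03-03T09:05:23 src=10.0.0.9 dst=10.0.1.53 dport=53 proto=udp
this line is not a connection record
"""


def run() -> List[Tuple[Conn, str]]:
    """Build the baseline from BASELINE_LOG and flag deviations in NEW_LOG."""
    base_records, _ = parse_log(BASELINE_LOG)
    new_records, _ = parse_log(NEW_LOG)
    return flag_deviations(build_baseline(base_records), new_records)


if __name__ == "__main__":
    for rec, reason in run():
        print(f"{rec.ts} {reason}")
```

Against the constructed data the web host suddenly talking straight to the database port and the app host reaching an outside address on 6667 are the only two lines reported; the repeat of normal traffic and the DNS lookups are silent.  The baseline is deliberately naive, and in practice the asset owner has to confirm that the baseline window really was clean, which is precisely the knowledge the answer above says has to exist before the IDS can earn its keep.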

Closed Source or Open Source?

This is my answer to a LinkedIn question on choosing between closed and open source products.

Open source is definitely a factor to consider as part of a comprehensive needs assessment. What are you/your client attempting to achieve?
What does their environment already contain?
What impact from a user/maintenance standpoint?
Is there in house expertise to support it?
Does the product meet all the business requirements?
What are the support costs?
Etc.

Any mature implementation plan will treat the licensing requirements - closed or open – as one part of the selection criteria. Once we step back from the closed/open debate and look at licensing in general, then the specific clauses in each license matter. Not all closed source licenses are the same, and not all open source licenses are the same. Each specific license has requirements and limitations it imposes on you – it is these limitations and impositions that must be weighed, not the closed/open label.

Defining INFOSEC

The excerpt below is from my answer to a LinkedIn question. I was attempting to point out that we already have the tools and methods we need to do our jobs, if we only take the time to realize what our jobs actually are.

I love the saying "There is nothing new in the world, just different perspectives." INFOSEC is no different. We are grappling with the age old impact of human nature at its worst. Greed, malice, hate, envy, spite - age old threats to any human endeavor. I once had a debate with another INFOSEC professional who was arguing that our industry had failed because we weren't *secure* yet. I ask you: how can you secure something without changing human nature? After centuries of working on the same issue we still find the need for police; should we say we have failed because there is still crime?
As INFOSEC matures we will realize that we are not something new or special. We are just facing the same dark side of human nature expressed through different tools. Now we can sit here feeling special, grappling for new ways to deal with the issue, or realize the similarities, apply centuries of progress to the issue, and go with what already works.
So what are we to do? First off, dump that INFOSEC moniker; there is no such thing as security since there is no such thing as being "secure." All we can do is effectively and efficiently analyze and manage risk. By reducing the opportunities for crime to happen we can reduce the risk of loss. Again, this is a human psychology issue: we have to deter the criminal from bothering us. I refuse to speak in INFOSEC best practices. I view my job as risk management and loss prevention. While it isn't sexy, thinking of my job in the same terms as a security guard's makes my responses more effective. Now if only that CD drive would hold donuts ....

How should best practices be developed, who should be involved, and how are they shared in a manner that will make them most credible?

My answer to the question was long and rambling.

Your question assumes that these decisions are best made using a top down organization where certain select few experts decide what should and shouldn't be. I am not going to debate that point; I just want to highlight a hidden assumption and offer a different way.
Humans as a species work from a bottom up thought process. We, as social animals, watch and emulate others. We form opinions of others based on our past experiences with them, or through a network of trusted opinions of others that we call someone's reputation. When someone whose reputation you respect offers an opinion about a way of doing something, you will at least consider it. The idea itself has a certain fitness depending on its ability to solve the problem at hand. The ideas that are the fittest tend to get passed on and those that aren't - don't. The fitness of the ideas that people recommend operates in a feedback loop affecting the reputations of those that pass them on; those individuals that consistently pass on fit ideas gain a reputation as an expert in their field, etc. Since human society is a scale free network, certain ideas hit a tipping point of acceptance where the aggregate reputation of the individuals passing on the idea outweighs any fitness of the idea itself. E.g. the increase to my reputation when I pass on a fit idea is 1 to 1, while the potential decrease to my reputation from passing on an unfit idea is 1 to n, where the loss in reputation is diluted among everyone passing on the idea. This effect could be seen in the saying "No one ever got in trouble recommending IBM," which became "No one ever got in trouble recommending Microsoft."
So what are best practices? They are nothing more than the collection of ideas that have exceeded some threshold of saturation in the scale free network of human society. Does that make them good? Sure, at a minimum they survived and out competed the competitor ideas that died off. The whole survival of the fittest thing. Are they the best solution to your specific problems? I wouldn't bet on it.
The answer isn't to decide who should create best practices. The goal is not to base your security program on them. Your program should be based on a sound risk management framework that objectively measures the risk that business decisions carry and selects the fittest controls to reduce the risk to acceptable levels.
I am a convert to the Factor Analysis of Information Risk (FAIR) framework. Measuring and selecting solutions based on actual needs is always better than playing the keeping up with the neighbors game.
My fundamental point I keep making is that this computer stuff isn't new. All we are doing is continuing the same old human nature with new tools.

Blog restart

Well, after a long absence I plan on restarting this blog. For those of you not using LinkedIn, I have been spending my energy answering people's security questions in their forums. I plan on taking some of the questions and my answers that I found interesting and reposting them here. Stay tuned.