Sunday, June 04, 2006

Follow-Up to Donn Parker Story

My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight:


Chris Walsh wrote:

> Alrighty.
>
> It's time for a Marines vs. Air Force slapdown!

I should have anticipated that someone on this list would read my blog!

I do not agree with all of Donn's points, and I state in my post some
of his ideas are weak. I would prefer Donn defend himself in person.

However, I am going to stand by this statement:

"As security professionals I agree we are trying to reduce risk, but
trying to measure it is a waste of time."

I agree with Donn that a risk measurement approach has not made us
more secure. That does not mean nothing can be measured. It also
does not mean that measurements are worthless.

Removing the double negatives, I am saying that some things can be
measured, and measurements can be worthwhile.

Rather than spending resources measuring risk, I would prefer to see
measurements like the following:

1. Time for a pen testing team of [low/high] skill with
[external/internal] access to obtain unauthorized access to a
specified asset using [public/custom] tools and [zero/complete] target
knowledge.

Note this measurement contains variables affecting the time to
successfully compromise the asset.

2. Time for a target's intrusion detection team to identify said
intruder (pen tester), and escalate incident details to the incident
response team.

3. Time for a target's incident response team to contain and remove
said intruder, and reconstitute the asset.

These are the operational sorts of problems that matter in the real
world. These are only three small ideas -- not a comprehensive
approach to the problem set.

Sincerely,

Richard

PS: Go Air Force. :)

3 comments:

One Guy Nick said...

Having been an Air Force security 3Cx0 and now being a military contractor...we kick the Marines' butts daily in IT. Those guys are just glorified work group managers. HUA! :)

Anonymous said...

The problem with the first measurement is that there is no objective way to grade pen testers as having high or low skill. You can't grade them by years of experience or college degrees.

The second measurement runs against the first. A successful penetration will occur more quickly if the attacker(s) simply disregard detection--of course, there is the caveat that they could get discovered before they get access. If the attacker's goal is to not be detected, he should proceed very slowly and carefully, generating only a minimum amount of traffic and spreading his activities over a longer period of time to avoid triggering various alert thresholds.

The time taken to contain and remove an intruder will depend on what was compromised, which doesn't make this measurement very useful for comparison.

Richard Bejtlich said...

Steven,

1. I can differentiate among pen testers after talking to them for 30 mins or less. More formally, as part of your selection criteria, have candidates complete one or more exercises to vet their skill levels. I have participated in such exercises.

2. Re detection -- easy: Time for a pen testing team of [low/high] skill with
[external/internal] access to obtain [stealthy/semi-stealthy/unstealthy] unauthorized access to a
specified asset using [public/custom] tools and [zero/complete] target
knowledge.

3. The term "specified asset" answers your "what was compromised" comment.