Nabble - Security - Papers

Re: Vulnerability Assessment Help Needed.

2007-09-29T22:10:31Z

If you are frustrated about the virus infection,nothing serious ,Select AyRecovery that can prevent your PC from virus infection, Trojan effectively.
A very quick recovery software--ayrecovery,it can not only provide PC ROLLBACK, but INSTANT RECOVERY and eliminate the system downtime and PC maintenance cost.

Emmanuel Baffo wrote:

Hello everyone,

I am trying to gather the following information for a management report and would really appreciate any information that anyone can provide...sources of such info will be greatly appreciated as well.

1) What are other companies doing when they detect or uncover security vulnerabilities on exposures such as unsecure server services?

2) Can you provide statistics or metrics.

3 ) What happens when nothing is done?... What are the company's risks and exposures?

Thank you in advance,

Emmanuel Baffo, CISSP

Vulnerability Assessment Help Needed.

2005-09-14T10:23:37Z

Hello everyone,

I am trying to gather the following information for a management report and would really appreciate any information that anyone can provide...sources of such info will be greatly appreciated as well.

1) What are other companies doing when they detect or uncover security vulnerabilities on exposures such as unsecure server services?

2) Can you provide statistics or metrics.

3 ) What happens when nothing is done?... What are the company's risks and exposures?

Thank you in advance,

Emmanuel Baffo, CISSP

RE: Incident Regarding to CIA

2005-09-08T08:46:31Z

Toto,

Here is a sample list that might be able to help you out and build upon.

Kind regards,

Alberto Cardona II, CCSE, MCP, CNA
VP of Information Security - Professional Services

=====================================

1. Unauthorized Access
- Digital
Definition:
An unauthorized user has infiltrated or compromised a system or
network

- Ex-employee/Contractor/Business Partner
Definition:
Ex-employee/contractor/business partner accessing or trying to access
networks / systems.

- Physical
Definition:
An unauthorized user has infiltrated the physical premises

2. Denial of Service
- Denial of Service (DoS)
Definition:
A "denial-of-service" attack is characterized by an explicit attempt
by attackers to prevent legitimate users of a service from using that
service

- Distributed Denial of Service (DDoS)
Definition:
An attack initiated from many individual hosts (acting as drones)
controlled from another central host in order to prevent legitimate users of
a service from using that service

3. Malware
- Virus
Definition:
A program or software code that is loaded onto a system without
user?s knowledge and runs without authorization. Also capable replicate
themselves or destroying data

- Worm
Definition:
A program or algorithm designed to replicate itself over a computer
network and usually performs malicious actions

- Trojan
Definition:
Designed to cause damage or do something malicious to a system, but
disguised as something useful.

- Spyware
Definition:
A program or software code that covertly gathers user information
through the user's Internet connection without his or her knowledge, usually
for advertising purposes

4. Inappropriate Usage
- Policy Non-compliance
Definition:
All employees and other person when they act on behalf of the company
(consultants, business partners) are to abide by the Company Corporate
Policies. Any violations of corporate policies are considered as
?non-compliance? incident. For a list of detailed policies and procedures
please refer to ?IS Policies, Standards & Procedures? .

- Dictionary \ Password Cracking, Brute Force
Definition:
A dictionary attack is in essence a password-guessing attack.
Brute-force attack looks at all possible keys

- Data Replay
Definition:
Capture network traffic (usually authentication credentials) to play
back at a later time and assume identity

- Passive Network Traffic Capture (sniffing), Eavesdropping
Definition:
Reconnaissance method to determine user credentials, traffic
patterns, and available services

- DNS Zone Transfer Requests or poisoning (Internal Network)
Definition:
Unauthorized requests to obtain website?s DNS registration
information

- DNS Zone Transfer poisoning (Internal Network)
Definition:
Unauthorized requests to corrupt website?s DNS registration
information

- Port Sweeping (TCP \ UDP \ ICMP) (Internal Network)
Definition:
Reconnaissance method to determine system vulnerabilities and
?listening? ports. Used to build more focused attacks

- Spoofing
Definition:
Creation of TCP/IP packets using somebody else's IP address

- Inappropriate browsing
Definition:
Browsing non-business related offensive web sites using Internet
infrastructure

- Inappropriate email
Definition:
Sending / Receiving / Forwarding non-business related emails using
Email infrastructure

- Inappropriate Hosting
Definition:
Hosting non-business related FTP servers, Web servers, Shares, Email
systems, News groups using infrastructure

- Hoax
Definition:
Sending / Receiving / Forwarding false messages / deceiving intent
messages using email or other communicating methods

5. External Attacks
- Spoofing
Definition:
Creation of TCP/IP packets using somebody else's IP address

- Network Traffic Redirection, Man-In-The-Middle, Data Manipulation,
Malformation (URL or URI)
Definition:
Interception of network traffic with intent to hijack the session
and modify the data payload or data stream.

- DNS Zone Transfer Requests or poisoning (External Public Network)
Definition:
Unauthorized requests to obtain website?s DNS registration
information

- DNS Zone Transfer poisoning (External Public Network)
Definition:
Unauthorized requests to corrupt website?s DNS registration
information

- Port Sweeping (TCP \ UDP \ ICMP) (External Public Network)
Definition:
Reconnaissance method to determine system vulnerabilities and
?listening? ports. Used to build more focused attacks

- Data
Definition:
A unauthorized or valid user gains circuitous or direct access to
proprietary company information retained on data storage or processing
systems and compromises that data with malicious, illicit intent

>From: "Toto A Atmojo" <toto@...>
>To:
><security-basics@...>,<pen-test@...>,<security-management@...>,<secpapers@...>,
><security-basics@...>
>Subject: Incident Regarding to CIA
>Date: Wed, 7 Sep 2005 00:36:36 +0700
>
>Dear all,
>
>
>
>Right now I'm collecting any Incident regarding to CIA (Confidentiality,
>Integrity and Avaibility).
>
>But I'm afraid that the list is not completed. Is there any documentation
>regarding this issue?
>
>
>
>Example of list:
>
>
>
>Incident regarding to Availability:
>
>1. DOS
>2. Disaster
>3. etc
>
>
>
>Can anyone send me the complete incident?
>
>Incident not only causes by cracker, but outside human touch are acceptable
>also.
>
>
>
>
>
>Thanks.
>
>
>

Incident Regarding to CIA

2005-09-06T11:36:36Z

Dear all,

Right now I’m collecting any Incident regarding to CIA (Confidentiality, Integrity and Avaibility).

But I’m afraid that the list is not completed. Is there any documentation regarding this issue?

Example of list:

Incident regarding to Availability:

DOS
Disaster
etc

Can anyone send me the complete incident?

Incident not only causes by cracker, but outside human touch are acceptable also.

Thanks.

CIA checklist

2005-08-29T17:56:54Z

Dear all,

I’m looking for the checklist regarding CIA (Confidentiality, Integrity and Availability) rules.

The format may look like this:

If a system want to be classified comply Confidentiality, it must be able to prevent this kind of attack:

If a system want to be classified comply Integrity, it must be able to prevent this kind of attack:

I think this checklist will be very useful for system administrator that really concern on security. This list also give us guidance on part that need to be secure, or need more attention regarding security.

Any paper or documentation about this issue will be very appreciated.

Thanks

Xcon2005 papers released

2005-08-28T21:36:11Z

hi all:

Xcon2005 closed successful on Aug 20th, 2005

Those papers released in http://xcon.xfocus.org/
Chinese version papers in http://xcon.xfocus.net/

Hacking Windows CE..............................................-- by San
Windows Kernel Pool Overflow Exploitation ......................-- by SoBeIt
Advanced trojan in Grub ........................................-- by CoolQ
Structural Signature and Signature's Structure..................-- by Funnywei
New thoughts in ring3 nt rootkit ...............................-- by Baiyuanfan
Anti-Virus Heuristics...........................................-- by Drew
Reconfigurable Synchronization Technique........................-- by Cawan
Java & Secure Programming.......................................-- by Marc Schoenefeld
Security in development environment ...........................-- by ICBM
Research on Same Source Feature Measuring Technology of Software-- by Liu,Xin
Profiling Malware and Rootkits from Kernel-Mode ................-- by Matt Conover( Shok)
I want to see farther ..........................................-- by TombKeeper
New architecture and approach in Network Virus Detction ........-- by Seak
Talking About 0day .............................................-- by Sowhat

--
Best Regards
alert7@...

Xfocus TEAM
http://www.xfocus.org

Bay Area Security User Group

2005-08-08T05:29:15Z

All,

I recently moved from Paris to the Bay Area, working for a company named Wind River where I am responsible for Information Security and currently I try to establish a security group in the bay area. The goal is to provide a forum for experts to encourage discussion and share expertise in understanding the latest trends and security threats facing computer networks, systems and data.

Members should be Information Security practitioners, managers, network administrators, etc.

The meetings are intended to be performed on a monthly basis. The location hasn’t been verified yet but I am looking at hosting the event in Alameda.

The meetings will not be used for solicitation purposes from any vendors. Although, some speakers may be from specific vendors, the emphasis will be on the concepts and solutions and not specific products or services.

Contact me if you are interested in becoming a member and everything is still open for discussions therefore feel free to email me suggestions. Remember: the plan is to establish the possibility to exchange of knowledge and skills among a wide variety of information security experts.

Steven Salaets

Re: Is there any way to measure IT Security??

2005-08-04T09:09:40Z

"Measuring IT security" is a broad concept, but a comprehensive risk assessment is the best way to gage overall security posture. Vulnerability assessment is just one piece of that. Standards for best practice, like ISO17799, force you to consider every part of your organization as it relates to infosec. There are many risk assessment frameworks, guidelines and tools available from sites like sans.org, nist.gov, issa.org, etc., as well as commercial offerings.

Unfortunately, there's no cut & dried scoring system, nor a universally adopted measurement standard, so keep your expectations (and management's expectations) realistic. Involve EVERYONE in your assessment and in your security program. I've seen companies ignore outside contractors, cleaning services and maintenance workers because they weren't permanent, full-time employees. That's like ignoring the key under the door mat.

- Rich

"Toto A Atmojo" <toto@...>

07/28/2005 06:02 AM

To	<pen-test@...>, <security-management@...>, <secpapers@...>, <focus-linux@...>, <libnet@...>, <firewalls@...>, <security-basics@...>
cc
Subject	Is there any way to measure IT Security??

Dear all,

Currently I’m looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and Availability), that is every organization which want to called secure must be guarantee that their system comply this matter.
But the problem is, we need a tool/technique to measure how secure are we. Therefore, wee need a tool/technique to measure how close that our system status now to CIA.

Please share your experience about this matter.
If there any link about this issue, I really appreciate if you share to us (You may contact me privately) .

Best Regs,

Toto

RE: Is there any way to measure IT Security??

2005-08-03T23:17:16Z

RE: Is there any way to measure IT Security??

SSE CMM might be a good approach for "measuring security". The library in http://www.sse-cmm.org/lib/lib.asp may be of help. One of the reasons for development of SSE - CMM is "advance security engineering as a defined, mature and measurable discipline"

Most personnel forget that defining, using and implementing security processes are very critical to the Organization. How effectively these have been implemented measures effectiveness of the security. While Technology and the tools can provide that much security, unless people are aware of processes that are involved in keeping, using, maintaining, updating and upgrading these devices, there is no use of the devices. Additionally, one should also look at effectively training people to ensure that they follow the process and use the tools correctly.

While a VA and a PT can effectively provide a measure of security from the technical angle, process-wise BS7799 and IOS17799 provide a really good benchmark. SSE - CMM adds to provide a measurable value to the BS and ISO.

More important do a good risk analysis - this is the foundation. Understand what affects, you how, why, when........ The risk would be completely different for the same device in multiple topologies and the best tool I guess is the human brain for this

Rgds,
Shankar

-----Original Message-----
From: Marriott, Bill (US - Dallas) [bmarriott@...]
Sent: Thursday, August 04, 2005 1:25 AM
To: John Alexander; Gary Everekyan; irony@...; toto@...
Cc: pen-test@...; security-management@...; secpapers@...; security-basics@...

Subject: RE: Is there any way to measure IT Security??

The NSA IAM/IEM is a methodology for managing controlled
penetration/vulnerability for a particular system/app. The OWASP is for
web application testing. These might give you an idea of security
posture of one server or application, but not overall for your company.
This kind of testing makes up a small amount of managing a secure
organization.

Take a look at the new ISO version, 2005. This fall, there will be a
different ISO standard, 27001, which will allow a company to be
certified against the standard.
http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html

Hope that helps.
/bpm

-----Original Message-----
From: John Alexander [aj@...]
Sent: Wednesday, August 03, 2005 4:21 AM
To: Gary Everekyan; irony@...; toto@...
Cc: pen-test@...; security-management@...;
secpapers@...; focus-linux@...;
libnet@...; firewalls@...;
security-basics@...
Subject: Re: Is there any way to measure IT Security??

Basically IT Security covers a gamut of areas, i am just listing some ,
on the fly

* Antivirus Solutions
* Intrusion Prevention
* Intrusion Detection
* Patch Management
* Firewall
* VPN Gateway
* Vulnerability Assessment & Reporting
* Identity Access Management (single-sign-on, SOX/HIPAA/GLB
compliance....)
* Network Security
* Security Policy Compliance Management
* AntiSpam (mail protection software)
* Web Content Filtering

I'm not sure whether we have one-size-fits-all solution which can help
us in measuring your enterprise IT Security posture.

I can list some good tools i have come across personally like NMap,
ScanFi, Nessus, IdentityAccess Manager,GFI ....but the list is endless,
so give them a try in google :-)

----- Original Message -----
From: "Gary Everekyan" <karo.onnik@...>
To: irony@..., toto@...
Subject: Re: Is there any way to measure IT Security??
Date: Tue, 02 Aug 2005 14:32:30 -0400

>
> Google Risk reporting and you will get whole list of research links.
> It would also be helpful to look at owasp www.owasp.org
> HTH
> Regards,
>
> Gary Everekyan
> CISSP, CISM, ISSAP, ISSPCS, MCSE, MCT
> garyeve@...
> "High achievement always takes place in the framework of high
> expectation" -Jack Kinder
>
>
> -----Original Message-----
> From: "Larry Marin (Irony Account)" [irony@...]
> Date: 08/02/2005 01:09 PM
>
> You should check out NSA IAM/IEM Methodology...it works well for me.
> http://www.iatrp.com/iam.cfm
>
>
> Toto A Atmojo wrote:
>
> > Dear all,
> >
> > Currently I'm looking for a tool, or a technique to measure IT
security?
> >
> > The baseline for security is CIA (Confidentiality, Integrity and
> > Availability), that is every organization which want to called
> > secure must be guarantee that their system comply this matter.
> >
> > But the problem is, we need a tool/technique to measure how
> > secure are we. Therefore, wee need a tool/technique to measure
> > how close that our system status now to CIA.
> >
> > Please share your experience about this matter.
> >
> > If there any link about this issue, I really appreciate if you
> > share to us (You may contact me privately) .
> >
> > Best Regs,
> >
> > Toto
> >

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

------------------------------------------------------------------------
------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
------------------------------------------------------------------------
-------

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. [v.E.1]

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

RE: Is there any way to measure IT Security??

2005-08-03T13:55:22Z

This is a good list, but somewhat incomplete. I think you should
consider that security is not a destination, it is a process. There are
plenty of sources out there that you can measure yourself against, from
a process point of view. Check out the ISO17799 standard or the BS7799
standard, they outline the processes which go into a well developed
security program. Or look at the Generally Accepted Information
Security Principles (under development -
http://www.issa.org/gaisp/gaisp.html).

The NSA IAM/IEM is a methodology for managing controlled
penetration/vulnerability for a particular system/app. The OWASP is for
web application testing. These might give you an idea of security
posture of one server or application, but not overall for your company.
This kind of testing makes up a small amount of managing a secure
organization.

Take a look at the new ISO version, 2005. This fall, there will be a
different ISO standard, 27001, which will allow a company to be
certified against the standard.
http://www.iso.org/iso/en/commcentre/pressreleases/2005/Ref963.html

Hope that helps.
/bpm

-----Original Message-----
From: John Alexander [mailto:aj@...]
Sent: Wednesday, August 03, 2005 4:21 AM
To: Gary Everekyan; irony@...; toto@...
Cc: pen-test@...; security-management@...;
secpapers@...; focus-linux@...;
libnet@...; firewalls@...;
security-basics@...
Subject: Re: Is there any way to measure IT Security??

Basically IT Security covers a gamut of areas, i am just listing some ,
on the fly

* Antivirus Solutions
* Intrusion Prevention
* Intrusion Detection
* Patch Management
* Firewall
* VPN Gateway
* Vulnerability Assessment & Reporting
* Identity Access Management (single-sign-on, SOX/HIPAA/GLB
compliance....)
* Network Security
* Security Policy Compliance Management
* AntiSpam (mail protection software)
* Web Content Filtering

I'm not sure whether we have one-size-fits-all solution which can help
us in measuring your enterprise IT Security posture.

I can list some good tools i have come across personally like NMap,
ScanFi, Nessus, IdentityAccess Manager,GFI ....but the list is endless,
so give them a try in google :-)

----- Original Message -----
From: "Gary Everekyan" <karo.onnik@...>
To: irony@..., toto@...
Subject: Re: Is there any way to measure IT Security??
Date: Tue, 02 Aug 2005 14:32:30 -0400

security?

> >
> > The baseline for security is CIA (Confidentiality, Integrity and
> > Availability), that is every organization which want to called
> > secure must be guarantee that their system comply this matter.
> >
> > But the problem is, we need a tool/technique to measure how
> > secure are we. Therefore, wee need a tool/technique to measure
> > how close that our system status now to CIA.
> >
> > Please share your experience about this matter.
> >
> > If there any link about this issue, I really appreciate if you
> > share to us (You may contact me privately) .
> >
> > Best Regs,
> >
> > Toto
> >

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

------------------------------------------------------------------------
------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
------------------------------------------------------------------------
-------

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message. Any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. [v.E.1]

Re: Is there any way to measure IT Security??

2005-08-03T09:34:56Z

Larry,

I have worked for major fortune 100 and 500 companies. Some of these
companies use a product called Enterprise Security Management and is made by
Archer (www.archer-tech.com). It is highly customizable and you are able to
setup different metrics to monitor. It ties in and correlates the different
facets of an InfoSec program:

- Threat Management
- Incident Management
- Asset Management
- Risk Management
- Policy Management

You can set up different gauges, metrics and report on your company security
posture.
Below are the different modules:

Incident Management:
Report incidents, manage their escalation, track investigations and analyze
resolutions.
Key features:
- Based on the CERT Security Incident Response Handbook
- Easily open, prioritize and track security incidents with built-in
workflow.
- Perform impact analyses of incidents on critical assets and business
processes.
- Manage incident escalation, investigations and forensic activities.
- Track remediation efforts and document incident postmortem.
- Manage response team contact information, processes and procedures.

Threat Management:
Track threats through a comprehensive early warning system to help prevent
system compromise.
Key features:
- Receive real-time intelligence feeds from iDEFENSE, Symantec or TruSecure.
- Filter alert notifications based on your environment.
- Prioritize remediation plans and corrective actions.
- Utilize a CVE-compliant threat and vulnerability database.
- Integrate with your existing vulnerability scanning tools.
- Search for data using a powerful reporting engine with built-in and custom
reports.

Asset Management:
Manage enterprise assets and their relationships to secure them according to
management expectations.
Key features:
- Build the asset database
- Define groups of assets and assign individual responsibilities.
- Tie policies, baselines and procedures to specific assets
- Filter real-time alerts based on the assets under your control
- Manage the activities required to secure those assets.
- Document business criticality for an asset in terms of confidentiality,
integrity and availability.
- Link critical assets to the business processes they support.
- Fully integrate with Archer Policy, Threat, Risk and Incident Management
solutions.
- Import data from third-party discovery, scanning and asset management
tools.
- Track vulnerabilities, remediation efforts and configuration changes.
- Tie in to Change Managment System
- Filter real-time alerts and other security content.
- Utilize advanced reporting and analysis tools.

Risk Management:
http://www.archer-tech.com/solutions/riskmgmt.html
Perform online risk assessments to determine the proper controls to
implement based on use and risk.
Key features:
- Utilize integrated risk management methodology based on industry
standards.
- Generate Online risk assessment questionnaires
- Generate Asset risk scorecards and actionable plans for managing your
enterprise information risk.
- Automate the risk assessment process.
- Employ predefined and customizable assessment templates.
- Build online risk assessment questionnaires.
- Create risk scorecards and profiles.
- Search for data using advanced management reporting tools.

Policy Management:
http://www.archer-tech.com/solutions/policymgmt.html
Create policies, distribute them online, educate and train employees and
track compliance.
Key features:
- Creation and Administration:
Link policies to the industry, regulatory or corporate standards they
support.
Attach relevant files to policies (procedures, flowcharts, examples,
images, etc.).
Utilize content workflow features for version control and management
approval.
- Communication and Distribution
Display policies to users in an easy-to-understand tree format.
Filter and view policies by job function.
Alert users of changes to existing policies or new policies via email.
Allow users to perform keyword searches to quickly find specific
information among policies.
Enable users to export policy content directly into Word, Excel, HTML,
CSV or XML formats.
Set up, maintain and moderate discussion forums for specific users and
groups.
- Tracking and Reporting
Receive online acknowledgement that users have read and accepted
specific policies.
Monitor and report on user access to specific policies.
Track exceptions that have been granted for specific policies and the
dates exceptions will expire.
Allow users to report policy violations.
Track policy violations by date of occurrence and date of remediation
for compliance.
Utilize the full policy compliance reporting capability.
- Policy Library
Access a library of policies and standards that have been developed by
leading information security subject matter experts for managing
compliance with industry regulations and industry-specific legislation.
- All standards in the Policy Library have been mapped to the following
leading industry standards:
ISO/IEC 17799 (Code of Practice for Information Security Management)
Information Security Forum (The Forum?s Standard of Good Practice)
FFIEC Security Handbook
Health Insurance Portability Accountability Act (HIPAA) Final Ruling
European Union Directive on Data Protection
Basel II
CobIT
COSO
Monetary Authority of Singapore?s ?Technology Risk Management Guidelines

Kind regards,

Alberto Cardona II, CCSE, MCP, CNA
VP of Information Security - Professional Services

>From: "Larry Marin (Irony Account)" <irony@...>
>To: Toto A Atmojo <toto@...>
>CC: pen-test@...,security-management@...,
>secpapers@...,focus-linux@...,
>libnet@...,firewalls@...,
>security-basics@...
>Subject: Re: Is there any way to measure IT Security??
>Date: Thu, 28 Jul 2005 12:29:57 -0400
>
>You should check out NSA IAM/IEM Methodology...it works well for me.
>http://www.iatrp.com/iam.cfm
>
>
>Toto A Atmojo wrote:
>
>>Dear all,
>>
>>Currently I?m looking for a tool, or a technique to measure IT security?
>>
>>The baseline for security is CIA (Confidentiality, Integrity and
>>Availability), that is every organization which want to called secure must
>>be guarantee that their system comply this matter.
>>
>>But the problem is, we need a tool/technique to measure how secure are we.
>>Therefore, wee need a tool/technique to measure how close that our system
>>status now to CIA.
>>
>>Please share your experience about this matter.
>>
>>If there any link about this issue, I really appreciate if you share to us
>>(You may contact me privately) .
>>
>>Best Regs,
>>
>>Toto
>>

------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------

Re: Is there any way to measure IT Security??

2005-08-03T03:21:02Z

Basically IT Security covers a gamut of areas, i am just listing some , on the fly

* Antivirus Solutions
* Intrusion Prevention
* Intrusion Detection
* Patch Management
* Firewall
* VPN Gateway
* Vulnerability Assessment & Reporting
* Identity Access Management (single-sign-on, SOX/HIPAA/GLB compliance....)
* Network Security
* Security Policy Compliance Management
* AntiSpam (mail protection software)
* Web Content Filtering

I'm not sure whether we have one-size-fits-all solution which can help us in measuring your enterprise IT Security posture.

I can list some good tools i have come across personally like NMap, ScanFi, Nessus, IdentityAccess Manager,GFI ....but the list is endless, so give them a try in google :-)

----- Original Message -----
From: "Gary Everekyan" <karo.onnik@...>
To: irony@..., toto@...
Subject: Re: Is there any way to measure IT Security??
Date: Tue, 02 Aug 2005 14:32:30 -0400

>
> Google Risk reporting and you will get whole list of research links.
> It would also be helpful to look at owasp www.owasp.org
> HTH
> Regards,
>
> Gary Everekyan
> CISSP, CISM, ISSAP, ISSPCS, MCSE, MCT
> garyeve@...
> "High achievement always takes place in the framework of high
> expectation" -Jack Kinder
>
>
> -----Original Message-----
> From: "Larry Marin (Irony Account)" [irony@...]
> Date: 08/02/2005 01:09 PM
>
> You should check out NSA IAM/IEM Methodology...it works well for me.
> http://www.iatrp.com/iam.cfm
>
>
> Toto A Atmojo wrote:
>
> > Dear all,
> >
> > Currently Im looking for a tool, or a technique to measure IT security?
> >
> > The baseline for security is CIA (Confidentiality, Integrity and
> > Availability), that is every organization which want to called
> > secure must be guarantee that their system comply this matter.
> >
> > But the problem is, we need a tool/technique to measure how
> > secure are we. Therefore, wee need a tool/technique to measure
> > how close that our system status now to CIA.
> >
> > Please share your experience about this matter.
> >
> > If there any link about this issue, I really appreciate if you
> > share to us (You may contact me privately) .
> >
> > Best Regs,
> >
> > Toto
> >

Re: Is there any way to measure IT Security??

2005-08-02T12:32:30Z

Google Risk reporting and you will get whole list of research links.

It would also be helpful to look at owasp www.owasp.org

HTH

Regards,

Gary Everekyan

CISSP, CISM, ISSAP, ISSPCS, MCSE, MCT
garyeve@...
"High achievement always takes place in the framework of high expectation" -Jack Kinder

-----Original Message-----
From: "Larry Marin (Irony Account)" [irony@...]
Date: 08/02/2005 01:09 PM

You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm

Toto A Atmojo wrote:

> Dear all,
>
> Currently Im looking for a tool, or a technique to measure IT security?
>
> The baseline for security is CIA (Confidentiality, Integrity and
> Availability), that is every organization which want to called secure
> must be guarantee that their system comply this matter.
>
> But the problem is, we need a tool/technique to measure how secure are
> we. Therefore, wee need a tool/technique to measure how close that our
> system status now to CIA.
>
> Please share your experience about this matter.
>
> If there any link about this issue, I really appreciate if you share
> to us (You may contact me privately) .
>
> Best Regs,
>
> Toto
>

RE: Is there any way to measure IT Security??

2005-07-29T00:27:56Z

Toto,

I am afraid that no tool can fulfill your requirement. I think in order to be able to measure the effectiveness of your IT security controls; you should first start with defining security policies fitting your organizational requirements. Based on these policies and your corporate security strategy you can define security metrics to measure conformance with the security policies. As an example the number/percentage of audited/security accredited systems (against the system security policy) is a metric you can use in order to measure the effectiveness of your system security policy (preventive control).

I wouldn’t rather think in tools, but processes within your IT security department to help you out drive performance, and achieve policy compliance.

Hope this helps

Salah

From: Toto A Atmojo [mailto:toto@...]
Sent: Thursday, July 28, 2005 12:02 PM
To: pen-test@...; security-management@...; secpapers@...; focus-linux@...; libnet@...; firewalls@...; security-basics@...
Subject: Is there any way to measure IT Security??

Dear all,

Currently I’m looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and Availability), that is every organization which want to called secure must be guarantee that their system comply this matter.

But the problem is, we need a tool/technique to measure how secure are we. Therefore, wee need a tool/technique to measure how close that our system status now to CIA.

Please share your experience about this matter.

If there any link about this issue, I really appreciate if you share to us (You may contact me privately) .

Best Regs,

Toto

RE: Is there any way to measure IT Security??

2005-07-28T19:38:16Z

Hi Guys,

Have you try out with MBSA Tool that provided by Microsoft.This tool can used for measure what are the patches install on your machine.Nevertheless , this tool used to measure password strength and account information.

Regards,

Arasu

-----Original Message-----
From: Toto A Atmojo [mailto:toto@...]
Sent: Thursday, July 28, 2005 6:02 PM
To: pen-test@...; security-management@...; secpapers@...; focus-linux@...; libnet@...; firewalls@...; security-basics@...
Subject: Is there any way to measure IT Security??

Dear all,

Currently I’m looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and Availability), that is every organization which want to called secure must be guarantee that their system comply this matter.

But the problem is, we need a tool/technique to measure how secure are we. Therefore, wee need a tool/technique to measure how close that our system status now to CIA.

Please share your experience about this matter.

If there any link about this issue, I really appreciate if you share to us (You may contact me privately) .

Best Regs,

Toto

RE: Is there any way to measure IT Security??

2005-07-28T17:17:16Z

17799 - part2
SANS have a few measures
The NSA and NIST methodologies are good
ITOL
COSO
COBIT

Lots and the list goes on....

Craig

-----Original Message-----
From: Larry Marin (Irony Account) [mailto:irony@...]
Sent: 29 July 2005 2:30
To: Toto A Atmojo
Cc: pen-test@...; security-management@...;
secpapers@...; focus-linux@...;
libnet@...; firewalls@...;
security-basics@...
Subject: Re: Is there any way to measure IT Security??

You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm

Toto A Atmojo wrote:

> Dear all,
>
> Currently I'm looking for a tool, or a technique to measure IT
security?
>
> The baseline for security is CIA (Confidentiality, Integrity and
> Availability), that is every organization which want to called secure
> must be guarantee that their system comply this matter.
>
> But the problem is, we need a tool/technique to measure how secure are

> we. Therefore, wee need a tool/technique to measure how close that our

> system status now to CIA.
>
> Please share your experience about this matter.
>
> If there any link about this issue, I really appreciate if you share
> to us (You may contact me privately) .
>
> Best Regs,
>
> Toto
>

Re: Is there any way to measure IT Security??

2005-07-28T10:29:57Z

You should check out NSA IAM/IEM Methodology...it works well for me.
http://www.iatrp.com/iam.cfm

Toto A Atmojo wrote:

> Dear all,
>
> Currently I’m looking for a tool, or a technique to measure IT security?
>
> The baseline for security is CIA (Confidentiality, Integrity and
> Availability), that is every organization which want to called secure
> must be guarantee that their system comply this matter.
>
> But the problem is, we need a tool/technique to measure how secure are
> we. Therefore, wee need a tool/technique to measure how close that our
> system status now to CIA.
>
> Please share your experience about this matter.
>
> If there any link about this issue, I really appreciate if you share
> to us (You may contact me privately) .
>
> Best Regs,
>
> Toto
>

Is there any way to measure IT Security??

2005-07-28T04:02:09Z

Dear all,

Currently I’m looking for a tool, or a technique to measure IT security?

The baseline for security is CIA (Confidentiality, Integrity and Availability), that is every organization which want to called secure must be guarantee that their system comply this matter.

But the problem is, we need a tool/technique to measure how secure are we. Therefore, wee need a tool/technique to measure how close that our system status now to CIA.

Please share your experience about this matter.

If there any link about this issue, I really appreciate if you share to us (You may contact me privately) .

Best Regs,

Toto