Sunday, June 04, 2006

Follow-Up to Donn Parker Story

My earlier post is being debated on the private Security Metrics mailing list. I posted the following tonight:


Chris Walsh wrote:

> Alrighty.
>
> It's time for a Marines vs. Air Force slapdown!

I should have anticipated that someone on this list would read my blog!

I do not agree with all of Donn's points, and I state in my post some
of his ideas are weak. I would prefer Donn defend himself in person.

However, I am going to stand by this statement:

"As security professionals I agree we are trying to reduce risk, but
trying to measure it is a waste of time."

I agree with Donn that a risk measurement approach has not made us
more secure. That does not mean nothing can be measured. It also
does not mean that measurements are worthless.

Removing the double negatives, I am saying that some things can be
measured, and measurements can be worthwhile.

Rather than spending resources measuring risk, I would prefer to see
measurements like the following:

1. Time for a pen testing team of [low/high] skill with
[external/internal] access to obtain unauthorized access to a
specified asset using [public/custom] tools and [zero/complete] target
knowledge.

Note this measurement contains variables affecting the time to
successfully compromise the asset.

2. Time for a target's intrusion detection team to identify said
intruder (pen tester), and escalate incident details to the incident
response team.

3. Time for a target's incident response team to contain and remove
said intruder, and reconstitute the asset.

These are the operational sorts of problems that matter in the real
world. These are only three small ideas -- not a comprehensive
approach to the problem set.

Sincerely,

Richard

PS: Go Air Force. :)

3 comments:

One Guy Nick said...

Having been an Air Force security 3Cx0 and now being a military contractor...we kick the Marines' butts daily in IT. Those guys are just glorified work group managers. HUA! :)

Steven said...

The problem with the first measurement is that there is no objective way to grade pen testers as having high or low skill. You can't grade them by years of experience or college degrees.

The second measurement runs against the first. A successful penetration will occur more quickly if the attacker(s) simply disregard detection--of course, there is the caveat that they could get discovered before they get access. If the attacker's goal is to not be detected, he should proceed very slowly and carefully, generating only a minimum amount of traffic and spreading his activities over a longer period of time to avoid triggering various alert thresholds.

The time taken to contain and remove an intruder will depend on what was compromised, which doesn't make this measurement very useful for comparison.

Richard Bejtlich said...

Steven,

1. I can differentiate among pen testers after talking to them for 30 mins or less. More formally, as part of your selection criteria, have candidates complete one or more exercises to vet their skill levels. I have participated in such exercises.

2. Re detection -- easy: Time for a pen testing team of [low/high] skill with [external/internal] access to obtain [stealthy/semi-stealthy/unstealthy] unauthorized access to a specified asset using [public/custom] tools and [zero/complete] target knowledge.

3. The term "specified asset" answers your "what was compromised" comment.
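The three measurements proposed in the post, with the stealth variable added in the reply above, can be recorded and compared as exercise timelines. The following is an added example, not code from the original post or its comments: the profile fields, event names and the sample timelines are constructed here for illustration, and the choice to measure time-to-detect from exercise start and time-to-contain from the IR escalation is an assumption, since the post does not fix the reference points.

```python
"""Exercise-based security metrics: time to compromise, detect and contain.

Added example (not from the original post). Profile fields, event names
and the sample timelines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Profile:
    """The variables the post parameterises a pen-test exercise by."""
    skill: str      # "low" | "high"
    access: str     # "external" | "internal"
    tools: str      # "public" | "custom"
    knowledge: str  # "zero" | "complete"
    stealth: str    # "stealthy" | "semi-stealthy" | "unstealthy" (from the reply)


@dataclass
class Exercise:
    profile: Profile
    asset: str
    # milestone name -> timestamp; a milestone absent from the dict never happened
    events: Dict[str, datetime]


METRICS = ("time_to_compromise", "time_to_detect", "time_to_contain")


def _minutes_between(events: Dict[str, datetime], start: str, end: str) -> Optional[float]:
    """Elapsed minutes between two milestones, or None if either is missing."""
    if start not in events or end not in events:
        return None
    return (events[end] - events[start]).total_seconds() / 60


def exercise_metrics(ex: Exercise) -> Dict[str, Optional[float]]:
    """The three durations (minutes) for one exercise.

    Reference points are an assumption of this example:
    1. compromise: exercise start -> unauthorized access to the specified asset
    2. detect:     exercise start -> detection team escalates to incident response
    3. contain:    IR escalation -> intruder removed and asset reconstituted
    None means the milestone was never reached (e.g. the intruder was never detected).
    """
    e = ex.events
    return {
        "time_to_compromise": _minutes_between(e, "start", "access_obtained"),
        "time_to_detect": _minutes_between(e, "start", "escalated_to_ir"),
        "time_to_contain": _minutes_between(e, "escalated_to_ir", "asset_reconstituted"),
    }


def aggregate_by_profile(exercises: List[Exercise]) -> Dict[Profile, Dict[str, Optional[float]]]:
    """Median of each metric per profile, plus the fraction of runs never detected.

    Medians are taken over the runs where the milestone was reached; the
    undetected fraction keeps the missing detections visible instead of
    silently dropping them.
    """
    grouped: Dict[Profile, List[Exercise]] = {}
    for ex in exercises:
        grouped.setdefault(ex.profile, []).append(ex)
    summary: Dict[Profile, Dict[str, Optional[float]]] = {}
    for profile, group in grouped.items():
        rows = [exercise_metrics(ex) for ex in group]
        out: Dict[str, Optional[float]] = {}
        for name in METRICS:
            values = [r[name] for r in rows if r[name] is not None]
            out["median_" + name] = median(values) if values else None
        out["undetected_fraction"] = sum(1 for r in rows if r["time_to_detect"] is None) / len(rows)
        summary[profile] = out
    return summary


# Constructed sample data: three exercises against the same specified asset.
T0 = datetime(2006, 6, 1, 9, 0)
STEALTHY_EXPERT = Profile("high", "external", "custom", "zero", "stealthy")
NOISY_NOVICE = Profile("low", "external", "public", "zero", "unstealthy")

SAMPLE_EXERCISES = [
    # Stealthy run that was never detected: only time-to-compromise is measurable.
    Exercise(STEALTHY_EXPERT, "payroll-db", {
        "start": T0, "access_obtained": T0 + timedelta(minutes=240)}),
    # Stealthy run detected well after access was obtained.
    Exercise(STEALTHY_EXPERT, "payroll-db", {
        "start": T0, "access_obtained": T0 + timedelta(minutes=300),
        "escalated_to_ir": T0 + timedelta(minutes=600),
        "asset_reconstituted": T0 + timedelta(minutes=780)}),
    # Noisy run: escalated to IR *before* access was obtained (detect < compromise),
    # the caveat raised in the comments.
    Exercise(NOISY_NOVICE, "payroll-db", {
        "start": T0, "escalated_to_ir": T0 + timedelta(minutes=20),
        "access_obtained": T0 + timedelta(minutes=30),
        "asset_reconstituted": T0 + timedelta(minutes=80)}),
]

if __name__ == "__main__":
    for profile, row in aggregate_by_profile(SAMPLE_EXERCISES).items():
        print(profile, row)
```

Keeping the undetected fraction alongside the medians matters: a profile whose intrusions are rarely detected would otherwise look no worse than one that is always caught, because the missing time-to-detect values simply drop out of the median.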