Thursday, March 3, 2011

Beautiful Security Metrics

Beautiful Security, Chapter Three: Beautiful Security Metrics

To turn IT security into a science instead of an art, security metrics are needed. The chapter points out that medical research has used metrics to advance human health, and the author draws the analogy: just as you can feel health but cannot touch it, you can feel security but cannot touch it. Health and security are also both about achieving the absence of something. Health care is about the absence of failures in physical or mental well-being, and security is about the absence of failures in confidentiality, integrity and availability.
The five questions that security metrics should answer are:
1. How secure am I?
2. Am I better off now than I was this time last year?
3. Am I spending the right amount of dollars, effort, or time?
4. How do I compare with my peers?
5. Could that happen to me?
There are three problems in answering these questions:
·        First: what is the definition of secure?
·        Second: context. A vulnerability in an IT asset has to be weighed against the criticality, use, and connectedness of that asset.
·        Third: uncertainty. Many executives have no idea what vulnerabilities they have.

Security Metrics:

One example used for security metrics is TJX (an outsider breach), the biggest case of payment card theft ever recorded (as of 2008). The author believes this breach started in July 2005 and continued for 18 months until December 2006, when TJX took action. Cardholders began to see strange transactions on their credit card bills.
How it happened:
Public perspective:
·        TJX Cos. says it suffered an unauthorized intrusion into its computer systems.
·        Credit card companies, banks and customers begin to report fraudulent use of credit and debit card numbers.
·        TJX reports that hackers may have had access to its computers.
Technology perspective:
·        Wireless LANs are born: IEEE 802.11b is completed and approved.
·        An attack that cracks the WEP protection of wireless communication is demonstrated.
·        IEEE 802.1X is ratified to address port-level security using the Extensible Authentication Protocol (EAP).
·        IEEE 802.11b security weaknesses are published.
·        TJX's use of WEP protection is still prevalent at its retail stores.

Some recommendations (from the guidelines of the time):
·        Set the value of all SSIDs for IEEE 802.11b to something obscure.
·        Change the default authentication setting to disallow open access for all clients.
·        Update the configuration of every client and WAP whenever you change the key management for WEP.
·        To achieve strong wireless security:
o   Turn off WEP
o   Select obscure SSIDs
o   Isolate wireless subnets with routers and firewalls
o   Use 802.1X for key management
What did TJX do wrong?
o   TJX did not follow the guidelines that had been issued. The hackers used this fact to get access to TJX's network.
o   They used the default configuration for their WAPs.
o   They used self-evident SSIDs and open access.
TJX's WAPs let the hackers gather enormous quantities of valuable data with an incredibly small investment.
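As an added illustration (not code from the book or from this post), the following Python script turns the wireless checklist above into an automated audit and then into a metric that answers two of the chapter's questions: "How secure am I?" (the compliance rate of a WAP fleet) and "Am I better off now than this time last year?" (comparing two snapshots). The configuration format, the WAP names and the sample fleets are all constructed for the example.

```python
from dataclasses import dataclass

# Assumption: SSIDs that name the business or keep a vendor default count
# as "self-evident"; "acme-store" is a constructed company name.
SELF_EVIDENT_SSIDS = {"default", "linksys", "netgear", "acme-store", "acme"}

@dataclass(frozen=True)
class WapConfig:
    name: str              # constructed WAP label, e.g. "store-01"
    ssid: str
    encryption: str        # "open", "wep" or "wpa2"
    auth: str              # "open" or "802.1x"
    isolated_subnet: bool  # sits behind its own router/firewall

def audit_wap(cfg: WapConfig) -> list[str]:
    """Return the checklist items this WAP violates; empty list = compliant."""
    findings = []
    if cfg.encryption in ("open", "wep"):
        findings.append("WEP or no encryption in use: turn WEP off")
    if cfg.ssid.lower() in SELF_EVIDENT_SSIDS:
        findings.append("self-evident or default SSID: choose an obscure one")
    if cfg.auth == "open":
        findings.append("open access: use 802.1X (EAP) for authentication")
    if not cfg.isolated_subnet:
        findings.append("wireless subnet not isolated by routers/firewalls")
    return findings

def compliance_rate(fleet: list[WapConfig]) -> float:
    """Fraction of WAPs with no findings: one answer to 'How secure am I?'."""
    if not fleet:
        return 1.0
    return sum(1 for w in fleet if not audit_wap(w)) / len(fleet)

# Constructed snapshots of the same three WAPs, last year and now.
LAST_YEAR = [
    WapConfig("store-01", "acme-store", "wep", "open", False),
    WapConfig("store-02", "default", "wep", "open", False),
    WapConfig("store-03", "k9v-2q7", "wpa2", "802.1x", True),
]
THIS_YEAR = [
    WapConfig("store-01", "k9v-1p3", "wpa2", "802.1x", True),
    WapConfig("store-02", "default", "wpa2", "802.1x", False),
    WapConfig("store-03", "k9v-2q7", "wpa2", "802.1x", True),
]

def better_than_last_year() -> bool:
    """Answers 'Am I better off now than this time last year?' for the fleet."""
    return compliance_rate(THIS_YEAR) > compliance_rate(LAST_YEAR)
```

The per-WAP findings list is what an operator would act on; the compliance rate is the number that can be tracked over time and compared with peers.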

Reference:

Oram, Andy and Viega, John (2009). Beautiful Security: Leading Security Experts Explain How They Think. Copyright 2009 O'Reilly Media, Inc.
