[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Patterns and Security Measurement
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Patterns and Security Measurement
- From: foofus@xxxxxxxxxx
- Date: Fri, 5 May 2006 10:41:16 -0500
On Fri, May 05, 2006 at 05:30:50PM +0200, Nguyen Pham wrote:
> Actually, I am trying to measure security (and then security assurance)
> level of a complex telecommunication network. I am looking for a
> method/approach/product using sets of predefined, standard entities
> (station, server, firewall, router, ...) and relations (forming
> "patterns" like pipe, cluster, bus, gateway, ..., architectures) which
> have already been measured to simplify the process of system security
> measurement. An aggregation algorithm is then needed to arrive at an
> overall system security value.
I've done some work along these lines, involving just servers
and workstations. My materials from ToorCon might contain some
items of interest for you:
http://www.toorcon.org/2005/slides/foofus-howbigisthatfootinthedoor.pdf
> Any recommendation of academic or industrial solutions would be welcome.
In my bibliography, you'll see a reference to "Archipelago," which
is a more general project. Their work is academic in nature, but
I think their software is freely downloadable.
> Other suggestions for solving the problem (security measurement of
> complex network) are also greatly appreciated.
See also NIST special publication 800-26; its a set of guidelines
for evaluating security maturity. Non-technical in nature, but
it provides a scale that can be nicely applied to more or less
any specific security objective.
--Foofus.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/