Re: [Full-disclosure] Patterns and Security Measurement

["eric williams" <nfobro@xxxxxxxxx>]

On 5/5/06, Nguyen Pham <nguyen.petronius@xxxxxxxxx> wrote:
> Hi list,
>
> Actually, I am trying to measure security (and then security assurance)
> level of a complex telecommunication network. I am looking for a
> method/approach/product using sets of predefined, standard entities
> (station, server, firewall, router, ...) and relations (forming "patterns"
> like pipe, cluster, bus, gateway, ..., architectures) which have already
> been measured to simplify the process of system security measurement. An
> aggregation algorithm is then needed to arrive at an overall system security
> value.
>
> Any recommendation of academic or industrial solutions would be welcome.

Depending on your status w.r.t. US based offerings there are two NSA
sanctioned methodologies for assessment of complex information system
infrastructures and information security.  The INFOSEC Assessment
Methodology and the INFOSEC Evaluation Methodology (IAM and IEM,
respectively).

I can recommend both highly.  Given what you have posted I think the
IEM would be your best bet.  Again, accessing these methods will
depend on your status with respect to US Gov't affiliated offerings.

http://www.iatrp.com/iam.cfm
http://www.iatrp.com/iem.cfm

> Other suggestions for solving the problem (security measurement of complex
> network) are also greatly appreciated.
>
> Many thanks,

no problema.

-e

> Nguyen Pham.
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/