Entries in risk (7)

Data, Data, Everywhere

Suppose your security system chooses 10,000 controls (vulnerability checks, scripts, signatures, etc -- pick your preferred terminology) that can be applied to some example asset (a server, executive laptop, or whatever). That number could be smaller or it could be larger depending on the system but let’s say that 10,000 is the count after filtering out those controls that don’t apply (e.g., there’s no Apache server on that Windows 7 laptop).

Now, suppose that each control returns 100 characters of evidence data. That means you have 1,000,000 characters of data for one full assessment of one system. You are going to store those data in Unicode format because our company is international and hence so are our evidence data. That turns our 1,000,000 characters into 2,000,000 bytes of data.

The original story was on the M2GRC blog:

The full article can also be found here. :)

Click to read more ...

CIS Consensus Information Security Metrics - Converting Uncertainty into Risk

Full Disclosure

In my day job I am Solutions Architect for the McAfee Risk and Compliance Business Unit. Our products cover compliance management, risk management, IT security risk analysis, and a range of application and change control technologies.

[3/2/2010 note: when I wrote this article I worked for McAfee. I do, however, no longer. :)]

In a former life I evaluated complex, multidimensional data sets using models and metrics - I was a scientist performing quantitative analysis of noisy data. The result is that I've spent many years and a lot of energy thinking about and using models, metrics, and measurement. That background gives me certain views, opinions, and expectations.

Now that you know where I'm coming from let's talk about risk, measurements, metrics, and uncertainty. ;)

Click to read more ...

Predatory Encryption and Risk Management

We learned some things this week about the US Predator drone program that has some people appalled and indignant - it is the kind of story that makes news.

A Predator drone is an unmanned aerial vehicle (UAV) used by the United States Air Force both for reconnaissance and for offensive operations. It seems that the video downlink from these drones has never been encrypted and it has been possible for those under surveillance to intercept and view the video feed.

This is the kind of news that makes great headlines. People read about it and slap their foreheads, proclaiming in a righteous voice, "What were they thinking? Head's should roll!" Stuff like that.

Here is an alternative viewpoint: this whole situation could just be a result of acceptable RISK MANAGEMENT practices.

Click to read more ...

Risk Is Better Than Uncertainty

The IT GRC field is in transition. Today we are dealing with UNCERTAINTY when we really, really want to be working with RISK because the management tools are so much better. However, there is a light at the end of the tunnel. The electronic medium that caused the situation should also help us solve the problem. We just need to keep collecting data, tracking the improvements produced through compliance, and creating new models and metrics.

Click to read more ...

Risk, Metrics, and Models

It is widely agreed that managing IT security risk requires security metrics. This seems to be where widespread agreement stops, however. If we are going to work through this phase of the maturing of IT security we must speak a common language derived from common conceptual frameworks.

Click to read more ...

Are Vulnerability Metrics and Risk Metrics Different?

The Common Vulnerability Scoring System (CVSS) was constructed as a Vulnerability Metric. However, there is no structural difference between CVSS and a generalized Risk Metric model. The types of information that go into both are the same and the behavior of CVSS is consistent with the model.

Click to read more ...

Risk? What Do You Mean?

The products that my employer develops are all about buzzwords like Vulnerability, Compliance, and Risk. You will find these words and phrases all over the computer security field along with others, like Buffer Overflow, Malware, PUPS (potentially unwanted programs, meaning, stuff you probably don't want but if someone called it Malware someone could get sued), Data Loss Prevention, Host Intrusion Prevention System, SPAM, and Antivirus. Most folks are only really aware of one, Antivirus, and may think it means all of the above. :)

Click to read more ...