Full Disclosure mailing list archives
Re: Patterns and Security Measurement
From: foofus () foofus net
Date: Fri, 5 May 2006 10:41:16 -0500
On Fri, May 05, 2006 at 05:30:50PM +0200, Nguyen Pham wrote:
Actually, I am trying to measure security (and then security assurance) level of a complex telecommunication network. I am looking for a method/approach/product using sets of predefined, standard entities (station, server, firewall, router, ...) and relations (forming "patterns" like pipe, cluster, bus, gateway, ..., architectures) which have already been measured to simplify the process of system security measurement. An aggregation algorithm is then needed to arrive at an overall system security value.
I've done some work along these lines, involving just servers and workstations. My materials from ToorCon might contain some items of interest for you: http://www.toorcon.org/2005/slides/foofus-howbigisthatfootinthedoor.pdf
Any recommendation of academic or industrial solutions would be welcome.
In my bibliography, you'll see a reference to "Archipelago," which is a more general project. Their work is academic in nature, but I think their software is freely downloadable.
Other suggestions for solving the problem (security measurement of complex network) are also greatly appreciated.
See also NIST special publication 800-26; its a set of guidelines for evaluating security maturity. Non-technical in nature, but it provides a scale that can be nicely applied to more or less any specific security objective. --Foofus. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Patterns and Security Measurement Nguyen Pham (May 05)
- Re: Patterns and Security Measurement foofus (May 05)
- Re: Patterns and Security Measurement Sol Invictus (May 05)
- Re: Patterns and Security Measurement eric williams (May 05)