Full Disclosure mailing list archives

Re: Patterns and Security Measurement


From: foofus () foofus net
Date: Fri, 5 May 2006 10:41:16 -0500

On Fri, May 05, 2006 at 05:30:50PM +0200, Nguyen Pham wrote:
> Actually, I am trying to measure security (and then security assurance)
> level of a complex telecommunication network. I am looking for a
> method/approach/product using sets of predefined, standard entities
> (station, server, firewall, router, ...) and relations (forming
> "patterns" like pipe, cluster, bus, gateway, ..., architectures) which
> have already been measured to simplify the process of system security
> measurement. An aggregation algorithm is then needed to arrive at an
> overall system security value.

I've done some work along these lines, involving just servers
and workstations.  My materials from ToorCon might contain some
items of interest for you:
http://www.toorcon.org/2005/slides/foofus-howbigisthatfootinthedoor.pdf

> Any recommendation of academic or industrial solutions would be welcome.

In my bibliography, you'll see a reference to "Archipelago," which
is a more general project.  Their work is academic in nature, but
I think their software is freely downloadable.

> Other suggestions for solving the problem (security measurement of
> complex network) are also greatly appreciated.

See also NIST special publication 800-26; it's a set of guidelines
for evaluating security maturity.  Non-technical in nature, but
it provides a scale that can be nicely applied to more or less
any specific security objective.

--Foofus.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

