Security Basics mailing list archives

Security indicators.


From: Toyama no Benbei <toyamanobenbei2003 () yahoo com>
Date: Tue, 21 Oct 2003 17:13:47 -0700 (PDT)

Hello everybody.

I was given the task of elaborating weekly reports
concerning the overall infrastructure "level of
security". As ambiguous as this may sound, the fact is
that management people like reports with graphics and
numbers.

First of all, what I understand as an "indicator" is a
quantitative entity by means of which I can monitor the
status of some process. With the help of an indicator,
I can make a decision, focus the work on problematic
areas, etc.

I can install whatever open source tool I need to in
order to get the needed info.

I was thinking something like:

a) Nessus reports.
==================
Would indicate the most important device
vulnerabilities. Also, as reports get generated, they
would show how we are doing concerning patching of
vulnerabilities. (How long before we finally get that
sendmail server updated, for instance.)

b) Portsentry reports.
=======================
How many scans are we getting? (per server, for
example) This number would surely make some impact
with the bosses. I think it's rather difficult to
"modify" the number of network scans, but it should be a
significant number to keep in mind.

c) Password cracker reports.
=============================
To catch Joes in the users' passwords. We can work on
making users try better passwords, so this number
gets lower with time.

d) Log analyzer.
=================
This is a huge one, but I'm not very clear what kind
of valuable _quantitative_ info we can get.

The "sar" reports, for instance, are more performance
oriented, I think. On the other hand, availability is
one of the basic security services. But it's also
true that the security officer alone could do barely
anything towards making devices more "responsive".

How many times a user fails before typing his/her
password right doesn't help much ....

Maybe how many people got root access to a certain
server/router (oops, it was supposed to be only one).

I'd really like to hear what you think about this.

Thank you all.

ps. I'm not against proprietary tools or anything, it's
a budget thing ;)

pss. I feel this is somehow not the right path to
follow ... I think we should get decent security
policies, and then audit them. The indicators would
then be generated naturally from the auditing process.
But then again, I have management people on my back :\.



