RE: Looking For Security Metrics

["Sheldon Malm" <smalm () ncircle com>]

David: it's important to define what you mean by "metrics".  

If you're talking about an enumerated list of things to cover, then CIS,
NIST, and the collective works of mitre (particularly CCE and CVE) are a
great place to start.  

If, by metrics, you mean risk scoring and trending over time, there is
little available in the public domain than CVSS today.  Vendors have
their own proprietary risk metrics (nCircle has a composite score as
well as CVSS built into IP360; most others use HIGH/MEDIUM/LOW), and
there are countless conceptual risk frameworks (mostly academic today).

I suspect that you mean a checklist/guideline to follow, in which case
CIS and/or Mitre are great places to start.



Sheldon Malm
Director
Security Research & Development
nCircle Network Security

Check out the VERT daily post
http://blog.ncircle.com/vert



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Murda Mcloud
Sent: Tuesday, March 25, 2008 7:18 PM
To: jmacaranas () fxdd com; security-basics () lists securityfocus com
Subject: RE: Looking For Security Metrics

How about looking at NIST for their checklists or CIS?
Maybe SANS have something specific for the platform/app you're using.
Is it like Sharepoint?

> > -----Original Message-----
> > From: listbounce () securityfocus com 
> > [mailto:listbounce () securityfocus com]
> > On Behalf Of jmacaranas () fxdd com
> > Sent: Wednesday, March 26, 2008 4:56 AM
> > To: david.durcsak () verizon net; 
> > security-basics () lists securityfocus com
> > Subject: RE: Looking For Security Metrics
> >
> > openACS?
> >
> > -----Original Message-----
> > From: listbounce () securityfocus com 
> > [mailto:listbounce () securityfocus com]
> > On Behalf Of david.durcsak () verizon net
> > Sent: Tuesday, March 25, 2008 1:27 PM
> > To: security-basics () lists securityfocus com
> > Subject: Looking For Security Metrics
> >
> > To all:
> >
> > We are running a web based document sharing and collaborative 
> > enviornment and don't have the security expertise/time in house to 
> > develop a set of securiy metrics.
> >
> > My thoughts right now are if someone had a list that they could 
> > share, we could use those as a starting point for understanding what 
> > we need to do.
> >
> > Any help would be appreciated.
> >
> > Cheers
> > Dave
> >
> > ---------------------------------------------------------------------
> > ----
> > -------------------------------
> > This message and any files transmitted with it are confidential and 
> > intended solely for the use of the individual or entity to whom it is

> > addressed. It may contain sensitive and private proprietary or 
> > legally privileged information. No confidentiality or privilege is 
> > waived or lost by any mistransmission. If you are not the intended 
> > recipient, please immediately delete it and all copies of it from 
> > your system, destroy any hard copies of it and notify the sender. You

> > must not, directly or indirectly, use, disclose, distribute, print, 
> > or copy any part of this message if you are not the intended
recipient.
> > FXDirectDealer, LLC reserves the right to monitor all e-mail 
> > communications through its networks. Any views expressed in this 
> > message are those of the individual sender, except where the message 
> > states otherwise and the sender is authorized to state them.
> >
> > Unless otherwise stated, any pricing information given in this 
> > message is indicative only, is subject to change and does not 
> > constitute an offer to deal at any price quoted. Any reference to the

> > terms of executed transactions should be treated as preliminary only 
> > and subject to our formal confirmation. FXDirectDealer, LLC is not 
> > responsible for any recommendation, solicitation, offer or agreement 
> > or any information about any transaction, customer account or account

> > activity contained in this communication.