Information Security News mailing list archives

Re: Group crafts rating system for server security


From: InfoSec News <isn () C4I ORG>
Date: Wed, 27 Dec 2000 03:27:15 -0600

Forwarded by: Dan Tobin <dont () csds uidaho edu>

While I certainly do see the need for a system like this, I have no
faith that it can happen, especially by folks with so many vested
interests in the economics of it.

For this to happen in the time frame allocated, a gargantuan effort
would need to be launched, and then validated with series of
controlled experiments.  However, as Weld alluded, there is no way to
control enough variables to make this statistically valid.  Further,
how long is the "single number" going to be valid for?  The security
posture of a "system", however you want to define it, changes daily.

Put me into that famous category of people actually wanting to add
"science" back into "Computer Science".

Finally, the threat each network/organization faces is highly variable
as well, and any security rating that is given a network MUST be
measured against the particular threats faced... not everyone faces
the same threats... nor will have the same response mechanisms.

Wow... if it were this easy, I would have finished my PhD long ago
probably...

Don Tobin
Center for Secure and Dependable Software, Univ of Idaho
Meandering PhD Student, Retired USAF Officer, and just a realist in general


On Fri, 22 Dec 2000, InfoSec News wrote:

http://news.cnet.com/news/0-1003-201-4238214-0.html?tag=st.ne.1002.thed.sf

By Robert Lemos
Special to CNET News.com
December 21, 2000, 4:50 p.m. PT

Are your servers as secure as Fort Knox or as open as a revolving
door?

The newly formed Center for Internet Security hopes to answer that
question by creating a suite of tests that would give computer owners
a rating--on a scale of 1 to 10--of how good their security is.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
