Put a quantitative measurement on information security threats - Information Security Magazine - Page 1

Researcher Puts Quantitative Measurement on Information Security Threats

A power company's security researchers shed new light on prioritizing threats though quantitative analysis.


Microsoft and Oracle are generous enough to regularly provide severity ratings on vulnerabilities. And automated vulnerability assessment, configuration and patch management tools have made flaw-fixing run of the mill.

That's a good thing.

But we're all resource-strapped, right? And we know those severity ratings aren't universal. My critical flaw is your moderate it-can-wait-until-next-month bug. Can you afford to solely rely on a generic vulnerability scanner to prioritize how your security organization patches systems?

Maybe it makes sense to concentrate more on the threat portion of the risk equation (you know the one: risk = asset value * vulnerability * threat). What if you could put a quantitative score on threats specific to your environment? What if those scores were based on relevant intelligence from law enforcement and some of the best minds in security?

Well, in another testament to the notion that some of the brightest security research is coming out of the nation's critical infrastructure operations, researchers at Pacific Gas and Electric Company in San Francisco have done just that.

Seth Bromberger, manager of information security at PG&E, and his team of security experts have fine-tuned a homegrown

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

methodology for quantitative threat analysis that enables them to prioritize and trend where threats are coming from--something most companies do informally today, mostly on a gut instinct.

Bromberger's motivation at the outset was a better understanding of the threat landscape for critical infrastructures, and a solid score on the NSA's INFOSEC Assurance Capability Maturity Model, or IA-CMM (PG&E earned the second highest rating ever given by NSA). Ultimately, he's developed a threat model that could apply to any organization.

PG&E's methodology begins with a standard definition of a threat agent--which aligns with that used by the DoD--as any person, process or entity that wants to do your organization harm. The secret sauce in this recipe is the proprietary and confidential intelligence from federal and local law enforcement and security experts feeding the methodology.

This was first published in March 2008

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top