A tool released today will help organizations move beyond general security best practices to discern exactly how many systems are actually protected.
The new version of the Open Source Security Testing Methodology Manual (OSSTMM), an open standard methodology for performing security tests, gives organizations a bias-free way to assess their information security effectiveness. A number of public, private and government organizations worldwide already use the previous version of the OSSTMM, released by the Institute for Security and Open Methodologies (ISECOM).
"The OSSTMM is the bible of security testing," said Scott C. McCready, president of CIOview Corp., based in Maynard, Mass., which helps organizations assess the financial impact of changes in IT investments.
For the methodology's new version, its creator -- Pete Herzog, managing director of ISECOM -- wanted to move beyond the questions and answers common to risk-assessment tests, since he thinks most respondents fudge their responses. The goal: a bias-free security assessment.
To run the assessment, which takes four to eight hours, a security tester counts: the number of systems (scope); visibility, trust and access for each system (operational security); and all loss controls, such as authentication. For example, "for every system that's open to another, that's trust, and all you do is count these things. There's no opinion," said Herzog. Similarly, "if you have 250 Microsoft boxes in a DMZ providing IIS Web servers and they're not hardened, well then we have a problem with trust. We don't care if you have a firewall. What we care about is what's accessible."
Using simple mathematics, the tester finds the actual security level, which, to be relevant, must then be multiplied by the number of daily interactions on the network. For example, when comparing a home system averaging 50 interactions per day to a company with a million interactions per day, being 91.4% secure means something different. For the latter, there are 10,941 incidents daily that could be malicious.
The results give companies a quick way to create baselines of actual security. "The only secret to this is no one thought about counting in this way before. All security metrics were based on how many firewalls, antivirus and systems you have, but really that doesn't mean squat if they're not configured right," said Herzog.
How can companies apply the results? Herzog said Gedas Iberia S.A., the Spanish IT subsidiary of Volkswagen Group, is already using the new OSSTMM baselines to direct its security spending. Coupled with an assets assessment -- such as BS7799 -- it can, for example, decide whether a $10,000 firewall is worth $1,000 of protection value.
"We think this is going to fundamentally change security spending in the sense that people will be driven by financial implications, rather than being driven by thinking that one technology or approach is the best," said McCready.
Herzog added that the U.S. Department of Justice IT security guidelines have also been added to the OSSTMM audit report to assure proper verification for government offices.
The new tool is available at http://www.osstmm.org.