Network Security NTBugtraq

Re: Administrivia #29691: TruSecure Global Risk Index Survey

Subject: Re: Administrivia #29691: TruSecure Global Risk Index Survey
Date: Tue, 26 Oct 2004 16:03:02 -0400
Firstly, thanks very much to those of you who completed this survey. I realize 
that the Zarca site has its limitations, and apologize for them (IE is required 
to view the survey results.)

We're a little short on responses, however. To date we have ~160 responses, and 
we were hoping for more than 200 (500 would be fantastic.) So, I'd like to 
encourage some more of you to respond.

Responses are confidential.

Here's the request we sent out last week.

Cheers,
Russ - NTBugtraq Editor

-----Original Message-----
From: Windows NTBugtraq Mailing List [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] 
On Behalf Of Russ Cooper
Sent: Tuesday, October 19, 2004 3:04 PM
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Administrivia #29691: TruSecure Global Risk Index Survey

This is going to come across as a bit salesy, but bear with me.

As I mentioned in my note on the 8th, TruSecure has created a "Global
Risk Index", more than four years of thousands of metrics and
significant events formulated in such a way as to demonstrate the
changing risks an organization faces. Data from network latency and
outages to vulnerability and then patch announcements. Significant
events like Blaster, and its calculated effects, plus every other
significant event. Imagine that risk was "1000" on 1/1/2000...we
calculate what has happened to that number since, to this date, and can
make predictions about what will happen in the future.

Now add to this the things you can do to mitigate risk. Best Practice
implementation, like blocking attachments at your email gateway or
default deny at your routers. With these factors added, it's possible to
provide your organization with a number which can be compared to the
Global Risk Index value, showing how much better or worse you are, or to
other companies to determine the risks involved in cooperative
networking. This goes way beyond an insurance company's claim that using
Windows requires some premium on your insurance rates...

What we need now is real world results on what quality of controls are
implemented, and to what extent. Do you have comprehensive controls or
are they merely informal? Does a control apply to all events in its
category or only to specific and critical events? If a control is
comprehensive and applies to all events in its category, then that's
ideal. We're trying to gauge how far from ideal the world is today. Your
data will give us an excellent sampling.

Our survey has ~120 questions for you to answer. Many of the questions
are fairly specific and ask about certain classifications of devices or
periods of time.  Almost all use radio buttons indicating your current
implementation on a scale of 1-7. They go from "Comprehensive" to "Not
Implemented". We're not looking for your opinion on the effectiveness of
a control, merely where the level of your current implementation stands.
We also ask some questions about the cost and frequency of events in
your organization. 

Your responses will help us fine-tune the wording we will use when the
survey is offered to the general public. If it turns out that everyone
is doing something, then we don't ask if you do, instead we ask how well
you do it...that sort of thing.

We firmly believe in the Global Risk Index as a far more accurate
designation of where we stand, security-wise. What's the use of a Green,
Orange, Red indication when you can't see how your mitigators affect the
risk? Who cares if a new worm is out if you've so effectively mitigated
your risks that it can't affect you? The Global Risk Index will let you
know, and you can help make it happen.

In order to participate in this survey either click on this link, or
copy and paste it into your browser;
<http://research.zarca.com/clients/TruSecure_2/survey.aspx?sid=1>

We encourage you to learn more about the TruSecure Index with an
archived webinar available at;
<http://www112.placeware.com/cc/trusecure/view?id=TSGRI-25>  
Password: Global Index 

Cheers,
Russ and the TruSecure Global Index Team

--
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such 
that just hitting reply is going to result in the message coming to the list, 
not to the individual who sent the message. This was done to help reduce the 
number of Out of Office messages posters received. So if you want to send a 
reply just to the poster, you'll have to copy their email address out of the 
message and place it in your TO: field.
--
