Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Security Metrics

from [Chad Miller] Network Security [Permanent Link]
Subject: RE: Security Metrics
Date: Fri, 15 Apr 2005 08:19:17 -0700 
John,

There is a methodology for baselining that was presented in the NSA IAM &
IEM courses that is about the best I've seen yet. It is still not perfect
but makes good standardized and baselined assessments that are fairly
comparable from one assessment period to the next.

In the IAM & IEM classes, they centered around the CVE. However, your
criteria may be pretty much anything you want it to be, including ISO17799.

I'm sorry, in all my readings, I have not seen this methodology in print nor
on the web.

However, basically what they did was prioritize everything up front, utilize
NIST's risk assessment strategy, and then present a report in which the
weighted (by priority) risks are summarized to include a single overall risk
exposure number.

Hope this helps.

Respectfully Submitted,

Chad E. Miller, CISSP, CISA, CBCP, CISM, IAM, IEM


-----Original Message-----
From: John Blackley [mailto:jblackley@sysmatrix.net] 
Sent: Thursday, April 14, 2005 8:24 AM
To: security-management@securityfocus.com
Subject: Security Metrics



Folks,

a little guidance here please. I'm looking for work already done on building
security metrics for an organization. Let's say an organization wants to
measure its security performance against a baseline (perhaps ISO17799?). Do
you know of any works that have been published showing how it was done or
tools that were used in the effort.

Any help will be appreciated.

John A Blackley
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Security Metrics, Dan Duplito
Next by Date:  Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?, G P
Previous by Thread:  Security Metrics, John Blackley
Next by Thread:  RE: Security Metrics, Skander Ben Mansour
Indexes:  [Date] [Thread] [Top] [All Lists]