[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri May 5 16:41:31 2006
From: foofus at foofus.net (foofus@...fus.net)
Subject: Patterns and Security Measurement
On Fri, May 05, 2006 at 05:30:50PM +0200, Nguyen Pham wrote:
> Actually, I am trying to measure security (and then security assurance)
> level of a complex telecommunication network. I am looking for a
> method/approach/product using sets of predefined, standard entities
> (station, server, firewall, router, ...) and relations (forming
> "patterns" like pipe, cluster, bus, gateway, ..., architectures) which
> have already been measured to simplify the process of system security
> measurement. An aggregation algorithm is then needed to arrive at an
> overall system security value.
I've done some work along these lines, involving just servers
and workstations. My materials from ToorCon might contain some
items of interest for you:
http://www.toorcon.org/2005/slides/foofus-howbigisthatfootinthedoor.pdf
> Any recommendation of academic or industrial solutions would be welcome.
In my bibliography, you'll see a reference to "Archipelago," which
is a more general project. Their work is academic in nature, but
I think their software is freely downloadable.
> Other suggestions for solving the problem (security measurement of
> complex network) are also greatly appreciated.
See also NIST special publication 800-26; its a set of guidelines
for evaluating security maturity. Non-technical in nature, but
it provides a scale that can be nicely applied to more or less
any specific security objective.
--Foofus.
Powered by blists - more mailing lists