Tuesday, January 31, 2012

What Are External And Internal Security Audits


Leveraging Security Metrics To Protect Your Network

Maybe we should just give up trying to maintain secure enterprise networks; it's just too hard.

When we surveyed practitioners, 71% of respondents admitted that their networks are exposed to external threats due to misconfiguration issues in their security device infrastructure. Verizon reports that 79% of organizations fail to maintain PCI compliance from their prior year's assessment. More than 50 percent told us they had no idea how many of their organization's internal hosts were exposed to the Internet.

We know that even in this era of constrained budgets, enterprises are spending more on network security, and yet 75% of network and security pros agree that the advantage is still on the side of the attacker. Verizon reports that security erosion over the course of the year between PCI audits is the norm with most enterprises, despite the fact that we know there's a correlation between slippage and data breaches.

Maybe it's time to re-evaluate our priorities. As our CTO Dr. Mike points out, there's a general consensus to focus on the core controls. If you're already covering 90% of the basics, security pros agree it's wiser to push for 100% than to expand the number of controls.

But if you're focused on the core controls, how do you know what percentage level you're at, and where the areas of exposure are? That's where security metrics come in.


In this case, we're referring to actionable security metrics: those that provide proactive security intelligence and a direct incentive to act. Many of the metrics available to security pros (number of patches, number of vulnerabilities, number of firewall and router config changes) lack context or simply measure worker hours. They don't characterize risk in a meaningful way, nor do they point towards a specific resolution.

Hitting The Books

In his seminal tome Security Metrics: Replacing Fear, Uncertainty and Doubt, Andrew Jaquith describes the value of security metrics by referencing other business disciplines. For example, freight companies know their freight cost per mile and loading factors, and those of their competitors. Management can set objectives and measure themselves against comparable companies. Choosing to be above, on, or below an industry average is a question of strategy as well as operational efficiency. For example, a freight company may be willing to have a lower load factor than its peers if that's the tradeoff required to offer faster delivery times (for which it presumably charges a premium).

Similarly, warehousing firms measure and compare their cost per square foot and inventory turns, and e-commerce companies measure site conversion rates. Financial metrics have been established for many years. Companies can therefore compare relevant metrics to those of their peers in order to evaluate internal performance.


Could such a use of metrics apply to security? Yes, but only if consistently generated within the context of a security framework.

Building Blocks

The three pillars of security, as we see it here, are visualize, comply and protect. Logically then, if we build a framework on those pillars we'll be able to generate meaningful security metrics.

Visualize: There is wisdom in Requirement 1 of the PCI DSS, in the section entitled Build and Maintain a Secure Network: the requirement is to create a network diagram, and keep it current. Why? You can't secure what you can't see. And yet, according to Verizon, Requirement 1 has the second-highest erosion factor out of the nine requirements not specific to planning and checking. When security pros can visualize the network topology, including groups that clearly identify zones (such as the DMZ) and untrusted sources, they become much more effective in creating segmentation strategies and policies, and in maintaining compliance.


Comply: Compliance refers to PCI, FINRA, FFIEC, SOX and other regulatory frameworks, of course, but also to internal policies, and to best practices from sources such as the SANS 20 Critical Security Controls, Version 3.0. However, complying with regulatory and internal policies is in most cases open loop: we perform security measures in an effort to comply, but other than regulatory audits we're mostly in the dark as to how effective our security controls remain over time. We need to move from open loop security to closed loop, with feedback controls that allow us to make continuous adjustments to thwart erosion.

Protect: The fundamental security question is whether the network is protected. How can we know what's working, and where additional focus is required? By developing a security framework that provides security metrics as feedback controls, from which effective remediation for erosion can be devised. Security metrics enable enterprises to answer questions such as:

1. What's my overall risk; how does it compare to yesterday, last week, last month and last year?
2. How easily can attackers get in?
3. How big is my attack surface?
4. How much of my infrastructure is undocumented?
5. Are investments and actions paying off?
6. Where do we need to improve?
7. Are we ready for our next audit?


Note that the questions above relate to actual network security, unlike, say, how many hosts were patched in the last month (time check) or how many vulnerabilities are being scanned (no context).

Comparing Models

Are these good security metrics? Let's look at Andrew Jaquith's definition:

1. Consistently measured, without subjective criteria;
2. Cheap to gather, preferably in an automated way;
3. Expressed as a cardinal number or percentage, not as high, medium and low;
4. Expressed using at least one unit of measure, such as "number of hosts directly exposed"; and
5. Contextually specific: relevant enough that someone can read it and take action.
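As an added example (not RedSeal's code or data), the following Python derives metrics meeting these five criteria from a network inventory and an ordered firewall policy, and in doing so answers several of the questions listed under Protect: how big the attack surface is, how much of the infrastructure is undocumented, and how the numbers compare with the previous snapshot. The hosts, addresses, zone labels, rules, the previous-snapshot values and the first-match evaluation model are all constructed assumptions of the example, not data from the article.

```python
"""Actionable security metrics from a host inventory and a firewall policy.

Added example with constructed data; not RedSeal's code or data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    zone: str         # "DMZ" or "internal" in this constructed inventory
    documented: bool  # True if the host appears on the network diagram / CMDB


@dataclass(frozen=True)
class Rule:
    src: str             # source CIDR; "0.0.0.0/0" = any source (the Internet)
    dst: str             # destination CIDR
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"


def first_match(rules, host_ip, port):
    """First rule matching Internet-sourced traffic to host_ip:port, or None.

    Assumption of this example: a rule applies to Internet traffic only when
    its source is 0.0.0.0/0; rules are evaluated top-down, first match wins,
    and no match means implicit deny."""
    addr = ip_address(host_ip)
    for r in rules:
        if ip_network(r.src) != INTERNET or addr not in ip_network(r.dst):
            continue
        if r.port is not None and r.port != port:
            continue
        return r
    return None


def exposed_ports(rules, host):
    """Ports on which the host is reachable from the Internet."""
    candidates = {r.port for r in rules if r.action == "allow" and r.port is not None}
    return {p for p in candidates
            if (m := first_match(rules, host.ip, p)) is not None and m.action == "allow"}


def compute_metrics(hosts, rules):
    """Cardinal numbers and percentages, each with a unit and the context to act on."""
    exposure = {h.name: exposed_ports(rules, h) for h in hosts}
    exposed = [h for h in hosts if exposure[h.name]]
    # DMZ exposure is by design; exposure outside the DMZ is the "internal hosts
    # exposed to the Internet" number most organisations cannot answer.
    unexpected = [h for h in exposed if h.zone != "DMZ"]
    undocumented = [h for h in hosts if not h.documented]
    n = len(hosts)
    return {
        "hosts_total": n,
        "hosts_directly_exposed": len(exposed),
        "pct_hosts_directly_exposed": round(100 * len(exposed) / n, 1),
        "internal_hosts_exposed": len(unexpected),
        "hosts_undocumented": len(undocumented),
        "pct_hosts_undocumented": round(100 * len(undocumented) / n, 1),
        "exposed_and_undocumented": sum(1 for h in exposed if not h.documented),
        # Context that makes the numbers actionable: which hosts, on which ports.
        "remediation_targets": {h.name: sorted(exposure[h.name]) for h in unexpected},
    }


def erosion(previous, current):
    """Per-metric change since the last snapshot; a positive delta is slippage."""
    return {k: current[k] - previous[k] for k in current
            if k in previous and isinstance(current[k], (int, float))}


# Constructed inventory (RFC 5737 / RFC 1918 addresses) and ordered policy.
HOSTS = [
    Host("web1", "203.0.113.10", "DMZ", True),
    Host("web2", "203.0.113.11", "DMZ", True),
    Host("mail1", "203.0.113.20", "DMZ", True),
    Host("db1", "10.0.1.10", "internal", True),
    Host("app1", "10.0.1.20", "internal", True),
    Host("hr1", "10.0.2.5", "internal", True),
    Host("test1", "10.0.3.7", "internal", False),
    Host("printer1", "10.0.2.9", "internal", False),
]
RULES = [
    Rule("0.0.0.0/0", "203.0.113.0/24", 443, "allow"),
    Rule("0.0.0.0/0", "203.0.113.20/32", 25, "allow"),
    Rule("0.0.0.0/0", "10.0.2.0/24", 22, "deny"),
    Rule("0.0.0.0/0", "10.0.0.0/8", 22, "allow"),  # the misconfiguration to find
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
# Constructed values from the previous (compliant) snapshot.
PREVIOUS = {"hosts_directly_exposed": 3, "internal_hosts_exposed": 0,
            "hosts_undocumented": 1, "pct_hosts_undocumented": 12.5}

if __name__ == "__main__":
    current = compute_metrics(HOSTS, RULES)
    for key, value in current.items():
        print(f"{key}: {value}")
    print("erosion since last snapshot:", erosion(PREVIOUS, current))
```

The output is the kind of metric the criteria ask for: "3 internal hosts directly exposed to the Internet (db1, app1, test1 on port 22)" names a unit, carries no subjective rating, and points at the rule and hosts to fix, while the erosion dictionary answers "how does it compare to last time" without waiting for the next audit.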

The security metrics provided in RedSeal 5 satisfy all of Jaquith's criteria for good metrics, empowering our customers to continuously monitor their network through a closed loop process and therefore address problem areas, and in doing so protect their organization's network.

Behold, security metrics that actually work.


