Prediction #9 seems to have gotten at least some attention. I have had three separate requests (one in two parts so I am certain the author is interested) for expansion, and clarification.
I guess this is good. I obviously tapped into a healthy meme seed but I do have a bit of a dilemma.
I am not really sure what I meant.
Well I am sure what I meant but I am not really sure how to articulate it. (wow doesn't that leave me an easy out in 08)
Every attempt I have made turns out to just be a small part of the whole. It is like trying to draw a hypercube on a piece of paper. All I wind up with is a bunch of weird looking triangles, rectangles and squares.
The way I used to look at security was as a sort of modified OSI model. (way back when)
Control Physical Access
Locked TC and DC doors, Building Access, Wireless Access Controls
Control Switching/Electrical Access
More Wireless access controls, Mac Filtering, NAC (if it ever works), VLAN’s
Control Routed Access
ACL’s, Good Subnetting (Yes I know a subnet doesn’t stop anything by itself, but if you don’t get the routing right everything else is harder), Proper DMZ/Extranet/Segmentation
Control of Application Connectivity
Firewalls, Tunnels, Some Proxy Functions,
Control of Sessions and early SoD
Session Segregation, Basic SoD, Identity Controls
Control of Data access and Presentation
Db Controls, Site/share/page access, More Identity Controls, Middle SoD
Application Controls and Control of data manipulation and metadata
Business SoD, Application Design, Business use of Application, More Identity Controls
This approach actually still works in many cases but it lacks a lot of essentials. It is almost purely tactical and has no self awareness. It also focuses too much on access control/preventative controls and not enough on mitigation and prioritization.
A lot of people who talked about the OSI model used to jokingly add a few more layers.
Politics, Religion, and Money
I am not so sure that is a bad idea but I would probably add a few more layers and call them:
Process, Policy, Governance, Compliance, and Money
in that order.
If you do that combined with the other layers it looks a bit like ISO 17799 domains doesn’t it? Well perhaps with some CoBiT Control Objectives thrown in.
There are a few differences though. Instead of interrelated overlapping domains you have sequential (potentially superseding) layers in both directions. These are layers where (for a given threat) you can show a certain level of protection. Multiple layers can be stacked for increasing sequential protection versus a threat from a given vector.
So let’s add these into the mix. Do they overcome the shortcomings? Well not completely. There is one thing still missing, visibility.
So feed visibility as a subset requirement into each of the layers.
As a quick example of that meme:
A firewall is valuable because it stops some attacks
If you are able to see how many attacks occur “outside” the firewall and compare them with how many attacks make it “inside” the firewall you have added value. The value isn’t directly added to the control that is the firewall. The value is added at the Process layer where an evaluation of the effectiveness of the firewall occurs and other controls can be used to mitigate the identified weaknesses. It might also be added at the Compliance layer where an organization might have to meet PCI requirements on proof of effectiveness of controls (specifically the firewall as a Control).
So what I was trying to say when I wrote:
“Vendors that are able to encompass the concept of measurable layers in security will emerge (or in the case of the few that are already out there will do well financially)”
Is that vendors that are able to add or combine either automated or easy to implement means of measuring effectiveness of the controls they peddle will add value.
Also
Vendors that facilitate the process of not only tying controls to specific effectiveness but also representing the effect of overlapping controls on overall risk mitigation will add a great deal of value.
If you can demonstrably add value then you can make money.
That’s what I meant …
Sort of
So now I am circling around to tag the originator of the chain letter.
skip to main |
skip to sidebar
One of the reasons I am writing down these thoughts is so that people that have more information than I can correct me when I am wrong. Hopefully I will then learn.
Subscribe via email
Labels
- Control Systems (25)
- Music (24)
- Security Layers (20)
- Energy Environment (19)
- Risks and Metrics (19)
- Crazy Ideas (13)
- Singularity (12)
- Funny (11)
- Radiation and Polonium (11)
- Scanning SCADA (11)
- Wireless SCADA (11)
- Political (10)
- Nano Tech (9)
- Rant (8)
- Security Tools (8)
- Submarines (8)
- MPAA and RIAA (5)
- Sony Crappy (5)
- Quantum (4)
- Not So Random Quote (3)
- QotW (3)
- Security Politics (3)
- Vuln (3)
- Economy (1)
- FMEA (1)
- Health Care (1)
- Not as funny as it could be (1)
- Racism (1)
- Random Restart (1)
Contact Email
DCSSEC [at] gmail.com
Blogroll
Blog Archive
-
▼
2006
(232)
-
▼
December
(82)
- Gifter - Million Dollar blog Post - Recap
- Old Media Vs New Media
- Rest and family time
- Musings about Vista
- Rago's Rant, Part II
- Moneyball in Academia
- "Imbeciles eating poo flung by uncredentialed monk...
- Merry Christmas
- Measurable Layers
- Password Incentives
- Welcome
- Buckaroo Banzai
- NIST Draft SP 800-82
- Dangerous Toys
- Blogging From Space
- Symantec and SCADA
- Security Blog Chain Letter - Tagged
- Million Dollar Blog Post
- Invasion in the UK
- Sorry for the light blogging
- Tenable SCADA webcast
- Rapture for Nerds
- Microsoft in the game
- Agent based worm
- Two Manufacturers delaying results
- LOGIIC solves the Oil industry SCADA problem - Wel...
- UBS Insider Logic Bomb
- SOX Compliance and Crumpled 3x5's
- Some "Facts" that are fiction
- We don't need no stinkin CIA
- Snowcrash Gargoyles unite
- Less than Zero Day - Dead horse ... beat
- Security Blog with a Twist
- A visit to CORE
- Save the Users - or - Help Me Help You - CI4
- Put the big gun in the back
- Nessus - SCADA Plugins
- Wireless, RAS, PPP, Web Gateway and ... Modbus
- Byres Security Mentioned at Digitalbond
- Oh Yea - on Statcounter - Nano Tech
- Statcounter - Update your browsers
- Oh how I love Risk Formulas
- The many uses of Echelon
- Nano Tech
- What are the odds?
- Byres Security - Site Up
- DNA Computers - Look out Diffie Hellman
- More SCADA Expansion - UPS's - Caution
- More on RIAA, MPAA, and KAZAA
- RFID Guardian
- Baysean Math
- RIAA Class Action
- If your a real geek - SF
- Polonium - More on the Assassination
- SCADA It's not just about your power anymore
- Multi Fuel Rotary
- Some Sensor Descriptions
- Welcome to my Nightmare
- Brighter side of messing up - sort of
- Boneheaded Mistake
- Passive Vulnerability Scanning (PVS) - SCADA
- Mike is worried about the Terminator
- Cheapskate Customers
- The Race is on - SCADA Security PDF
- Malware Winning
- Google Data - Google Desktop - Scanning SCADA
- Bittorrent - and true virtualization - Crazy Idea?
- Amrit says
- MPAA - Commits Fraud to catch "petty theft"?
- Fact #4 - Bad Guys Know
- DRM and How Music Makes Money
- ATM Hack
- Why I'm glad I wasn't and ELT or in Agang
- The Speed of Meme
- ABB Paper
- Cell Phone bugging
- Blogger SNAFU's
- December Threats
- Snow Heat Transfer - Inherent Control
- Crazy Idea #2 - Biofuel X Challenge or VC Challenge
- VC's Giving away Money
- Radiation Reality
-
▼
December
(82)
No comments:
Post a Comment