10 Ways To Measure IT Security Program Effectiveness


The right metrics can make or break a security program (or a budget meeting).

As CISOs try to find ways to prove ROI to higher ups and improve the overall effectiveness of security operations, the right metrics can make or break their efforts. Fortunately, infosec as an industry has matured to the point where many enterprising security leaders have found innovative and concrete measures to track performance and drive toward continual improvement. Dark Reading recently surveyed security practitioners and pundits to find out the best time-tested metrics to prove security effectiveness, ask for greater investment, and push security staff to improve their day-to-day work.

Average Time To Detect And Respond

Also referred to as mean time to know (MTTK), the average time to detect (ATD) measures the delta between an issue occurring—be it a compromise or a configuration gone wonky—and the security team figuring out there’s a problem. 

“By reducing ATD, Security Operations Center (SOC) personnel give themselves more time to assess the situation and decide upon the best course of action that will enable the enterprise to accomplish its mission while preventing damage to enterprise assets,” says Greg Boison, director of cyber and homeland security at Lockheed Martin.

Meanwhile, the mean time to resolution, or average time to respond, measures how long it takes the security team to respond appropriately to an issue and mitigate its risk.

“Average Time to Respond (ATTR) is a metric that tells SOC management and personnel whether or not they are meeting objectives to quickly and correctly respond to identified violations of the security policy,” Boison says. “By reducing ATR, SOC personnel reduce the impact (including the cost) of security violations.”

Tracking these two metrics continuously over time can show how well a security program is improving or deteriorating. Ideally they should be growing smaller over time.

False Positive Reporting 

Tracking the False Positive Reporting Rate (FPRR) can help put the work of lower-level analysts under the microscope, making sure that the judgments they’re making on automatically filtered security event data are sifting out false positives from genuine indicators of compromise before cases escalate to others in the response team.

“Despite the implementation of automated filtering, the SOC team must make the final determination as to whether the events they are alerted to are real threats,” Boison of Lockheed Martin says. “The reporting of false positives to incident handlers and higher-level management increases their already heavy workload and, if excessive, can de-motivate and cause decreased vigilance.”

A high FPRR could indicate that Level 1 analysts need better training or that the analytics tools need better tuning.

“All too often Level 1 analysts lack a good understanding of and visibility into incidents’ causes and therefore escalate false alerts to Level 3 analysts,” says Lior Div, CEO of Cybereason. “This causes a waste of expensive resources.”

Mean Time To Fix Software Vulnerabilities

Whether for web, mobile, cloud-based, or internal applications, organizations that build custom software should be measuring how long it takes to remediate software vulnerabilities from the time they’re identified, says John Dickson, principal at Denim Group. 

“This measurement helps organizations understand the window of vulnerability in production software,” Dickson says. “Unfortunately, most organizations do not publish this metric internally and as a result, the most serious application vulnerabilities, like SQL injections, remain in production far too long.”

Realistically, this number may be skewed by fixes that never occur, particularly during the development process. That is why organizations should also track the number of critical defects fixed against the number reported, which shows how effective static analysis is for the organization, says Caroline Wong, director of security initiatives for Cigital.

“To obtain this metric, the software security group must be performing static analysis, counting the number of defects initially found — by classification, during first scan — and counting the number of (critical) defects which are actually fixed by developers,” Wong says. “The quality of the code will not actually increase until the developer performs triage on the findings and fixes the actual software defects. The desired trend for this metric is to increase towards 100 percent.”

Patch Latency

In the same vein, patch latency can also show how effective the program is at reducing risk from the low-hanging fruit.

“We need to demonstrate progress in the vulnerability patch process. For many organizations with thousands of devices, this can be a daunting task. Focus on critical vulnerabilities and report patching latency,” says Scott Shedd, security practice leader for consulting firm WGM Associates. “Report what we patched, what remains unpatched, and how many new vulnerabilities have been identified.”

Incident Response Volume

Tracking the total number of incident response cases opened against those closed and pending will help CISOs identify how well incidents are being found and addressed. 

“This shows that incidents are being identified along with remediation and root cause analysis,” says Shedd of WGM. “This is critical for continuous improvement of an information security program.”

Fully Revealed Incidents Rate 

This metric can also help get a bead on the effectiveness of the incident response and security analyst functions within a program. 

“What is the rate of incidents handled by security team into which they have a full understanding of the reason for the alert, the circumstances causing it, its implications, and effect?” says Div of Cybereason. 

A low rate relative to the overall volume of opened cases reveals gaps in visibility and could justify a request for more investment in staff or tools.

Analytic Production Time

Is your security program suffering from information overload? Measuring the time it takes to collect data compared to when it is analyzed can help answer that question.

“Reducing the analytical timeline allows IT teams to recognize and act more quickly to prevent, or detect and address, breaches, thereby improving the organization’s overall security posture,” says Christopher Morgan, president of IKANOW.

“Reducing the time it takes to analyze security data, from either internal firewall or SIEM information or outside threat intelligence feeds, requires giving data scientists the tools and time to focus on data analysis,” he says.

Percent Of Projects Completed On Time And On Budget 

CISOs can show accountability by offering the CEO, board, and CFO visibility into their spending process by offering metrics on the percent of strategic IT security projects completed on time and on budget, says Dan Lohrmann, chief strategist and chief security officer at Security Mentor. 

“This could be a project on encryption, new firewalls, or whatever the top security projects are,” Lohrmann says. “This metric ensures that security is accountable for delivering ever-increasing value and improvements to the executive team.”

Percentage Of Security Incidents Detected By An Automated Control

One way to justify spend on those shiny boxes is to start tracking just how many of the security incidents the organization detects overall are found by an automated tool.

“This is a good one because it not only encourages you to become familiar with how incidents are detected, it also focuses you on automation, which reduces the need for ‘humans paying attention’ as a core requirement,” says Dwayne Melancon, CTO of Tripwire. “It also makes it easier to lobby for funding from the business, since you can make the case that automation reduces the cost of security while lowering the risk of harm to the business from an unnoticed incident.”

Employee Behavior Metrics

Just how effective is all of that “soft” spending on security awareness training? Steve Santorelli of Team Cymru says there are ways to track and measure that, primarily through phishing and social engineering stress testing, where you test your staff for phishing awareness and social engineering awareness.

“Basically, you run a fake phishing campaign and make a few hoax calls,” says Santorelli, director of analysis and outreach for the research firm. “Reward and publicize good results, help failures to learn from their errors, and you’ll have folks actively watching out for these attacks – for a few weeks at least.”
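Several of the metrics above (average time to detect and respond, false positive reporting rate, fully revealed incidents rate, incident volume, and percent of incidents detected by an automated control) can be computed from the same incident ledger. The script below is an added example, not code from the article or any vendor quoted in it; the ledger, its field names and the timestamps are constructed for illustration.

```python
"""Compute SOC effectiveness metrics from a constructed incident ledger."""
from datetime import datetime
from statistics import mean

# Constructed sample ledger (not real data); the field names are assumptions,
# not any product's schema. "occurred" is the best-known compromise time and,
# for a false positive, equals the alert time. "resolved" is None while the
# case is still pending. "escalated" means the Level 1 analyst passed the
# alert up to incident handlers rather than closing it.
INCIDENTS = [
    {"id": "INC-001", "occurred": "2014-06-01T08:00:00", "detected": "2014-06-01T10:00:00",
     "resolved": "2014-06-01T14:00:00", "detected_by": "automated",
     "escalated": True, "true_positive": True, "fully_revealed": True},
    {"id": "INC-002", "occurred": "2014-06-02T00:00:00", "detected": "2014-06-02T06:00:00",
     "resolved": "2014-06-02T18:00:00", "detected_by": "analyst",
     "escalated": True, "true_positive": True, "fully_revealed": False},
    {"id": "INC-003", "occurred": "2014-06-03T09:00:00", "detected": "2014-06-03T09:30:00",
     "resolved": None, "detected_by": "automated",
     "escalated": True, "true_positive": True, "fully_revealed": False},
    {"id": "INC-004", "occurred": "2014-06-04T11:00:00", "detected": "2014-06-04T11:00:00",
     "resolved": "2014-06-04T11:30:00", "detected_by": "automated",
     "escalated": True, "true_positive": False, "fully_revealed": False},
    {"id": "INC-005", "occurred": "2014-06-05T12:00:00", "detected": "2014-06-05T12:00:00",
     "resolved": "2014-06-05T12:10:00", "detected_by": "automated",
     "escalated": False, "true_positive": False, "fully_revealed": False},
    {"id": "INC-006", "occurred": "2014-06-06T20:00:00", "detected": "2014-06-07T02:00:00",
     "resolved": "2014-06-07T08:00:00", "detected_by": "user_report",
     "escalated": True, "true_positive": True, "fully_revealed": True},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _ratio(numerator: int, denominator: int) -> float:
    """Guarded division so an empty period reports 0.0 instead of crashing."""
    return numerator / denominator if denominator else 0.0


def average_time_to_detect(incidents) -> float:
    """ATD (mean time to know): occurrence -> detection, true positives only."""
    deltas = [hours_between(i["occurred"], i["detected"]) for i in incidents if i["true_positive"]]
    return mean(deltas) if deltas else 0.0


def average_time_to_respond(incidents) -> float:
    """ATTR: detection -> resolution for true positives that are already closed."""
    deltas = [hours_between(i["detected"], i["resolved"])
              for i in incidents if i["true_positive"] and i["resolved"]]
    return mean(deltas) if deltas else 0.0


def false_positive_reporting_rate(incidents) -> float:
    """FPRR: share of escalated cases that turned out to be false positives."""
    escalated = [i for i in incidents if i["escalated"]]
    return _ratio(sum(1 for i in escalated if not i["true_positive"]), len(escalated))


def fully_revealed_rate(incidents) -> float:
    """Share of true incidents where cause, circumstances and impact were fully understood."""
    real = [i for i in incidents if i["true_positive"]]
    return _ratio(sum(1 for i in real if i["fully_revealed"]), len(real))


def percent_detected_by_automation(incidents) -> float:
    """Percent of true incidents first surfaced by an automated control."""
    real = [i for i in incidents if i["true_positive"]]
    return 100.0 * _ratio(sum(1 for i in real if i["detected_by"] == "automated"), len(real))


def case_volume(incidents) -> dict:
    """Opened vs. closed vs. pending case counts for the period."""
    closed = sum(1 for i in incidents if i["resolved"])
    return {"opened": len(incidents), "closed": closed, "pending": len(incidents) - closed}


def report(incidents) -> dict:
    """All metrics in one dict, ready for a dashboard or a budget meeting."""
    return {
        "atd_hours": average_time_to_detect(incidents),
        "attr_hours": average_time_to_respond(incidents),
        "fprr": false_positive_reporting_rate(incidents),
        "fully_revealed_rate": fully_revealed_rate(incidents),
        "pct_automated_detection": percent_detected_by_automation(incidents),
        "volume": case_volume(incidents),
    }


if __name__ == "__main__":
    for name, value in report(INCIDENTS).items():
        print(f"{name}: {value}")
```

Run the report over each month's ledger and chart the series: ATD, ATTR and FPRR should trend down, while the fully revealed and automated-detection rates should trend up.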


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

A Cybersecurity Threat That Could Be Lurking On Your Phone

Gary Miliefsky, SnoopWall CEO, and founding member of the US Department of Homeland Security announces a privacy breach posed by smartphone flashlight apps. Miliefsky has advised two White House Administrations on Cybersecurity.

He was scheduled to join us on set for Special Report, but we had to make room for breaking news. We know you were all excited to hear this story and so we brought Gary in just for The Daily Bret. Share your thoughts with us on Twitter @BretBaier or here on the blog– after hearing this story will you delete your flashlight app?

Password Cracking Anyone? Here Are 10 Tools To Help You!

Thursday, April 24, 2014: While a great deal of time and effort is invested in designing and developing software, it only takes a few seconds to bring it to its knees via hacking. You might choose one of the most secure passwords (according to you, that is) for your online activities, but the fact is that cracking it is no big deal. With the right tools at hand, cracking a password can be a walk in the park. However, do remember that the deed carries considerable risk. Do it at your own risk!

1.Brutus

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UNIX version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page.

2.Wfuzz

Wfuzz is a tool designed for brute-forcing web applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), brute-forcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), brute-forcing form parameters (user/password), fuzzing, etc.

3.RainbowCrack

RainbowCrack is a general-purpose implementation of Philippe Oechslin’s faster time-memory trade-off technique. It cracks hashes with rainbow tables. Because RainbowCrack uses a time-memory trade-off algorithm, it differs from brute-force hash crackers.

4.SolarWinds

Transform the complexity of IT security and compliance management with SolarWinds Log & Event Manager (LEM) — powerful, easy-to-use Security Information & Event Management (SIEM) in an affordable, all-in-one virtual appliance.

5.L0phtCrack

L0phtCrack 6 is packed with powerful features such as scheduling, hash extraction from 64-bit Windows versions, multiprocessor algorithms, and network monitoring and decoding. Yet it is still the easiest to use password auditing and recovery software available. The software runs on Windows XP and higher. It operates on networks with Windows NT, 2000, XP, Server 2003 R1/R2, Server 2008 R1/R2, on 32- and 64-bit environments, as well as most BSD and Linux variants with an SSH daemon.

6.Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible.

7.Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

8.THC-Hydra

A very fast network logon cracker which supports many different services.

9.John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

10.Aircrack

Aircrack-ng is an 802.11 WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimisations like KoreK attacks, as well as the PTW attack, thus making the attack much faster compared to other WEP cracking tools.

Saurabh Singh, EFYTIMES News Network

Revealed: How governments can take control of smartphones

RT.com
June 25, 2014

‘Legal malware’ produced by the Italian firm Hacking Team can take total control of your mobile phone. That’s according to Russian security firm Kaspersky Lab and University of Toronto’s Citizen Lab (which also obtained a user manual).

Operating since 2001, the Milan-based Hacking Team employs over 50 people and offers clients the ability to “take control of your targets and monitor them regardless of encryption and mobility,” while “keeping an eye on all your targets and manage them remotely, all from a single screen.”

It’s the first time Remote Control Systems (RCS) malware has been positively linked with mobile phones, and it opens up a new potential privacy threat to mobile phone users.

“Our latest research has identified mobile modules that work on all well-known mobile platforms, including Android and iOS,” wrote Kaspersky researcher Sergey Golovanov.

“These modules are installed using infectors – special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target – which is much more powerful than traditional cloak and dagger operations.”

Image from citizenlab.org

Police can install the spy malware directly into the phone if there is direct access to the device, or if the owner of the phone connects to an already infected computer, according to Wired.

Various software packages can also lure users into downloading targeted fake apps.

Once inside an iPhone, for instance, it can access and activate all of the following: control of Wi-Fi, GPS, GPRS, recording voice, e-mail, SMS, MMS, listing files, cookies, visited URLs, cached web pages, address book, call history, notes, calendar, clipboard, list of apps, SIM change, live microphone, camera shots, support chats, WhatsApp, Skype, and Viber.

Image from citizenlab.org

While the malware can be spotted by some of the more sophisticated anti-virus software, it takes special measures to avoid detection – such as “scouting” a victim before installation, “obfuscating” its presence, and removing traces of its activity.

Hacking Team has maintained that its products are used for lawful governmental interceptions, adding that it does not sell items to countries blacklisted by NATO or repressive regimes.

Wired reported that there have been cases where the spying apps were used in illegal ways in Turkey, Morocco, and Saudi Arabia.

Citizen Lab discovered spying malware hiding in a legitimate news app for Qatif Today, an Arabic-language news and information service that reports on events in Saudi Arabia’s eastern Qatif region. It also argued that circumstantial evidence pointed to Saudi Arabia’s government using the spying malware against Shia protesters in the area.

“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments. An unstated assumption is that customers that can pay for these tools will use them correctly, and primarily for strictly overseen, legal purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats for those with access to Hacking Team and Gamma Group toolkits,” Citizen Lab said in its report.

Map showing the countries of the current HackingTeam servers’ locations (Image from securelist.com)

Hacking Team controls the spying malware remotely via command-and-control servers. Kaspersky has discovered more than 350 such servers in more than 40 countries. A total of 64 servers were found in the US – more than in any other country. Kazakhstan came in second, with a total of 49 servers found. Thirty-five were found in Ecuador and 32 in the UK.

Remove Malware Using These 8 Free Tools!

Malware is a menace, and it’s gaining prominence with each day.

Tuesday, May 13, 2014: Hackers today are not only becoming increasingly successful in finding new ways to break into computers, but achieving a one hundred per cent success rate at the same time. Cybersecurity firms are witnessing a rampant multiplication of cyberattacks categories that now range from malware and spyware to highly sophisticated breaches directed towards large businesses/enterprises. Today we bring you a list of 8 free tools to get rid of malware.

1.Ad-Aware

Anti-spyware and anti-virus program developed by Lavasoft that detects and removes malware, spyware and adware on a user’s computer.

2.Emsisoft Emergency Kit

The Emsisoft Emergency Kit contains a collection of programs that can be used without software installation to scan for malware and clean infected computers.

3.Norman Malware Cleaner

This simple and user friendly tool not only detects malicious software but also removes them from your computer. By downloading and running the program it will clean an infected system completely.

4.SUPERAntiSpyware

Shareware which can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect malware, SUPERAntiSpyware is not designed to replace antivirus software.

5.Spybot

Spybot Search & Destroy is a set of tools for finding and removing malicious software. The immunisation feature preemptively protects the browser against threats. System scans and file scans detect spyware and other malicious software and eradicate it.

6.Combofix

Executable software, intended for users with advanced computer skills to run it only on occasions where a regular antivirus would not detect certain malware, or where an antivirus cannot update or otherwise function.

7.Microsoft Security Scanner

Free downloadable security tool that provides on-demand scanning and helps remove viruses, spyware, and other malicious software. It works with your existing antivirus software.

8.Malwarebytes Anti-Malware

Made by Malwarebytes Corporation, it was first released in January 2008 and is available in a free version, which scans for and removes malware when started manually.

Saurabh Singh, EFYTIMES News Network

Looking To Replace Your XP? Here Are 30 Open Source Alternatives!

Monday, April 21, 2014: With all the Windows XP end of life fiasco now well behind us, Linux is the preferred choice for individuals and organisations alike around the world. While Linux Mint has the same look and feel as XP, Ubuntu’s recent LTS release boasts of tremendous functionality and a seamless user interface. Likewise, the world of Linux and Open Source has a lot to offer when it comes to providing you with a good alternative to the famed XP. Here are 30 Linux Operating Systems making headlines.

1.Linux Mint

The purpose of Linux Mint is to produce a modern, elegant and comfortable operating system which is both powerful and easy to use. Started in 2006, Linux Mint is now the 4th most widely used home operating system behind Microsoft Windows, Apple Mac OS and Canonical’s Ubuntu.

2.Ubuntu

Ubuntu is a Debian-based Linux operating system, with Unity as its default desktop environment (GNOME was the previous desktop environment).

3.Zorin OS

Zorin OS is a multi-functional operating system designed specifically for newcomers to Linux. It is based on Ubuntu, which is the most popular desktop Linux operating system in the world.

4.MEPIS

MEPIS is a set of Linux distributions, distributed as Live CDs that can be installed onto a hard disk drive. The most popular MEPIS distribution is SimplyMEPIS, which is based primarily on Debian stable. It can either be installed onto a hard drive or used as a Live CD, which makes it externally bootable for troubleshooting and repairing many operating systems. It includes the KDE desktop environment.

5.Manjaro

Manjaro is a user-friendly Linux distribution based on the independently developed Arch operating system. Manjaro provides all the benefits of the Arch operating system combined with a focus on user-friendliness and accessibility. Available in both 32 and 64 bit versions, Manjaro is suitable for newcomers as well as experienced Linux users.

6.PCLinuxOS

PCLinuxOS is distributed as a LiveCD, and can also be installed to your computer. The LiveCD mode lets you try PCLinuxOS without making any changes to your computer. If you like it, you can install the operating system to your hard drive. Locally installed versions of PCLinuxOS utilise the Advanced Packaging Tool (or APT), a package management system (originally from the Debian distribution), together with Synaptic, a GUI frontend to APT for easy software installation.

7.Mageia

Mageia is a Linux computer operating system, distributed as free and open source software. It is forked from the Mandriva Linux distribution.

8.OpenMandriva

OpenMandriva Lx is an exciting free Desktop Operating System that aims to cater to and interest first time and advanced users alike. It has the breadth and depth of an advanced system but is designed to be simple and straightforward in use.

9.Kubuntu

Kubuntu is an operating system built by a worldwide team of expert developers. It contains all the applications you need: a web browser, an office suite, media apps, an instant messaging client and many more.

10.Netrunner

Netrunner is a KDE focused, complete OS. It comes in two variants, one is built on Kubuntu/Debian (Main/Standard Release), one is built on Manjaro/Arch (Rolling Release).

11.Point Linux

Point Linux is a GNU/Linux distribution that aims to combine the power of Debian GNU/Linux with the productivity of MATE, the Gnome 2 desktop environment fork. Point Linux provides an easy to set up and use distribution for users, looking for a fast, stable and predictable desktop.

12.Korora

Originally based on Gentoo Linux in 2005, Korora was re-born in 2010 as a Fedora Remix with tweaks and extras to make the system “just work” out of the box.

13.Sabayon

Sabayon Linux or Sabayon (formerly RR4 Linux and RR64 Linux), is a Gentoo-based Linux distribution created by Fabio Erculiani and the Sabayon development team. Sabayon follows the “out of the box” philosophy, aiming to give the user a wide number of applications ready to use and a self-configured operating system.

14.Trisquel

Trisquel (officially known as Trisquel GNU/Linux) is a Linux operating system based on the Ubuntu Linux distribution. The project aims for a fully free software system without proprietary software or firmware and uses Linux-libre – a version of the Linux kernel with the non-free code (binary blobs) removed.

15.KNOPPIX

Knoppix, or KNOPPIX is an operating system based on Debian designed to be run directly from a CD / DVD (Live CD) or a USB flash drive (Live USB), one of the first of its kind for any operating system. Knoppix was developed by Linux consultant Klaus Knopper.

16.Lubuntu

Lubuntu is a fast and lightweight operating system developed by a community of Free and Open Source enthusiasts. The core of the system is based on Linux and Ubuntu. Lubuntu uses the minimal desktop LXDE, and a selection of light applications.

17.Peppermint

Peppermint Linux OS is a cloud-centric OS based on Lubuntu, a derivative of the Ubuntu Linux operating system that uses the LXDE desktop environment.

18.Xubuntu

Xubuntu is an elegant and easy-to-use operating system. Xubuntu comes with Xfce, which is a stable, light and configurable desktop environment.

19.Elementary OS

Elementary OS is a Linux distribution based on Ubuntu. It makes use of a desktop with its own shell named Pantheon, and is deeply integrated with other elementary OS applications like Plank (a dock based on Docky), Midori (the default web browser) and Scratch (a simple text editor).

20.Puppy

Puppy Linux operating system is a lightweight Linux distribution that focuses on ease of use and minimal memory footprint. The entire system can be run from RAM with current versions generally taking up about 130 MB, allowing the boot medium to be removed after the operating system has started.

21.Bodhi Linux

Bodhi Linux is a Linux Distribution leveraging the fast, customisable, and beautiful Enlightenment Desktop. Enlightenment coupled with a minimal set of utilities such as a browser, text editor, and package management tools form the solid foundation of Bodhi Linux.

22.Linux Lite

Linux Lite is free for everyone to use and share, and is suitable for people who are new to Linux or for people who want a lightweight environment that is also fully functional. Linux Lite is also great for reviving that old laptop or desktop you gave up on a few years back.

23.AntiX

AntiX is a fast, lightweight and easy to install Linux live CD distribution based on Debian Testing for Intel-AMD x86 compatible systems. It offers users the “antiX Magic” in an environment suitable for old computers.

24.Damn Small Linux (DSL)

DSL was originally developed as an experiment to see how many usable desktop applications can fit inside a 50MB live CD. It was at first just a personal tool/toy. But over time Damn Small Linux grew into a community project with thousands of development hours put into refinements including a fully automated remote and local application installation system and a very versatile backup and restore system which may be used with any writable media including a USB device, floppy disk, or a hard drive.

25.CrunchBang

CrunchBang is a Debian GNU/Linux based distribution offering a great blend of speed, style and substance. Using the nimble Openbox window manager, it is highly customisable and provides a modern, full-featured GNU/Linux system without sacrificing performance.

26.Fedora

Fedora is a Linux-based operating system, a collection of software that makes your computer run. You can use Fedora in addition to, or instead of, other operating systems such as Microsoft Windows or Mac OS X.

27.CentOS

The CentOS Linux distribution is a stable, predictable, manageable and reproducible platform derived from the sources of Red Hat Enterprise Linux (RHEL).

28.SUSE

SUSE is the original provider of the enterprise Linux distribution and the most interoperable platform for mission-critical computing. It’s the only Linux recommended by VMware, Microsoft and SAP. And it’s supported on more hardware and software than any other enterprise Linux distribution.

29.openSUSE

openSUSE is a general purpose operating system built on top of the Linux kernel, developed by the community-supported openSUSE Project and sponsored by SUSE and a number of other companies.

30.Edubuntu

Edubuntu, also previously known as Ubuntu Education Edition, is an official derivative of the Ubuntu operating system designed for use in classrooms inside schools, homes and communities. Edubuntu has been developed in collaboration with teachers and technologists in multiple countries. Edubuntu is built on top of the Ubuntu base, incorporates the LTSP thin client architecture and several education-specific applications, and is aimed at users aged 6 to 18.

Source: Datamation

Saurabh Singh, EFYTIMES News Network