Just How Secure is Your Organization?

You just deployed the latest and the most sophisticated protection system for your organization. It was hard work, expensive and taxing on the system, but finally managed to implement it and the security system is now working as per plan. You know that you are better off with this system, but how much better is still a mystery. Without knowing that, you can't determine how much further you have to go to secure your organization.

The above questions are not unique to any organization, but are a commonly debated topic everywhere. It is generally difficult to appoint a number to the degree of security you have achieved. In other words, you can't really say that your organization is say 75% secure, and you need to achieve 25% more to reach 100%. In this article, we attempt to help you do just that, so that you can quantify your enterprise security operations.

Developing a metrics measurement system is similar to setting up an information pyramid. On top of this pyramid lies the single number that determines your security health. We call it Enterprise Security Index. It's a single number, which is expressed in percentage, and displays your current security level. This number is an amalgamation of the following three pillars of measurement:

1. Compliance Index

2. Vulnerability Index

3. Security Operations Index

Compliance Index

This index determines the broad compliance of your organization to the following distinct exposures:

1. Enterprise Process Index: For every process that is documented and needs to be executed, there are control points. These control points spin off the measurement dashboards. And for each of these control points, based on the process adherence, it would be simple to derive a compliance ratio (in percentage) of each control point. Confused? Let's understand this with an example.

Let's assume that there are 10 processes being monitored in your organization. Each process will have 2-3 control points, “Employee separation process,” for instance is one. From an IT security point of view, this would have the following key control points:

* Control point 1 (CP1) - Receipt of information from HR that employee has left.

* Control point 2 (CP2) - Revoking of access rights for intranet/email within 24 hours of last working day.

* Control point 3 (CP3) - Reformatting of the disk in an agreed manner, so that the resource (laptop) can be re-deployed, within 7 days.

In a quarterly measurement cycle, lets say, you had 20 employees leaving your organization. If the process was working absolutely perfect, you would have 20 information receipts of employees leaving, from HR, 20 access rights would have been revoked, and 20 laptops reformatted. However, in our example, you received information for only 18 employees and you could not format 2 laptops, since the business was suffering and the IT team had to quickly provide one spare laptop. Thus your process index is defined as the sum of actual control points measured, divided by sum of expected control points. In this case would be:

Process Index P1 = (Actual CP1 + Actual CP2 + Actual CP3)

(Expected CP1+ Expected CP2 + Expected CP3)

P1 = (18 + 18 + 16) / (20 + 20 + 20) = 52/60 = 86.76%

A summation of all the processes would give us the enterprise process index. It is calculated as following:

Enterprise Process Index = Sum of all the process index (P1+P2.... Pn)

No. of processes (n)

In the above example, we demonstrated the process index for one of the processes only. In real life, you would have to prepare your list of processes, the control points for each, and their measurement criterion, to get your enterprise process index as per the above formula. It should be fair to assume that a matured process must yield close to 100% efficiency in large or even mid-sized organizations.

2. Licensing index: This is pretty much self explanatory and corporations aspire to be in the 100% compliance on this area. In a typical organization, you would start by defining the basic software required. E.g. you would plan 100% employees would need an office suite. 40% would require a project management suite, 30% would require let's say Adobe Writer, etc (see the illustrative table, with sample numbers for a 300 employee organization). In real life, this list will be typically about 20-30 applications long.

The next step to determine the exact index would be to establish how many licenses you actually use. This can be done through a manual check, or by using a freeware tool like SIW (http://www.gtopala.com/). Once run on a system, it throws up the actual licenses in use on each of the workstations. SIW is a very useful tool to determine not only licenses, but also system settings. We will learn more about this in the subsequent sections of this article.

License Index = (Number of active commercial license acquired)

(Number of commercial licenses in use)

In the above example, License index = 820 / 920 = 89.13%

3. Audit Index: Most audits that an enterprise undergoes, yield audit observations of varying degrees — Critical, Normal, Advisory are the typical notations used for providing such observations. The audit index is the weighed average of observations identified, divided by observations closed. Let us say the audit finds the following observations:

Audit Index =(Critical observation closed x 3) + (Normal observation closed x 2) + (Advisories closedx 1)

< (# of critical observations) x 3 + (# of normal observations) x 2 + (# of advisories) x 1>

So in the above example, the audit index would be:

Audit index = (21+ 26 + 22) / (27 + 30 + 32) = 69/89 = 77.5 %

Vulnerability Index

Existence of security vulnerabilities in an organization can never be ruled out. One can reduce the same, but not remove them from the system. Having said this, measurement and proximity to near zero is always an enterprise aspiration. In its simplest form, vulnerability assessment is divided into two parts:

Click on the image to enlarge

1. VA Index

2. System Index

Here, The VA index is defined as the number of open (High and medium) vulnerabilities per given machines.

VA Index = 100 — (# of exploits) — (# of false positives)

(# of systems)

Nessus is one of the most commonly used Open Source tools to identify and close known vulnerabilities. It runs its tests for literally thousands of vulnerabilities. We can use its results (see box for a sample report) to determine the VA index. Let us assume we have 350 systems (desktops and servers included). The VA index will be calculated as under

VA Index = 1 — 14 — 0 = 99.96%

350

If you check PART II of the scan report in the box, you would notice that it reports specific systems that have any vulnerability. In our case above, the vulnerability is limited to two systems, viz 192.168.1.0, in which there were 3 security warnings, and 192.168.1.21, in which 2 security holes have been found. The System Index is the number of systems in the environment that are clean and free of any exploits, thus if this was the complete report for 350 devices, the system index would be calculated as

System Index = (# of clean systems)

(# of total system)

In our case, the SI would be = 348/350 = 99.42%

Instead, or in addition to Nessus, you could also have used two very effective Open Source vulnerability assessment tools like Nmap (www.nmap.org) and Metasploit (www.metasploit.com). They provide some effective and strong alternate scanning abilities.

In our next article, we would delve deep into the security ops index. This index is a measure of current security status of security operational posture. Things like user ID, basic hygiene, log, backup, etc all have security implications and thus are measured and reported. We would also conclude the overall measure of enterprise security that is derived by averaging compliance index, vulnerability index and security ops index.