The Metric for Information Security

During the Cold War, the US defended us poor, soon-to-be-nuked citizenry with time. If the Soviets got it into their heads to send over a six-pack of MIRVs, the US had somewhere in the vicinity of 18-22 minutes to launch our thermonuclear response over the pole. The point wasn't to defend we the citizens; it was to kill as many of their comrades as we could in response. The 18 minute window was how long we had to respond before their nukes nuked our nukes. Yeah, a ton of people would die and then there was that 10,000 year uninhabitable planet issue to work out, but the real point was MAD: deterrence through Mutual Assured Destruction. Looks like it worked.
Home and business protection is also measured in time, and we see it in a staple of cops and robbers movies: a crook breaks into a jewelry store (or home). The alarm goes off. It dials the cops (20 seconds); the cops examine the call to make sure it looks real (20 seconds); the cops go to the scene of the crime, presumably not across the street from the police station (1-5 minutes). To be on the safe side, the robbers give themselves a maximum of two minutes for the whole heist. The quantifiable question is, how much can they steal in two minutes? At the office, time is often the first tier of protection. You unlock the door, open it and then run like heck to the supply closet so you can enter the security code into the alarm system. You have 25 seconds to do that or, in theory, the rent-a-cops come a-running in a few minutes.
But There is No Protection

The history of conflict has been based upon the military concept of Risk Avoidance through Fortress Mentality. How high can we build the walls to keep the marauding masses out of our wheat fields, lakes and castles? Did that approach work? The Great Wall of China was an historical insignificance. The Berlin Wall was purely symbolic and the Maginot Line was ignored by the Germans. Hunkering down in defense for an attacker's seven year siege hasn't worked (Troy, Hussein, e.g.) and the same approach hasn't worked for the Internet-style hunkering down we have attempted in order to defend against on-line punkersterism. Just look at what's happening out there!
Fortress Mentality in computer and network technology as a defensive method assumes that things will work as they should - but we all know they don't and won't. Take a look:

· Increasing complexity causes software and networks to fail regularly in unpredictable ways.
· Networks grow and thus change every day, thus changing their security posture no matter how hard we try.
· Administrators do not know every single ingress and egress of their network. Modems, PC Anywhere, unknown phone lines and secret subnets plague organizations.
· Connecting enterprise networks to partner organizations with unknown security can weaken a network's defensive strength.
· Seemingly harmless applications often innocently create security vulnerabilities.
· New hacks appear daily against leading applications, operating systems and security mechanisms. Organizations have a terribly difficult time keeping up with every new one.
· It takes time and effort to install new patches to enhance security, and they don't always work.
· Well-designed security mechanisms are all too often installed incorrectly and/or completely misconfigured.
· Administrators often turn off security controls during audits and maintenance and forget to turn them back on.
· You can't adequately test the protective value of a network with any degree of assurance beyond the exact moment it was tested.
· We cannot measure the efficacy of security products or protective systems - yet. (Read on!)
What that means is, no matter how many firewalls, passwords, policies or O/S patches you apply, it's a sure bet that you won't be 100% protected. There is no silver bullet, right?

"What about perfect firewalls that only keep the bad guys out?" I often reply, "Show me a good IP and a bad IP address."

Yes, you can put in the perfect security - an air gap - but that defeats the whole purpose of networks in the first place: allowing businesses to seamlessly communicate and interact with as many other networks and people as they can for whatever purpose they choose.

So if the conventional protection mechanisms of Fortress Mentality don't work, what will?
Let's go back to the jewelry store.

The owners know that the store's plate glass windows represent no defense or protection at all for their millions of dollars in jewelry. They are there for show and to keep the honest people out, not the criminals.

Time for a bit of math. Let's say that Protection, P, equals 0, where P is measured in time. One hammer and it's all over; the bad guys are inside in an instant.

For our network analysis purposes, let's assume that all of our protective security efforts are for naught for the reasons listed above; they only serve to keep the good guys honest. Thus, as above, the Protection value in time, P = 0. (That is, of course, unless your favorite security vendor is giving you a written guarantee to the contrary.) From a risk management standpoint, how can we say anything different? Do we have any confidence or proof or trust that our security mechanisms will hold up in light of new hacker attacks or glitch discovery? And for how long can we feel secure with the latest O/S service pack? One week? One minute? One microsecond?
The jewelry store, though, probably has good detection mechanisms to detect the bad guys doing bad guy things: taped windows, cameras, heat, sound and motion detectors. This represents another piece of the Time Based Security approach: Detection, where D is also measured in time. In this case, a detection should occur in something less than a second; after all, smashing through a plate glass window is no small sonic event. So, let's say that in this case D = 1 second.

The next and last component in the store's security is Reaction, or R. The reaction has several steps:

1. Dial the cops (or security force): 20 seconds
2. The cops analyze the call: 20 seconds
3. The cops call a cop car to respond: 20 seconds
4. The cop car comes to the jewelry store: 1-4 minutes

So the robbers are assuming R = 2 minutes - that they have 120 seconds to commit the crime and hightail it out of the area.

If we assume a value of P = 0 (no protection), the store's entire defensive posture is then measured by D + R, the combined time it takes the detection and reaction systems to work. In this case, D + R = 121 seconds.

If, however, we had any confidence in the protection value of the plate glass window (bulletproof, hammerproof), we might use the following Time Based Security formula:

P > D + R

That says, "if the time value afforded me by a protection device is greater than the amount of time it takes to detect and respond (repair, halt) to an attack, then I have a secure environment."
The time value of P is the common metric in many physical examples of protection. In banks or for home security, the amount of security that vaults offer is measured in time: how long will it take a given oxyacetylene torch of a given temperature to burn through the metal wall? These numbers provide a good metric base for choosing what kind of P-products, D-products and R-products to use in a complete

But since we do not know the measured protective strength (P) of systems in the networking world, we conservatively assign P a value of 0, thus giving us a new formula: If P = 0, then D + R = E, where E represents Exposure, measured in time.

For the jewelry store, their E, or exposure time, means that their greatest risk is how much can be stolen in 2 minutes. That value is no longer an information security number but one to be used by the bean counters, risk analysts and actuarial management who assess insurance rates. Assuming the D + R systems work, E becomes a quantifiable risk-measuring tool. The goal, of course, is to make good business decisions which do not eliminate risk, but lower it to acceptable limits. Thus, in TBS, we want E → 0, or Exposure time to approach zero.
To use Time Based Security in our world, then, we merely have to apply the same logic. Let's say that your network is using a really whiz-bang Intrusion Detection System and that it can detect any known attack in the universe in 10 seconds. D = 10 seconds.

Now for reaction, R, which consists of three parts:

1. Notification: The IDS has to do something. Based upon more than 30,000 live audience members, that is generally to notify the administrator in charge either via page, email or telephone. The average time value for this step is 2 minutes, or 120 seconds. This assumes someone is on duty, of course. In some cases this value is as high as 64 hours.
2. Transit: The person notified has to get to a place where he can do something about the problem. Nominally I allow audiences about five minutes so as not to embarrass them. But think about the real world: corporate campuses, lunch hours, on the highway/airplane, midnight at home, weekends. How long does it really take?
3. Rectification: Fixing most problems appears to be easiest for the common ones, and is often less than a couple of minutes according to hundreds of administrators.

So the R (reaction) component now equals 2 minutes + 5 minutes + 2 minutes = 9 minutes, for a total of D + R = 9 minutes, 10 seconds.

The question the systems administrator, in combination with his risk management equivalents, legal staff and auditors, needs to ask - and answer - is: "How much damage can occur to our networks and our company in 9 minutes and 10 seconds of unlimited access by a bad guy?" (We're not looking at the insider problem yet.)

Maybe you can come up with that answer, but the groans are physically evident when I put audiences to this very test.
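The arithmetic above is simple, but the point of TBS is that you write the terms down and find out which one dominates. The following calculator is an added example and not part of the original article; it encodes the article's formulas (E = D + R under the conservative P = 0, and the test P > D + R) and the article's own numbers for the jewelry store and the network. The scenario names, the split of the store's reaction into four named steps, and the "off hours" variant with the 64-hour notification are constructed here for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Scenario:
    """One Time Based Security scenario: D, the named steps of R, and P, all in seconds.

    P defaults to 0, the article's conservative assumption that protection
    buys no time at all.
    """
    name: str
    detection: float
    reaction: Dict[str, float] = field(default_factory=dict)
    protection: float = 0.0

    def reaction_total(self) -> float:
        """R = sum of the reaction steps."""
        return sum(self.reaction.values())

    def exposure(self) -> float:
        """E = D + R: the window an attacker has before anyone stops the attack."""
        return self.detection + self.reaction_total()

    def is_secure(self) -> bool:
        """The TBS test P > D + R; with P = 0 it can never pass."""
        return self.protection > self.exposure()

    def dominant_term(self) -> str:
        """The single largest term in E, i.e. the first thing worth shrinking."""
        terms = {"detection": self.detection, **self.reaction}
        return max(terms, key=terms.get)


def fmt_duration(seconds: float) -> str:
    """Render seconds as 'h h m min s s', e.g. 550 -> '9 min 10 s'."""
    hours, rest = divmod(int(round(seconds)), 3600)
    minutes, secs = divmod(rest, 60)
    parts = []
    if hours:
        parts.append(f"{hours} h")
    if minutes:
        parts.append(f"{minutes} min")
    if secs or not parts:
        parts.append(f"{secs} s")
    return " ".join(parts)


def report(scenario: Scenario) -> List[str]:
    """Lines summarising a scenario: E, the secure/exposed verdict, and the largest term."""
    verdict = "secure (P > D + R)" if scenario.is_secure() else "exposed (P <= D + R)"
    return [
        f"{scenario.name}: D = {fmt_duration(scenario.detection)}, "
        f"R = {fmt_duration(scenario.reaction_total())}, "
        f"E = D + R = {fmt_duration(scenario.exposure())}",
        f"  verdict: {verdict}",
        f"  largest term: {scenario.dominant_term()}",
    ]


# Constructed scenarios built from the article's own numbers.
JEWELRY_STORE = Scenario(
    name="jewelry store (robbers' 2-minute assumption)",
    detection=1,
    reaction={"dial the cops": 20, "cops analyze the call": 20,
              "dispatch a car": 20, "car drives to the store": 60},
)

NETWORK_ON_DUTY = Scenario(
    name="network, administrator on duty",
    detection=10,
    reaction={"notification": 120, "transit": 300, "rectification": 120},
)

# Same network when the page sits unread over a weekend: the article's 64-hour notification case.
NETWORK_OFF_HOURS = Scenario(
    name="network, 64-hour notification",
    detection=10,
    reaction={"notification": 64 * 3600, "transit": 300, "rectification": 120},
)


if __name__ == "__main__":
    for s in (JEWELRY_STORE, NETWORK_ON_DUTY, NETWORK_OFF_HOURS):
        print("\n".join(report(s)))
```

Running it prints E = 2 min 1 s for the store and 9 min 10 s for the on-duty network, and shows that the largest term flips from transit to notification the moment nobody is on duty, which is exactly the term a reaction policy has to pin down first.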
The Time Based Security technique creates a new view of networks and their vulnerabilities by providing a common metric - time - to be used to gauge both risk and security under the same umbrella. We know (or should know) how fast our existing Detection and Reaction process is, even if we have no earthly idea how strong or weak our protective products and processes are.

The quantification of time to lost revenues, profits and image is not an exact science, but the DDOS attacks of February 2000 demonstrated that big e-commerce sites are already looking at time=money in web

The acute reader will have already thought that Time Based Security does not equally apply across the CIA infosec triad, and he is right. TBS does work in each case, but each one needs to be thought through and measured separately, as breaches occur in different ways and over different time periods. There are charts and processes to apply TBS to each security fundamental.
Perhaps the most critical component of Time Based Security is reaction, a completely overlooked component of security.

Just as companies need to have a policy to implement security, they need to develop and be prepared to use a policy for reactions. Developing a reaction matrix is crucial not only for solving real-time security problems, but also for follow-up forensics, legal involvement, law enforcement investigation and prosecution.

The administrator needs to get the buy-off from management that under detected condition 'A' it is corporate policy for him to take reaction 'B', and then call management, the lawyers, police or aliens if necessary. I have seen companies come to a virtual halt because of a hacking incident because they had no policies or procedures in place to respond. Ideally, someone will always be on duty or available in a short period to manage security events.
Most people unfortunately think that buying the strongest firewall or other security device is the answer to their problems. Wrong. Using TBS, we find that the first steps are to measure existing detection and reaction systems, then determine if they are acceptable. Getting several values to approach 0 is core to TBS. We want:

E = (D + R) → 0

Only once we understand how the detection/response systems work with respect to our time metric can we realistically begin to choose the appropriate, risk-managed protective systems.

There are many more Time Based Security formulas which really help make the information security process quantitative rather than mere guesswork, but they are outside the scope of this short article:
1. How to determine exactly which files in a network are vulnerable
2. How to protect those files with non-traditional security techniques that require next to no products
3. Solving Denial of Service
4. Applying Defense in Depth to Time Based Security
5. Extreme Intrusion Detection
6. Protecting against the insider
7. Tracking down the culprits

For the offensive information warrior who cares, we have also developed a set of equations for methods of safe attacks against target networks which use similar methods.
Time Based Security is not a panacea to solve all security problems, but it does offer tools to rethink the traditional view of security, and adds the necessary dynamics to reflect defense in ever-changing environments. But perhaps most importantly, TBS adds a common metric to security, where we can each measure aspects of our security environment, quantify them, replicate them and use them as benchmarks for performance today and in the future.

If you have any comments or thoughts on how TBS can be expanded or improved, I look forward to hearing from you.
© 2000-2001 Interpact, Inc. All Rights Reserved
For comments about this page, contact: Kelley Walker, Interpact, Inc.