Operational Security Metrics

Securing an organization against cyber-attacks has become a priority for most organizations over the past decade. What was once treated as hype around cybersecurity has turned into an alarming reality that government and corporate entities often seem unable to mitigate. There is no longer any need to cite polls or statistics to indicate the threat level: cyber intrusions are a daily occurrence in the news. Organizations therefore need to prioritize and allocate resources to protect their computing assets, and administrators and network engineers must put measures in place to defend against such attacks. This paper is intended to start the process of creating a prioritized baseline of information security controls and measures. It highlights ten security metrics that are viewed as integral to information assurance within an organization.

Secure Hardware and Software Configurations on Desktops, Laptops, Workstations, and Servers

For this metric, the security settings of the organization's computing systems must be documented and approved by the responsible authority. Default factory settings on both hardware and software must be changed and hardened network configurations put in place, so that default or shared login credentials cannot be used by attackers to compromise the systems. System administrators should also run regular vulnerability scans to confirm that the configurations remain secure. Enforcing this metric gives the organization a real measure of information assurance, since most systems will have secure configurations baked in from the start.
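The check this metric calls for can be automated: compare each host's live configuration with the documented baseline and report every deviation. The following is an added example (not code from the original post) that does this for an OpenSSH server configuration. The baseline values, the two sample sshd_config files, and the choice of directives are assumptions constructed for illustration; a real baseline would come from the organization's approved standard.

```python
"""Added example: check an sshd_config against a documented baseline.

Illustrative code, not part of the original page. The baseline values and
both sample configs below are constructed assumptions.
"""
from typing import Dict, List

# Hypothetical approved baseline: directive -> required value.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed sample: a host still running vendor-default settings.
DEFAULT_CONFIG = """\
# sshd_config as shipped (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding yes
"""

# Constructed sample: the same host after hardening to the baseline.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its value.

    Comments and blank lines are ignored. As in sshd itself, the first
    occurrence of a directive wins, so a later duplicate cannot override it.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_baseline(settings: Dict[str, str],
                   baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Return one finding per directive that is unset or deviates.

    An unset directive is reported too: sshd's compiled-in default then
    applies, and that default may not match the approved value.
    """
    findings: List[str] = []
    for directive, required in baseline.items():
        actual = settings.get(directive.lower())
        if actual is None:
            findings.append(f"{directive}: not set, sshd default applies (required {required})")
        elif actual.lower() != required.lower():
            findings.append(f"{directive}: {actual} (required {required})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_baseline(parse_sshd_config(cfg))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the default sample it reports four deviations; against the hardened sample it reports none. The parser deliberately ignores `Match` and `Include` blocks, so a directive set conditionally inside a `Match` block is not seen; extend it before relying on it for hosts that use those features.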

Analysis of Security Audit Logs

The organization should validate the audit log settings of every installed software and hardware component and ensure that each system has adequate storage for the logs it generates. Security administrators should also build profiles of the common, expected events so that anomalies stand out and preliminary mitigation can begin quickly. This allows the security control team to uncover hidden attacker footholds and malicious software intended to compromise the organization's systems, giving them the opportunity to mount a defense before real damage occurs.
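The "common events profile" idea above can be made concrete with a few lines of detection logic. The following added example (not code from the original post) learns, from a baseline window of successful SSH logins, which source addresses and hours of day are normal for each user, then flags logins that deviate and bursts of failed logins. All log lines are constructed samples in a syslog-like layout, and the field names and the failed-login threshold are assumptions.

```python
"""Added example: profile expected sshd login events, then flag deviations.

Illustrative code, not from the original page. The log lines are constructed
samples; the line layout and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed baseline window: what "normal" looked like last month.
BASELINE_LOGS = [
    "2024-03-04T09:02:11 bastion sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "2024-03-04T10:15:40 bastion sshd[1244]: Accepted publickey for alice from 10.0.0.5 port 51310 ssh2",
    "2024-03-05T14:31:02 bastion sshd[1390]: Accepted publickey for alice from 10.0.0.5 port 52007 ssh2",
    "2024-03-05T08:45:19 bastion sshd[1402]: Accepted publickey for bob from 10.0.0.7 port 40110 ssh2",
    "2024-03-06T17:20:33 bastion sshd[1588]: Accepted publickey for bob from 10.0.0.7 port 40987 ssh2",
]

# Constructed current window to evaluate against the profile.
NEW_LOGS = [
    "2024-04-01T10:05:12 bastion sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 53001 ssh2",
    "2024-04-02T03:12:48 bastion sshd[2090]: Accepted publickey for alice from 203.0.113.9 port 61000 ssh2",
    "2024-04-02T03:20:01 bastion sshd[2101]: Failed password for root from 198.51.100.4 port 44001 ssh2",
    "2024-04-02T03:20:03 bastion sshd[2102]: Failed password for root from 198.51.100.4 port 44002 ssh2",
    "2024-04-02T03:20:05 bastion sshd[2103]: Failed password for root from 198.51.100.4 port 44003 ssh2",
    "2024-04-02T17:01:57 bastion sshd[2150]: Accepted publickey for bob from 10.0.0.7 port 41200 ssh2",
]


def parse_event(line: str) -> Optional[dict]:
    """Extract timestamp, outcome, user, source IP and hour; None if not a login line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["hour"] = datetime.fromisoformat(event["ts"]).hour
    return event


def build_profile(lines: List[str]) -> Dict[str, Dict[str, set]]:
    """Per user: the source IPs and hours of day seen in successful logins."""
    profile: Dict[str, Dict[str, set]] = defaultdict(lambda: {"ips": set(), "hours": set()})
    for line in lines:
        ev = parse_event(line)
        if ev and ev["result"] == "Accepted":
            profile[ev["user"]]["ips"].add(ev["ip"])
            profile[ev["user"]]["hours"].add(ev["hour"])
    return profile


def find_anomalies(lines: List[str], profile: Dict[str, Dict[str, set]],
                   fail_threshold: int = 3) -> List[str]:
    """Flag logins by unprofiled users, from new sources or at unusual hours,
    and repeated failures from one source (a brute-force burst)."""
    anomalies: List[str] = []
    failures: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        user, ip = ev["user"], ev["ip"]
        if ev["result"] == "Failed":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == fail_threshold:
                anomalies.append(f"{ev['ts']} {fail_threshold} failed logins for {user} from {ip}")
            continue
        known = profile.get(user)
        if known is None:
            anomalies.append(f"{ev['ts']} login by unprofiled user {user} from {ip}")
            continue
        if ip not in known["ips"]:
            anomalies.append(f"{ev['ts']} {user} logged in from new source {ip}")
        if ev["hour"] not in known["hours"]:
            anomalies.append(f"{ev['ts']} {user} logged in at unusual hour {ev['hour']:02d}")
    return anomalies


if __name__ == "__main__":
    for finding in find_anomalies(NEW_LOGS, build_profile(BASELINE_LOGS)):
        print(finding)
```

On the sample data this reports three anomalies: alice's 03:12 login from a new address (two findings, one for the address and one for the hour) and the three failed root logins from one source. The baseline window should be long enough to capture legitimate variation, or routine events will be flagged and the team will learn to ignore the alerts.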

Application Software Security

The security team can establish the acceptable baseline for this metric by testing applications for errors and bugs in the source code before deploying them. Particular attention should go to the input validation and output encoding routines. Web applications should be tested for vulnerabilities every time an update is applied. Organizations should also deploy firewalls, both hardware and software (including web application firewalls in front of web-based applications), to deter common attacks such as SQL injection and cross-site scripting; a firewall is a compensating control, however, and does not replace fixing the vulnerable code. This helps the security control team detect and avert attacks on the organization's applications early, and it reduces the danger of attackers manipulating application code or inputs to infiltrate sensitive organizational systems.
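The two attack classes named above both come from missing input handling, and both have a small, well-defined fix. The following added example (not code from the original post) shows a SQL lookup built by string concatenation next to its parameterized replacement, and unescaped HTML output next to an output-encoded version. The table, the rows and the attacker strings are constructed; only the standard library `sqlite3` and `html` modules are used.

```python
"""Added example: SQL injection via string concatenation beside the
parameterized fix, plus HTML output encoding against cross-site scripting.

Illustrative code, not from the original page. The table rows and the
attacker inputs are constructed.
"""
import html
import sqlite3
from typing import List

INJECTION = "' OR '1'='1"          # constructed attacker input
XSS = "<script>alert(1)</script>"  # constructed attacker input


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (never store plaintext passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "<hash1>"), ("bob", "<hash2>")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """VULNERABLE: user input is spliced into the SQL text, so a quote
    character in the input changes the structure of the query."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """FIXED: the value travels as a bound parameter, never as SQL text."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def render_greeting_vulnerable(name: str) -> str:
    """VULNERABLE: untrusted text is emitted as markup (reflected/stored XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting(name: str) -> str:
    """FIXED: encode for the HTML context before inserting untrusted text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))  # every row leaks
    print("safe:      ", lookup_safe(db, INJECTION))        # no row matches
    print(render_greeting_vulnerable(XSS))
    print(render_greeting(XSS))
```

With the injection string the vulnerable lookup returns every user, while the parameterized version returns nothing because it looks for a user literally named `' OR '1'='1`. Note that `html.escape` is only correct for text placed in HTML element or attribute content; text inserted into a JavaScript block or a URL needs the encoding appropriate to that context.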

Regulated Administrative Privileges Use

Acceptable baselines for this metric are established by taking an inventory of all superuser (administrative) accounts and validating each such user against the privileges they have been granted. All system passwords must be stored in hashed (or, where a hash cannot be used, encrypted) form, with access restricted to administrators. Administrators should enforce some form of password expiry so that the same passwords are not used for long periods; note that current guidance (NIST SP 800-63B) favours screening new passwords against known-compromised lists and forcing a change when compromise is suspected over blanket periodic rotation, which tends to produce weaker, predictable passwords. This helps the security control team deal with internal attacks resulting from compromised access credentials.
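Two of the checks above are easy to script. The following added example (not code from the original post) reconciles the members of superuser groups against an approved list, and shows how a password should be stored (salted PBKDF2-HMAC-SHA256 from the standard library), verified in constant time, and tested against an age policy. The group file excerpt, the approved-admin set, the iteration count and the 90-day limit are constructed assumptions.

```python
"""Added example: inventory privileged group members against an approved
list, and store/verify/expire passwords with a salted PBKDF2 hash.

Illustrative code, not from the original page. The group file, the approved
admin set and the policy values are constructed assumptions.
"""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import Dict, Optional, Set

# Constructed /etc/group excerpt; svc_backup was added to wheel without approval.
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob,svc_backup
users:x:100:alice,bob,carol
"""
APPROVED_ADMINS = {"alice", "bob"}         # hypothetical approved superuser list
ADMIN_GROUPS = ("root", "wheel", "sudo")   # groups that confer superuser rights
PBKDF2_ITERATIONS = 600_000                # order of magnitude OWASP recommends for SHA-256
MAX_PASSWORD_AGE_DAYS = 90                 # hypothetical policy value


def privileged_members(group_text: str, admin_groups=ADMIN_GROUPS) -> Set[str]:
    """Every account listed as a member of a superuser group."""
    members: Set[str] = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] in admin_groups and fields[3]:
            members.update(fields[3].split(","))
    return members


def unapproved_admins(group_text: str, approved: Set[str] = APPROVED_ADMINS) -> Set[str]:
    """Superuser-group members that the inventory does not authorize."""
    return privileged_members(group_text) - approved


def hash_password(password: str, set_on: Optional[str] = None) -> Dict[str, str]:
    """Salted PBKDF2-HMAC-SHA256 record; store this, never the password.
    set_on is an ISO date (defaults to today) used by the expiry check."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": str(PBKDF2_ITERATIONS),
        "set_on": set_on or date.today().isoformat(),
    }


def verify_password(record: Dict[str, str], candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def password_expired(record: Dict[str, str], today: Optional[str] = None,
                     max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> bool:
    """True once the password is older than the policy allows (today as ISO date)."""
    as_of = date.fromisoformat(today) if today else date.today()
    age = as_of - date.fromisoformat(record["set_on"])
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    print("unapproved admins:", unapproved_admins(GROUP_FILE))
    record = hash_password("correct horse battery staple", set_on="2024-01-01")
    print("verify ok:", verify_password(record, "correct horse battery staple"))
    print("expired on 2024-06-01:", password_expired(record, today="2024-06-01"))
```

Storing the iteration count in the record is deliberate: it lets the cost be raised for new passwords while old records still verify, and it is what lets a later audit find records hashed with an outdated cost. A purpose-built password hash such as Argon2 or bcrypt is preferable where a library for it is available; PBKDF2 is used here because it ships with Python.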

Regulated Access Founded On Need to Know

This metric baseline is established by creating a multi-layer data separation or classification framework, with information categorized according to access level. Crucial information such as password hashes and network device configurations must be stored offline. The organization can also put comprehensive audit logging in place for privileged authentication. Lastly, security administrators should regularly test from standard (non-privileged) accounts to confirm that they cannot reach information reserved for higher privilege levels. This limits the damage if an attacker penetrates a system, since a single compromised account does not expose all of the information.

Persistent vulnerability scanning and remediation

This metric baseline is established by verifying that vulnerability testing of networks, applications and systems is carried out at least weekly. It is also crucial to compare consecutive scan results to confirm that vulnerabilities found in earlier scans have actually been patched. Unremediated vulnerabilities should be documented and escalated to senior management so that effective mitigation can be driven from the top. Use more than one scanning tool, since each reveals gaps the others miss. This tells the security control team exactly what to focus on: it is far easier to fix known, specific vulnerabilities than to apply general solutions.
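Comparing back-to-back scans is a set operation on (host, vulnerability) pairs, and the escalation list for management falls out of the same comparison. The following added example (not code from the original post) performs that comparison on two constructed weekly scan exports; the host names, vulnerability identifiers and severity scale are invented for illustration and do not refer to real findings.

```python
"""Added example: diff two consecutive vulnerability scans to prove
remediation and build the escalation list for management.

Illustrative code, not from the original page. The scan results, host names
and vulnerability IDs are constructed; the severity scale is an assumption.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (host, vulnerability id)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed results from two weekly scans, as a scanner export might look.
SCAN_WEEK1 = [
    {"host": "web01", "id": "VULN-101", "severity": "critical"},
    {"host": "web01", "id": "VULN-102", "severity": "medium"},
    {"host": "db01", "id": "VULN-201", "severity": "high"},
]
SCAN_WEEK2 = [
    {"host": "web01", "id": "VULN-102", "severity": "medium"},
    {"host": "db01", "id": "VULN-201", "severity": "high"},
    {"host": "db01", "id": "VULN-202", "severity": "low"},
]


def index_findings(scan: List[dict]) -> Dict[Finding, str]:
    """Key each finding by (host, id) so the same bug on two hosts stays distinct."""
    return {(f["host"], f["id"]): f["severity"] for f in scan}


def compare_scans(previous: List[dict], current: List[dict]) -> Dict[str, List[Finding]]:
    """Split findings into remediated (gone), new (appeared) and persistent (still open)."""
    prev, cur = index_findings(previous), index_findings(current)
    return {
        "remediated": sorted(prev.keys() - cur.keys()),
        "new": sorted(cur.keys() - prev.keys()),
        "persistent": sorted(prev.keys() & cur.keys()),
    }


def escalation_list(previous: List[dict], current: List[dict],
                    min_severity: str = "high") -> List[Finding]:
    """Persistent findings at or above min_severity: these go to management."""
    cur = index_findings(current)
    persistent = compare_scans(previous, current)["persistent"]
    return [k for k in persistent if SEVERITY_RANK[cur[k]] >= SEVERITY_RANK[min_severity]]


if __name__ == "__main__":
    for bucket, items in compare_scans(SCAN_WEEK1, SCAN_WEEK2).items():
        print(f"{bucket}: {items}")
    print("escalate:", escalation_list(SCAN_WEEK1, SCAN_WEEK2))
```

A finding that disappears between scans is only "remediated" if the host was actually scanned the second time; a host that was offline or excluded will make every one of its findings look fixed, so the comparison should be restricted to hosts present in both scans before the result is reported.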

Wireless Device Control

This metric baseline is established by ensuring that every wireless device connected to the organization's network conforms to a security profile or authorized configuration. All of the organization's wireless access points must be manageable with the available organizational tools. Consumer (home-use) access points must be avoided, and administrators should use wireless intrusion detection systems to detect unauthorized devices and rogue access points attempting to compromise the network. Furthermore, all wireless access points must be secured with current encryption and authentication (WPA2 or WPA3 with strong credentials, never open or WEP networks). This helps the security control team safeguard the organization against attacks originating from wireless access points.

Monitoring and control of Dormant User Accounts

Monitoring and control of dormant user accounts is measured by how regularly all system user accounts are reviewed and whether users are automatically logged off after a given period of inactivity. The security team should review account usage weekly to detect accounts that are not used regularly and automatically disable them. Only current employees should have live accounts, and audit logging helps discover any attempts to use deactivated or disabled accounts. Monitoring these accounts helps the security team prevent internal attacks and attempts by former employees to access the organization's information, which would in this case be illegal.
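The weekly review described above reduces to three questions per enabled account: is the owner still employed, has the account ever been used, and has it been used recently? The following added example (not code from the original post) answers them against an HR roster and produces the list of accounts to disable, grouped by reason. The account records, the roster and the 30-day threshold are constructed assumptions.

```python
"""Added example: weekly dormant-account review against the HR roster.

Illustrative code, not from the original page. The account records, the HR
roster and the 30-day threshold are constructed assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List

DORMANT_AFTER_DAYS = 30  # hypothetical policy threshold

# Constructed account inventory: last successful login as ISO date (None = never).
ACCOUNTS = [
    {"user": "alice", "last_login": "2024-05-28", "enabled": True},
    {"user": "bob", "last_login": "2024-03-02", "enabled": True},    # idle > 30 days
    {"user": "carol", "last_login": "2024-05-30", "enabled": True},  # left the company
    {"user": "dave", "last_login": None, "enabled": True},           # never used
    {"user": "erin", "last_login": "2024-01-10", "enabled": False},  # already disabled
]
# Constructed HR roster of current employees.
CURRENT_STAFF = {"alice", "bob", "dave"}


def review_accounts(accounts: List[dict], staff: set, today: str,
                    dormant_after_days: int = DORMANT_AFTER_DAYS) -> Dict[str, List[str]]:
    """Return users to disable, grouped by reason; already-disabled accounts are skipped.

    Departed staff are checked first and get no grace period: a recent login on
    an ex-employee's account is a finding in itself, not a sign the account is live.
    """
    as_of = date.fromisoformat(today)
    cutoff = as_of - timedelta(days=dormant_after_days)
    actions: Dict[str, List[str]] = {"departed": [], "dormant": [], "never_used": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user not in staff:
            actions["departed"].append(user)
        elif acct["last_login"] is None:
            actions["never_used"].append(user)
        elif date.fromisoformat(acct["last_login"]) < cutoff:
            actions["dormant"].append(user)
    return actions


def apply_review(accounts: List[dict], actions: Dict[str, List[str]]) -> List[dict]:
    """Disable every flagged account and return the updated inventory."""
    to_disable = {u for users in actions.values() for u in users}
    return [dict(a, enabled=a["enabled"] and a["user"] not in to_disable) for a in accounts]


if __name__ == "__main__":
    actions = review_accounts(ACCOUNTS, CURRENT_STAFF, today="2024-06-01")
    print(actions)
    print([a["user"] for a in apply_review(ACCOUNTS, actions) if a["enabled"]])
```

Reviewed as of 2024-06-01 this disables carol (departed), bob (dormant) and dave (never used), leaving only alice enabled. Service accounts need their own roster, since they have no employee owner and would otherwise all be flagged as departed.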

Data Recovery Capability

An acceptable baseline for this metric is established by checking that automatic system backups exist and that the backup interval is at least weekly (more frequent for data that changes quickly, depending on how much loss is acceptable). Application software, operating systems and data should all be included in the backup process. Furthermore, all locally stored backups must be encrypted, and so must backups in transit over the network. Lastly, all external backup media should be stored in a physically secure location, and restores should be tested regularly, since an untested backup is not a recovery capability. This helps the security control team ensure that systems can be restored to normal operation after a disaster and that the information at the backup location cannot be compromised.

Anti-Malware defenses

The acceptable baseline for this metric is established by ensuring that every system has at least one malware detection and mitigation mechanism, such as anti-virus or anti-spyware software. The security control team should have tooling that reports daily on the number of systems lacking the latest anti-malware signatures and that enforces continuous automatic updates. Administrators should either push updates to all computers and systems manually each day or rely on the software's auto-update feature. Workstations, laptops and servers should not auto-run content from external storage media and should scan such media for malware as soon as they are plugged in. This helps the security control team eliminate many common malware attacks and safeguards the organization's systems from infection via external storage media.

These metrics have been formulated with diverse security considerations in view. Although there is no such thing as absolute security, effective implementation of the metrics highlighted in this paper should give an organization a baseline of information assurance against common, significant attacks. However, attacks change over time and so do security considerations, so this paper needs regular updates to incorporate the latest threats. Some of these metrics can be implemented together to protect against a common threat, while others must be implemented separately to address specific threats. It is the author's view that organizations should adjust specific sections of this paper to fit their own information assurance needs and implement them accordingly.
