CIS Guidelines for Security Metrics

Dark Reading seems to be an advertising site. Every time I read an article there it feels more like a vendor press release than anything insightful or balanced. That being said, I have not found mention of this anywhere else (yet):

The first set of metrics that the CIS will release tomorrow for download are: mean time between security incidents; mean time to recover from security incidents; percentage of systems configured to approved standards; percentage of systems patched to policy; percentage of systems with anti-virus; percentage of business applications that had a risk assessment; percentage of business applications that had a penetration or vulnerability assessment; and percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.

This would be a very useful set of data, indeed. In fact, it mirrors a set of questions I proposed for the survey at the Protect ’08 conference in Washington DC. My questions were not chosen for the survey, unfortunately, or they would have coincided with this CIS press release. Oh well.
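To make the CIS list above concrete, here is an added example (my own code, not part of the CIS release or the Dark Reading article) that computes those metrics from a constructed incident log and asset inventory. The incident timestamps, system records and application records are all made up for illustration, and the last metric is simplified to a per-application flag rather than a per-line-of-code measure.

```python
from datetime import datetime, timedelta

# Constructed sample data: four incidents with detection and recovery times.
INCIDENTS = [
    {"detected": datetime(2008, 1, 10, 9, 0), "recovered": datetime(2008, 1, 10, 15, 0)},
    {"detected": datetime(2008, 2, 9, 9, 0),  "recovered": datetime(2008, 2, 11, 9, 0)},
    {"detected": datetime(2008, 3, 20, 9, 0), "recovered": datetime(2008, 3, 20, 13, 0)},
    {"detected": datetime(2008, 4, 9, 9, 0),  "recovered": datetime(2008, 4, 9, 21, 0)},
]

# Constructed inventory: each system is scored against three CIS metrics.
SYSTEMS = [
    {"host": "web-1", "configured_to_standard": True,  "patched_to_policy": True,  "antivirus": True},
    {"host": "web-2", "configured_to_standard": True,  "patched_to_policy": False, "antivirus": True},
    {"host": "db-1",  "configured_to_standard": True,  "patched_to_policy": True,  "antivirus": True},
    {"host": "app-1", "configured_to_standard": False, "patched_to_policy": True,  "antivirus": True},
    {"host": "app-2", "configured_to_standard": True,  "patched_to_policy": False, "antivirus": True},
]

# Constructed application records (simplified: one flag per application).
APPLICATIONS = [
    {"name": "billing",   "risk_assessed": True,  "pentested": True,  "code_reviewed": True},
    {"name": "portal",    "risk_assessed": True,  "pentested": True,  "code_reviewed": False},
    {"name": "reporting", "risk_assessed": True,  "pentested": False, "code_reviewed": False},
    {"name": "intranet",  "risk_assessed": False, "pentested": False, "code_reviewed": False},
]


def mean_time_between_incidents(incidents):
    """Mean gap between consecutive detection times; None if fewer than two incidents."""
    times = sorted(i["detected"] for i in incidents)
    if len(times) < 2:
        return None  # the metric is undefined with a single data point
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sum(gaps, timedelta()) / len(gaps)


def mean_time_to_recover(incidents):
    """Mean of (recovered - detected); rejects records whose recovery precedes detection."""
    durations = []
    for i in incidents:
        if i["recovered"] < i["detected"]:
            raise ValueError(f"recovery before detection in {i}")
        durations.append(i["recovered"] - i["detected"])
    if not durations:
        return None
    return sum(durations, timedelta()) / len(durations)


def coverage_pct(items, flag):
    """Percentage of records where the boolean `flag` is set; 0.0 for an empty inventory."""
    if not items:
        return 0.0
    return 100 * sum(1 for it in items if it[flag]) / len(items)


def security_scorecard(incidents, systems, applications):
    """Return the CIS-style metric set as a dict; time metrics are reported in hours."""
    mtbsi = mean_time_between_incidents(incidents)
    mttr = mean_time_to_recover(incidents)
    return {
        "mtbsi_hours": None if mtbsi is None else mtbsi.total_seconds() / 3600,
        "mttr_hours": None if mttr is None else mttr.total_seconds() / 3600,
        "pct_systems_configured_to_standard": coverage_pct(systems, "configured_to_standard"),
        "pct_systems_patched_to_policy": coverage_pct(systems, "patched_to_policy"),
        "pct_systems_with_antivirus": coverage_pct(systems, "antivirus"),
        "pct_apps_risk_assessed": coverage_pct(applications, "risk_assessed"),
        "pct_apps_pentested": coverage_pct(applications, "pentested"),
        "pct_apps_code_reviewed": coverage_pct(applications, "code_reviewed"),
    }


if __name__ == "__main__":
    for name, value in security_scorecard(INCIDENTS, SYSTEMS, APPLICATIONS).items():
        print(f"{name:40s} {value}")
```

Two points the numbers alone do not show: MTBSI needs at least two incidents before it means anything, and a high percentage on “systems with anti-virus” says nothing about the systems missing from the inventory, so the denominator is the metric that deserves the most scrutiny.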

A universal grading system is a bit pie-in-the-sky for me. How many schools have how many interpretations of grading after how many years and yet CIS believes they will crack the code of a common security grading system?

Security and the UAL story debacle

A story on Forbes called Inside The UAL Story Debacle provides some insight into today’s information security disaster. In brief, an “investor information service” reporter used a search engine and uncovered an old story on UAL bankruptcy. The problem was that the story was over six years old but the reporter filed the story online as current events.

Ooops:

Minutes after the story was filed, Lehmann, a Forbes columnist, was alerted to a problem when non-subscribers jammed his switchboard with requests for the full text. “We’re not in the business of providing fresh news,” Lehmann says. “And consequently, we knew there was something wrong here.” Lehmann said his employee was not negligent in picking up the Sun-Sentinel story because it had no date on it and appeared current beside new content tracking Hurricane Ike in the Southeastern U.S.

This is a silly line of reasoning. It reminds me of the lawsuit against McDonald’s for hot beverage warning labels. Does a reporter really need warning signs on the page, within the article, or perhaps even blinking in order to figure out what time it is? The Forbes report suggests there were numerous references to 2002, including the URL, but the reporter clearly missed all of them. Unfortunately, once the bad data was filed it spread like a virus into markets and caused a meltdown for UAL shares.

This UAL disaster is similar to shouting “fire” in a crowded theater. It is an excellent example of how powerful information technology has become, especially in terms of magnifying human errors — the Internet is always crowded.

A simple solution, such as checking the official UAL site, could have averted the disaster in security and fact-oriented populations. However the reality is that facts fly out the window when everyone starts running for the door. A more likely focus will instead be on how to criminalize or at least dissuade speech that is directed and likely to incite a technology riot.

In related news, Google has announced it is expanding search to historic newspapers…

Palin-Gag

The Seattle Times has documented more on how Sarah Palin is unable to handle the truth:

Palin put in place what the local paper called a gag order, prohibiting top city employees from talking to reporters unless she cleared it first.

She did this because popular opinion was not kind to her. She was a puppet of money who wanted to get rid of people who took time to discuss and debate issues. It apparently was easy to buy her, but impossible to work with her.

After Stambaugh and the museum director were fired, two of the four remaining department heads quit. One, the public-works director, accused Palin of undermining him by meeting secretly with contractors and employees.

When three women who worked at the city’s museum were asked to decide among themselves which one should be let go, all three quit.

As I have mentioned before, executives tend to bring change. The wise ones do so without impacting services and quality. The inexperienced ones are unaware of consequences, so they sometimes foolishly fire with abandon. This creates turmoil and leads to higher costs, reduced efficiency and a decline in security:

Palin tried to fill two vacancies on the City Council herself, even though an ordinance said that wasn’t her prerogative. It was the council’s. After the city attorney stopped Palin, the mayor said she’d merely engaged in a ploy. “It was brilliant maneuvering I had to do to deal with the impasse,” she told the Frontiersman.

You do not have to be a rocket scientist to see that she is completely detached from reality. Why? In her world, negative thoughts are forbidden. She relabeled her mistakes as “brilliant maneuvering”.

This is a dangerous practice. A leader who forbids ANY negative thoughts or comments, in a clear attempt to hide negative data, will be ignorant of actual risk.

If Sarah Palin made automobile dashboards, she would allow no warning lights. If an engine ran low on oil or started to overheat, the Palin-board would only report positive information until too late — the engine explodes. What then? She surely would say the failure was divine. No fault from ignorance or negligence.

Step one: always look on the bright side of life
Step two: gag dissent, discredit critics
Step three: cook the books
Step four: declare any failures that cannot be hidden to be a result of intelligent design

“Staff, I believe if we look for the positive, that is what we will ultimately find. Conversely, look for the negative and you’ll find that, too. … Wasilla has tremendous assets and opportunities and we can all choose to be a part of contributing to the improvement of our community … or not. I encourage you to choose the prior because the train is a’moving forward!”

“I realize this is an added chore, but at least it’s a positive one!” she wrote.

She would never be able to pass a Sarbanes-Oxley test, now required for executive leaders of public companies in many countries around the world.

In other words, she has told her staff to avoid looking for anything negative to avoid finding it and having to deal with it. Police should ignore crime (that would be looking for the negative), citizens should ignore faults. Just believe. And when things collapse, smile a lot.

The message from Palin’s pen was clear — either ignore risks and help cook the books to falsely report positive results, or prepare to be run over by her “train”.

This woman represents the opposite of good governance. She is the epitome of fraud, bad management and insecurity. Under her, important data will be ignored, and any success will be based on false calculations.

It seems to me that her entire platform is a mirror of the Bush campaign. She was just a young politician copying from the big playbook. She probably thought Enron was actually really successful. Today, she offers little more than a continuation of Bush’s philosophy:

The Frontiersman ran blistering editorials, condemning Palin’s philosophy “that either we are with her or against her.” The newspaper accused Palin of mistaking the 616 votes she received as a “coronation.”

“Wasilla residents have been subjected to attempts to unlawfully appoint council members, statements that have been shown to be patently untrue, unrepentant backpedaling, and incessant whining that her only enemies are the press and a few disgruntled supporters of Mayor Stein. … Palin promised to change the status quo, but at every turn we find hints of cronyism and political maneuvering. We see a woman who has long since surrendered her ideals to a political machine.”

“Surrendered” is right. Palin is a true good-old-boy who has run on the same platform as Bush because she is the same as Bush. She is a white-flag Republican who will continue the status quo that has made America less secure. The last thing America needs is another corporate crony who gags critics and is completely out of touch with the reality of security.