## Saturday, August 20, 2011

### LIFE IN INFORMATION SECURITY- PART 1

Information security is one career whose requirements a lot of techies out there have mistaken. I have seen some people think that because they can run nmap on an MS box they can do VA assessments for an organization. Others think coz they can develop code they can actually hack. Others come straight from college and join a security company, get handed some company questionnaires and shown how to scare clients when they need to do an audit, only to find they are asking for SAM files from a Unix admin, LULZ. I'm not hating, but I think I need to talk about this.

Personally my skill-set is penetration testing, but how I got here was nasty. I started with repairing computers and mobile devices back in 1999/2000, then went into structured cabling; later I was administering domains and huge networks and I had to script code, and I ended up indulging in development. As I went on, security became a huge interest and there were no guys in Nairobi I could get advice from, so I had to do research and heavy studies by myself.

With 11 years in this career I am still learning new things every day.

So here are some aspects for those who want to do security at a higher level. By higher level I mean working in those institutions where security is taken seriously:

a) IT Background, Research and studies

b) Health and fitness

c) Personal Security

d) Patience

e) Independence

f) Intelligence

g) Confidentiality

As days go by, I will write on these aspects above.

With all regards,

./Chucks

## Wednesday, August 10, 2011

### Calculating PSR and the Reason to

So what is PSR, what does it stand for? In short, P means Probability, S is Severity and R is Relevance. This metric looks at the probability that the vulnerabilities found can be exploited, with ease or with loads of trial and error. It also looks at the severity of the impact they would cause to the organization if exploited, and then at the relevance of the asset to the organization.

Below is a table we can calculate the P = Probability with.

So for the auditor to estimate the probability he has to consider several factors:

a) The knowledge required to have a working exploit for the specified flaw. So the more knowledge required, the higher the probability.

b) The resources required to attack and exploit the flaw also weigh heavily on the probability: the fewer the resources, the higher the probability.

c) The duration required to exploit the flaw: if the intruder would take a short time, then the probability goes higher.

d) Also how important the target is, e.g. a banking server, where most attackers would want to fully exploit flaws, makes P vary a lot. The more attractive the system is, the higher the probability.

e) How well the asset is protected, physically and operationally: the lower the protection, the higher the probability.

f) Environmental, political and weather conditions also affect the probability.

So probability is a way of looking at the likelihood that a risk might happen, while severity evaluates the level of impact on the asset and organization if it takes place.

So for the auditor to estimate the severity he has to consider several factors:

a) The degree of impairment of the reliability of the process results or information, as well as of the systems or related environment supported by the asset.

b) The degree of impairment of the asset's performance.

c) The impairment of the quality of services, systems and information.

Thirdly is the relevance of the asset, where its importance is valued along with what it supports in the business/organization.

So now, once we have defined them, we can multiply the values to calculate the PSR of an asset.

| Level | PSR values |
|---|---|
| | 1, 2, 3, 4, 5, 6 |
| Low | 8, 9, 10, 12, 15, 16 |
| Medium | 18, 20, 24, 25, 27, 30 |
| High | 32, 36, 40, 45, 48, 50 |
| | 60, 64, 75, 80, 100, 125 |

So the PSR values go up to a maximum of 125.
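The whole metric, as an added Python example that is not part of the original post: it assumes each of P, S and R is scored as an integer from 1 to 5 (inferred from the table, whose 30 values are exactly the distinct products of three such integers), computes PSR as P times S times R, maps the result onto the table's bands, and ranks a constructed list of assets by score. The first and last table rows carry no label on the page, so they get placeholder names here.

```python
from itertools import product

# Assumed scale: P, S and R each take an integer from 1 to 5. This is inferred
# from the blog's table: its 30 values are exactly the products a*b*c, a,b,c in 1..5.
SCALE = range(1, 6)

# Risk bands from the blog's table. The first and last rows carry no label on
# the page, so placeholders are used for them.
PSR_BANDS = [
    ("BAND_1 (unlabelled on the page)", {1, 2, 3, 4, 5, 6}),
    ("Low", {8, 9, 10, 12, 15, 16}),
    ("Medium", {18, 20, 24, 25, 27, 30}),
    ("High", {32, 36, 40, 45, 48, 50}),
    ("BAND_5 (unlabelled on the page)", {60, 64, 75, 80, 100, 125}),
]

def psr_score(p: int, s: int, r: int) -> int:
    """Return P*S*R after checking each factor is on the 1..5 scale."""
    for name, v in (("P", p), ("S", s), ("R", r)):
        if v not in SCALE:
            raise ValueError(f"{name}={v} is outside the 1..5 scale")
    return p * s * r

def psr_band(score: int) -> str:
    """Map a PSR score onto the band rows of the table."""
    for label, values in PSR_BANDS:
        if score in values:
            return label
    raise ValueError(f"{score} is not a reachable PSR value")

def all_psr_values() -> list[int]:
    """Every distinct score the metric can produce, in ascending order."""
    return sorted({a * b * c for a, b, c in product(SCALE, repeat=3)})

def check_table_complete() -> bool:
    """True if the table's bands cover exactly the reachable scores, no more, no less."""
    covered = set().union(*(values for _, values in PSR_BANDS))
    return covered == set(all_psr_values())

def rank_assets(assets):
    """assets: iterable of (name, P, S, R); returns (name, score) highest risk first."""
    scored = [(name, psr_score(p, s, r)) for name, p, s, r in assets]
    return sorted(scored, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    sample = [("public web server", 4, 3, 5), ("test box", 2, 1, 1)]  # constructed
    for name, score in rank_assets(sample):
        print(f"{name}: PSR={score} -> {psr_band(score)}")
```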

./Chucks