BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Benchmarks as a Point of Reference

Post by Morey Haber November 3, 2010

I have been reading Stephen Hawking’s new book, “The Grand Design” and am completely stunned by the analogies he uses to simplify perception, measurements, and even quantum physics. This book is not light reading and has had me looking up terms using old college textbooks and Google multiple times. The one thing that fascinates me about all of the concepts he presents is perception. We use perception every day for driving our cars to work, cooking dinner, and even comprehending the computer systems in our environment. As we comprehend how network traffic flows, we always need a frame of reference for measuring speed, quantity of data, and desired results. The analogy Dr. Hawking uses in his book relies on the concept of living in a fish bowl and looking out at the universe. From inside the fishbowl, straight lines would be curved and the shortest distance between any two points is not a straight line, but rather a curve as well. The perception then leads to measurements and ultimately theories and standards. When a set of observations and comparisons leads to standards, laws, and theories we form baselines and benchmarks to guide us through the process and have a frame of reference.

Simply, benchmarks are a set of standards that you can reference observations from and determine deviations. Benchmarks allow us to say that something deviates by some order of units. In the case of computer security, benchmarks allow us to judge how secure a system is based on best practice theory for preventing unwanted threats from compromising a host. They outline all the proper settings and run time parameters for securing a host, provide guidance on how to implement them, and finally a vehicle for testing hosts against these parameters (OVAL). IT Security benchmarks are available from a wide variety of sources such as CIS, NIST, Microsoft, and DISA. All of these can be implemented by SCAP compliant scanning solutions to benchmark how well the IT infrastructure is secured within your organization. This provides a straight line form of reference for gauging how secure you are from the latest security threats using tools created by the most brilliant minds in the industry.

IT Security benchmarks have been around for a long time. Only recently however, have the processes for implementing them and measuring them matured using automated scanning techniques in an open and standardized (non-proprietary) format. Retina CS 2.0 contains a new module called Configuration Compliance Module that allows users to load their own SCAP benchmarks for measuring the security standards within their environment. Benchmarks provide a uniform method for reporting and measuring that is well understood and uniform across businesses. It removes any assumptions or bias based on interpretation or testing criteria. The scan engine and benchmark complier are integrated into the complete multi-tier Retina management solution for a seamless perception for all the assets on the network.

Determining the state of security threats and even understanding the universe requires both standards and benchmarks. Dr. Hawking’s book simplifies this for readers. eEye has simplified both IT Security and benchmarks so that everyone can benefit from IT Security lessons learned and best practices.

Tags:
, , , , , , , ,

Leave a Reply

Additional articles

insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,

Vulnerability Expert Forum Highlights: April 2014

We had a great turnout for last week’s April 2014 Vulnerability Expert Forum (VEF) webcast. BeyondTrust Research experts, Carter and DJ, provided in-depth knowledge about the latest vulnerabilities and their potential impacts on network environments. Below are highlights from the Forum, plus an on-demand video of the presentation. Latest critical vulnerabilities, vendor patches, and zero-day…

Post by Chris Burd April 16, 2014
Tags:
, , , , ,