How Much Security Is Too Much?
Information security discussions today are often dominated by vendors' speeds and feeds, and consulting firms' top-secret security assessment methodologies. Enter the Institute for Security and Open Methodologies (ISECOM). Founded in January 2001, the organization's goal is to instill practical, vendor-neutral security by promoting open-source security methodologies and the training and support needed to use them.
ISECOM's chief weapon is the Open Source Security Testing Methodology Manual (OSSTMM), a rational, repeatable way to measure an organization's security posture. The security methodology is developed with two precepts stressed:
"Focus on quantifying security, rather than qualifying it," says Pete Herzog, managing director of ISECOM. Simply put, a tester counts potential vulnerabilities, and then counts the mechanisms in place for securing or ameliorating them. A test can be completed in as little as four hours. "Using a security test, even a simple port scan, you can get reasonable results, although the better the quality of the test, the more accurate the results." The important point here is eliminating opinion or bias from the process, which aids repeatability and neutrality.
The second axiom is to tailor security expenditure to the value of what's being protected. "Is it worth spending $10,000 on a firewall that will only bring $1,000 worth of protection value?" asks Herzog. For organizations with budgets, the answer is always no. Yet, for many organizations, the ability to quantify the value of assets and the optimal expenditure to secure those assets is a radical concept.
Open Source Origins
The need to quantify rather than qualify security assets via security testing is what originally drove Herzog to create the OSSTMM, now at version 3.0. Herzog also wanted to create a methodology to teach others to help him perform security tests. After creating such a methodology, he posted it online in January 2001, dubbing the fledgling project the Ideahamster project.
For Herzog, it was a decisive foray into information security. While he'd always been "your typical noncomputer science student who ran the computer lab, kind of a geek," he says, creating a security methodology hadn't been in the cards—at least, not at first. After wandering between computers and biology, first working with the Centers for Disease Control in Atlanta, at Intel, and then in the SUNY-Buffalo Medical School, Herzog was asked to join IBM's newly formed "ethical hacking" team in Germany in 1997—a make-or-break opportunity for deciding what to pursue. "It's one thing to know about security; it's another to do it as a service," he notes. Later, he landed in Barcelona, Spain, as a security consultant and information security professor at Barcelona's La Salle University; he also teaches at ESADE, the second highest-ranked business school in Europe.
In that dual guise, he posted the OSSTMM looking for feedback, only to see interest grow beyond that. "The feedback was phenomenal, a lot of people got involved off the bat," he says. "Now it's to the point where we have a lot of volunteers to review and criticize" the security methodology. Herzog maintains quality control of the methodology, however; the thinking revolves around independence from vendors, for starters. "I don't have to care what anyone says, I only have to do what's right," he comments.
What constitutes doing things the right way? "There's a right way to do security, then there's the vendor way," notes Herzog, who says companies will hire him to provide outside perspective on vendors' security pitches. "We tell people the truth, and we call people liars, when they throw fear in others' faces for vending purposes or whatever they're doing." In short, doing security the right way starts with not sowing fear, uncertainty, and doubt.
So far, so good, but as interest in the OSSTMM grew, another problem manifested. To wit: After speaking engagements for Herzog at Federal Deposit Insurance Corp. and U.S. Treasury Department conferences, interested parties advised him that when it came to selling the security-testing ideas to their higher-ups, everything was great except for one thing. Despite the New Economy irrational exuberance and radical brand names, they said "hamster" didn't really fly. Hence, Herzog rebranded the organization as ISECOM, and also filed for nonprofit status in both the United States and Spain. Not coincidentally, most of the ISECOM site and its downloadable materials are also available in Spanish; it's a requirement of Spain's nonprofit laws.