In small business networks, we have rules of thumb for security.
- Use passwords
- Update virus protection
- Deploy perimeter firewalls
I understand these things are important, and you probably do too. We call these controls. They are things that we agree are worth doing to secure business networks.
But what happens if we can't agree about the importance of a control? We need some way to measure the importance of a control. As much as I am sure my opinion is right, that's not much of a way to secure a network. We want a way to measure the value of the controls. We need a metric.
Hal Pomeranz at Righteous IT wrote an article last year describing a method to assign a numeric value representing relative importance of a security control. He called this method Calabrese's Razor to honor Chris Calabrese who initially proposed this metric.
Evaluating five component factors of any control, and doing simple arithmetic, we can easily come up with a measured answer to "Is that security control really important?"
I am not going to rehash Pomeranz's excellent and clear explanation of the method. If you have to make these decisions and you don't use a metric now, I think the 5 minutes it will take you to read it are well worth it. I will give this quick demonstration, which I used recently when evaluating a control for a client who is rolling out mobile access to their Windows Small Business Server.
Case in point
Exchange 2007 improves on previous versions in that it adds several security policy controls that can be activated on mailboxes that are allowed to sync with mobile devices. One of these controls will lock user mobile devices after a period of inactivity. (Small Business Server sets this time to 5 minutes by default.)
A user asked a question to the effect of "Is this control really necessary?" I don't use mobile devices personally, so this was something that I COULDN'T answer with an "expert" opinion. So I remembered Pomeranz and Calabrese, and I used Calabrese's Razor to answer the question.
- Impact is a 2. Depending on the user account compromised by the loss of a mobile device, this may be privileged access but is probably unprivileged.
- Radius is a 3. A mobile phone is remote by definition.
- Effectiveness is a 3. The attack would succeed without this control in place.
- Administrative impact of implementing the control is a 1. There is currently no use of mobile devices. Requiring users to have device passwords might impact personal use of the devices, but not business use.
- Frequency of impact is a 3. Using voice or email communication in business is a regular or frequent practice.

( 2 * 3 * 3 ) - ( 1 * 3 ) = 15
The relative importance metric of this control, using Calabrese's Razor, is 15, clearly a very important control. Even when we allow for different interpretations of the factors, for example rating the administrative impact a 2 instead of a 1, I think it still comes out pretty clearly on the side of being a control I want to deploy:

( 2 * 3 * 3 ) - ( 2 * 3 ) = 12
Math tells us to implement the control. However, as is usually the case, there are other factors we can adjust to lessen the impact. We are currently discussing how many minutes before the lockout occurs, because even a guy who doesn't use wireless knows 5 minutes seems pretty short.
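The two computations above, written out as an added example (not code from the post or from Pomeranz's article) so the metric can be re-run when a team disagrees on a rating. It assumes each factor is rated on the 1..3 scale the post uses, and the `sensitivity` helper, the `Control` class and its field names are my own naming.

```python
from dataclasses import dataclass, replace
from itertools import product

# Calabrese's Razor as the post states it:
#   importance = (impact * radius * effectiveness) - (admin_impact * frequency)
# Assumption: every factor is rated on a 1..3 scale, the range the post's ratings use.
SCALE = (1, 2, 3)


@dataclass(frozen=True)
class Control:
    name: str
    impact: int         # damage if the attack succeeds (privileged vs. unprivileged access)
    radius: int         # reach of the exposure (remote access scores high)
    effectiveness: int  # how completely the control stops the attack
    admin_impact: int   # friction of operating the control
    frequency: int      # how often that friction is felt

    def __post_init__(self) -> None:
        for field in ("impact", "radius", "effectiveness", "admin_impact", "frequency"):
            if getattr(self, field) not in SCALE:
                raise ValueError(f"{field} must be one of {SCALE}, got {getattr(self, field)}")


def razor(c: Control) -> int:
    """Relative importance of a control per Calabrese's Razor."""
    return (c.impact * c.radius * c.effectiveness) - (c.admin_impact * c.frequency)


def sensitivity(c: Control, uncertain: dict[str, tuple[int, ...]]) -> tuple[int, int]:
    """Lowest and highest score when the named factors may take any of the listed values.

    When the team cannot agree on a rating this answers "does the disagreement matter?":
    if even the lowest score is high, the control is worth deploying regardless."""
    names = list(uncertain)
    scores = [razor(replace(c, **dict(zip(names, combo))))
              for combo in product(*(uncertain[n] for n in names))]
    return min(scores), max(scores)


# Ratings taken from the post for the ActiveSync device-lock policy.
DEVICE_LOCK = Control("lock mobile device after inactivity",
                      impact=2, radius=3, effectiveness=3, admin_impact=1, frequency=3)
# The post's alternative reading: administrative impact rated a 2 instead of a 1.
DEVICE_LOCK_ALT = replace(DEVICE_LOCK, admin_impact=2)

if __name__ == "__main__":
    print(razor(DEVICE_LOCK), razor(DEVICE_LOCK_ALT))                               # 15 12
    print(sensitivity(DEVICE_LOCK, {"impact": (2, 3), "admin_impact": (1, 2)}))   # (12, 24)
```

Running the sensitivity check over the two factors the post itself hedges on shows the score never drops below 12, which is the point the post makes in prose.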