Thursday, March 6, 2014

Elizabeth Martin System Hardening Rant.......

Interesting rant from Elizabeth Martin. I'm a new fan!

[EM]: "I went off on a bit of a rant today about hardening. In the interest of disclaimers, I would like to make it abundantly clear that I was raised in a world where *hardening is king*. If you didn't harden, you were compromised very quickly. Unfortunately it is now at least 10 years later, if not more, and still very few, if any, systems are hardened.

Of course I asked the twitters and frankly they did not give me the answers I sought. I was looking for answers such as "Of course we harden our systems" or "Naturally most of the clients I work with harden their external systems." Well, I didn't get those answers. The best I got was "I am just happy if they patch." .... [ouch.]

Awesome Comparison of Risk Methodologies

Absolutely love this research from Gartner. Fantastic job guys.
You Care Because: There are several viable risk management frameworks our customers can use for assessing and building security into Vblock Systems. The program is far less important than the execution. There are several similar sports, business, and personal analogies.

Gartner For Technical Professionals - Comparing Methodologies for IT Risk Assessment and Analysis       

Authors: Ben Tomhave, Erik T. Heidt & Anne Elizabeth Robins

To access this research, visit

In-Scope Methods:

  • FAIR
  • ISO/IEC 31000:2009 and 27005:2011
  • NIST Special Publication 800-30
  • OCTAVE Allegro
  • RiskSafe 

Summary of Findings (page 3)

Bottom Line: Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. It is more important to start somewhere, getting a process in place that integrates with existing or emerging risk management processes, and then scaling and evolving practices over time. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption.