Aaron Brown is a Security Consultant at the Institute for Security and Open Methodologies (ISECOM) and adMERITia GmbH.
A graduate of Georgetown University, Aaron has made significant contributions to the Open Source Security Testing Methodology Manual published by the ISECOM.
A professional security consultant, tester and analyst, he specializes in the examination of test results and application of security metrics for data networks, telecommunications and web applications.
Presentation
Making Security Measurable
Security has historically been difficult to measure. It is an area with many variables that are often rationalized by the beholder depending on his or her perception of the impact or difficulty of vulnerabilities. This human-influenced guesswork has been the roadblock for many security metrics on the path to widespread acceptance. The Open Source Security Testing Methodology Manual (OSSTMM) not only includes a security metric based solely on tangible measurables, but that metric is also uniformly applicable to calculating the level of exposure on the physical level (e.g. building security, personnel) as well as the logical level (e.g. data networks, telecommunications).
The presentation will provide a brief description of OSSTMM and the factors of its security metric, the RAV. This will be followed by a walk-through of the testing standard in action, with real-time RAV calculations demonstrating the impact on security using concrete examples.
OSSTMM is published by the not-for-profit organization ISECOM (Institute for Security and Open Methodologies), whose main office is located in Barcelona, Spain. The demonstration is not "live"; it was performed in a test environment, so no laws will be violated.
Audience:
CISOs, CIOs, Network Administrators, Security Testers, CSOs, Internal Revision
Key takeaways:
1. Measurement of security through the application of the Risk Assessment Value (RAV) metric
2. The OSSTMM security test process
3. The importance of IT-business alignment