adammontville / cis-controls-71-measures


Subcontrol 12.1 #109

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Maintain an up-to-date inventory of all of the organization's network boundaries.

Measures

M1 = # of boundary devices based on the product-under-test (PUT) (input).
M2 = # of boundary devices based on the ground truth using our algorithm.
M3 = Time network boundary discovered (input).
M4 = Time network boundary connected to the network.
M5 = Max time for discovery

Metrics

1) Discovery Coverage = M1 / M2

2) Freshness (time to discover) = (M4 - M3) / M5

adammontville commented 5 years ago

What does it even mean to have an inventory of network boundaries? Does this include VLAN boundaries (are those even used anymore?), the boundaries between network segments? I found this in the v7.1 document: Setting up even a basic level of security segmentation across the network and protecting each segment with a proxy and a firewall will greatly reduce an intruder’s access to the other parts of the network. The language of the control also speaks to DMZs (i.e. boundaries between internal and external networks).

Interpretation: This sub-control is asking for an inventory of boundaries enforced by specific categories of network devices, which requires an inventory of the network devices and an inventory of the boundaries those devices implement.

I feel like UNCC's approach covers part of what we need, but not all of it - they seem to lack the inventory piece.

wmunyan commented 5 years ago

Basically this metric intends to compare what's supposed to be a boundary device to what is actually discovered as a boundary device. It's that discovery that's the hard part.

Inputs:

Operations:

Measures:

Metrics:
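A worked example of the measures from the opening comment (Discovery Coverage = M1 / M2, Freshness = time to discover / M5) and of the comparison wmunyan describes (what is supposed to be a boundary device versus what the product-under-test actually reports). This is added example code, not part of the issue or of the cis-controls-71-measures project. The ground-truth inventory, the PUT inventory, the timestamps and the 24-hour maximum discovery time (M5) are all constructed; the `matched_coverage`, `missed` and `spurious` fields are an assumed refinement that separates true matches from spurious PUT entries, since a raw M1 / M2 can reach 1.0 even when the PUT misses real devices and reports unrelated ones.

```python
"""Subcontrol 12.1 worked example: boundary-device inventory coverage and
discovery freshness, computed over constructed sample data (not project code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

@dataclass(frozen=True)
class BoundaryDevice:
    device_id: str
    connected_at: datetime             # M4: when the device joined the network
    discovered_at: Optional[datetime]  # M3: when the PUT found it (None = never)

T0 = datetime(2024, 1, 1, 0, 0)  # constructed reference time

# Constructed ground truth: the devices that actually enforce a network boundary.
GROUND_TRUTH: Dict[str, BoundaryDevice] = {
    "fw-dmz-01": BoundaryDevice("fw-dmz-01", T0, T0 + timedelta(hours=2)),
    "fw-core-01": BoundaryDevice("fw-core-01", T0 + timedelta(hours=1), T0 + timedelta(hours=30)),
    "proxy-edge-01": BoundaryDevice("proxy-edge-01", T0, None),
}

# Constructed PUT inventory: the device IDs the product-under-test reports as
# boundary devices. "sw-access-07" is a spurious entry (not in ground truth).
PUT_INVENTORY: Set[str] = {"fw-dmz-01", "fw-core-01", "sw-access-07"}

MAX_DISCOVERY = timedelta(hours=24)  # M5: maximum acceptable time to discover

def discovery_coverage(put_ids: Set[str], truth: Dict[str, BoundaryDevice]) -> dict:
    """M1 / M2 as defined in the issue, plus an assumed matched/missed/spurious breakdown."""
    m1 = len(put_ids)      # M1: boundary devices per the PUT
    m2 = len(truth)        # M2: boundary devices per ground truth
    if m2 == 0:
        raise ValueError("no ground-truth boundary devices; coverage is undefined")
    matched = put_ids & truth.keys()
    return {
        "M1": m1,
        "M2": m2,
        "coverage": m1 / m2,                      # the issue's raw metric
        "matched_coverage": len(matched) / m2,    # assumed refinement: true matches only
        "missed": sorted(truth.keys() - put_ids), # real boundaries the PUT did not report
        "spurious": sorted(put_ids - truth.keys()),  # PUT entries with no ground truth
    }

def freshness(device: BoundaryDevice, max_discovery: timedelta = MAX_DISCOVERY) -> Optional[float]:
    """Elapsed time from connection to discovery, divided by M5.

    Values above 1.0 mean the device took longer than M5 to discover; None means
    the PUT has not discovered the device at all.
    """
    if device.discovered_at is None:
        return None
    elapsed = device.discovered_at - device.connected_at
    return elapsed / max_discovery

def freshness_report(truth: Dict[str, BoundaryDevice],
                     max_discovery: timedelta = MAX_DISCOVERY) -> dict:
    """Per-device freshness plus the list of devices discovered late or never."""
    values = {d.device_id: freshness(d, max_discovery) for d in truth.values()}
    late = sorted(k for k, v in values.items() if v is None or v > 1.0)
    return {"freshness": values, "late_or_undiscovered": late}

if __name__ == "__main__":
    print(discovery_coverage(PUT_INVENTORY, GROUND_TRUTH))
    print(freshness_report(GROUND_TRUTH))
```

On the constructed data the raw coverage is 3 / 3 = 1.0 even though one real boundary device (the edge proxy) was never discovered and one reported device is not a boundary device at all; the matched coverage of 2 / 3 and the `missed` and `spurious` lists make that visible, and the freshness report flags the core firewall (29 hours against a 24-hour M5) and the undiscovered proxy.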

adammontville commented 5 years ago

Inputs:

Operations:

Measures:

Metrics: