Subcontrol 9.3

[adammontville]

Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.

Measures

M1 = Current time
M2 = time of last scan
M3 = max scan delay

Metrics

Enforcement quality = (M1 - M2) / M3

[adammontville]

NOTE: This seems more like a process/procedure discovery control.

Input:

• Enterprise security program policy and procedure

Operations:

• Review policy and procedure to discover whether periodic port scans are required and on what frequency
• Interview appropriate personnel to determine if port scans are performed on a regular basis

Measures:

• M1 - Process/procedure for periodic port scans exists
• M2 - Port scans are performed with a frequency aligned with policy

Metrics:

• M1 AND M2 - The process/procedure for periodic port scans exists and is performed regularly.

[wmunyan]

Inputs:

• t_i: the timestamp at which a port scan i has been performed
• N: the number of port scans (timestamps) taken so far
• M: the maximum possible irregularity (can be fixed as 30 day)
• T: (optional) target/desirable review interval threshold
• D: the number of port scan in which at least one anomaly was detected
• L: The total number of port scans
• UP: The number of alerts received due to unauthorized ports
• NP: The number of unauthorized ports

Operations:

• N/A

Measures:

• G (the average of log review) [0,X] = SUM_i=1_toN ( t(i+1) - t_i ) / N

Metrics: Calculate the variance of log reviews:

• Regularity Measure of Log Review V (measures the irregularity or variance of log reviews) [0, X] = (SUM_i=1_toN ((t(i+1) - t_i)-G)^2 / N ) / M (means if the maximum regularity if the variance is 0, and the higher the value the more irregularity)

If a threshold T for review is used, then calculate the variance according to the target interval:

• Threshold-based Regularity Measure of Log review V [0,X] = (SUM_i=1_toN ((t(i+1) - t_i)-T)^2 / N ) / M

P (The Probability of detecting an anomaly in log review) [0,1] = D / L

Quality of Log review [0,1] = (1-V) * P (means quality of review is high iff the review is highly regular and the potential is detecting anomalies (at least one per review) is also high)

Ratio of unauthorized ports reported: UP / NP

[adammontville]

Inputs:

• t(i): the timestamp at which a port scan i has been performed
• N: the number of port scans (timestamps) taken so far
• M: the maximum possible irregularity (can be fixed as 30 day)
• T: (optional) target/desirable review interval threshold
• D: the number of port scan in which at least one anomaly was detected
• L: The total number of port scans
• UP: The number of alerts received due to unauthorized ports
• NP: The number of unauthorized ports

Operations:

• N/A

Measures:

• G (the average of log review) [0,X] = SUM from i=1..N ( t(i+1) - t(i) ) / N

Metrics: Calculate the variance of log reviews:

• Regularity Measure of Log Review V (measures the irregularity or variance of log reviews) [0, X] = (SUM from i=1..N ( (t(i+1) - t(i) - G)^2 / N ) / M (means if the maximum regularity if the variance is 0, and the higher the value the more irregularity)

If a threshold T for review is used, then calculate the variance according to the target interval:

• Threshold-based Regularity Measure of Log review V [0,X] = (SUM from i=1..N ( ( t(i+1) - t(i) - T )^2 / N ) / M
• P (The Probability of detecting an anomaly in log review) [0,1] = D / L
• Quality of Log review [0,1] = (1-V) * P (means quality of review is high iff the review is highly regular and the potential is detecting anomalies (at least one per review) is also high)
• Ratio of unauthorized ports reported: UP / NP