SECURITY METRICS - Attack Surface Metrics

Operational security metrics are the metrics we are most familiar with in our lives. When we measure the height, width, or length of an object we are using an operational metric. When we write the date, have a birthday, or ask the score of a game we are using operational metrics. An operational metric is a constant measurement that informs us of a factual count in relation to the physical world we live in. They are operational because they are numbers we can work with consistently from day to day and person to person. It is difficult to work with relative or inconsistent measurements, such as choosing a specific hue of yellow to paint a room, starting work at sunrise, having the right flavor of strawberry for a milkshake, or preparing for the next threat to your organization's profits, because these factors have many variables which are biased or change frequently between people, regions, customs, and locations. For this reason, many professions attempt to standardize things such as flavors, colors, and work hours. This is done through reductionism, the process of finding the elements that make up such things and building them back up by quantifying those elements. In this way colors become frequencies, work hours become hours and minutes, flavors become chemical compounds, and an attack surface becomes porosity, controls, and limitations. We can therefore quantify the attack surface as "ravs".

The rav is a scale measurement of the attack surface, the amount of uncontrolled interaction with a target, calculated from the quantitative balance between operations, limitations, and controls. Having the ravs means knowing how much of the attack surface is exposed. On this scale, 100 rav (also shown as 100% rav for ease of understanding, although it is not precisely a percentage) is perfect balance; anything less means too few controls and therefore a greater attack surface. More than 100 rav indicates more controls than are necessary, which may itself be a problem, as controls often add interactions within a scope as well as complexity and maintenance issues.

The rav does not measure the risk of an attack surface; rather, it enables risk to be measured. It cannot say whether a particular target will be attacked, but it can say where on a target it will be attacked, what types of attacks the target can successfully defend against, how deep an attacker can get, and how much damage can be done. With that information it is then possible to assess the trusts (and risks) much more accurately.

The Attack Surface metrics are developed as part of the OSSTMM and are licensed under the same terms, Creative Commons 3.0 Attribution-NoDerivs. You may use them commercially and you may distribute them.


Why use the ravs?

TOOLS & SOFTWARE

rav Spreadsheet (.xls or .ods) - FREE
A calculation sheet to simplify making ravs and for completing the STAR.

rav Formula - FREE
The algorithms and formula for calculating Actual Security and all parts of the Attack Surface metrics.

STAR (the Security Testing Audit Report) - FREE
The STAR serves as an executive summary of the precise calculation of the Attack Surface of the targets tested within a particular scope. Its precision comes from the requirement to note specifically what was NOT tested in addition to what was tested, in accordance with the OSSTMM. Use this report to have ISECOM certify the security of an organization.

ISECOM is an open, collaborative, non-profit, scientific, security research organization registered in Catalunya, Spain.  All research here has been performed without commercial or partisan influence.  Contact us directly to be a security researcher on the ISECOM team.

Disclaimer: While all documents on this site are available under Copyleft and the Open Methodology License, do check the licenses within each tool or document prior to copying, modifying, or distributing it for any individually stated requirements. Additionally, all research is provided here for information purposes only and ISECOM is not responsible for any misuse.