
Ranking a system on security

dom kris
Frequent Advisor

Ranking a system on security

Hi,

This is not really a technical question but a methodology question.
Is there a method to rank a system based upon the level of security?
Let me explain, we are going to implement new security measures/standard for all our Ux/NT systems. However, for the Managers, we would like to present something like 'this is state of the system before the implementations', 'this is that after the implementations', in order to prove that there was some progress.
It would therefore be nice to have some sort of security risk/level assessment with very simple output, e.g. system xxx has a 4/10 security quotation.
I have seen tools on Solaris spitting out this kind of info and it is subjective to the creator of the script/tool, but it seems useful to prove our project.

With kind regards,

Kris Dom
4 REPLIES
Ralf Puchner
Honored Contributor

Re: Ranking a system on security

There are tools available which try to break into a system. Use Google to find them.
Help() { FirstReadManual(urgently); Go_to_it;; }
dom kris
Frequent Advisor

Re: Ranking a system on security

I don't want to break into a system. I want to give the system a quotation on how secure it is.
I know that www.cis.com offers such tools but not for Tru64.
My boss here (used to work for Digital) talks about a tool (and VMS) called Polycenter Inspect, but I guess this tool cannot be obtained anymore.
Nicolas Dumeige
Esteemed Contributor

Re: Ranking a system on security

Hello Dom,

There are legal levels of security for an OS, like C2 for instance. I guess you can get each level's requirements on the internet. I don't know if it's an ISO / RFC / or USA state regulation.

Cheers,

Nicolas
All different, all Unix
dom kris
Frequent Advisor

Re: Ranking a system on security

I know about the C2 level, but we are not ready to implement this for the moment.
What would be useful is a metric that would indicate how close we are to e.g. the C2 level.
Basically, I am looking for software where you can define what security topics you want to test, attribute a weight factor to each topic and calculate a global score.
Then we would like to implement our security standards, and recalculate the score.
This way we can show to our management that there was indeed an improvement.
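
The weighted scoring described in the last post, sketched as an added example that is not part of the original thread and not any vendor's tool. The checklist, weights and before/after results are constructed for illustration; real checks would come from your own security standard.

```python
from collections import defaultdict

# Checklist: (topic, check, weight). Constructed for illustration; the topics,
# checks and weights are assumptions, not taken from any standard or tool.
CHECKLIST = [
    ("accounts", "no empty passwords", 5),
    ("accounts", "root login restricted to console", 3),
    ("network", "telnet disabled", 4),
    ("network", "unused inetd services off", 2),
    ("audit", "auditing enabled", 3),
    ("audit", "NT event log retention set", 1),
]

# Constructed results: True = pass, False = fail, None = not applicable.
BEFORE = {"no empty passwords": False, "root login restricted to console": True,
          "telnet disabled": False, "unused inetd services off": False,
          "auditing enabled": False, "NT event log retention set": None}
AFTER = dict(BEFORE, **{"no empty passwords": True, "telnet disabled": True,
                        "auditing enabled": True})


def score(results, checklist=CHECKLIST, scale=10):
    """Weighted share of passed checks on a 0..scale range.

    Not-applicable checks leave both numerator and denominator, so a Unix
    host is not penalised for an NT-only check. A check with no recorded
    result counts as a failure rather than being silently skipped.
    """
    passed = total = 0
    for _topic, name, weight in checklist:
        outcome = results.get(name, False)
        if outcome is None:
            continue
        total += weight
        passed += weight if outcome else 0
    if total == 0:
        raise ValueError("no applicable checks")
    return round(scale * passed / total, 1)


def by_topic(results, checklist=CHECKLIST, scale=10):
    """Score each topic separately to show where the change came from."""
    groups = defaultdict(list)
    for item in checklist:
        groups[item[0]].append(item)
    return {t: score(results, items, scale) for t, items in groups.items()}


if __name__ == "__main__":
    print("before", score(BEFORE), by_topic(BEFORE))
    print("after ", score(AFTER), by_topic(AFTER))
```

The before and after figures are only comparable if the checklist and weights stay fixed between the two runs.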