No-brainer security metrics
The security of a server can be expressed in terms of its unaddressed vulnerabilities, which can be assessed with a vulnerability scanner. But is a full-blown vulnerability scan needed to achieve adequate security? This article introduces a simple, online security check that delivers cheap IT-security metrics.
Patch management and key management are examples of processes that contribute to security. An easy and cheap way of collecting metrics about such processes is what we call ‘no-brainer security metrics’. The idea behind it is that if you implement security well, you won’t end up with security blunders in your system.
In short, failing a security no-brainer is the worst thing that you can find during a security check. It’s important that these no-brainers can be measured easily and automatically. After all, we live in an increasingly digitized world, and we need to digitize security too if we want to keep up. Thus, a good security no-brainer is one that is easy to detect, that is undeniably a security issue, and that can be traced back to the process that develops or supports the system.
Examples of security no-brainers are:
- If you do patch management properly, the system won’t run an Apache version that is End of Life.
- If you configure SSH properly, it won’t have a crypto key that is so small that it can be easily cracked.
- If you control your server properly, it won’t be on a blacklist for malware distribution.
- If a user is security aware, she won’t give her password to someone else.
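To show how such checks can be automated, here is an added example in Python that is not part of the original article: it implements two of the no-brainers above, flagging an Apache `Server:` banner from an End-of-Life branch and an `ssh-rsa` host key line (as printed by `ssh-keyscan`) whose modulus is shorter than 2048 bits. The EOL branch set and the 2048-bit threshold are assumptions, and the sample keys are constructed test data rather than real keys.

```python
import base64
import re
import struct

# Constructed reference data. Assumption: the operator maintains this set from
# the httpd project's release history (1.3, 2.0 and 2.2 are End of Life).
EOL_APACHE_BRANCHES = {"1.3", "2.0", "2.2"}
MIN_RSA_BITS = 2048  # assumption: RSA host keys below this count as too small

def apache_is_eol(server_header):
    """True if a 'Server:' header names an EOL Apache branch; a hidden or
    non-Apache banner yields False (no evidence, not a pass)."""
    m = re.search(r"Apache/(\d+)\.(\d+)", server_header)
    return bool(m) and f"{m.group(1)}.{m.group(2)}" in EOL_APACHE_BRANCHES

def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def ssh_rsa_modulus_bits(pubkey_line):
    """Parse an 'ssh-rsa AAAA...' line (ssh-keyscan / known_hosts format) and
    return the modulus size in bits, or None if it is not an RSA key."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(parts[1])
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _ = _read_string(blob, off)      # modulus as mpint, big-endian
    return int.from_bytes(n.lstrip(b"\x00"), "big").bit_length()

def ssh_key_too_small(pubkey_line):
    bits = ssh_rsa_modulus_bits(pubkey_line)
    return bits is not None and bits < MIN_RSA_BITS

def _mpint(x):
    """Encode a positive integer as an SSH mpint (leading 0x00 if high bit set)."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return struct.pack(">I", len(b) + (b[0] >> 7)) + (b"\x00" if b[0] >> 7 else b"") + b

def make_ssh_rsa_line(e, n):
    """Build an 'ssh-rsa <base64>' line; constructed test data, not a real key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

WEAK_KEY = make_ssh_rsa_line(65537, (1 << 1023) | 1)   # constructed 1024-bit key
OK_KEY = make_ssh_rsa_line(65537, (1 << 2047) | 1)     # constructed 2048-bit key
```

In practice the banner comes from an HTTP `HEAD` response and the key line from `ssh-keyscan -t rsa <host>`; each boolean result can be recorded per host as the metric.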