TRANSCRIPT
© Copyright 2004, National Security Corporation 1
Spending Smart: Enforce Security and Achieve ROI
G. Mark Hardy, CISSP, CISM, CISA
President, National Security Corporation
[email protected]
+1 410.933.9333
Initial thoughts
• The 80:20 rule: we can address 80% of the vulnerabilities for 20% of the cost.
• Does this keep us sleeping soundly at night, or just our CFOs?
• Industry standard End User License Agreement (EULA): absolves vendors of obligation to produce secure applications.
• Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises.
• Similar to engineers in Apollo 13: Have to make do with what's available to us.
Agenda
• Risk Management 101
• How to decide how much security you need
• What are the most cost-effective security enforcement techniques?
• When is the best time to validate security?
• What does cumulative security really look like?
Risk Management 101
(or, “Just the facts, ma’am”)
Risk exposure
= probability of occurrence x consequence of occurrence
Example:
• Earthquake in Chicago: 0.00015 probability
• Earthquake in San Francisco: 0.075 probability
• Damage to building = $3 million
• Chicago exposure = $450
• San Francisco exposure = $225,000
NOTE: These probabilities are fictitious!
Risk avoidance
Reduces probability of occurrence
Example:
• Relocate office from San Francisco to Chicago
• Reduces risk exposure 99.8%
Risk mitigation
Reduces consequence of occurrence
Example:
• Building would incur $3M in damage from earthquake
• $500,000 investment in building reinforcement would reduce likely damage to $100,000 in event of earthquake
• Reduces risk exposure (in SF) by 96.7%
Return on Investment (ROI)
= return / investment
Example:
• Purchase larger aircraft for $200M – 20 year service life
• Seats 100 more passengers, 3 flights/day, at $250 average profit
• $75,000/day equals $547M after 20 years
• ROI = $547M / $200M = 274%
NOTE: This simple example ignores time-value of money.
Return on Security Investment (ROSI)
= reduction in risk exposure / investment in countermeasures
Example:
• Invest $500,000 in building reinforcement
• Reduces building damage to $100K from $3M
• Annual loss exposure goes from $225K to $7.5K
• Investment “pays for itself” in 2.3 years
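The exposure, avoidance, mitigation, ROI and ROSI arithmetic from the preceding slides, written out as reusable functions and run on the deck's own fictitious figures. This is an added worked example, not code from the talk; the function names and the dictionary layout are mine, and the probabilities are the slide's made-up numbers.

```python
# Added example (not from the talk): the risk-exposure, ROI and ROSI arithmetic from the
# preceding slides as reusable functions, run on the deck's own (fictitious) figures.

def risk_exposure(probability: float, consequence: float) -> float:
    """Annual risk exposure = probability of occurrence x consequence of occurrence.
    (FIPS PUB 65 calls the same product the Annualized Loss Expectancy.)"""
    return probability * consequence


def reduction_pct(before: float, after: float) -> float:
    """Percentage reduction in exposure achieved by a countermeasure."""
    return (before - after) / before * 100.0


def roi_pct(total_return: float, investment: float) -> float:
    """Return on investment as a percentage; like the slide, ignores time-value of money."""
    return total_return / investment * 100.0


def rosi(exposure_before: float, exposure_after: float, investment: float) -> dict:
    """Return on security investment: annual reduction in exposure against a one-time cost."""
    annual_reduction = exposure_before - exposure_after
    return {
        "annual_reduction": annual_reduction,
        "rosi_pct": annual_reduction / investment * 100.0,
        "payback_years": investment / annual_reduction,
    }


# Figures from the slides; the talk itself labels the probabilities fictitious.
BUILDING_DAMAGE = 3_000_000
REINFORCED_DAMAGE = 100_000
REINFORCEMENT_COST = 500_000
P_CHICAGO = 0.00015
P_SAN_FRANCISCO = 0.075


def earthquake_example() -> dict:
    """Exposure, avoidance and mitigation figures for the earthquake scenario."""
    sf = risk_exposure(P_SAN_FRANCISCO, BUILDING_DAMAGE)           # $225,000/year
    chicago = risk_exposure(P_CHICAGO, BUILDING_DAMAGE)            # $450/year
    # Avoidance lowers the probability term: relocate to Chicago.
    avoidance = reduction_pct(sf, chicago)                         # 99.8%
    # Mitigation lowers the consequence term: reinforce the building in SF.
    mitigated = risk_exposure(P_SAN_FRANCISCO, REINFORCED_DAMAGE)  # $7,500/year
    mitigation = reduction_pct(sf, mitigated)                      # 96.7%
    return {
        "sf_exposure": sf,
        "chicago_exposure": chicago,
        "avoidance_reduction_pct": avoidance,
        "mitigated_exposure": mitigated,
        "mitigation_reduction_pct": mitigation,
        **rosi(sf, mitigated, REINFORCEMENT_COST),                # pays back in ~2.3 years
    }


def aircraft_roi_pct() -> float:
    """The aircraft example: 100 extra seats x 3 flights/day x $250 profit over 20 years."""
    daily_profit = 100 * 3 * 250               # $75,000/day
    total_return = daily_profit * 365 * 20     # ~$547M
    return roi_pct(total_return, 200_000_000)  # ~274%


if __name__ == "__main__":
    for key, value in earthquake_example().items():
        print(f"{key:>26}: {value:,.1f}")
    print(f"aircraft ROI: {aircraft_roi_pct():.0f}%")
```

The ROSI payback figure is what the "pays for itself in 2.3 years" bullet comes from: the one-time $500,000 divided by the $217,500 annual reduction in exposure. Swap in your own probability and consequence estimates to compare countermeasures that reduce the probability term against those that reduce the consequence term.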
How to Decide How Much Security You Need
(or, pay me now, or pay me later)
How much is enough security?
Perfect security is a myth
Effective security is achievable
First: need to know the value of what you’re protecting
• To yourself
• To an opponent
What is perfect security?
A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete.
This is a good start.
Unfortunately, this doesn’t scale well to an enterprise model.
What is effective security?
Time-based security model: P > E = D + R
• P = protection
• E = exposure
• D = detection
• R = response
• Ref: Time-based Security, Winn Schwartau
Time-based security example
Jewelry store
• Safe takes 30 minutes to crack or burn through (P)
• Alarm detects intrusion attempts in 0.02 seconds (D)
• Police take 20 minutes to respond (R)
• Since P > D + R, security deemed effective
• To defeat, must lower P or increase D or R
Time-based security example
Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
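The P > D + R test applied to both of the slides' scenarios, as an added example that is not part of the talk. The jewelry-store figures are the slide's; for the network case the slide only says logs are reviewed each morning, so this code assumes the worst-case detection latency of 24 hours (an attack starting just after the morning review). The Scenario class and its method names are mine, not Schwartau's.

```python
# Added example (not from the talk): Schwartau's time-based security test, P > D + R,
# applied to the two scenarios on the preceding slides. Times are normalized to seconds.
from dataclasses import dataclass

MIN = 60
HOUR = 60 * MIN


@dataclass
class Scenario:
    name: str
    protection_s: float  # P: how long the protection holds against the attacker
    detection_s: float   # D: time until the attack is noticed
    response_s: float    # R: time from detection to an effective response

    def exposure_s(self) -> float:
        """E = D + R, the window during which the attacker is unopposed."""
        return self.detection_s + self.response_s

    def is_effective(self) -> bool:
        """Security is deemed effective when P > E."""
        return self.protection_s > self.exposure_s()

    def margin_s(self) -> float:
        """Positive: time to spare. Negative: how far D + R must shrink to become effective."""
        return self.protection_s - self.exposure_s()

    def max_detection_s(self) -> float:
        """Largest D that still satisfies P > D + R with the current P and R."""
        return self.protection_s - self.response_s


# Jewelry store: safe holds 30 min, alarm fires in 0.02 s, police arrive in 20 min.
JEWELRY_STORE = Scenario("jewelry store", protection_s=30 * MIN,
                         detection_s=0.02, response_s=20 * MIN)

# Network intrusion: the stolen password file resists brute force for 6 hours (P). The slide
# gives D only as "logs reviewed every morning at 8:00"; this example takes the worst case
# for an attack that starts just after review, 24 hours (an assumption, not a slide figure).
NETWORK_INTRUSION = Scenario("network intrusion", protection_s=6 * HOUR,
                             detection_s=24 * HOUR, response_s=30 * MIN)


def report(s: Scenario) -> str:
    """One-line verdict, including the detection budget when the scenario fails."""
    verdict = "effective" if s.is_effective() else "INEFFECTIVE"
    line = (f"{s.name}: P={s.protection_s / MIN:.1f} min, "
            f"D+R={s.exposure_s() / MIN:.1f} min -> {verdict}")
    if not s.is_effective():
        line += f" (detection must happen within {s.max_detection_s() / HOUR:.1f} h for P to win)"
    return line


if __name__ == "__main__":
    for scenario in (JEWELRY_STORE, NETWORK_INTRUSION):
        print(report(scenario))
```

The useful output for the failing case is max_detection_s: with a 6-hour P and a 30-minute R, detection has to land within 5.5 hours, which is the argument for automated alerting rather than a morning log review.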
Make the cost of achieving compromise unacceptable
“Unacceptable” criteria:
• Cost of compromise exceeds monetary value of information
• Time to compromise exceeds time value of information
Unfortunately, this metric doesn’t work with hackers and terrorists
Key is to know what information is worth, and in what order to protect it
This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE) quantitative assessment
• Kepner-Tregoe qualitative assessment
Is risk assessment institutionalized within your organization’s development, deployment, and operational strategies?
Audience Response System
Please pick up your keypad.
Does your organization conduct formal risk assessment before implementing a new application, system or program?
1. Yes, it is an integral part of our planning
2. Yes, but only when required by law
3. Rarely
4. Never
Risk assessment models are changing
Pre-9/11 model: protect against the most likely threats
Post-9/11 model: protect (also) against the most catastrophic results
Requires a change in mindset
What are the most cost-effective security enforcement techniques?
(or, how much can I get for free?)
What makes security cost-effective?
If it’s free
If someone else pays for it
Problem is determining value
• “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?”
• Only recognize value of security when something bad happens = ROSI
Why is ROI such a problem?
ROI designed to demonstrate profitability of an investment
Security does not yield direct profitability
Therefore, security is often viewed as an (undesirable and) unavoidable expense
Security provides a unique value-add
Provides assurance of return on OTHER investments
Most ROI calculations assume a “perfect” environment (and are rarely challenged)
• What is your ROI with 98% uptime?
• What about 95%?
If you consider security events inevitable, the equation changes
Cannot be merely satisfied producing a positive ROI
Must prove you won’t take unnecessary losses that impact bottom line
ROSI (return on seatbelt investment) – only see benefit when bad things happen
“Security reduces the financial attrition inherent in modern business practice on the Internet”
Value of security
Can be prescribed by law, regulation, or business agreement
Usually sets a minimum standard of compliance
Often value to organization is not apparent
Physical examples: airbags, building codes, passenger screening
Audience Response System
Please pick up your keypad.
What is the most valuable asset of your company?
1. People
2. Plant, property, equipment, technology
3. Information
4. Brand identity
5. Financial position
What is the value of your brand?
How much did it cost to establish?
Is it worth defending?
On the Internet, brand can be destroyed in an instant
Security event analogous to an airline crash
Enlightened business practices
Run business with knowledge of identified risks
Mitigate those that are cost-effective to do so
Assign risks you can’t mitigate
Not a question of avoiding lawsuits, but being allowed to stay in business
Haven’t been major lawsuits (yet). Has been establishment of duties: due care, protect assets.
Avoiding liabilities less important than doing right thing
Audience Response System
Please pick up your keypad.
Who in your organization is responsible for information security?
1. CISO or equivalent (no physical)
2. CISO/physical security (combined)
3. VP of info security
4. Director of security
5. Below director, or no assignment
Allocating security costs throughout enterprise
Isolating security as stand-alone cost center sets up scapegoat – someone to blame
Require security in each project or initiative to receive approval
For each new project, require contribution to security (like a security “tax” or user fee)
Think of security like health insurance, not life insurance – incremental use, not binary
New security paradigm
Enhance viability of enterprise
Reduce total cost of ownership (TCO)
Provide insurance on ROI for projects
Enabler to do or get into new businesses
Competitive advantage
Retain customer base
Resistance to lawsuits; legal liability
When is the best time to validate security?
(or, can I please have a 100-hour day?)
Rural mechanic’s rates
$30 per hour
$40 per hour if you watch
$75 per hour if you help
Security is not an event, it’s a process
To be effective, must be integrated throughout lifecycle
Cannot be a part-time thing
• Screening passengers only in the afternoon is not effective security
Momentary lapse can permit catastrophic loss
Build security into lifecycle
Software development lifecycle
Procurement lifecycle
Systems lifecycle
Mergers and acquisitions
“Painted on” security will never be as effective as “baked in” security
Audience Response System
Please pick up your keypad.
What is the size of your written information security policy?
1. No written policy (or don’t know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages
How do I get there from here?
Foundational element: written information security policy
Must be short enough to capture management’s attention span
Must be general enough to stand the test of time (i.e., not technology specific)
Defines what needs to be protected
What does cumulative security really look like?
(or, how do I build a digital Fort Knox?)
Blending security defenses
[Diagram of layered defenses: External communications, Perimeter, Network, Host, Application, Data; framed by Security policy and Awareness and training]
Layered security reverses the security challenge
Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one
Ideally, the bad guy has to negotiate multiple layers of security, buying time for the good guy to respond
May be a combination of vendor, custom or service provider
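The layered-defense idea expressed in the deck's own time-based terms, as an added example that is not part of the talk: each layer adds delay to the attacker's path (so P accumulates), the first monitored layer the attacker reaches sets the detection time D, and the response R has to land before the remaining layers are exhausted. The Layer model, the layer names and every timing below are constructed for illustration, not measurements.

```python
# Added example (not from the talk): a layered defence modelled in the deck's time-based terms.
# Every layer adds delay to the attacker's path (P accumulates); the first monitored layer the
# attacker reaches sets detection time D; the defender's response R must land before the
# remaining layers are exhausted. Layer names and timings are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

MIN = 60


@dataclass
class Layer:
    name: str
    delay_s: float                # time an intruder needs to get through this layer
    monitored: bool = False       # does reaching this layer raise an alert?
    alert_latency_s: float = 0.0  # time from the intruder reaching it to the alert being seen


def assess(layers: List[Layer], response_s: float) -> dict:
    """Total protection P, detection time D, and whether P > D + R holds for the chain."""
    total_p = sum(layer.delay_s for layer in layers)
    elapsed = 0.0
    detected_at: Optional[float] = None
    for layer in layers:
        if layer.monitored and detected_at is None:
            detected_at = elapsed + layer.alert_latency_s
        elapsed += layer.delay_s
    if detected_at is None:
        # No layer ever alerts: delay alone cannot make this effective, since R never starts.
        return {"P": total_p, "D": None, "effective": False, "max_response_s": 0.0}
    exposure = detected_at + response_s
    return {
        "P": total_p,
        "D": detected_at,
        "effective": total_p > exposure,
        "margin_s": total_p - exposure,
        # The slowest response the defender can afford with this chain.
        "max_response_s": total_p - detected_at,
    }


# "The bad guy has to find only one": a single perimeter where one hole has already been
# found (delay 0) and nothing behind it is monitored.
SINGLE_LAYER = [Layer("perimeter (hole found)", 0.0)]

# The same hole, but with layers behind it; only the host layer is monitored.
LAYERED = [
    Layer("perimeter (hole found)", 0.0),
    Layer("network segmentation", 20 * MIN),
    Layer("host hardening", 40 * MIN, monitored=True, alert_latency_s=5 * MIN),
    Layer("application access control", 30 * MIN),
    Layer("data encryption", 60 * MIN),
]
RESPONSE = 30 * MIN


if __name__ == "__main__":
    for label, chain in (("single layer", SINGLE_LAYER), ("layered", LAYERED)):
        print(label, assess(chain, RESPONSE))
```

The single-layer chain fails the moment its one hole is found because nothing behind it detects or delays; the layered chain survives the same hole with 95 minutes to spare, and max_response_s tells you how slow the response can get before that changes. Moving the monitoring outward (to the network layer) lowers D and widens the margin further; adding unmonitored delay alone never helps if no layer raises an alert.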
It’s a big challenge. (How big is it?)
Year   Product           Millions of lines of code
1993   Windows NT 3.1    6
1996   Windows NT 4.0    16.5
1999   Windows 2000      29
2001   Windows XP        45
2003   Windows 2003      50
Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc
Leadership 101
You cannot delegate accountability for the security of your enterprise to any vendor, consultant, business partner or other entity.
You are responsible for effectively integrating all security elements, and planning for inevitable security holes
Summary
Aim for “effective” security
Know what security costs, and what you get in return
Think “total cost of ownership,” not ROI
“Bake in” your security
Maintain an effective security policy
Layer your defenses
Thank you.
Questions, comments?
Mr. Hardy will be available at the Ask-the-Experts booth in the Exhibit Hall
Or e-mail questions and comments to: [email protected]