© Copyright 2004, National Security Corporation. Spending Smart: Enforce Security and Achieve ROI. G. Mark Hardy, CISSP, CISM, CISA, President, National Security Corporation, [email protected], +1 410.933.9333


Page 1

Spending Smart: Enforce Security and Achieve ROI

G. Mark Hardy, CISSP, CISM, CISA
President, National Security Corporation
[email protected]
+1 410.933.9333

Page 2

Initial thoughts

• The 80:20 rule: we can address 80% of the vulnerabilities for 20% of the cost.

• Does this keep us sleeping soundly at night, or just our CFOs?

• Industry standard End User License Agreement (EULA): absolves vendors of obligation to produce secure applications.

• Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises.

• Similar to engineers in Apollo 13: Have to make do with what's available to us.

Page 3

Agenda

• Risk Management 101
• How to decide how much security you need
• What are the most cost-effective security enforcement techniques?
• When is the best time to validate security?
• What does cumulative security really look like?

Page 4

Risk Management 101

(or, “Just the facts, ma’am”)

Page 5

Risk exposure

= probability of occurrence x consequence of occurrence

Example:
• Earthquake in Chicago: 0.00015 probability
• Earthquake in San Francisco: 0.075 probability
• Damage to building = $3 million
• Chicago exposure = $450
• San Francisco exposure = $225,000

NOTE: These probabilities are fictitious!

Page 6

Risk avoidance

Reduces probability of occurrence

Example:
• Relocate office from San Francisco to Chicago
• Reduces risk exposure 99.8%

Page 7

Risk mitigation

Reduces consequence of occurrence

Example:
• Building would incur $3M in damage from earthquake
• $500,000 investment in building reinforcement would reduce likely damage to $100,000 in event of earthquake
• Reduces risk exposure (in SF) by 96.7%

Page 8

Return on Investment (ROI)

= return / investment

Example:
• Purchase larger aircraft for $200M – 20 year service life
• Seats 100 more passengers, 3 flights/day, at $250 average profit
• $75,000/day equals $547M after 20 years
• ROI = $547M / $200M = 274%

NOTE: This simple example ignores time-value of money.

Page 9

Return on Security Investment (ROSI)

= reduction in risk exposure / investment in countermeasures

Example:
• Invest $500,000 in building reinforcement
• Reduces building damage to $100K from $3M
• Annual loss exposure goes from $225K to $7.5K
• Investment “pays for itself” in 2.3 years
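The exposure, avoidance, mitigation, ROI and ROSI arithmetic from pages 5 through 9, carried through in code as an added example (not part of the deck). The figures are the slides' own fictitious numbers; the `Scenario` type and function names are this example's, not the author's.

```python
"""Worked risk-exposure, avoidance, mitigation, ROI and ROSI arithmetic for the
earthquake and aircraft examples on pages 5-9. Added example; the numbers are
the deck's own (fictitious) figures, not real actuarial data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario: how likely it is per year and what it costs when it happens."""
    name: str
    probability: float  # annual probability of occurrence (fictitious, from the slides)
    consequence: float  # dollar loss if the event occurs

    def exposure(self) -> float:
        """Risk exposure = probability of occurrence x consequence of occurrence (page 5)."""
        return self.probability * self.consequence


def reduction(before: float, after: float) -> float:
    """Fraction by which exposure fell, e.g. 0.998 for the 99.8% on page 6."""
    return (before - after) / before


def roi(total_return: float, investment: float) -> float:
    """ROI = return / investment (page 8); ignores time-value of money, as the slide does."""
    return total_return / investment


def rosi(exposure_before: float, exposure_after: float, investment: float) -> float:
    """ROSI = reduction in annual risk exposure / investment in countermeasures (page 9)."""
    return (exposure_before - exposure_after) / investment


def payback_years(exposure_before: float, exposure_after: float, investment: float) -> float:
    """Years of avoided expected loss needed to recover the investment (the 2.3 years on page 9)."""
    return investment / (exposure_before - exposure_after)


# Page 5: same building, two locations, different probabilities.
CHICAGO = Scenario("Chicago", probability=0.00015, consequence=3_000_000)
SAN_FRANCISCO = Scenario("San Francisco", probability=0.075, consequence=3_000_000)

# Page 6: risk avoidance lowers the probability (relocate SF -> Chicago).
AVOIDANCE_REDUCTION = reduction(SAN_FRANCISCO.exposure(), CHICAGO.exposure())

# Page 7: risk mitigation lowers the consequence ($500K reinforcement, $3M -> $100K damage).
REINFORCEMENT_COST = 500_000
REINFORCED_SF = Scenario("San Francisco (reinforced)", probability=0.075, consequence=100_000)
MITIGATION_REDUCTION = reduction(SAN_FRANCISCO.exposure(), REINFORCED_SF.exposure())

# Page 8: the aircraft purchase, 100 extra seats x 3 flights/day x $250 over 20 years.
AIRCRAFT_COST = 200_000_000
DAILY_PROFIT = 100 * 3 * 250
AIRCRAFT_ROI = roi(DAILY_PROFIT * 365 * 20, AIRCRAFT_COST)

# Page 9: ROSI and payback of the reinforcement.
REINFORCEMENT_ROSI = rosi(SAN_FRANCISCO.exposure(), REINFORCED_SF.exposure(), REINFORCEMENT_COST)
REINFORCEMENT_PAYBACK = payback_years(SAN_FRANCISCO.exposure(), REINFORCED_SF.exposure(), REINFORCEMENT_COST)

if __name__ == "__main__":
    for s in (CHICAGO, SAN_FRANCISCO, REINFORCED_SF):
        print(f"{s.name:28s} exposure ${s.exposure():,.0f}/year")
    print(f"avoidance cuts exposure by {AVOIDANCE_REDUCTION:.1%}")
    print(f"mitigation cuts exposure by {MITIGATION_REDUCTION:.1%}")
    print(f"aircraft ROI {AIRCRAFT_ROI:.0%}; reinforcement ROSI {REINFORCEMENT_ROSI:.1%}/year")
    print(f"reinforcement pays for itself in {REINFORCEMENT_PAYBACK:.1f} years")
```

The ROSI line is the number the slide leaves implicit: a $217,500 annual reduction on a $500,000 outlay is 43.5% per year, which is where the 2.3-year payback comes from.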

Page 10

How to Decide How Much Security You Need

(or, pay me now, or pay me later)

Page 11

How much is enough security?

Perfect security is a myth

Effective security is achievable

First: need to know the value of what you’re protecting
• To yourself
• To an opponent

Page 12

What is perfect security?

A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete.

This is a good start.

Unfortunately, this doesn’t scale well to an enterprise model.

Page 13

What is effective security?

Time-based security model: P > E = D + R
• P = protection

• E = exposure

• D = detection

• R = response

• Ref: Time-based Security, Winn Schwartau

Page 14

Time-based security example

Jewelry store
• Safe takes 30 minutes to crack or burn through (P)

• Alarm detects intrusion attempts in 0.02 seconds (D)

• Police take 20 minutes to respond (R)

• Since P > D + R, security deemed effective

• To defeat, must lower P or increase D or R

Page 15

Time-based security example

Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
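The P > D + R test from pages 13 through 15, applied to both of the deck's scenarios as an added example (not the author's code). It assumes a 24-hour clock for the once-a-day log review, so D for the network case depends on when the attack starts; the `TimeBasedSecurity` type and helper names are this example's own.

```python
"""Time-based security check, P > D + R (pages 13-15), applied to the deck's
jewelry-store and network-intrusion scenarios. Added example, not from the
slides; the once-a-day log review is modelled on an assumed 24-hour clock."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeBasedSecurity:
    """Times in seconds: P = how long protection holds, D = time to detect, R = time to respond."""
    name: str
    protection_s: float
    detection_s: float
    response_s: float

    def exposure_s(self) -> float:
        """E = D + R: how long an attacker can work before anyone acts."""
        return self.detection_s + self.response_s

    def margin_s(self) -> float:
        """Positive when protection outlasts exposure, negative when it does not."""
        return self.protection_s - self.exposure_s()

    def effective(self) -> bool:
        """The slide's test: security is deemed effective only if P > E."""
        return self.margin_s() > 0


def seconds_until_log_review(attack_hour: float, review_hour: float = 8.0) -> float:
    """Detection delay when logs are only reviewed once a day at review_hour (page 15).
    attack_hour is a 0-24 clock value (assumption: an attack starting exactly at
    review time is noticed immediately; anything later waits until the next morning)."""
    return ((review_hour - attack_hour) % 24.0) * 3600.0


# Page 14: safe holds 30 min, alarm trips in 0.02 s, police arrive in 20 min.
JEWELRY_STORE = TimeBasedSecurity("jewelry store", 30 * 60, 0.02, 20 * 60)


def network_intrusion(attack_hour: float) -> TimeBasedSecurity:
    """Page 15: brute-forcing the stolen password file takes 6 h (P), the admin
    reads logs at 08:00 (so D depends on when the attack starts) and needs 30 min (R).
    The 30 min spent running the attack suite is not counted in P, matching the
    slide, which labels only the 6-hour brute-force as P."""
    return TimeBasedSecurity(f"network intrusion at {attack_hour:05.2f}h",
                             6 * 3600, seconds_until_log_review(attack_hour), 30 * 60)


def effective_start_hours(p_s: float = 6 * 3600, r_s: float = 30 * 60) -> float:
    """Hours per day during which an attack start would still be caught in time:
    detection must happen at least R before P runs out, so only starts within
    (P - R) of the review are covered. With the slide's numbers that is 5.5 h of 24."""
    return max(0.0, min(24.0, (p_s - r_s) / 3600.0))


if __name__ == "__main__":
    for case in (JEWELRY_STORE, network_intrusion(22.0), network_intrusion(5.0)):
        verdict = "effective" if case.effective() else "INEFFECTIVE"
        print(f"{case.name:30s} P={case.protection_s:>8.2f}s  D+R={case.exposure_s():>9.2f}s  {verdict}")
    print(f"once-a-day review covers attacks starting in only {effective_start_hours():.1f} h of 24")
```

Running it shows the point the slide makes with a single number: a daily log review only wins when the attack happens to start within 5.5 hours of 08:00, so most of the day P < D + R.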

Page 16

Make the cost of achieving compromise unacceptable

“Unacceptable” criteria:
• Cost of compromise exceeds monetary value of information

• Time to compromise exceeds time value of information

Unfortunately, this metric doesn’t work with hackers and terrorists

Page 17

Key is to know what information is worth, and in what order to protect it

This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE) quantitative assessment
• Kepner-Tregoe qualitative assessment

Is risk assessment institutionalized within your organization’s development, deployment, and operational strategies?

Page 18

Audience Response System

Please pick up your keypad.

Page 19

Does your organization conduct formal risk assessment before implementing a new application, system or program?

1. Yes, it is an integral part of our planning
2. Yes, but only when required by law
3. Rarely
4. Never

Page 20

Risk assessment models are changing

Pre-9/11 model: protect against the most likely threats

Post-9/11 model: protect (also) against the most catastrophic results

Requires a change in mindset

Page 21

What are the most cost-effective security enforcement techniques?

(or, how much can I get for free?)

Page 22

What makes security cost-effective?

If it’s free

If someone else pays for it

Problem is determining value
• “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?”

• Only recognize value of security when something bad happens = ROSI

Page 23

Why is ROI such a problem?

ROI designed to demonstrate profitability of an investment

Security does not yield direct profitability

Therefore, security is often viewed as an (undesirable and) unavoidable expense

Page 24

Security provides a unique value-add

Provides assurance of return on OTHER investments

Most ROI calculations assume a “perfect” environment (and are rarely challenged)
• What is your ROI with 98% uptime?
• What about 95%?

Page 25

If you consider security events inevitable, the equation changes

Cannot be merely satisfied producing a positive ROI

Must prove you won’t take unnecessary losses that impact bottom line

ROSI (return on seatbelt investment) – only see benefit when bad things happen

“Security reduces the financial attrition inherent in modern business practice on the Internet”

Page 26

Value of security

Can be prescribed by law, regulation, or business agreement

Usually sets a minimum standard of compliance

Often value to organization is not apparent

Physical examples: airbags, building codes, passenger screening

Page 27

Audience Response System

Please pick up your keypad.

Page 28

What is the most valuable asset of your company?

1. People
2. Plant, property, equipment, technology
3. Information
4. Brand identity
5. Financial position

Page 29

What is the value of your brand?

How much did it cost to establish?

Is it worth defending?

On the Internet, brand can be destroyed in an instant

Security event analogous to an airline crash

Page 30

Enlightened business practices

Run business with knowledge of identified risks

Mitigate those that are cost-effective to do so

Assign risks you can’t mitigate

Not a question of avoiding lawsuits, but being allowed to stay in business

Haven’t been major lawsuits (yet). Has been establishment of duties: due care, protect assets.

Avoiding liabilities less important than doing right thing

Page 31

Audience Response System

Please pick up your keypad.

Page 32

Who in your organization is responsible for information security?

1. CISO or equivalent (no physical)
2. CISO/physical security (combined)
3. VP of info security
4. Director of security
5. Below director, or no assignment

Page 33

Allocating security costs throughout enterprise

Isolating security as stand-alone cost center sets up scapegoat – someone to blame

Require security in each project or initiative to receive approval

For each new project, require contribution to security (like a security “tax” or user fee)

Think of security like health insurance, not life insurance – incremental use, not binary

Page 34

New security paradigm

Enhance viability of enterprise

Reduce total cost of ownership (TCO)

Provide insurance on ROI for projects

Enabler to do or get into new businesses

Competitive advantage

Retain customer base

Resistance to lawsuits; legal liability

Page 35

When is the best time to validate security?

(or, can I please have a 100-hour day?)

Page 36

Rural mechanic’s rates

$30 per hour

$40 per hour if you watch

$75 per hour if you help

Page 37

Security is not an event, it’s a process

To be effective, must be integrated throughout lifecycle

Cannot be a part-time thing
• Screening passengers only in the afternoon is not effective security

Momentary lapse can permit catastrophic loss

Page 38

Build security into lifecycle

Software development lifecycle

Procurement lifecycle

Systems lifecycle

Mergers and acquisitions

“Painted on” security will never be as effective as “baked in” security

Page 39

Audience Response System

Please pick up your keypad.

Page 40

What is the size of your written information security policy?

1. No written policy (or don’t know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages

Page 41

How do I get there from here?

Foundational element: written information security policy

Must be short enough to capture management’s attention span

Must be general enough to stand the test of time (i.e., not technology specific)

Defines what needs to be protected

Page 42

What does cumulative security really look like?

(or, how do I build a digital Fort Knox?)

Page 43

Blending security defenses

[Diagram: concentric defense layers, from the outside in: External communications, Perimeter, Network, Host, Application, Data. Security policy and Awareness and training appear as labels alongside the layers.]

Page 44

Layered security reverses the security challenge

Traditionally, the good guy has to defend all vulnerabilities, the bad guy has to find only one

Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond

May be a combination of vendor, custom or service provider

Page 45

It’s a big challenge. (How big is it?)

Year   Product          Millions of lines of code
1993   Windows NT 3.1    6
1996   Windows NT 4.0   16.5
1999   Windows 2000     29
2001   Windows XP       45
2003   Windows 2003     50

Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc

Page 46

Leadership 101

You cannot delegate accountability for the security of your enterprise to any vendor, consultant, business partner or other entity.

You are responsible for effectively integrating all security elements, and planning for inevitable security holes

Page 47

Summary

Aim for “effective” security

Know what security costs, and what you get in return

Think “total cost of ownership,” not ROI

“Bake in” your security

Maintain an effective security policy

Layer your defenses

Page 48

Spending Smart: Enforce Security and Achieve ROI

G. Mark Hardy, CISSP, CISM, CISA
President, National Security Corporation
[email protected]
+1 410.933.9333

Page 49

Thank you.

Questions, comments?

Mr. Hardy will be available at the Ask-the-Experts booth in the Exhibit Hall

Or e-mail questions and comments to: [email protected]