Spending smart: Enforce Security and Achieve ROI
G. Mark Hardy, CISSP, CISM, President, National Security [email protected], +1 410.933.9333
Discussion
• The 80:20 rule: address 80% of vulnerabilities for 20% of the cost
• Keep us sleeping soundly at night or just our CFOs?
• Industry standard End User License Agreement
(EULA): absolves vendors of obligation to produce
secure applications
• Time-to-market is paramount; secure commercial
code may be a long way off despite vendor promises
• Similar to engineers in Apollo 13: have to make do?
Agenda
How to decide how much security you need
What are the most cost-effective techniques available
to enforce security?
When is the best time to validate security?
What does cumulative security really look like?
How trustworthy is Microsoft's Trustworthy Computing
Initiative?
How to decide how much security you need
(Or… pay me now, or pay me later)
How much is enough security?
Perfect security is a myth
Effective security is achievable
First: Need to know the value of what you’re
protecting
• To yourself
• To an opponent
What is perfect security?
A computer with no floppy drive, no serial,
parallel, or USB ports, unplugged, and buried
under six feet of reinforced concrete.
This is a good start.
Unfortunately, this doesn’t scale well to an
enterprise model.
What is effective security?
Time-based security model: P > E = D + R
• P = protection
• E = exposure
• D = detection
• R = response
• Ref: Time-based Security, Winn Schwartau
Time-based security example
Jewelry store
• Safe takes 30 minutes to crack or burn through (P)
• Alarm detects intrusion attempts in 0.02 seconds (D)
• Police take 20 minutes to respond (R)
• Since P > D + R, security deemed effective
• To defeat, must lower P or increase D or R
Time-based security example
Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
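The two examples above, worked through the P > E = D + R model in code. This is an added illustration, not part of the original deck; the 24-hour detection latency for the network case is an assumption (worst case: the attack starts just after the 8:00 log review), and the 30-minute attack-suite time is left out because the slides label only the 6-hour brute-force as P. The `max_detection_latency` helper goes one step beyond the slides: it computes how fast detection would have to be for the same P and R to make security effective.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeBasedSecurity:
    """Schwartau's time-based security model, P > E = D + R (all values in seconds)."""
    protection: float  # P: time an attacker needs to defeat the protection
    detection: float   # D: time until the intrusion attempt is noticed
    response: float    # R: time from detection to effective intervention

    @property
    def exposure(self) -> float:
        """E = D + R: the window in which the attacker works unopposed."""
        return self.detection + self.response

    @property
    def effective(self) -> bool:
        """Security is deemed effective only when P exceeds E."""
        return self.protection > self.exposure

    @property
    def margin(self) -> float:
        """P - E: positive means time to spare, negative means the attacker wins."""
        return self.protection - self.exposure

    def max_detection_latency(self) -> float:
        """Largest D that still keeps P > D + R for the given P and R.
        A negative result means the response alone is too slow to fix with detection."""
        return self.protection - self.response


MINUTE, HOUR = 60.0, 3600.0

# Jewelry store from the slides: 30 min safe, 0.02 s alarm, 20 min police response.
JEWELRY_STORE = TimeBasedSecurity(protection=30 * MINUTE, detection=0.02, response=20 * MINUTE)

# Network intrusion from the slides: 6 h to brute-force the password file, 30 min to
# find the log entries. Detection latency of 24 h is an assumed worst case (logs are
# only reviewed once a day at 8:00).
NETWORK_INTRUSION = TimeBasedSecurity(protection=6 * HOUR, detection=24 * HOUR, response=30 * MINUTE)

if __name__ == "__main__":
    for name, case in (("jewelry store", JEWELRY_STORE), ("network intrusion", NETWORK_INTRUSION)):
        verdict = "effective" if case.effective else "ineffective"
        print(f"{name}: P={case.protection / MINUTE:.1f} min, E={case.exposure / MINUTE:.1f} min "
              f"-> {verdict}; detection must occur within "
              f"{case.max_detection_latency() / HOUR:.2f} h of the attempt")
```

For the network case the answer is 5.5 hours: daily log review cannot meet it, which is the argument for automated alerting rather than a faster administrator.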
Make the cost of achieving compromise unacceptable
“Unacceptable” criteria:
• Cost of compromise exceeds monetary value of
information
• Time to compromise exceeds time value of
information
Unfortunately, this metric doesn’t work with
hackers and terrorists.
Key is to know what information is worth, and in what order to protect it
This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE)
quantitative assessment
• Kepner-Tregoe qualitative assessment
Is risk assessment institutionalized
within your organization’s development,
deployment and operational strategies?
Does your organization conduct formal risk assessment before implementing a new application, system or program?
1. Yes, it is an integral part of
our planning
2. Yes, but only when
required by law
3. Rarely
4. Never
Risk assessment models are changing
Pre-9/11 model: protect against the most
likely threats
Post-9/11 model: protect (also) against the
most catastrophic results
Requires a change in mindset
What are the most cost-effective techniques available to enforce security?
(Or… how much can I get for free?)
What makes security cost-effective?
If it’s free
If someone else pays for it
Problem is determining value
• “We gave you $100K last year for security, and
nothing happened. Why should we give you more this
year?”
• Recognize value of security only when something bad
happens = ROSI
Why is ROI such a problem?
ROI designed to demonstrate profitability of
an investment
Security does not yield direct profitability.
Therefore, security is often viewed as an
(undesirable and) unavoidable expense.
Security provides a unique value-add
Provides assurance of return on OTHER
investments
Most ROI calculations assume a
“perfect” environment (and are rarely
challenged)
• What is your ROI with 98% uptime?
• What about 95%?
If you consider security events inevitable, the equation changes.
Cannot be merely satisfied producing a positive ROI
Must prove you won’t take unnecessary losses that
impact bottom line
ROSI (return on seatbelt investment) -- see benefit only
when bad things happen
“Security reduces financial attrition inherent in modern
business practice on Internet”
Value of security
Can be prescribed by law, regulation or business agreement
Usually sets a minimum standard of compliance
Often value to organization is not apparent
Physical examples: airbags, building codes, passenger screening
What is the most valuable asset of your company?
1. People
2. Plant, property,
equipment, technology
3. Information
4. Brand identity
5. Financial position
What is the value of your brand?
How much did it cost to establish?
Is it worth defending?
On the Internet, brand can be destroyed in an
instant.
Security event analogous to an airline crash
Enlightened business practices
Run business with knowledge of identified risks.
Mitigate those that are cost-effective to do so.
Assign risks you can’t mitigate.
Not a question of avoiding lawsuits, but of being allowed to stay in business
There have not been major lawsuits (yet), but duties have been established: due care, protection of assets.
Avoiding liabilities less important than doing right thing
Who in your organization is responsible for info security?
1. CISO or equivalent (no physical)
2. CISO/physical security
(combined)
3. VP of info security
4. Director of security
5. Below director, or no
assignment
Allocating security costs throughout enterprise
Isolating security as stand-alone cost center sets up
scapegoat -- someone to blame
Require security in each project or initiative to receive
approval
For each new project, require contribution to security
(like a security “tax” or user fee)
Think of security like health insurance, not life
insurance -- incremental use, not binary
New security paradigm
Enhance viability of enterprise
Reduce total cost of ownership (TCO)
Provide insurance on ROI for projects
Enabler to do or get into new businesses
Competitive advantage
Retain customer base
Resistance to lawsuits; legal liability
When is the best time to validate security?
(Or… Can I please have a 100-hour day?)
Rural mechanic’s rates
$30 per hour
$40 per hour if you watch
$75 per hour if you help
Security is not an event; it’s a process.
To be effective, must be integrated
throughout lifecycle
Cannot be a part-time thing
• Screening passengers only in the afternoon is not
effective security
Momentary lapse can permit
catastrophic loss
Build Security into Lifecycle
Software development lifecycle
Procurement lifecycle
Systems lifecycle
Mergers and acquisitions
“Painted on” security will never be as
effective as “baked in” security.
What is the size of your written information security policy?
1. No written policy (or don’t
know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages
How do I get there from here?
Foundational element: written information security policy
Must be short enough to capture management’s attention span
Must be general enough to stand the test of time (i.e., not technology specific)
Defines what needs to be protected
What does cumulative security really look like?
(Or… How do I build a digital Fort Knox?)
Blending Security Defenses
[Figure: concentric defense layers. Surrounding everything: Security Policy, Awareness and Training. Layers from the outside in: External Communications, Perimeter, Network, Host, Application, Data.]
Layered security reverses the security challenge
Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one.
Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond.
May be a combination of vendor, custom or service provider
How trustworthy is Microsoft's Trustworthy Computing Initiative?
(Or… Do you really believe that $#!^ ?)
Bottom line…
I don’t care.
How big is it?
Year Product Millions of lines of code
1993 Windows NT 3.1 6
1996 Windows NT 4.0 16.5
1999 Windows 2000 29
2001 Windows XP 45
2003 Windows 2003 50
Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc
Leadership 101
Responsibility
Authority
Accountability
What does each term mean?
What can you delegate?
Security 101
You cannot delegate the accountability of
securing your enterprise to any vendor,
consultant, business partner or other entity.
You are responsible for effectively integrating
all security elements and planning for
inevitable security holes.
Summary
Aim for “effective” security.
Know what security costs and what you get in
return.
Think “total cost of ownership,” not ROI.
“Bake in” your security.
Maintain an effective security policy.
Layer your defenses.