1 / 41

Spending smart: Enforce Security and Achieve ROI

Spending smart: Enforce Security and Achieve ROI. G. Mark Hardy, CISSP, CISM President, National Security Corporation gmhardy@nationalsecurity.com +1 410.933.9333. Discussion. The 80:20 rule : address 80% vulnerabilities for 20% cost Keep us sleeping soundly at night or just our CFOs?

mardi
Download Presentation

Spending smart: Enforce Security and Achieve ROI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Spending smart: Enforce Security and Achieve ROI G. Mark Hardy, CISSP, CISM President, National Security Corporation gmhardy@nationalsecurity.com +1 410.933.9333

  2. Discussion • The 80:20 rule: address 80% vulnerabilities for 20% cost • Keep us sleeping soundly at night or just our CFOs? • Industry standard End User License Agreement (EULA): absolves vendors of obligation to produce secure applications • Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises • Similar to engineers in Apollo 13: have to make do?

  3. Agenda • How to decide how much security you need • What are the most cost-effective techniques available to enforce security? • When is the best time to validate security? • What does cumulative security really look like? • How trustworthy is Microsoft's Trustworthy Computing Initiative?

  4. How to decide how much security you need (Or… pay me now, or pay me later)

  5. How much is enough security? • Perfect security is a myth • Effective security is achievable • First: Need to know the value of what you’re protecting • To yourself • To an opponent

  6. What is perfect security? • A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete. • This is a good start. • Unfortunately, this doesn’t scale well to an enterprise model.

  7. What is effective security? • Time-based security model: P>E=D+R • P = protection • E = exposure • D = detection • R = response • Ref: Time-based Security, Winn Schwartau

  8. Time-based security example • Jewelry store • Safe takes 30 minutes to crack or burn through (P) • Alarm detects intrusion attempts in 0.02 seconds (D) • Police take 20 minutes to respond (R) • Since P > D + R, security deemed effective • To defeat, must lower P or increase D or R

  9. Time-based security example • Network intrusion • Intruder takes 30 minutes to run attack suite • Downloaded password file takes 6 hours to brute-force for most likely passwords (P) • Network administrator reviews logs every morning at 8:00 (D) • Administrator takes 30 minutes to find log entries (R) • Since P < D+R, security deemed ineffective

  10. Make the cost of achieving compromise unacceptable • “Unacceptable” criteria: • Cost of compromise exceeds monetary value of information • Time to compromise exceeds time value of information • Unfortunately, this metric doesn’t work with hackers and terrorists.

  11. Key is to know what information is worth, and in what order to protect it • This is basically risk assessment • FIPS PUB 65 Annualized Loss Expectancy (ALE) quantitative assessment • Kepner-Tregoe qualitative assessment • Is risk assessment institutionalized within your organization’s development, deployment and operational strategies?

  12. Does your organization conduct formal risk assessment before implementing a new application, system or program? • Yes, it is an integral part of our planning • Yes, but only when required by law • Rarely • Never 0/0

  13. Risk assessment models are changing • Pre-9/11 model: protect against the most likely threats • Post-9/11 model: protect (also) against the most catastrophic results • Requires a change in mindset

  14. What are the most cost-effective techniques available to enforce security? (Or… how much can I get for free?)

  15. What makes security cost-effective? • If it’s free • If someone else pays for it • Problem is determining value • “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?” • Recognize value of security only when something bad happens = ROSI

  16. Why is ROI such a problem? • ROI designed to demonstrate profitability of an investment • Security does not yield direct profitability. • Therefore, security is often viewed as an (undesirable and) unavoidable expense.

  17. Security provides a unique value-add • Provides assurance of return on OTHER investments • Most ROI calculations assume a “perfect” environment (and are rarely challenged) • What is your ROI with 98% uptime? • What about 95%?

  18. If you consider security events inevitable, the equation changes. • Cannot be merely satisfied producing a positive ROI • Must prove you won’t take unnecessary losses that impact bottom line • ROSI (return on seatbelt investment) -- see benefit only when bad things happen • “Security reduces financial attrition inherent in modern business practice on Internet”

  19. Value of security • Can be prescribed by law, regulation or business agreement • Usually sets a minimum standard of compliance • Often value to organization is not apparent • Physical examples: airbags, building codes, passenger screening

  20. What is the most valuable asset of your company? • People • Plant, property, equipment, technology • Information • Brand identity • Financial position 0/0

  21. What is the value of your brand? • How much did it cost to establish? • Is it worth defending? • On the Internet, brand can be destroyed in an instant. • Security event analogous to an airline crash

  22. Enlightened business practices • Run business with knowledge of identified risks. • Mitigate those that are cost-effective to do so. • Assign risks you can’t mitigate. • Not a question of avoiding lawsuits, but of being allowed to stay in business • Haven’t been major lawsuits (yet). Has been establishment of duties: due care, protect assets. • Avoiding liabilities less important than doing right thing

  23. Who in your organization is responsible for info security? • CISO or equivalent (no physical) • CISO/physical security (combined) • VP of info security • Director of security • Below director, or no assignment 0/0

  24. Allocating security costs throughout enterprise • Isolating security as stand-alone cost center sets up scapegoat -- someone to blame • Require security in each project or initiative to receive approval • For each new project, require contribution to security (like a security “tax” or user fee) • Think of security like health insurance, not life insurance -- incremental use, not binary

  25. New security paradigm • Enhance viability of enterprise • Reduce total cost of ownership (TCO) • Provide insurance on ROI for projects • Enabler to do or get into new businesses • Competitive advantage • Retain customer base • Resistance to lawsuits; legal liability

  26. When is the best time to validate security? (Or… Can I please have a 100-hour day?)

  27. Rural mechanic’s rates • $30 per hour • $40 per hour if you watch • $75 per hour if you help

  28. Security is not an event; it’s a process. • To be effective, must be integrated throughout lifecycle • Cannot be a part-time thing • Screening passengers only in the afternoon is not effective security • Momentary lapse can permit catastrophic loss

  29. Build Security into Lifecycle • Software development lifecycle • Procurement lifecycle • Systems lifecycle • Mergers and acquisitions • “Painted on” security will never be as effective as “baked in” security.

  30. What is the size of your written information security policy? • No written policy (or don’t know) • 1-3 pages • 4-20 pages • 21-50 pages • Greater than 50 pages 0/0

  31. How do I get there from here? • Foundational element: written information security policy • Must be short enough to capture management’s attention span • Must be general enough to stand the test of time (i.e., not technology specific) • Defines what needs to be protected

  32. What does cumulative security really look like? (Or… How do I build a digital Fort Knox?)

  33. Blending Security Defenses Perimeter Perimeter External Communications Network Network Host Host Application Application Data Awareness and Training Security Policy

  34. Layered security reverses the security challenge • Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one. • Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond. • May be a combination of vendor, custom or service provider

  35. How trustworthy is Microsoft's Trustworthy Computing Initiative? (Or… Do you really believe that $#!^ ?)

  36. Bottom line… • I don’t care.

  37. How big is it? Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc

  38. Leadership 101 • Responsibility • Authority • Accountability • What does each term mean? • What can you delegate?

  39. Security 101 • You cannot delegate the accountability of securing your enterprise to any vendor, consultant, business partner or other entity. • You are responsible for effectively integrating all security elements and planning for inevitable security holes.

  40. Summary • Aim for “effective” security. • Know what security costs and what you get in return. • Think “total cost of ownership,” not ROI. • “Bake in” your security. • Maintain an effective security policy. • Layer your defenses.

  41. Spending smart: Enforce Security and Achieve ROI G. Mark Hardy, CISSP, CISM President, National Security Corporation gmhardy@nationalsecurity.com +1 410.933.9333

More Related