Spending smart: Enforce Security and Achieve ROI G. Mark Hardy, CISSP, CISM President, National Security Corporation gmhardy@nationalsecurity.com +1 410.933.9333
Discussion • The 80:20 rule: address 80% vulnerabilities for 20% cost • Keep us sleeping soundly at night or just our CFOs? • Industry standard End User License Agreement (EULA): absolves vendors of obligation to produce secure applications • Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises • Similar to engineers in Apollo 13: have to make do?
Agenda • How to decide how much security you need • What are the most cost-effective techniques available to enforce security? • When is the best time to validate security? • What does cumulative security really look like? • How trustworthy is Microsoft's Trustworthy Computing Initiative?
How to decide how much security you need (Or… pay me now, or pay me later)
How much is enough security? • Perfect security is a myth • Effective security is achievable • First: Need to know the value of what you’re protecting • To yourself • To an opponent
What is perfect security? • A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete. • This is a good start. • Unfortunately, this doesn’t scale well to an enterprise model.
What is effective security? • Time-based security model: P > E, where E = D + R • P = protection (time the attacker needs to defeat the control) • E = exposure (the window in which the attacker can succeed unopposed) • D = detection (time until the attempt is noticed) • R = response (time from detection to an effective reaction) • Ref: Time-based Security, Winn Schwartau
Time-based security example • Jewelry store • Safe takes 30 minutes to crack or burn through (P) • Alarm detects intrusion attempts in 0.02 seconds (D) • Police take 20 minutes to respond (R) • Since P > D + R, security deemed effective • To defeat, must lower P or increase D or R
Time-based security example • Network intrusion • Intruder takes 30 minutes to run attack suite • Downloaded password file takes 6 hours to brute-force for most likely passwords (P) • Network administrator reviews logs every morning at 8:00 (D: anywhere from minutes up to nearly 24 hours, depending on when the attack starts) • Administrator takes 30 minutes to find log entries (R) • Since P < D + R, security deemed ineffective
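The two scenarios above, worked through in code. This is an added example, not part of the original slides: it applies Schwartau's test (P > E, E = D + R) using the slides' own numbers, and turns "reviews logs every morning at 8:00" into a detection delay with a simple periodic-review model (the assumption that an attack starting as the review begins is missed until the next one is mine, not the slides').

```python
# Added example, not from the original slides: Schwartau's time-based security
# test, P > E where E = D + R, applied to the jewelry-store and network
# intrusion scenarios. Numbers are the slides' own; the periodic log-review
# model used to derive D is an assumption made here.
from dataclasses import dataclass
from typing import Sequence

HOUR = 3600.0
MINUTE = 60.0


@dataclass(frozen=True)
class Scenario:
    name: str
    protection_s: float  # P: time an attacker needs to defeat the protection
    detection_s: float   # D: time from start of attack until it is noticed
    response_s: float    # R: time from detection until an effective response

    @property
    def exposure_s(self) -> float:
        """E = D + R: the window in which the attacker can succeed unopposed."""
        return self.detection_s + self.response_s

    @property
    def margin_s(self) -> float:
        """P - E; positive means the defender wins the race."""
        return self.protection_s - self.exposure_s

    @property
    def effective(self) -> bool:
        return self.protection_s > self.exposure_s

    def max_detection_s(self) -> float:
        """Largest D that would still make this scenario effective, given P and R."""
        return max(0.0, self.protection_s - self.response_s)


def next_review_delay_s(attack_start_s: float, review_times_s: Sequence[float],
                        period_s: float = 24 * HOUR) -> float:
    """Seconds from attack start until the next scheduled log review.

    Assumption: an attack that begins exactly as a review starts is missed by
    that review (its log lines are not there yet), so it waits a full period.
    """
    start = attack_start_s % period_s
    delays = []
    for t in review_times_s:
        d = (t - start) % period_s
        delays.append(period_s if d == 0 else d)
    return min(delays)


def jewelry_store() -> Scenario:
    # Safe resists 30 min, alarm fires in 0.02 s, police arrive in 20 min.
    return Scenario("jewelry store", 30 * MINUTE, 0.02, 20 * MINUTE)


def network_intrusion(attack_start_s: float) -> Scenario:
    # Password file brute-forced in 6 h, logs reviewed daily at 08:00,
    # 30 min to find the relevant entries. The slides count only the 6 h
    # brute-force as P, so the 30 min attack-suite run is left out to match.
    detection = next_review_delay_s(attack_start_s, [8 * HOUR])
    return Scenario("network intrusion", 6 * HOUR, detection, 30 * MINUTE)


def worst_case_network_intrusion() -> Scenario:
    """The scenario an attacker who chooses the start time will produce."""
    return max((network_intrusion(h * HOUR) for h in range(24)),
               key=lambda s: s.exposure_s)


if __name__ == "__main__":
    for s in (jewelry_store(), network_intrusion(2 * HOUR), worst_case_network_intrusion()):
        verdict = "effective" if s.effective else "INEFFECTIVE"
        print(f"{s.name:18s} P={s.protection_s / HOUR:6.2f}h E={s.exposure_s / HOUR:6.2f}h "
              f"margin={s.margin_s / HOUR:+6.2f}h -> {verdict}; "
              f"D must be < {s.max_detection_s() / HOUR:.2f}h")
```

The useful output is `max_detection_s()`: with a 6-hour P and a 30-minute R, detection has to land inside 5.5 hours, which a once-a-day log review can never guarantee. That is the quantitative version of "lower P or shrink D or R": either slow the attacker (stronger password hashing raises P) or move detection from a morning ritual to an alert.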
Make the cost of achieving compromise unacceptable • “Unacceptable” criteria: • Cost of compromise exceeds monetary value of information • Time to compromise exceeds time value of information • Unfortunately, this metric doesn’t work with hackers and terrorists.
Key is to know what information is worth, and in what order to protect it • This is basically risk assessment • FIPS PUB 65 Annualized Loss Expectancy (ALE) quantitative assessment: ALE = single loss expectancy × annualized rate of occurrence • Kepner-Tregoe qualitative assessment • Is risk assessment institutionalized within your organization’s development, deployment and operational strategies?
Does your organization conduct formal risk assessment before implementing a new application, system or program? • Yes, it is an integral part of our planning • Yes, but only when required by law • Rarely • Never
Risk assessment models are changing • Pre-9/11 model: protect against the most likely threats • Post-9/11 model: protect (also) against the most catastrophic results • Requires a change in mindset
What are the most cost-effective techniques available to enforce security? (Or… how much can I get for free?)
What makes security cost-effective? • If it’s free • If someone else pays for it • Problem is determining value • “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?” • The value of security is recognized only when something bad happens (the ROSI problem)
Why is ROI such a problem? • ROI designed to demonstrate profitability of an investment • Security does not yield direct profitability. • Therefore, security is often viewed as an (undesirable and) unavoidable expense.
Security provides a unique value-add • Provides assurance of return on OTHER investments • Most ROI calculations assume a “perfect” environment (and are rarely challenged) • What is your ROI with 98% uptime? • What about 95%?
If you consider security events inevitable, the equation changes. • Cannot be merely satisfied producing a positive ROI • Must prove you won’t take unnecessary losses that impact bottom line • ROSI (return on seatbelt investment) -- see benefit only when bad things happen • “Security reduces financial attrition inherent in modern business practice on Internet”
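The ALE assessment from the risk-assessment slide and the "seatbelt" return argument above, worked as one calculation. This is an added example, not from the original slides: ALE is computed the FIPS PUB 65 way (SLE = asset value × exposure factor, ALE = SLE × ARO), and each control is scored on the ALE it removes against its annual cost, which is the loss-avoided value the slides say only shows up when the bad thing happens. Every asset value, rate and cost below is a constructed sample figure, not data from the slides.

```python
# Added example, not from the original slides: FIPS PUB 65 style annualized
# loss expectancy and the return on a control measured as ALE avoided against
# annual cost. All figures in sample_risks()/sample_controls() are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth to you
    exposure_factor: float  # EF: fraction of AV lost in one event, 0..1
    aro: float              # ARO: expected events per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year if nothing is done."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk_name: str
    annual_cost: float          # licence, staff, service fees per year
    aro_reduction: float = 0.0  # fraction by which the control cuts ARO
    ef_reduction: float = 0.0   # fraction by which the control cuts EF


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return risk.ale * (1 - control.aro_reduction) * (1 - control.ef_reduction)


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: (ALE avoided - annual cost) / annual cost."""
    avoided = risk.ale - residual_ale(risk, control)
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(risks: Iterable[Risk], controls: Iterable[Control]) -> List[Tuple[str, float]]:
    """Controls ordered by ROSI, best first. A negative ROSI means the control
    costs more than the loss it prevents: a candidate to transfer or accept
    rather than mitigate."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, rosi(by_name[c.risk_name], c)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def sample_risks() -> List[Risk]:
    # Constructed figures for illustration only.
    return [
        Risk("storefront outage", asset_value=2_000_000, exposure_factor=0.10, aro=2.0),
        Risk("customer DB breach", asset_value=5_000_000, exposure_factor=0.40, aro=0.1),
        Risk("laptop theft", asset_value=50_000, exposure_factor=1.0, aro=3.0),
    ]


def sample_controls() -> List[Control]:
    # Constructed figures for illustration only.
    return [
        Control("DDoS mitigation service", "storefront outage", 60_000, aro_reduction=0.75),
        Control("application firewall + code review", "customer DB breach", 250_000, aro_reduction=0.5),
        Control("full-disk encryption", "laptop theft", 20_000, ef_reduction=0.9),
    ]


if __name__ == "__main__":
    risks, controls = sample_risks(), sample_controls()
    for r in risks:
        print(f"{r.name:20s} SLE={r.sle:>12,.0f} ALE={r.ale:>12,.0f}")
    for name, value in rank_controls(risks, controls):
        print(f"{name:36s} ROSI={value:+.2f}")
```

Two caveats a practitioner should keep in mind. First, the ranking is only as good as the EF and ARO estimates, which are usually guesses; revisit them after every incident. Second, a pure ALE ranking favours frequent, moderate losses over rare, catastrophic ones (the breach here scores worst because its ARO is 0.1), which is exactly the pre-9/11 "most likely" bias the later slide on changing risk models warns about.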
Value of security • Can be prescribed by law, regulation or business agreement • Usually sets a minimum standard of compliance • Often value to organization is not apparent • Physical examples: airbags, building codes, passenger screening
What is the most valuable asset of your company? • People • Plant, property, equipment, technology • Information • Brand identity • Financial position
What is the value of your brand? • How much did it cost to establish? • Is it worth defending? • On the Internet, brand can be destroyed in an instant. • Security event analogous to an airline crash
Enlightened business practices • Run business with knowledge of identified risks. • Mitigate those that are cost-effective to mitigate. • Transfer (assign) risks you can’t mitigate, e.g. through insurance or contract. • Not a question of avoiding lawsuits, but of being allowed to stay in business • Haven’t been major lawsuits (yet). There has been establishment of duties: due care, protect assets. • Avoiding liabilities is less important than doing the right thing
Who in your organization is responsible for info security? • CISO or equivalent (no physical) • CISO/physical security (combined) • VP of info security • Director of security • Below director, or no assignment
Allocating security costs throughout enterprise • Isolating security as stand-alone cost center sets up scapegoat -- someone to blame • Require security in each project or initiative to receive approval • For each new project, require contribution to security (like a security “tax” or user fee) • Think of security like health insurance, not life insurance -- incremental use, not binary
New security paradigm • Enhance viability of enterprise • Reduce total cost of ownership (TCO) • Provide insurance on ROI for projects • Enabler to do or get into new businesses • Competitive advantage • Retain customer base • Resistance to lawsuits; legal liability
When is the best time to validate security? (Or… Can I please have a 100-hour day?)
Rural mechanic’s rates • $30 per hour • $40 per hour if you watch • $75 per hour if you help
Security is not an event; it’s a process. • To be effective, must be integrated throughout lifecycle • Cannot be a part-time thing • Screening passengers only in the afternoon is not effective security • Momentary lapse can permit catastrophic loss
Build Security into Lifecycle • Software development lifecycle • Procurement lifecycle • Systems lifecycle • Mergers and acquisitions • “Painted on” security will never be as effective as “baked in” security.
What is the size of your written information security policy? • No written policy (or don’t know) • 1-3 pages • 4-20 pages • 21-50 pages • Greater than 50 pages
How do I get there from here? • Foundational element: written information security policy • Must be short enough to capture management’s attention span • Must be general enough to stand the test of time (i.e., not technology specific) • Defines what needs to be protected
What does cumulative security really look like? (Or… How do I build a digital Fort Knox?)
Blending Security Defenses (layered-defense diagram; only the layer labels survive) • Layers, outermost to innermost: Perimeter / External Communications, Network, Host, Application, Data • Underpinning all layers: Security Policy; Awareness and Training
Layered security reverses the security challenge • Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one. • Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond. • May be a combination of vendor, custom or service provider
How trustworthy is Microsoft's Trustworthy Computing Initiative? (Or… Do you really believe that $#!^ ?)
Bottom line… • I don’t care.
How big is it? Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc
Leadership 101 • Responsibility • Authority • Accountability • What does each term mean? • What can you delegate?
Security 101 • You cannot delegate the accountability of securing your enterprise to any vendor, consultant, business partner or other entity. • You are responsible for effectively integrating all security elements and planning for inevitable security holes.
Summary • Aim for “effective” security. • Know what security costs and what you get in return. • Think “total cost of ownership,” not ROI. • “Bake in” your security. • Maintain an effective security policy. • Layer your defenses.