Return on Security Investment (ROSI): The effect of limited security on businesses and what we can do about it
Summers, Wayne, summers_wayne@colstate.edu
Bhagyavati, bhagyavati@colstate.edu
Columbus State University, Columbus, GA, USA
Introduction
• Viruses, worms, Trojan horses, identity theft and other malware are rampant, and they affect our daily business. As reported in the CSI/FBI Computer Crime and Security Survey, “Information security managers seem to be well-aware that the financial and management aspects of dealing with security are as critical to their missions as are the technical aspects of security”
• “A comparison with the 2004 results shows that there is essentially no change in the percentage of the IT budget allocated to security”
Introduction
• As recently as last year, ChoicePoint, a company that stored a database containing sensitive information, admitted that data of 145,000 customers may have been stolen by hackers who pretended to be legitimate customers
• Weekly, we hear of similar breaches
Introduction
• As information security professionals, what can we do about it?
• How do we convince our business leaders that we need to invest in solutions?
Problem
• “You need fire sprinklers. Obvious advice, maybe, but once upon a time fire sprinklers were considered a waste of money. In fact, in 1882, sprinklers were considered to be as dubious an investment as information security is today”
• “According to one study the American Society of Safety Engineers (ASSE) cites, the ROI of fire extinguishers is in fact about a $3 return for every $1 invested if you take fire extinguishers as part of a larger corporate health and safety initiative—which you should, since fire extinguishers (like IT security) rarely show up as a discrete security purchase”
Problem
• What is the ROI for installing antivirus software? An email filter system? A firewall?
• How much are we willing to invest to ensure that these solutions work, and to expand them?
• How much can we afford to spend on patch management solutions?
• How many information security personnel can we afford to hire?
Problem
• “Information security is often called a ‘grudge spend.’ CEOs are reluctant to spill hard-earned ducats on security because it's not seen as a value-added expenditure. Yet CSOs fret that they're not spending enough to secure the enterprise – and nobody knows what ‘enough’ really means, anyway”
Problem
• “Economist Frank Bernhard's research shows about six cents of every revenue dollar is at risk due to a lack of information security, whereas many companies spend barely a dime of their IT dollar on security”
Problem
• How much security is enough? There are still many companies that are not investing enough in security. According to one report, 41 percent are investing as little as 2 percent or less of their IT budget on security.
• How much can we afford to spend? How much can we afford not to spend? “Think of this value as landing somewhere along a security consequences continuum. At one extreme of the continuum (‘no consequences’) are those organizations that would get no value from network security. In this unlikely extreme, the organization would experience no costs in the event of a Web site being hacked, company information being stolen, or network resources being unavailable. At the other extreme (‘dire consequences’) is a company in which the Web site is so critical that every 5 minutes of downtime can be directly correlated to revenue loss”
What’s out there: Vulnerabilities and threats
• The CVE Report (http://cve.mitre.org/) lists over 7000 software vulnerabilities ranging from buffer overflows and denial of service attacks to bugs in software.
• The Open Source Vulnerability Database (http://www.osvdb.org/) lists over 10,000 vulnerabilities.
• The National Vulnerability Database (http://nvd.nist.gov/) lists nearly 17,000 vulnerabilities. There is an average of twenty vulnerabilities published daily.
What’s out there: Vulnerabilities and threats
• Web application vulnerabilities: Browser spoofing, identity theft, SQL injection and cross-site scripting are some of the common vulnerabilities associated with web applications.
• Email threats: The execution of malicious code via phishing and pharming attempts has been given widespread attention in the popular press today.
• Malicious software: Malware such as spyware, viruses and Trojan horses can harm a computer’s contents and guarantee lost productivity.
Common threats and vulnerabilities
• Database loopholes: Since most sensitive data is held in a database, database management systems (DBMSs) are critical components in any organization. SQL injection is one of the most common database vulnerabilities.
• Social engineering: As users become increasingly aware of risky behaviour online, phishing scams and other lures designed to obtain sensitive information from users have less chance to succeed.
• Physical environment vulnerabilities: Often neglected in security infrastructures, the physical environment where computers and networks are placed is fraught with vulnerabilities.
Common threats and vulnerabilities
• Wireless insecurities: Most organizations have some form of wireless networking enabled, whether it is a local area network or a personal area network.
• Policy enforcement: Vulnerabilities in this area tend to stem from a lack of training provided to employees, formulation of inconsistent and ill-defined policies, lax enforcement of penalties and lack of accountability of senior personnel.
• Network issues: Having poor control over bandwidth and examining network logs infrequently can allow loopholes to remain and become exploited at a future date.
Common threats and vulnerabilities
• Resource constraints: Although the lack of resources is not a direct threat, it poses an indirect and long-term threat in that security is always traded off against matters that are more “important”.
• Software holes: Complex software built and deployed by cross-organizational teams may have been inadequately tested, thus resulting in future vulnerabilities.
• Patch management: Updating patches frequently is probably the most cost-effective way to manage security.
• Configuration problems: Some exploits can arise out of configuration issues such as unchanged default settings, poorly implemented and enforced password policies, choosing weak passwords, not implementing two- or three-factor authentication, unavailable hardened configurations, and no standardization of safe and known configurations.
Consequences of poor security practices
• Employees – They are affected by customer concerns. They are also unsure about their daily actions in the absence of consistent policies governing acceptable use of computing resources. Poor or non-existent security practices have an adverse effect on morale because employees bear the brunt of customers’ ire; the lack of consistent policies leads to frustration and a feeling of loss of control.
• Customers – They are concerned about the loss of their personal and sensitive data in the absence of clear assurances regarding the safety of their data. They are also concerned about the lack of strict policies on the organization’s part for safeguarding their data, which, if leaked, causes them financial loss and material hardship. The cleaning up after identity theft and fraud committed in their names has resulted in increasing frustration and intolerance on the part of customers.
• Enterprise – The organization’s reputation suffers as a result of bad publicity from the press and from affected customers. The corporation may also be legally liable for compensating the victims of its negligent security practices. Future business could suffer as a result of opportunity costs (McGee, 2006). Lax data protection measures will ultimately affect businesses because of the decline in customer confidence.
Consequences of poor security practices
• Regulation – Regulatory agencies may create and enforce new laws that may prove burdensome to businesses and customers. These costs are ultimately borne by customers. For example, the recent HIPAA guidelines for storage and release of healthcare data have placed a burden of compliance on healthcare businesses. The cost of compliance is passed on to customers.
• E-commerce – Online business activities such as banking and shopping will be curtailed by customers as incidents of data leaks increase. Phishing and online fraud combine to form a powerful deterrent to online activity.
ROSI approach to prioritizing security investments
• Assess the risks
  • Determine the vulnerabilities and possible threats to the company’s data and infrastructure by conducting a security assessment or audit.
  • Examine the risks of non-compliance with the laws and regulations for security and privacy.
  • Examine the security risks directly affecting the employees.
ROSI approach to prioritizing security investments
• Determine the costs
  • Determine the opportunity costs associated with exposure to the vulnerabilities, including business interruptions and the reputation of the organization.
  • Determine the direct costs of purchasing the security solutions.
  • Determine the indirect costs incurred by using the organization’s resources, including employees’ time and periodic retraining costs.
ROSI approach to prioritizing security investments
• Create a ROSI analysis
  • Suppose spam and other junk email is projected to cost a company $100,000 per year due to exposure and the maintenance needed to remove it.
  • Suppose that a spam/junk email filter that costs $50,000 will reduce the unwanted email by 80%, thus saving the company $80,000.
  • Then the savings realized by implementing the email filter is $30,000 ($80,000 - $50,000).
ROSI approach to prioritizing security investments
• Implement the solutions justified by the ROSI report
  • Ensure that there is adequate training for employees.
  • Include an awareness program to reinforce the implementation. Policies must be clearly defined and the rationale behind them explained.
  • Retrain and conduct orientation periodically to update employees on new threats and to maintain awareness levels.
ROSI approach to prioritizing security investments
• Monitor and measure the solution to ensure that the security goals are being met
  • Conduct a periodic evaluation.
  • Perform a regular security audit and compare it to the baseline assessment report to check for inconsistencies and improvements.
Challenges
• E.g. spam and unwanted email:
  • How do we calculate the actual cost to the company?
  • How do we measure the loss of employee productivity in dealing with unwanted email?
  • We can estimate some of the cost by calculating the amount of time it takes to delete the unwanted email.
  • Not all spam is alike. A cleverly designed phishing attack may pass the scrutiny of the employee and result in ramifications that are more serious.
  • What is also difficult to factor in are instances where the unwanted email contains malware that may compromise the integrity of the computer system.
  • This may require rebuilding the computer system and, hopefully, restoring the employee’s work.
Challenges
• Calculating the savings can be a challenge.
  • Stopping spam and unwanted email is a moving target.
  • The 80% success rate claimed by the email filter vendor in stopping unwanted email varies during this battle. This in turn affects the calculation of the savings realized by the vendor.
Challenges
• What is also often ignored in these calculations is the cost incurred by the company in installing and maintaining the email filtering software.
  • As the software developers release new versions of the email filtering software in response to changes in the spam, the company’s IT department must install these upgrades to the software.
Planning for the future
• “Software security attacks are on the rise. Globe-spanning worms like Code Red and Nimda cause billions in damages.
• 90% of incidents could have been prevented by applying patches that were already available from vendors at the time of an attack.
• 70% of data security breaches are launched from within a company, rather than from the Internet.
• An effective security policy must ensure that patches are installed in a timely manner across all computers in an enterprise.
• As new vulnerabilities are discovered, they must be addressed, and the most common way to address a vulnerability is to install a vendor patch.
• The timely installation of vendor-provided, locally-verified security patches is a practical necessity, but without an automation methodology the job is next to impossible and not cost effective”
Planning for the future
• “CSOs should stop looking for absolute ROSI values, and start looking at choices among alternatives. Sort your losses by magnitude and criticality, and prioritize your work on countermeasures to address the worst ones first. Then keep track of your progress and adjust priorities as the threats and results change”
• Corporate management must be shown that there is a problem and that it must be addressed. The Return On Security Investment method must be used effectively to show management the cost of not investing in security measures to secure the company and its all-important data.