Time-based Security

Spending smart:
Enforce Security and
Achieve ROI
G. Mark Hardy, CISSP, CISM
President, National Security
Corporation
gmhardy@nationalsecurity.com
+1 410.933.9333
Discussion
• The 80:20 rule: address 80% of vulnerabilities for 20% of the cost
• Keep us sleeping soundly at night, or just our CFOs?
• Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises
• Similar to engineers in Apollo 13: have to make do?
• Industry standard End User License Agreement (EULA): absolves vendors of obligation to produce secure applications
Agenda
 How to decide how much security you need
 What are the most cost-effective techniques available to enforce security?
 When is the best time to validate security?
 What does cumulative security really look like?
 How trustworthy is Microsoft's Trustworthy Computing Initiative?
How to decide how much security you need
(Or… pay me now, or pay me later)
How much is enough security?
 Perfect security is a myth
 Effective security is achievable
 First: Need to know the value of what you’re protecting
• To yourself
• To an opponent
What is perfect security?
 A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete.
 This is a good start.
 Unfortunately, this doesn’t scale well to an enterprise model.
What is effective security?
 Time-based security model: P > E, where E = D + R (protection time must exceed exposure time, which is detection time plus response time)
• P = protection
• E = exposure
• D = detection
• R = response
Ref: Time-based Security, Winn Schwartau
Time-based security example
 Jewelry store
• Safe takes 30 minutes to crack or burn through (P)
• Police take 20 minutes to respond (R)
• Alarm detects intrusion attempts in 0.02 seconds (D)
• Since P > D + R, security deemed effective
• To defeat, must lower P or increase D or R
Time-based security example
 Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
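The two scenarios above, worked through as an added example (this code is not from the slides): the test is simply whether protection time P outlasts exposure time E = D + R. The slide figures are used as given; the one assumption is the attack start time (22:00), which is needed to turn "logs reviewed every morning at 8:00" into a concrete detection delay, since a once-a-day review leaves an intrusion undetected for anywhere up to 24 hours.

```python
from datetime import datetime, timedelta

# Added example (not from the slides): the time-based security test P > D + R
# applied to the jewelry-store and network-intrusion scenarios. All figures
# come from the slides except the attack start time, which is an assumption
# needed to work out how long a once-a-day log review leaves an attack unseen.


def exposure(detection: timedelta, response: timedelta) -> timedelta:
    """E = D + R: how long the attacker can work before anyone intervenes."""
    return detection + response


def is_effective(protection: timedelta, detection: timedelta,
                 response: timedelta) -> bool:
    """Schwartau's test: security holds when protection outlasts exposure."""
    return protection > exposure(detection, response)


def margin(protection: timedelta, detection: timedelta,
           response: timedelta) -> timedelta:
    """P - (D + R): positive is the defender's slack, negative the attacker's head start."""
    return protection - exposure(detection, response)


def max_detection_delay(protection: timedelta, response: timedelta) -> timedelta:
    """The longest D a defender can afford for a given P and R: D must stay below P - R."""
    return protection - response


def detection_delay_for_daily_review(attack_start: datetime,
                                     review_hour: int = 8) -> timedelta:
    """Detection delay when the only 'sensor' is an administrator reading logs
    once a day at review_hour: the time from the attack until the next review."""
    next_review = attack_start.replace(hour=review_hour, minute=0,
                                       second=0, microsecond=0)
    if next_review <= attack_start:
        next_review += timedelta(days=1)   # attack happened after today's review
    return next_review - attack_start


# Scenario 1 (slides): safe holds 30 min, alarm fires in 0.02 s, police arrive in 20 min.
JEWELRY = dict(protection=timedelta(minutes=30),
               detection=timedelta(seconds=0.02),
               response=timedelta(minutes=20))

# Scenario 2 (slides): 6 h to brute-force the password file, logs reviewed at 08:00,
# 30 min to find the entries. The 22:00 attack start is a constructed assumption.
ATTACK_START = datetime(2003, 1, 1, 22, 0)
NETWORK = dict(protection=timedelta(hours=6),
               detection=detection_delay_for_daily_review(ATTACK_START),
               response=timedelta(minutes=30))


def verdict(name: str, scenario: dict) -> str:
    """Return 'effective' or 'ineffective' and print the numbers behind it."""
    result = "effective" if is_effective(**scenario) else "ineffective"
    print(f"{name}: P={scenario['protection']}  "
          f"E={exposure(scenario['detection'], scenario['response'])}  "
          f"margin={margin(**scenario)} -> {result}")
    return result


if __name__ == "__main__":
    verdict("jewelry store", JEWELRY)
    verdict("network intrusion", NETWORK)
    # To make scenario 2 effective without touching P or R, D must drop below P - R.
    print("network: detection must take less than",
          max_detection_delay(NETWORK["protection"], NETWORK["response"]))
```

Running it shows the jewelry store with roughly ten minutes of slack and the network scenario with a 4.5-hour deficit at the assumed start time; `max_detection_delay` makes the defender's lever explicit: with a 6-hour P and a 30-minute R, detection has to happen within 5.5 hours, which a morning log review cannot deliver for an overnight attack.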
Make the cost of achieving compromise unacceptable
 “Unacceptable” criteria:
• Cost of compromise exceeds monetary value of information
• Time to compromise exceeds time value of information
 Unfortunately, this metric doesn’t work with hackers and terrorists.
Key is to know what information is worth, and in what order to protect it
 This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE) quantitative assessment
• Kepner-Tregoe qualitative assessment
 Is risk assessment institutionalized within your organization’s development, deployment and operational strategies?
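An added example of the quantitative approach named above, not code from the slides: assets are ranked by Annualized Loss Expectancy to settle the order of protection, and a candidate control is judged by how much ALE it removes against what it costs per year. It uses the standard formulation ALE = SLE × ARO with SLE = asset value × exposure factor; the asset inventory and control prices are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Added example (not from the slides): ALE-style quantitative risk assessment.
# Standard formulation: SLE = value x exposure factor, ALE = SLE x ARO.
# All asset figures and control costs below are constructed for illustration.


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # what the asset is worth to you, in dollars
    exposure_factor: float  # fraction of that value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence: expected incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: cost of one incident."""
        return self.value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


def rank_by_ale(assets: List[Asset]) -> List[str]:
    """Order of protection: the asset bleeding the most per year comes first."""
    return [a.name for a in sorted(assets, key=lambda a: a.ale, reverse=True)]


def safeguard_net_benefit(asset: Asset, annual_cost: float,
                          new_aro: Optional[float] = None,
                          new_exposure_factor: Optional[float] = None) -> float:
    """Net annual value of a control that lowers how often (ARO) or how badly
    (exposure factor) an asset is hit: ALE before - ALE after - control cost.
    Positive means the control pays for itself on expected-loss grounds alone."""
    after = replace(asset,
                    aro=asset.aro if new_aro is None else new_aro,
                    exposure_factor=(asset.exposure_factor
                                     if new_exposure_factor is None
                                     else new_exposure_factor))
    return asset.ale - after.ale - annual_cost


# Constructed inventory: value to you, how much one incident destroys, how often.
ASSETS = [
    Asset("customer database", value=2_000_000, exposure_factor=0.5, aro=0.1),
    Asset("public web server", value=200_000, exposure_factor=0.8, aro=2.0),
    Asset("internal wiki", value=50_000, exposure_factor=0.2, aro=1.0),
]


if __name__ == "__main__":
    for a in sorted(ASSETS, key=lambda a: a.ale, reverse=True):
        print(f"{a.name:18s} SLE=${a.sle:>10,.0f}  ALE=${a.ale:>10,.0f}/yr")
    web = ASSETS[1]
    # A $60k/yr hardening programme that halves incident frequency on the web server.
    print("web server hardening net benefit:",
          safeguard_net_benefit(web, annual_cost=60_000, new_aro=0.5))
    # A $20k/yr control on the wiki: not justified by expected loss alone.
    print("wiki control net benefit:",
          safeguard_net_benefit(ASSETS[2], annual_cost=20_000, new_aro=0.1))
```

Note that the ranking is driven by expected annual loss, not by raw asset value: the cheaper web server outranks the customer database because it is hit far more often. That is the slide's point about knowing "in what order to protect", and the net-benefit figure is the number a CFO can actually compare against a budget line.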
Does your organization conduct formal risk assessment before implementing a new application, system or program?
(Audience poll; the slide shows result bars of 30%, 30%, 20%, 20%)
1. Yes, it is an integral part of our planning
2. Yes, but only when required by law
3. Rarely
4. Never
Risk assessment models are changing
 Pre-9/11 model: protect against the most likely threats
 Post-9/11 model: protect (also) against the most catastrophic results
 Requires a change in mindset
What are the most cost-effective techniques available to enforce security?
(Or… how much can I get for free?)
What makes security cost-effective?
 If it’s free
 If someone else pays for it
 Problem is determining value
• “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?”
• Recognize value of security only when something bad happens = ROSI
Why is ROI such a problem?
 ROI designed to demonstrate profitability of an investment
 Security does not yield direct profitability.
 Therefore, security is often viewed as an (undesirable and) unavoidable expense.
Security provides a unique value-add
 Provides assurance of return on OTHER investments
 Most ROI calculations assume a “perfect” environment (and are rarely challenged)
• What is your ROI with 98% uptime?
• What about 95%?
If you consider security events inevitable, the equation changes.
 Cannot be merely satisfied producing a positive ROI
 Must prove you won’t take unnecessary losses that impact bottom line
 ROSI (return on seatbelt investment) -- see benefit only when bad things happen
 “Security reduces financial attrition inherent in modern business practice on Internet”
Value of security
 Can be prescribed by law, regulation or business agreement
 Usually sets a minimum standard of compliance
 Often value to organization is not apparent
 Physical examples: airbags, building codes, passenger screening
What is the most valuable asset of your company?
(Audience poll; the slide shows 20% for each option)
1. People
2. Plant, property, equipment, technology
3. Information
4. Brand identity
5. Financial position
What is the value of your brand?
 How much did it cost to establish?
 Is it worth defending?
 On the Internet, brand can be destroyed in an instant.
 Security event analogous to an airline crash
Enlightened business practices
 Run business with knowledge of identified risks.
 Mitigate those that are cost-effective to do so.
 Assign risks you can’t mitigate.
 Not a question of avoiding lawsuits, but of being allowed to stay in business
 Haven’t been major lawsuits (yet). Has been establishment of duties: due care, protect assets.
 Avoiding liabilities less important than doing right thing
Who in your organization is responsible for info security?
(Audience poll; the slide shows 20% for each option)
1. CISO or equivalent (no physical)
2. CISO/physical security (combined)
3. VP of info security
4. Director of security
5. Below director, or no assignment
Allocating security costs throughout enterprise
 Isolating security as stand-alone cost center sets up scapegoat -- someone to blame
 Require security in each project or initiative to receive approval
 For each new project, require contribution to security (like a security “tax” or user fee)
 Think of security like health insurance, not life insurance -- incremental use, not binary
New security paradigm
 Enhance viability of enterprise
 Reduce total cost of ownership (TCO)
 Provide insurance on ROI for projects
 Enabler to do or get into new businesses
 Competitive advantage
 Retain customer base
 Resistance to lawsuits; legal liability
When is the best time to validate security?
(Or… Can I please have a 100-hour day?)
Rural mechanic’s rates
 $30 per hour
 $40 per hour if you watch
 $75 per hour if you help
Security is not an event; it’s a process.
 To be effective, must be integrated throughout lifecycle
 Cannot be a part-time thing
• Screening passengers only in the afternoon is not effective security
 Momentary lapse can permit catastrophic loss
Build Security into Lifecycle
 Software development lifecycle
 Procurement lifecycle
 Systems lifecycle
 Mergers and acquisitions
 “Painted on” security will never be as effective as “baked in” security.
What is the size of your written information security policy?
(Audience poll; the slide shows 20% for each option)
1. No written policy (or don’t know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages
How do I get there from here?
 Foundational element: written information security policy
 Must be short enough to capture management’s attention span
 Must be general enough to stand the test of time (i.e., not technology specific)
 Defines what needs to be protected
What does cumulative security really look like?
(Or… How do I build a digital Fort Knox?)
Blending Security Defenses
(Diagram of nested layers, outermost to innermost: External Communications, Perimeter, Network, Host, Application, Data; the whole stack sits within Security Policy and Awareness and Training)
Layered security reverses the security challenge
 Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one.
 Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond.
 May be a combination of vendor, custom or service provider
How trustworthy is Microsoft's Trustworthy Computing Initiative?
(Or… Do you really believe that $#!^ ?)
Bottom line…
 I don’t care.
How big is it?
Year   Product          Millions of lines of code
1993   Windows NT 3.1    6
1996   Windows NT 4.0   16.5
1999   Windows 2000     29
2001   Windows XP       45
2003   Windows 2003     50
Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc
Leadership 101
 Responsibility
 Authority
 Accountability
 What does each term mean?
 What can you delegate?
Security 101
 You cannot delegate the accountability of securing your enterprise to any vendor, consultant, business partner or other entity.
 You are responsible for effectively integrating all security elements and planning for inevitable security holes.
Summary
 Aim for “effective” security.
 Know what security costs and what you get in return.
 Think “total cost of ownership,” not ROI.
 “Bake in” your security.
 Maintain an effective security policy.
 Layer your defenses.