Spending smart: Enforce Security and Achieve ROI
G. Mark Hardy, CISSP, CISM, President, National Security Corporation, [email protected], +1 410.933.9333


Page 1

Spending smart: Enforce Security and Achieve ROI

G. Mark Hardy, CISSP, CISM
President, National Security Corporation
[email protected]
+1 410.933.9333

Page 2

Discussion

• The 80:20 rule: address 80% of vulnerabilities for 20% of the cost
• Keep us sleeping soundly at night, or just our CFOs?
• Industry-standard End User License Agreement (EULA): absolves vendors of any obligation to produce secure applications
• Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises
• Similar to the engineers on Apollo 13: do we have to make do?

Page 3

Agenda

How to decide how much security you need
What are the most cost-effective techniques available to enforce security?
When is the best time to validate security?
What does cumulative security really look like?
How trustworthy is Microsoft's Trustworthy Computing Initiative?

Page 4

How to decide how much security you need

(Or… pay me now, or pay me later)

Page 5

How much is enough security?

Perfect security is a myth
Effective security is achievable
First: need to know the value of what you’re protecting
• To yourself
• To an opponent

Page 6

What is perfect security?

A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete.

This is a good start.

Unfortunately, this doesn’t scale well to an enterprise model.

Page 7

What is effective security?

Time-based security model: P > E = D + R
• P = protection (how long the defense holds out)
• E = exposure (the window an attacker has before being stopped)
• D = detection
• R = response
• Security is effective when protection outlasts exposure, i.e. P > D + R
• Ref: Time-based Security, Winn Schwartau

Page 8

Time-based security example

Jewelry store
• Safe takes 30 minutes to crack or burn through (P)
• Alarm detects intrusion attempts in 0.02 seconds (D)
• Police take 20 minutes to respond (R)
• Since P > D + R, security deemed effective
• To defeat, must lower P or increase D or R

Page 9

Time-based security example

Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
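To make the arithmetic of the two examples concrete, here is an added Python example (not from the presentation) that evaluates P against E = D + R for both the jewelry-store and network-intrusion scenarios, and then computes how fast detection would have to be for the network case to become effective. The 22:00 attack start time is a constructed assumption, since the slide only states that logs are reviewed at 8:00 each morning.

```python
"""Time-based security (Schwartau): a defense is effective only if
protection time P exceeds exposure time E = D + R.
Added worked example for the jewelry-store and network-intrusion slides;
the 22:00 attack start time is a constructed assumption."""
from dataclasses import dataclass

MIN, HOUR = 60.0, 3600.0   # seconds


@dataclass(frozen=True)
class Scenario:
    name: str
    protection_s: float   # P: how long the control holds up
    detection_s: float    # D: time until the intrusion is noticed
    response_s: float     # R: time from detection to an effective response

    @property
    def exposure_s(self) -> float:
        return self.detection_s + self.response_s    # E = D + R

    @property
    def margin_s(self) -> float:
        return self.protection_s - self.exposure_s   # positive means effective

    def is_effective(self) -> bool:
        return self.protection_s > self.exposure_s   # P > E


def max_detection_s(protection_s: float, response_s: float) -> float:
    """Largest detection delay that still leaves P > D + R: the budget a
    defender has for alerting before the control is simply outlasted."""
    return protection_s - response_s


def hours_until_review(attack_start_hour: float, review_hour: float = 8.0) -> float:
    """Detection delay when logs are only read once a day at review_hour:
    the intruder goes unnoticed until the next scheduled review."""
    return (review_hour - attack_start_hour) % 24.0


# Slide 8: safe holds 30 min, alarm fires in 0.02 s, police arrive in 20 min.
JEWELRY = Scenario("jewelry store", 30 * MIN, 0.02, 20 * MIN)

# Slide 9: password file brute-forced in 6 h, logs reviewed daily at 08:00,
# admin needs 30 min to find the entries. An attack start of 22:00 is assumed,
# so detection waits 10 h for the next review.
NETWORK = Scenario("network intrusion", 6 * HOUR,
                   hours_until_review(22.0) * HOUR, 30 * MIN)


def report(s: Scenario) -> str:
    verdict = "effective" if s.is_effective() else "INEFFECTIVE"
    return (f"{s.name}: P={s.protection_s / HOUR:.2f}h "
            f"E=D+R={s.exposure_s / HOUR:.2f}h -> {verdict} "
            f"(margin {s.margin_s / HOUR:+.2f}h)")


if __name__ == "__main__":
    for s in (JEWELRY, NETWORK):
        print(report(s))
    budget = max_detection_s(NETWORK.protection_s, NETWORK.response_s)
    print(f"network: detection must take under {budget / HOUR:.1f}h to be effective")
```

Run it directly to print the verdict for both scenarios. The defender's takeaway from the network case is that the morning log review leaves a 10-hour detection gap against a 6-hour protection time; detection would have to land within 5.5 hours (for example, automated alerting on the download) or P would have to grow, exactly the "lower P or increase D or R" trade-off of slide 8 seen from the other side.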

Page 10

Make the cost of achieving compromise unacceptable

“Unacceptable” criteria:
• Cost of compromise exceeds monetary value of information
• Time to compromise exceeds time value of information

Unfortunately, this metric doesn’t work with hackers and terrorists.

Page 11

Key is to know what information is worth, and in what order to protect it

This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE): quantitative assessment
• Kepner-Tregoe: qualitative assessment

Is risk assessment institutionalized within your organization’s development, deployment and operational strategies?

Page 12

Poll: Does your organization conduct formal risk assessment before implementing a new application, system or program?

1. Yes, it is an integral part of our planning
2. Yes, but only when required by law
3. Rarely
4. Never

(Poll chart: 1 = 30%, 2 = 30%, 3 = 20%, 4 = 20%)

Page 13

Risk assessment models are changing

Pre-9/11 model: protect against the most likely threats
Post-9/11 model: protect (also) against the most catastrophic results
Requires a change in mindset

Page 14

What are the most cost-effective techniques available to enforce security?

(Or… how much can I get for free?)

Page 15

What makes security cost-effective?

If it’s free
If someone else pays for it
Problem is determining value
• “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?”
• Recognize value of security only when something bad happens = ROSI

Page 16

Why is ROI such a problem?

ROI is designed to demonstrate the profitability of an investment.
Security does not yield direct profitability.
Therefore, security is often viewed as an (undesirable and) unavoidable expense.

Page 17

Security provides a unique value-add

Provides assurance of return on OTHER investments
Most ROI calculations assume a “perfect” environment (and are rarely challenged)
• What is your ROI with 98% uptime?
• What about 95%?

Page 18

If you consider security events inevitable, the equation changes.

Cannot be merely satisfied with producing a positive ROI
Must prove you won’t take unnecessary losses that impact the bottom line
ROSI (return on seatbelt investment): see the benefit only when bad things happen
“Security reduces financial attrition inherent in modern business practice on the Internet”
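Slides 11, 15 and 18 make the case that the value of security shows up as avoided loss, which is what the "$100K and nothing happened" objection misses. The following added Python example (not the presenter's code) works the FIPS PUB 65 ALE calculation for a set of constructed assets, ranks them by expected annual loss to decide what to protect first, and scores candidate controls with the commonly used ROSI formula (ALE reduction minus annual control cost, divided by that cost). That formula is an assumption here, since the slides name ROSI but give no formula; all asset values, exposure factors, occurrence rates and control costs are constructed.

```python
"""Quantitative risk assessment per FIPS PUB 65: ALE = SLE x ARO, with
SLE = asset value x exposure factor. Used to decide in what order to protect
information and whether a control pays for itself.
Added example: every asset, rate and cost below is constructed, and the ROSI
formula (ALE reduction - annual cost) / annual cost is an assumption,
not something the slides state."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # what it is worth to you (slide 5)
    exposure_factor: float  # fraction of value lost in one incident, 0..1
    aro: float              # annualized rate of occurrence (incidents/year)

    @property
    def sle(self) -> float:         # single loss expectancy
        return self.value * self.exposure_factor

    @property
    def ale(self) -> float:         # annualized loss expectancy
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    asset: str              # which asset it protects
    annual_cost: float
    aro_after: float        # residual rate once the control is in place
    ef_after: float         # residual exposure factor


def rank_by_ale(assets):
    """Protect the biggest expected annual loss first (slide 11)."""
    return sorted(assets, key=lambda a: a.ale, reverse=True)


def ale_reduction(asset: Asset, control: Control) -> float:
    ale_after = asset.value * control.ef_after * control.aro_after
    return asset.ale - ale_after


def rosi(asset: Asset, control: Control) -> float:
    """Return on security investment (assumed formula)."""
    return (ale_reduction(asset, control) - control.annual_cost) / control.annual_cost


def worthwhile(assets, controls):
    """Names of controls whose ALE reduction exceeds their annual cost."""
    by_name = {a.name: a for a in assets}
    return [c.name for c in controls if rosi(by_name[c.asset], c) > 0]


# Constructed portfolio (values in dollars, rates per year).
ASSETS = [
    Asset("customer database", 2_000_000, 0.25, 0.5),   # ALE 250,000
    Asset("public web server", 200_000, 0.50, 2.0),     # ALE 200,000
    Asset("brand reputation", 5_000_000, 0.10, 0.05),   # ALE  25,000
]
CONTROLS = [
    Control("encrypt database at rest", "customer database", 60_000, 0.5, 0.05),
    Control("WAF in front of web server", "public web server", 40_000, 0.5, 0.50),
    Control("brand monitoring service", "brand reputation", 30_000, 0.04, 0.10),
]


if __name__ == "__main__":
    by_name = {a.name: a for a in ASSETS}
    print("Protect in this order:")
    for a in rank_by_ale(ASSETS):
        print(f"  {a.name:<22} SLE={a.sle:>12,.0f} ALE={a.ale:>12,.0f}")
    print("Controls:")
    for c in CONTROLS:
        a = by_name[c.asset]
        print(f"  {c.name:<28} avoided loss={ale_reduction(a, c):>10,.0f} "
              f"cost={c.annual_cost:>8,.0f} ROSI={rosi(a, c):+.2f}")
    print("Worth funding:", ", ".join(worthwhile(ASSETS, CONTROLS)))
```

The ranking answers "in what order to protect it", and the ROSI column is the quantity to put in front of the CFO from slide 15: the database encryption avoids an expected 200,000 of annual loss for a 60,000 spend even in a year when "nothing happened", while the brand monitoring service costs more than the loss it removes and is better handled by assigning the risk (slide 22) than by mitigating it.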

Page 19

Value of security

Can be prescribed by law, regulation or business agreement

Usually sets a minimum standard of compliance

Often value to organization is not apparent

Physical examples: airbags, building codes, passenger screening

Page 20

Poll: What is the most valuable asset of your company?

1. People
2. Plant, property, equipment, technology
3. Information
4. Brand identity
5. Financial position

(Poll chart: 20% for each of options 1-5)

Page 21

What is the value of your brand?

How much did it cost to establish?
Is it worth defending?
On the Internet, brand can be destroyed in an instant.
Security event analogous to an airline crash

Page 22

Enlightened business practices

Run business with knowledge of identified risks.
Mitigate those that are cost-effective to do so.
Assign risks you can’t mitigate.
Not a question of avoiding lawsuits, but of being allowed to stay in business
There haven’t been major lawsuits (yet), but duties have been established: due care, protect assets.
Avoiding liabilities is less important than doing the right thing

Page 23

Poll: Who in your organization is responsible for info security?

1. CISO or equivalent (no physical)
2. CISO/physical security (combined)
3. VP of info security
4. Director of security
5. Below director, or no assignment

(Poll chart: 20% for each of options 1-5)

Page 24

Allocating security costs throughout the enterprise

Isolating security as a stand-alone cost center sets up a scapegoat: someone to blame
Require security in each project or initiative in order to receive approval
For each new project, require a contribution to security (like a security “tax” or user fee)
Think of security like health insurance, not life insurance: incremental use, not binary

Page 25

New security paradigm

Enhance viability of enterprise

Reduce total cost of ownership (TCO)

Provide insurance on ROI for projects

Enabler to do or get into new businesses

Competitive advantage

Retain customer base

Resistance to lawsuits; legal liability

Page 26

When is the best time to validate security?

(Or… Can I please have a 100-hour day?)

Page 27

Rural mechanic’s rates

$30 per hour

$40 per hour if you watch

$75 per hour if you help

Page 28

Security is not an event; it’s a process.

To be effective, must be integrated throughout the lifecycle
Cannot be a part-time thing
• Screening passengers only in the afternoon is not effective security
Momentary lapse can permit catastrophic loss

Page 29

Build Security into Lifecycle

Software development lifecycle
Procurement lifecycle
Systems lifecycle
Mergers and acquisitions

“Painted on” security will never be as effective as “baked in” security.

Page 30

Poll: What is the size of your written information security policy?

1. No written policy (or don’t know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages

(Poll chart: 20% for each of options 1-5)

Page 31

How do I get there from here?

Foundational element: written information security policy

Must be short enough to capture management’s attention span

Must be general enough to stand the test of time (i.e., not technology specific)

Defines what needs to be protected

Page 32

What does cumulative security really look like?

(Or… How do I build a digital Fort Knox?)

Page 33

Blending Security Defenses

(Figure: concentric defense layers, outermost to innermost: External Communications, Perimeter, Network, Host, Application, Data; Security Policy and Awareness and Training are shown alongside the layers.)

Page 34

Layered security reverses the security challenge

Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one.

Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond.

May be a combination of vendor, custom or service provider

Page 35

How trustworthy is Microsoft's Trustworthy Computing Initiative?

(Or… Do you really believe that $#!^ ?)

Page 36

Bottom line…

I don’t care.

Page 37

How big is it?

Year   Product           Millions of lines of code
1993   Windows NT 3.1     6
1996   Windows NT 4.0    16.5
1999   Windows 2000      29
2001   Windows XP        45
2003   Windows 2003      50

Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc

Page 38

Leadership 101

Responsibility

Authority

Accountability

What does each term mean?

What can you delegate?

Page 39

Security 101

You cannot delegate the accountability for securing your enterprise to any vendor, consultant, business partner or other entity.

You are responsible for effectively integrating all security elements and planning for inevitable security holes.

Page 40

Summary

Aim for “effective” security.
Know what security costs and what you get in return.
Think “total cost of ownership,” not ROI.
“Bake in” your security.
Maintain an effective security policy.
Layer your defenses.

Page 41

Spending smart: Enforce Security and Achieve ROI

G. Mark Hardy, CISSP, CISM
President, National Security Corporation
[email protected]
+1 410.933.9333