
Sensible defence


1. Abstract: Sensible defence
2. Introduction
3. How risk mitigation works
   3.1. Detection
   3.2. Prevention
   3.3. Response
4. Risk management concept today
   4.1. The process
      4.1.1. Governance
      4.1.2. Context
      4.1.3. Identification
   4.2. Risk analysis
      4.2.1. Key terms
      4.2.2. Quantitative risk analysis
      4.2.3. Qualitative risk analysis
   4.3. Pitfalls
5. Sensible defence
   5.1. Economic incentives and security failure
   5.2. Liability, regulation and compliance
   5.3. Due care and due diligence
   5.4. Technology
   5.5. Awareness campaign and training
6. Conclusion
7. References


1. Abstract: Sensible defence

Security is not only about products. Improving your products and managing your risk is mandatory to keep up with the latest threats. Some basic tools do increase your security, but it is debatable whether all of these tools enhance it in the way you expect; perhaps they only give you a false sense of security. A false sense of security is the best cure for your conscience, yet it is far less effective against a real attack.
Security is about risks and how you manage them. If you want to build good security you need to perform risk management and periodically measure risk against your security baseline. Attacks shift, and so should your budget allocation. Simple questions can reveal where the real needs are and direct security effort to the areas that matter.

Quote from Bruce Schneier:
• What are we trying to protect?
• What are the risks to these assets?
• How well does the solution mitigate those risks?
• What other risks does the solution cause?
• What costs and trade-offs does the solution impose?

Risk management is an excellent mediator for gaining an objective view of your security strategy. However, it consumes a lot of valuable time and resources. Wasn't it important to build security in at the beginning of a project? Exactly: once your project is defined and you know more or less where you are heading, risk management can be the guide that finds the way. By integrating your security requirements as early as possible in the project life cycle you increase security as such and you reduce costs over the long term. Remember that you have to sell your security; in the end it is politics. It comes down to the weight you carry in the decision and the arguments you use in the selling process.
To integrate your risk management results successfully you should define where, and in what, to invest. Managing risk is more than integrating technology controls. In security we protect the CIA triad (confidentiality, integrity and availability), and to protect it we use three, sometimes four, different mechanisms. The four basic elements are prevention, detection, response and sometimes prediction; the latter is probably the hardest to achieve. Balancing these four gives a sensible security mechanism that aligns with budget constraints and complies with your regulatory obligations.


2. Introduction

The security field changes at a rapid pace, making technology old-fashioned in the blink of an eye. Replacements and upgrades are deemed necessary, if we may believe consultants and product vendors. But on what are these statements based?

This paper shows how risk management is used today and what the pitfalls are. Many CISOs expressed the view at CISO 2003 that today's approach has gaps and is based on too many intangible factors.

This document outlines the problems security people encounter today. Over recent years awareness of security issues has increased; however, being aware that there is a problem is of little value if the countermeasures are not appropriate to the risk.

In this paper you will find the basic concept of risk management as used today; it will not explain it in detail or show how you should integrate it in your environment. It is included as a reference against which to compare how I and many others think it could be done instead. It is my personal belief that today's concept is failing and that more reasonable strategies should be applied to get the necessary support from your management. The risk management process as a whole has its limits; more specifically, it is the analysis that is insufficient to provide the required proof.

3. How risk mitigation works

Security is not about technology but about risks and how you manage them. Covering a risk in its entirety is not easy, and accepting the risk may in the end be the only solution. Managing risk rests on different pillars; each pillar has an important function, but they are rendered useless if they are not woven together.

3.1. Detection

Detection is a passive security measure. It is an outstanding solution for fraud detection, for example, but less effective for protecting corporate networks. Detection is common in everyday life: the number-plate camera system deployed in the UK to bill people who drive into the city for work is a perfect example. It does not prevent you from driving into the city, nor does it prevent you from not paying the bill (especially if you are a foreigner), but it does detect you. No matter where you are from and what type of vehicle you drive, you will be noticed and receive a bill. The same goes for credit card companies; a lot of their security is based on detection.

Detection may not be your Swiss army knife for solving security, but it is less expensive and in some cases the most acceptable measure to enhance security in your environment. Logging (un)authorised connections on a preventative control is itself a form of detection: the logged events can be analysed afterwards to detect anomalies.
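A worked illustration of that last point, added here and not part of the original paper: a small detector run over the DROP entries of a firewall's own log, turning the preventative control's record into a detection signal. The log format, the sample lines, the one-minute window and the ten-port threshold are constructed assumptions for the example, as is the comparison with the "alert on every DROP" approach.

```python
"""Added example, not from the paper: a detection step built on the log of a
preventative control. The log format and all sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per decision taken by a (hypothetical) firewall.
# Format: <ISO timestamp> <ACCEPT|DROP> <src_ip> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2004-03-01T10:00:01 ACCEPT 10.0.0.5 192.0.2.10:443
2004-03-01T10:00:02 DROP 198.51.100.7 192.0.2.10:22
2004-03-01T10:00:03 DROP 198.51.100.7 192.0.2.10:23
2004-03-01T10:00:04 DROP 198.51.100.7 192.0.2.10:25
2004-03-01T10:00:05 DROP 198.51.100.7 192.0.2.10:80
2004-03-01T10:00:06 DROP 198.51.100.7 192.0.2.10:110
2004-03-01T10:00:07 DROP 198.51.100.7 192.0.2.10:135
2004-03-01T10:00:08 DROP 198.51.100.7 192.0.2.10:139
2004-03-01T10:00:09 DROP 198.51.100.7 192.0.2.10:445
2004-03-01T10:00:10 DROP 198.51.100.7 192.0.2.10:1433
2004-03-01T10:00:11 DROP 198.51.100.7 192.0.2.10:3306
2004-03-01T10:00:12 DROP 198.51.100.7 192.0.2.10:3389
2004-03-01T10:00:15 ACCEPT 10.0.0.9 192.0.2.10:443
2004-03-01T10:01:00 DROP 203.0.113.4 192.0.2.10:22
2004-03-01T10:30:00 DROP 203.0.113.4 192.0.2.10:22
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, action, src, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst_ip": dst_ip, "port": int(dst_port)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def naive_drop_alerts(events):
    """The 'log everything, alert on everything' approach: every DROP is an alert."""
    return [e for e in events if e["action"] == "DROP"]


def detect_port_scans(events, window=timedelta(minutes=1), min_ports=10):
    """One alert per source whose DROPs hit at least `min_ports` distinct
    destination ports inside any `window`-long interval (a sliding window
    over the source's DROP events, sorted by time)."""
    drops = defaultdict(list)
    for e in events:
        if e["action"] == "DROP":
            drops[e["src"]].append(e)

    alerts = []
    for src, evs in drops.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["port"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports and (best is None or len(ports) > len(best["ports"])):
                best = {"src": src, "first": evs[start]["ts"], "last": evs[end]["ts"],
                        "ports": sorted(ports)}
        if best is not None:
            alerts.append(best)
    return alerts


def summarise(text):
    """Return (total events, naive alert count, scan alerts) for a log."""
    events = parse_log(text)
    return len(events), len(naive_drop_alerts(events)), detect_port_scans(events)


if __name__ == "__main__":
    total, noisy, scans = summarise(SAMPLE_LOG)
    print(f"{total} events, {noisy} alerts if every DROP alerts, {len(scans)} scan alerts")
    for a in scans:
        print(f"  {a['src']} probed {len(a['ports'])} ports between {a['first']} and {a['last']}")
```

On the constructed log the prevention side has already done its job (all thirteen probes were dropped); what detection adds is the single alert that one source probed eleven ports in ten seconds, while the two isolated SSH drops from the other address stay below the threshold. Raising every DROP to an alert would give thirteen alerts for the same log with no more information in them.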

3.2. Prevention

Prevention is an active security measure able to deny or allow access; decisions are made according to an integrated policy. Prevention stops certain attacks immediately, one of its biggest advantages over detection or response, which react once the event has passed. Technologies providing prevention are not watertight either: prevention does what it says only as long as the device, the software or even the human being acts properly. A flaw in the procedure or in the software can render it useless. Prevention technology is definitely the most expensive way to secure your environment. One should weigh the benefits against the costs and explore other measures before putting all the eggs in one basket. Firewalls were thought to be the answer to network security, yet so many firewalls are badly configured that it is sometimes better not to have one at all. A false sense of security can be worse than no security.
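An added example (not from the paper) of what a "badly configured firewall" looks like in practice: a first-match evaluator for a hypothetical ruleset, with a shadowing check that flags rules an earlier rule makes unreachable. The rule format, the networks, the ports and the test packets are all constructed for the example.

```python
"""Added example, not from the paper: first-match policy evaluation of a
hypothetical firewall ruleset, showing how one misplaced rule shadows the
rules below it. Rule sets and test packets are constructed."""
from ipaddress import ip_address, ip_network

# A rule is (action, source network, set of destination ports or None for any port).
# Rules are evaluated top to bottom; the first match decides (first-match semantics,
# as in most packet filters). No match falls through to the implicit default.
DEFAULT_ACTION = "DROP"


def evaluate(rules, src, dst_port):
    """Return (action, index of the rule that fired); index is None for the default."""
    for i, (action, net, ports) in enumerate(rules):
        if ip_address(src) in ip_network(net) and (ports is None or dst_port in ports):
            return action, i
    return DEFAULT_ACTION, None


def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule matches a
    superset of their traffic (same-or-wider source network and same-or-wider ports)."""
    shadowed = []
    for j, (_, net_j, ports_j) in enumerate(rules):
        for _, net_i, ports_i in rules[:j]:
            wider_net = ip_network(net_j).subnet_of(ip_network(net_i))
            wider_ports = ports_i is None or (ports_j is not None and ports_j <= ports_i)
            if wider_net and wider_ports:
                shadowed.append(j)
                break
    return shadowed


# Misconfigured: a catch-all ACCEPT left in place "temporarily" sits above the
# rule that was meant to keep RDP and SMB off the Internet. Everything below
# it is dead; the DROP never fires and the administrator still believes it does.
BAD_RULES = [
    ("ACCEPT", "0.0.0.0/0", None),
    ("DROP", "0.0.0.0/0", {3389, 445}),
    ("ACCEPT", "10.0.0.0/8", {3389, 445}),
]

# Corrected: specific permits first, then an explicit default deny that also
# gives the detection side something to log.
GOOD_RULES = [
    ("ACCEPT", "10.0.0.0/8", {3389, 445}),
    ("ACCEPT", "0.0.0.0/0", {80, 443}),
    ("DROP", "0.0.0.0/0", None),
]

# Constructed packets: (source, destination port, what the policy intends).
PACKETS = [
    ("198.51.100.7", 3389, "DROP"),   # RDP from the Internet
    ("198.51.100.7", 443, "ACCEPT"),  # HTTPS from the Internet
    ("10.1.2.3", 3389, "ACCEPT"),     # RDP from the internal network
    ("198.51.100.7", 25, "DROP"),     # SMTP: not published, should fall to default deny
]


def audit(rules, packets=PACKETS):
    """Return the packets whose actual decision differs from the intended one."""
    return [(src, port, intended, evaluate(rules, src, port)[0])
            for src, port, intended in packets
            if evaluate(rules, src, port)[0] != intended]


if __name__ == "__main__":
    for name, rules in (("bad", BAD_RULES), ("good", GOOD_RULES)):
        print(f"{name}: shadowed rules {shadowed_rules(rules)}, policy violations {audit(rules)}")
```

The shadowing check is the cheap part of a firewall review: it needs only the ruleset, not traffic. The audit against intended decisions is the part that catches the false sense of security, since the bad ruleset still contains a DROP for RDP and reads as if it enforced one.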

3.3. Response

Incident response is important in many respects. Response shows how the attack took place, how it was detected and how it can be prevented in the future. Response is often put aside because of time and cost constraints, but many companies that do incident response realise that it saves a lot of valuable time whenever a similar attack occurs. Incident response helps you recover quickly and efficiently, and provides visibility of the events that happened during a defined period of time.


4. Risk management concept today

Security relies on managing and reducing risk by assessing, reporting and controlling it. This encompasses a number of activities which together constitute a systematic process that aims to optimise decision making and improve the results.

The identification of risk to an organisation entails defining the following four basic elements:

• The actual threat
• The possible consequences of the realised threat (impact)
• The probable frequency of occurrence of a threat (frequency)
• The extent to which we are confident that the threat will happen (probability)

4.1. The process

Some crucial steps are mandatory to make your risk management process effective. These simple identifiers enable you to control the complete cycle of the risk you want to measure.

4.1.1. Governance

Good governance establishes a repeatable and auditable methodology for integrating the risk management process across the enterprise. The governance process outlines what risk management activities are performed, how, and by whom. Clearly, a risk management team must aim to develop and establish the commitment, support and participation of top management to succeed in its mission.

4.1.2. Context

The context determines the company's relationship with its environment. It consists of two important sets of influences that shape the design of your risk management strategy. External factors can be anything from cultural and commercial to regulatory influences. Internal factors include governance, reporting, business structure, etc.

4.1.3. Identification

Determining and identifying the risks your company is exposed to is perhaps the most important step in being successful at risk management. Focusing on tangible results only is a common mistake; intangible values are clearly harder to measure, but no less important. Risk identification in your enterprise entails four basic elements:

• The actual threat
• The possible consequences when a threat materialises
• The probable frequency of occurrence of a threat
• The probability that a threat will occur

4.2. Risk analysis

Risk analysis is a process to ensure that the security measures for an environment are adequate to reduce the risks. Through risk analysis you determine the risks and develop a plan for how to deal with them. Analysing the identified risks gives you a better understanding of the likelihood and potential outcome of an event affecting your company. The main purpose of risk analysis is to quantify the impact of a potential risk; the goal is to put a price or value on the loss.

The main results of risk analysis are:
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Input to the decision-making process on hardware, software, etc.
• Focus of security resources where they are needed most

This chapter gives a brief outline of how risk analysis works. These concepts are not invented by the author and are included only as reference.

4.2.1. Key terms

Scientifically, a risk is defined as the product of threat and vulnerability. In risk management, however, we identify the risk as the probability that a threat will materialise. Risk can be considered as potential harm or loss to a system.

The risk management triple:

• Asset: A resource, process, product, system, etc. Its value equals the cost of creation, development, licensing, support and replacement, plus credibility, the loss if intellectual property is disclosed, and ownership value. The asset is the precious item you are trying to protect.
• Threat: Any event that causes an undesirable impact on your organisation.
• Vulnerability: The absence of a safeguard constitutes a vulnerability. A vulnerability is a weakness in your safeguard that a threat can circumvent or make use of.

The terms

Safeguard: A control or countermeasure that reduces the risk associated with a threat.
Exposure Factor (EF): The percentage of an asset's value that would be lost if a threat event were realised. EF ranges from low to high: from the loss of a single PC to a catastrophic loss.
Single Loss Expectancy (SLE): The monetary figure assigned to a single event.
Asset Value ($) x Exposure Factor (EF) = SLE
Annualized Rate of Occurrence (ARO): The estimated number of times an event could happen per year.
Annualized Loss Expectancy (ALE): The expected loss per year, derived as follows:
Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO) = ALE

4.2.2. Quantitative risk analysis

Quantitative risk analysis aims to assign concrete figures, probability percentages or real monetary values, to the loss of an asset. It may look fairly simple, but the complete process should be treated as a major project within your organisation. Be aware that you cannot apply quantitative analysis alone, because it relies on qualitative analysis data.

The process of quantitative risk analysis:
• Estimate the potential losses to the assets by defining their value and exposure
• Analyse the potential threats to the assets
• Define the ALE
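The arithmetic of the key terms, applied to constructed figures as an added example that is not part of the paper. It also carries the ALE through to the cost/benefit justification of a countermeasure using the standard safeguard-value formula (ALE before the safeguard, minus ALE after, minus the safeguard's annual cost), which the paper does not state but which comes from the CISSP material it cites, and it sweeps the ARO estimate to show how far the verdict depends on that one guess. The asset values, exposure factors, rates and costs are invented for the example.

```python
"""Added example, not from the paper: SLE/ALE arithmetic on constructed figures,
the safeguard cost/benefit formula it feeds, and a sensitivity sweep over ARO.
The safeguard-value formula (ALE before - ALE after - annual safeguard cost) is
the standard CISSP one, not a formula stated in the paper."""


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy = SLE x Annualized Rate of Occurrence."""
    return sle(asset_value, exposure_factor) * aro


def safeguard_value(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Net annual value of a safeguard: the ALE it removes minus what it costs per year.
    Positive means the numbers justify it; negative means they do not."""
    return ale(asset_value, ef_before, aro_before) - ale(asset_value, ef_after, aro_after) - annual_cost


def breakeven_aro(asset_value, ef_before, ef_after, annual_cost):
    """ARO (assumed equal before and after) at which the safeguard exactly pays for itself."""
    saved_per_event = sle(asset_value, ef_before) - sle(asset_value, ef_after)
    return annual_cost / saved_per_event


def rank_by_ale(assets):
    """Sort (name, value, EF, ARO) tuples by ALE, highest first: where the money should go."""
    return sorted(((name, ale(v, ef, aro)) for name, v, ef, aro in assets), key=lambda t: -t[1])


def sensitivity(asset_value, ef_before, ef_after, annual_cost, aros):
    """Safeguard value at each ARO estimate; shows how the verdict moves with the guess."""
    return [(aro, safeguard_value(asset_value, ef_before, aro, ef_after, aro, annual_cost))
            for aro in aros]


# Constructed figures (EUR). A public web shop valued at 500,000; a DDoS costs 20% of
# that value per event; a mitigation service at 30,000 per year cuts the EF to 5%.
SHOP_VALUE, EF_DDOS, EF_WITH_MITIGATION, MITIGATION_COST = 500_000, 0.20, 0.05, 30_000

ASSETS = [  # constructed (name, asset value, EF, ARO) for the ranking
    ("web shop / DDoS", 500_000, 0.20, 0.5),
    ("file server / disk failure", 80_000, 1.00, 0.1),
    ("laptop fleet / theft", 200_000, 0.02, 4.0),
]

if __name__ == "__main__":
    print("SLE for one DDoS:", sle(SHOP_VALUE, EF_DDOS))
    print("ranking by ALE:", rank_by_ale(ASSETS))
    print("break-even ARO:", breakeven_aro(SHOP_VALUE, EF_DDOS, EF_WITH_MITIGATION, MITIGATION_COST))
    for aro, value in sensitivity(SHOP_VALUE, EF_DDOS, EF_WITH_MITIGATION, MITIGATION_COST,
                                  [0.1, 0.25, 0.5, 1.0, 2.0]):
        print(f"  ARO {aro:4}: safeguard value {value:+10.0f}")
```

With these figures the SLE of one DDoS is 100,000 and the mitigation breaks even at an ARO of 0.4: estimate one attack every two years and the service is worth 7,500 a year, estimate one every four years and it loses 11,250 a year. The model's arithmetic is exact; the verdict rests entirely on an ARO that nobody can measure, which is the weakness the rest of this paper is about.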

4.2.3. Qualitative risk analysis

Qualitative risk analysis is a scenario-oriented approach; in contrast to quantitative analysis, a purely qualitative analysis is always possible. Instead of assigning dollar figures you rank threats on a scale to evaluate their risks, costs and outcomes.

The seriousness of the threats and the sensitivity of the assets are ranked or graded using a scenario approach. For each scenario you create an exposure rating scale and match the various threats to the identified assets. The type of threat, the potential loss to the assets and the selection of safeguards to reduce the risk should all be included in the description of your scenario.

4.3. Pitfalls

This model of risk management has its pros and cons; its reliance on probability and impact factors is a major downfall. The foundation of your security is then based on guesswork. Using only worst-case scenarios to cover all risks can be very effective, but it gives a budget outlook that looks grim; the opposite leaves your budget in the green but can leave your security poor. Other approaches, described in the next chapter, could provide a more realistic view of which security we need and to what level we need to bring it. Anticipating the unknown, providing an answer to attack vectors we do not yet know about, is impossible.

5. Sensible defence

Information security is hard to understand and even harder to integrate successfully. Insecurity is not caused by today's risk management concept alone: economic gain or loss, legislation, regulation and so on are also important vectors. Security is a trade-off [1]. We need to make trade-offs; cost is one, but there are more: convenience, liberty, functionality, time, etc.

I think the previous chapter has strong and weak points: using the risk management triple is extremely valuable, but trying to transform risk into numbers with hefty formulas while relying on too many intangible values is certainly not a reliable way to arrive at sensible, well-thought-out security. This chapter outlines some of the problems and how they could be improved. There is no clear-cut solution to all the issues, but improving the existing approach by relying more on measurable values does provide better end results.

5.1. Economic incentives and security failure

Economic incentives, profitability, market gain, etc. are important vectors in the decision process. Security risks and business risks are quite different: forecasting how the economic landscape will evolve from an investment of new resources to increase profit is completely different from forecasting the probabilities of IT risks. Evaluating risks, and how much they are reduced by integrating new technology, is as easy as playing Russian roulette. Even if you have all the statistics and numbers, if there is no legislation and no direct economic consequence you will not succeed in your job. This is plain business logic; managers deal with risk every day and are used to accepting certain levels of it.

Example:
Protecting your web servers against a distributed denial of service attack is very expensive. You can spend thousands of euros on extra protection and it will still fail in certain circumstances. Home users whose machines are used as zombies do, in general, spend a few euros on an anti-virus product to protect themselves from threats, but they would rarely spend the same amount to prevent their machines from being used against others.

In economics this is a "tragedy of the commons". Such situations should rather be solved by legislation that puts pressure on those who can fix the issue, instead of investing too much money in a solution that does not provide the necessary protection. Over the years we have witnessed that bad security often wins over good security, and it can be explained rationally: the popularity of a system or service depends on factors other than security. If people use the less secure system more, your good system is doomed to failure. If you do not have a good economic reason why security should be a priority, you do not have a good chance of succeeding. Unfortunately, business today looks at security as a cost instead of as a cost reduction.


But an economic driver or a market reaction sometimes forces a company to tackle security issues. When that happens, management does not carry the burden of any risk assessment. Today companies are often confronted with such reactions from customers, auditors and regulatory bodies.

5.2. Liability, regulation and compliance

This is an ongoing and very hard debate. Imposing laws to make better products, provide secure services, conduct audits, carry responsibility, etc. will definitely improve security in some way. All of this sounds easy and achievable, but the pitfalls are numerous and the people against it plentiful.

Security has technological components, but business regards security, in terms of risk management, as it does any other risk. Business aims to reduce costs and improve production. Why bother improving network security if the business survives defacement, denial of service, reputation damage and network downtime?

The point is that if you force companies to make their products secure, their economic gain could decline. And what about the brakes you put on creative minds and the development of new ideas? A company making a new product focuses on making money and answering an unmet need in the market, which does not necessarily require advanced security in the initial stage.

If your government provides services on the Internet, you had better be sure they are secure; if there are no regulatory incentives, why shouldn't they opt for the cheaper, less secure option? By enforcing rules via laws, regulation or company policies we impose liability and make sure people are responsible for their deeds. I agree that regulation is not the all-in-one solution that helps you out in difficult times, but it can push industry to improve security. Some types of industry start with security and build their services inside the security boundaries.

We have different compliance regimes that are well developed and push managers, companies and even governmental organisations towards a better and more secure environment. SOX, HIPAA, Basel II, etc. push for a better and safer environment by motivating managers to pay attention to issues that were ignored before. As time goes by and maturity develops, legislation will improve and regulatory bodies will be able to impose penalties to keep the motivation alive.

Example:
Power plants, for example, live up to high security standards regarding their personnel. We can be glad that they did not take the approach so often used in the computer industry. Such an approach makes managers aware that the risks cannot be accepted because of the high costs involved.

5.3. Due care and due diligence

[2] Due care means that a company did all that it could have reasonably done to try to prevent security breaches, and also took the necessary steps to ensure that, if a security breach did take place, the damages were reduced because of the controls or countermeasures that existed. Due care means that a company practised common sense and prudent management practices with responsible actions.

Due diligence means that a company properly investigated all of its possible weaknesses and vulnerabilities before carrying out due care practices.

Due care and due diligence both need to be present to integrate a certain level of security successfully into your environment. To convince management we should distance ourselves from examples and results (from threat and vulnerability assessments) that are based on hypothetical values. It is almost impossible to convince people about a subject that has not yet materialised. Those intangible values can be replaced by real-life examples: the existence of a vulnerability, what solutions are available and who has integrated them already. Remember the approach: we are protecting against known threats, not trying to increase budgets based on the unknown. If management still decides to accept the risk, which is completely normal in certain cases, we document it and motivate it with the business reasons; this is done to limit liability. The ultimate goal is good due diligence practice, which reduces ignorance and negligence. Due diligence results do not need to be proven valid; the result itself shows the good or bad experience. Solutions never come directly from an assessment; they are chosen on the basis of the assessment results by means of due diligence. One can argue whether fortune telling is a better strategy than waiting for the results of what is actually achieved.

5.4. Technology

The problem we have with technology today is that at a certain point it does provide protection but can create numerous other problems. Integrating additional tools, software or hardware does not imply that you improve security. An entire process of interacting mechanisms is needed to provide robust security. As shown in chapter 3, you need to rely on different techniques to create a secure environment; none of those concepts survives an attack without the support of the others. Over the years we have been overwhelmed by vendors offering us the market-leading product, and still our networks are at stake. Does that mean the products are bad? Honestly, I don't think the products are bad; the way they interact is perhaps not ideal. For years we have focused on prevention and less on detection and response. A good prevention tool is worthless without detection, and detection has no value if there is no response process involved; most of the time these functions are included in a good prevention product. During my career I have often had discussions on what to log and what not: logging everything does not increase your detection. It increases the data you gather but decreases the accuracy.


To make a safeguard valuable it requires interaction with other processes, systems or people. Good interaction happens on different layers: logging the issue is the first, but reporting that there is an issue is mandatory to make the logging useful. After the alert, manual intervention might be required; this too should be logged sensibly to support good change management. All these features are available on the market; unfortunately the interaction between them is still at a low level.

Example:
Wiretapping the general public has not yet proved useful; data mining or correlation on that data is even harder. It does work once there is a lead or a clue, but unless you have some predefined known information your correlation will not have much value and could miss the parts of the data crucial to identifying the attack. Using detection alone to prevent issues is just not the right way to solve a security problem. Security budgets for government issues do increase, yet people tend to feel less safe. In Belgium the police force has been increased significantly, but reducing crime is harder than ever before. Prevention and detection capabilities are sufficient, but response (the courts) is not keeping pace.

Another big debate is functionality vs. security. Frankly, I think this is a bad trade-off. Testing functionality is fairly easy: functionality is whether or not something works when it is used as planned. But when you test security you are trying to find out how a system behaves under unanticipated circumstances with an adversary trying to subvert it. Testing security the way you test functionality is very hard, if not impossible.

5.5. Awareness campaign and training

Awareness and training are mandatory to enhance your security, and a clear distinction should be made between the two.
Awareness campaign: A campaign for awareness explains the "what is it"; it shows you the dangers or benefits of a certain tool, system or environment.
Training: Training tells you "how does it work": how do I use it, how do I integrate it, how do I get the most out of it.

Awareness increases security on the human level; human intelligence cannot be replaced by technology. But just as with technology, we need to make our staff aware of the risks involved in their job. Today many companies have understood that they need awareness, some because of regulation, some because of campaigns launched by governmental organisations. As risks and technology evolve at a rapid pace, awareness needs to be repeated on a regular basis to remain effective. Any means is good to make people aware of the risks. In our daily life we are confronted with several awareness campaigns which are time- or event-specific.
Example:
The 9/11 attacks provoked awareness in the UK: people were aware of the risks and knew how to respond in case of an emergency. The results of the campaign were clear; panic was reduced to a minimum and casualties could be rescued within a respectable time frame.

Training is equally important; knowing that there is a risk is just one part of the solution. How you protect yourself and how you use the tools provided is an important step and might be more difficult to achieve. Clearly, in certain cases and on certain subjects the two aspects are woven together. Explaining why one needs a password is one thing, but it may be useless without explaining how to make a strong password.

6. Conclusion

Regardless of which model of risk management one uses, you are still working with hypothetical data. Today there are no valid frequency and impact data available to provide you with valid and sensible results. It might be possible to guess the impact or frequency of an unusual incident, but an unknown event or enemy can have a significant effect on the risk that makes the current security solution obsolete. I doubt this will change for the better in the future, given the rapidly changing technology of today. Managing risk by tangible values, as outlined in the previous chapter, is perhaps an answer to this complex subject. Continuing with intangible risk assessment results is expensive and does not necessarily improve your current security; this does not mean you should not integrate it at all. Regulation and legislation can be met by doing a high-level risk assessment that outlines the dangers and the caveats of the unknown.

This is not a plea to abandon the current way of handling risk; I just share my and other security professionals' view on the topic. As a consultant I have been confronted with many aspects of security and have seen that some try to protect against things that have not yet materialised. FUD (fear, uncertainty and doubt) and hype still drive the integration of security measures, and often these are not the solution to the problem.

Without Donn B. Parker's help I would not have been able to make this document. I got his authorisation to quote his article, but I have tried to express some of his ideas in my own words.


7. References

[1] Bruce Schneier: Beyond Fear
[2] Shon Harris: CISSP Certification All-in-One Exam Guide

Books & articles:
Bruce Schneier: Beyond Fear
Economics and Information Security
Regulation, Liability and Computer Security
Donn Parker: Making the Case for Replacing Risk-Based Security
Ross Anderson: Why Information Security Is Hard: An Economic Perspective
Shon Harris: CISSP Certification All-in-One Exam Guide