© 2003 James P. Cavanagh, All Rights Reserved jcavanagh@consultant-registry.com

Page 1:

The Consultant Registry
Telecom, Network & Security Consulting and Training Since 1994

Presents

Network Security: The Business Value Proposition

ISSA Sacramento Valley Chapter
April 29, 2003

Page 2:

Welcome!

Page 3:

Welcome

• ROI
• Liabilities
• Due Diligence
• Fiduciary Responsibilities
• Budgets
• Brand Value

Page 4:

Michael Kelley
Michael.Kelley@Kc-Ec.Com

• VP of Sacramento ISSA
• Sixteen Years in Industry
• Areas of Expertise
  • Independent Validation & Verification
  • CMM Configuration Management
  • Strategic & Operational Planning
  • Risk Management / Project Management
  • Quality and Performance Improvement
  • RUP Methodology Training
  • Business Systems Analysis
  • Budgeting and Performance Estimating
  • Business Continuity Planning / Disaster Recovery Planning
  • Requirements Management & Process Re-engineering
• USAF Special Acts and Services Award, 1998
• The Consultant Registry - Member
  • Security Consultancy
  • C-Level Security Briefing Team

Page 5:

Mission Statement

The Consultant Registry's mission is to apply the unique telecom, network and security expertise of our member consultants for the benefit of our manufacturer, service provider, government and end-user clients.

We have been doing this globally since 1994.

Page 6:

The Consultant Registry

• Consortium of Top Industry Consultants
• All 7 Layers + Applications and O/S
• World Recognized Experts
• Average over 22 years experience each
• Books, Articles, Patents, Firsts
• Strong Security Focus
• ISS Strategic Partner
• In Business since 1994
• High Impact Teams
• Certifications & Security Clearances
• Global / Multilingual Support
• Project History / Reputation

Highest Quality, On Time, On Budget

Bridging Gap Between Technology & Business

Page 7:

Business Model

• All Consultants Are Independent
• No Salaries / Overhead
• Consultants Have Individual Practices*
• Pick of the Best on Project by Project Basis
• Hand-Picked Experts
• Broad Range of Skills
• Best of Breed Teams
• Excellent “Cross-Pollination”
• Single Source Opportunity

* which is how The Consultant Registry is ‘weathering the storm’

Page 8:

Global Coverage

The Consultant Registry is a Global Organization

Today’s Focus

Page 9:

Network Security: The Business Value Proposition

Agenda

• Introduction 9:00 - 9:10 am
• The Security Business Value Proposition 9:10 - 9:40
• Citadel vs Insurance Model 9:40 - 9:50
• Bang for the Buck Analysis (BBA) 9:50 - 10:20
• Break 10:20 - 10:35
• The Red Team / Tiger Team 10:35 - 10:50
• Executive Security Awareness (ESA) 10:50 - 11:05
• Questions & Answers 11:05 - 11:25
• Conclusion 11:25 - 11:30

Page 10:

James P. Cavanagh
jcavanagh@consultant-registry.com

• Over 25 Years Experience (Not 1 year’s experience 25 times!)
• Areas of Expertise
  • Voice
  • Data
  • Video
  • Security
• Two Security Books
  • “Security Handbook” (1996)
  • “Threats & Vulnerabilities” (2003/2004)
• Dozens of Articles, Presentations
• Free Security White Papers
• 9,500+ Global Distribution List
• Recognized by San Jose Silicon Valley CC

Page 11:

A Quick Scientific Survey

Page 12:

A Scientific Survey

• My Security Budget is Big Enough: T/F
• I Understand Why/Why Not: T/F
• I Know my Boss’s Budgeting Criteria: T/F
• I Follow His/Her Guidelines: T/F
• I Have Tried to Put My Boss and I on the Same {Requesting} Team: T/F
• I Have a Funding/Budgeting Strategy: T/F
• My Strategy Works Consistently: T/F
• I Have Sought Alternative Resources: T/F

Page 13:

A Scientific Survey

My Boss’s “Top 3” Hot Buttons Are:
1) _______________
2) _______________
3) _______________

My Boss’s Security Awareness: 1 2 3 4 5 (best)

My predecessor left my job because: _________________________________________

If I could talk to my predecessor, the top 3 things I would like to know are:
1) _______________
2) _______________
3) _______________

Do you challenge your Boss’s “Need to Know”?

Page 14:

Network Security: Business Value Proposition

Page 15:

Business Value Proposition

Network Security: The Business Value Proposition

Network security has long been the domain of the technologist, spy and hacker. Increasingly, however, management is realizing that network security has its own unique value within the business framework and that a successful security program is subject to the same evaluation criteria as any other part of the business.

Page 16:

Business Value Proposition

Impact of Bad Network Security

• Financial Loss
  • Direct Financial Loss
    • Direct Costs
    • Loss of Productivity
  • Indirect Financial Loss
    • Lost Opportunities
    • Loss of Brand Value / Stock Price / Reputation
• Other Losses
  • Legal Liability / Risk
  • Trust
  • National Security Issues
  • National Reputation

Page 17:

Business Value Proposition

Tip #1: Learn from CNN: Use ‘sound bites’

Bad: Computer viruses are bad, as you know. Many companies lose a lot of money because of them.

Better*: Every hour of down time costs us $x, and the average virus attack requires x.x hours to clean up.

Good: For every virus attack we are unable to process x driver’s license requests.

Best: By approving the expenditure of $x for virus prevention we have saved $y and z hours of staff time.

Tip #2: Share sound bites that work

* Less bad?

Page 18:

Business Value Proposition

Business Security Objectives:

• Confidentiality / Privacy
• Information Integrity
• Non-Repudiation
• Accountability
• Availability

Page 19:

Business Value Proposition

Business Security Objectives: Confidentiality / Privacy

• Keep Private Information Private
• Avoid Unauthorized Disclosure and/or Use
• Privacy / Security Critical to Customer Confidence
• Privacy Often Mandated by Law (e.g. HIPAA)
• Protect Information
  • In Transit on Network
  • Sitting on Disk

Page 20:

Business Value Proposition

Tip #3: Talk liabilities

Bad: If our patient information were to be illegally disclosed we could be in real trouble, boss.

Better: Because we are a health care organization we are governed by the Federal HIPAA regulations.

Good: Because we are a health care organization we are governed by the Federal HIPAA regulations, and HIPAA has strict penalties for unauthorized disclosure of patient information, even accidental disclosure.

Best: Our HIPAA training program only costs an average of $650 per employee while a single HIPAA violation can cost thousands of dollars. That’s ROI!

Page 21:

Business Value Proposition

Business Security Objectives: Information Integrity

• Assure Information is Unaltered
• Protect Accuracy / Reliability of Information
• Avoid Indirect Changes

Page 22:

Business Value Proposition

Tip #4: Use “case studies”, not just facts

Bad: Without proper security someone could change our information. We need to protect against that.

Good: Think, for a moment, about the impact of something as simple as an unauthorized change to someone’s date of employment. That’s a change that might go unnoticed, and unchallenged, for years but could affect retirement eligibility, payments and other factors and could be almost impossible to fix later. A change of just five years for a K-12 teacher, as an example, could cost our retirement system an additional $x in payments.

Page 23:

Business Value Proposition

Business Security Objectives: Non-Repudiation

• Assure Origin, Accuracy of Transactions
• Guarantee Transactions Will Stand Up to Challenges
• Enhance / Maintain Trust in Financial Transactions
• Appropriate for:
  • eCommerce / mCommerce Transactions
  • Contracts
  • Records: Financial, Medical, Personal
  • eMail

Page 24:

Business Value Proposition

Tip #5: Be the ‘teacher’, not just the ‘expert’

Bad: A top security objective is non-repudiation, in other words, to assure that transactions can not be repudiated.

Good: One of the big concerns in security today, including one of our biggest issues, is non-repudiation. Non-repudiation means that if a transaction is challenged, its origin, accuracy and authenticity can be verified beyond any reasonable doubt. This is not just for electronic security, but our tools are different, and, if properly applied, better. Take, for example, a written signature: it is possible to claim that the signature is a forgery, but its origin can be established. A digital …

Page 25:

Business Value Proposition

Business Security Objectives: Accountability

• Who Did What to Which Systems / Resource?
• When Did They Do It?
• Extension of Traditional Accounting Practices
  • Checks and Balances
  • Back-Ups and Checkpoints
• Invaluable for Forensics
• Important for Court / Evidence

Page 26:

Business Value Proposition

Tip #6: Ask for opinions, engage in a dialog*

Bad: We must have accountability for all transactions. It will be invaluable when we prosecute the bad guys.

Best: How important is accountability to our organization? What is our policy regarding prosecution of hackers? Is our policy different for outside hackers and malicious insiders? Have we ever tested these policies and procedures? How much of our budget are we willing to devote to proactively gathering evidence and assuring that we have met all forensic rules?

* dialog means two-sided, monolog means one-sided

Page 27:

Business Value Proposition

Business Security Objectives: Availability

• Assure that Systems are Available As Needed
  • For Employees
  • For Customers
  • For Suppliers
• Avoid Loss of Productivity / Loss of Sales
• Often a Customer “Gauge” of Quality / Reliability

Page 28:

Business Value Proposition

Tip #7: Openly discuss scenarios / alternatives

Bad: Availability is our #1 objective.

Best: I am working on our availability policy and I wanted to solicit your thoughts on a few points. Should availability be the #1 objective, or should we keep people out of the system who fail to meet certain criteria? For instance, if a person fails to enter the correct password three times, should they be given access to the system after a phone call to the SOC and having their password reset, or should they require an email and/or phone call from their supervisor? Or something else? Should the policy consider local, remote fixed and remote mobile users differently?

Page 29:

Business Value Proposition

Tip #8: Always have an opinion/solution

Never approach management without a defensible opinion and clear solution in mind. You are not asking for your boss to solve your problems – you are trying to clarify the acceptability of your desired solution and the likelihood that it will be accepted.

You are also determining the amount of preparation and awareness training that will be needed to get your desired solution accepted. You know that it is better not to ask than to be turned down and are trying to determine your chances of success before making a formal request.

BUT, always have an open mind, be ready to change or compromise, as needed, in light of new facts.

Page 30:

Business Value Proposition

Tip #9: Learn from IBM: Always be ‘selling’

Always look for a chance to sell your solution: don’t let an opportunity go by. Deliver one clear message at a time, be successful and put another building block in place. Go for achievable ‘interim closes’ and build your program step-by-step. Have a long term vision.

Use internal communications, emails, newsletters and company events as vehicles for your selling program. Be relentless, but be subtle.

Page 31:

Business Value Proposition

Tip #10: Involve your entire team.

Be sure that your team shares your vision, satisfy naysayers or get rid of them and let your team help sell the vision within the organization. Train them, coach them and set them loose. Teach them the 10 tips and let them be your ambassadors.

Page 32:

Business Value Proposition

Business Security Objectives:

• Confidentiality / Privacy
• Information Integrity
• Non-Repudiation
• Accountability
• Availability

Page 33:

Citadel vs Insurance Security Models

Page 34:

Citadel vs Insurance Security Models

Model originated by Bruce Schneier

Citadel Approach
• Traditional Security Model - Technology Driven
• Keep Out the “Bad Guys” - Let In the “Good Guys”

Insurance Approach
• Emerging Security Model - Business Driven
• Risk / Liability Assessment

(Diagram: Citadel Model / Insurance Model)

Page 35:

Citadel vs Insurance Security Models

Insurance Model says Security is ...
• Risk / Return Analysis
• Subject to all ROI and Actuarial Analysis of ANY other Business Process
• Managed Risk

Page 36:

Citadel vs Insurance Security Models

“Hacking Insurance”
• May Directly or Indirectly Be Part of Present Insurance Coverage
• May Be Completely Separate Policy
• Offered from a Growing List of Insurers
• Should be Part of a Review Process
• May require Managed Security Monitoring (MSM)
• MSM May Reduce Premiums

Page 37:

Citadel vs Insurance Security Models

Insurability Rating Process
• Who is Doing It?
  • Background
  • Who Are They Working With
• Process
  • Clear Process for Insurability Rating
  • “Veiled” Vulnerability Assessment
• Insurance Experience

Page 38:

Citadel vs Insurance Security Models

Sample of Companies offering Hacking Insurance

Page 39:

Citadel vs Insurance Security Models

Questions to Ask

Does the organization carry any business insurance to cover:
• … financial loss or business interruption due to network security problems?
• … technology errors or omissions?
• … Intellectual Property losses as a result of computer/network security breaches?
• … computer fraud and extortion?
• … improper disclosure or damage to digital assets?
• … loss of business income (services or sales of hard goods)?
• … additional cost of security or counter-measure consulting or products?

Page 40:

Citadel vs Insurance Security Models

Bottom Line:
• Both Models are Still Needed
• Insurance Model Provides Added Business Protection
• Companies Should Review Current Insurance and Consider Additional Coverage
• Should Be Part of Vulnerability Assessment

(Diagram: Citadel Model / Insurance Model)

Page 41:

Citadel vs Insurance

Insurance Security Model to Bang for the Buck Analysis

(Diagram: Insurance Model, BBA, Risk Analysis)

Page 42:

Bang for the Buck Analysis (BBA)

Page 43:

Bang for the Buck Analysis

Mission Statement

To develop an objective budgeting strategy to optimize the impact of budget dollars spent and assure maximum allocation and utilization of budget resources.

Page 44:

Bang for the Buck Analysis

From “Inside Internet Security … What Hackers Don’t Want You to Know” by Jeff Crume (Chapter 4)

“Each company must strike an appropriate balance between risk and opportunity.”

(Diagram: Risk Analysis vs Post Mortem)

Page 45:

Bang for the Buck Analysis

“… a few calculations that can help guide (but not dictate) the decision-making process.”

• Bang for the Buck Ratio (BBR)
• Vulnerability Index (VI)
• Relative Value (RV)

Calculated for each (potential) countermeasure. Provides basis for budgeting strategy. Will vary by organization, industry, etc.

Page 46:

Bang for the Buck Analysis

Bang for the Buck Ratio

BBR = CC / CP

CC = Cost of Compromise
CP = Cost of Protection

If the Cost of Compromise rises relative to the Cost of Protection, BBR gets bigger.

If the Cost of Protection rises relative to the Cost of Compromise, BBR gets smaller.

CC and CP come from your budgetary estimates.

Page 47:

Bang for the Buck Analysis

Vulnerability Index

VI = CC x PC

CC = Cost of Compromise
PC = Probability of Compromise

As the Cost of Compromise rises for a given Probability of Compromise, VI increases.

VI highlights vulnerabilities.

Page 48:

Bang for the Buck Analysis

Relative Value

RV = VI x CP

VI = Vulnerability Index
CP = Cost of Protection

Relative Value is used to compare proposed countermeasures.

Weighs Cost relative to Vulnerability.

Page 49:

Bang for the Buck Analysis

Sample Budgeting Scenario

1. Perform Vulnerability Assessment / Poll
2. List Vulnerabilities and Proposed Countermeasures
3. For each Countermeasure assign:
   a. Cost of Compromise (from peers, press, experience, scenarios, consultants, etc.)
   b. Cost of Protection (from your budget estimates)
   c. Probability of Compromise (from consensus, poll, experience, industry statistics, etc.)
4. For each Countermeasure calculate:
   a. Bang for the Buck Ratio (BBR)
   b. Vulnerability Index (VI)
   c. Relative Value (RV)
5. Sort Based on BBR
6. Determine Budget Coverage. OK? DONE
7. Work through Acceptable Scenarios / Options / Alternatives
8. Adjust Assumptions
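A worked run of steps 3 through 8 of the scenario, added here as an illustration; it is not code from the presentation or from Jeff Crume's book. The countermeasure names, costs and probabilities are constructed sample values, and the greedy "fund down the BBR-ranked list until the money runs out" rule in budget_coverage() is an assumption of this example, since the slides only say to sort by BBR and then determine coverage.

```python
"""Bang for the Buck Analysis (BBA), steps 3 through 8 of the sample scenario.

Added illustration; not code from the presentation or from Jeff Crume's book.
Figures as the slides define them:
    BBR = CC / CP    Bang for the Buck Ratio
    VI  = CC * PC    Vulnerability Index
    RV  = VI * CP    Relative Value
Countermeasure names, costs and probabilities below are constructed sample
values. The greedy funding rule in budget_coverage() is an assumption of this
example; the slides only say "sort based on BBR" and "determine budget coverage".
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cc: float  # CC: Cost of Compromise, dollars
    cp: float  # CP: Cost of Protection, dollars
    pc: float  # PC: Probability of Compromise in the budget period, 0..1

    def __post_init__(self) -> None:
        # Input guards: CP = 0 makes BBR undefined, and a probability outside
        # [0, 1] is a data-entry error that would silently skew VI and RV.
        if self.cp <= 0:
            raise ValueError(f"{self.name}: Cost of Protection must be > 0")
        if not 0.0 <= self.pc <= 1.0:
            raise ValueError(f"{self.name}: Probability of Compromise must be in [0, 1]")

    @property
    def bbr(self) -> float:
        """Bang for the Buck Ratio: compromise cost per protection dollar."""
        return self.cc / self.cp

    @property
    def vi(self) -> float:
        """Vulnerability Index: expected loss if the item is left unprotected."""
        return self.cc * self.pc

    @property
    def rv(self) -> float:
        """Relative Value, as the slides define it: VI weighted by CP."""
        return self.vi * self.cp


def rank_by_bbr(items):
    """Step 5: order countermeasures by BBR, highest first."""
    return sorted(items, key=lambda c: c.bbr, reverse=True)


def budget_coverage(items, budget):
    """Step 6: walk the BBR-ranked list, funding each countermeasure whose CP
    still fits in the remaining budget. Returns (funded, unfunded, remaining)."""
    funded, unfunded, remaining = [], [], budget
    for c in rank_by_bbr(items):
        if c.cp <= remaining:
            funded.append(c)
            remaining -= c.cp
        else:
            unfunded.append(c)
    return funded, unfunded, remaining


def adjust(items, name, **changes):
    """Step 8: change one countermeasure's assumptions (cc, cp or pc) and
    return a new list so steps 4 to 6 can be rerun ("Return to Step 3")."""
    return [replace(c, **changes) if c.name == name else c for c in items]


# Step 3: constructed sample inputs, not figures from the presentation.
SAMPLE = [
    Countermeasure("Anti-virus refresh", cc=120_000, cp=15_000, pc=0.60),
    Countermeasure("HIPAA staff training", cc=250_000, cp=65_000, pc=0.20),
    Countermeasure("Off-site backups", cc=900_000, cp=40_000, pc=0.05),
    Countermeasure("Managed security monitoring", cc=400_000, cp=110_000, pc=0.15),
]


def bba_table(items):
    """Step 4: BBR, VI and RV for every countermeasure, in BBR order."""
    return [
        {"name": c.name, "BBR": round(c.bbr, 2), "VI": round(c.vi), "RV": round(c.rv)}
        for c in rank_by_bbr(items)
    ]


if __name__ == "__main__":
    for row in bba_table(SAMPLE):
        print(f"{row['name']:<28} BBR {row['BBR']:>6}  VI {row['VI']:>8,}  RV {row['RV']:>14,}")
    funded, unfunded, left = budget_coverage(SAMPLE, 100_000)
    print("Funded:  ", [c.name for c in funded], "remaining:", left)
    print("Unfunded:", [c.name for c in unfunded])
    # Step 8: revisit one assumption and see how the ranking and coverage move.
    revised = adjust(SAMPLE, "Managed security monitoring", cp=30_000)
    funded, _, left = budget_coverage(revised, 100_000)
    print("After adjustment:", [c.name for c in funded], "remaining:", left)
```

Note that the sort is by BBR alone, as the slides prescribe; RV is computed for comparison but does not drive the funding order here.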

Page 50:

Bang for the Buck Analysis

Sample Budgeting Scenario: Perform Vulnerability Assessment / Poll

• Past Experience
• “Scenarios”
• Security Report Card or similar tools
• Staff
• Consultants
• Law Enforcement
• Press / Research

Page 57:

Bang for the Buck Analysis

Sample Budgeting Scenario: Adjust Assumptions

Return to Step 3

Page 58: © 2003 James P. Cavanagh, All Rights Reserved jcavanagh@consultant-registry.com Network Security: The Business Value Proposition ISSA Sacramento Valley.

© 2003 James P. Cavanagh, All Rights Reserved [email protected]

Bang for the Buck Analysis

Sample Budgeting ScenarioFor each Countermeasure assign:

Cost of Compromise (from peers, press, experience,scenarios, consultants, etc.)

Cost of Protection(from your budget estimates)Probability of Compromise (from consensus, poll, experience,

industry statistics, etc.)

Page 59:

Bang for the Buck Analysis

Sample Budgeting Scenario: For each Countermeasure calculate:

• Bang for the Buck Ratio (BBR)
• Vulnerability Index (VI)
• Relative Value (RV)

Page 60:

Bang for the Buck Analysis

Sample Budgeting Scenario: Sort Based on BBR

Page 61:

Bang for the Buck Analysis

Sample Budgeting Scenario: Determine Budget Coverage

Page 62:

Bang for the Buck Analysis

Sample Budgeting Scenario: Work through Acceptable Scenarios / Options / Alternatives

Page 63:

Bang for the Buck Analysis

Sample Budgeting Scenario: Adjust Assumptions

Return to Step 3
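The budgeting loop on the preceding slides (assign CC, CP and PC per countermeasure, compute BBR, sort, determine budget coverage, then adjust assumptions and repeat), as an added example that is not part of the presentation. The slides shown here name the inputs but do not state the BBR formula, so this example assumes BBR = (PC × CC) / CP, expected loss avoided per dollar of protection; the countermeasures and figures are constructed sample values, and VI and RV are left out because the slides do not define them.

```python
# Added example (not from the deck): Bang for the Buck budgeting walk-through,
# steps "assign CC/CP/PC" -> "calculate BBR" -> "sort" -> "determine coverage".
# ASSUMPTION: BBR = (PC * CC) / CP, i.e. expected loss avoided per dollar spent;
# the slides do not give the formula. All figures below are constructed.
from dataclasses import dataclass


@dataclass
class Countermeasure:
    name: str
    cc: float  # Cost of Compromise (peers, press, experience, scenarios, ...)
    cp: float  # Cost of Protection (your budget estimate)
    pc: float  # Probability of Compromise in the budget period (0..1)

    def expected_loss(self) -> float:
        # Expected loss the countermeasure addresses (assumed = PC * CC)
        return self.pc * self.cc

    def bbr(self) -> float:
        # Bang for the Buck Ratio (assumed definition, see header comment)
        return self.expected_loss() / self.cp


def sort_by_bbr(items):
    """Sort countermeasures, highest BBR first."""
    return sorted(items, key=lambda c: c.bbr(), reverse=True)


def budget_coverage(items, budget):
    """Walk the BBR-sorted list and fund items until the budget runs out.
    Returns (funded, unfunded, remaining). An item that does not fit is
    skipped so a cheaper item further down the list can still be funded."""
    funded, unfunded, remaining = [], [], budget
    for c in sort_by_bbr(items):
        if c.cp <= remaining:
            funded.append(c)
            remaining -= c.cp
        else:
            unfunded.append(c)
    return funded, unfunded, remaining


# Constructed sample scenario (not figures from the presentation).
SAMPLE = [
    Countermeasure("Perimeter firewall upgrade", cc=500_000, cp=60_000, pc=0.10),
    Countermeasure("Patch management tooling", cc=200_000, cp=15_000, pc=0.50),
    Countermeasure("Executive awareness program", cc=300_000, cp=10_000, pc=0.20),
    Countermeasure("Backup / DR rehearsal", cc=900_000, cp=40_000, pc=0.05),
]
```

With a 70,000 budget, `budget_coverage(SAMPLE, 70_000)` funds the three highest-BBR items and defers the firewall upgrade with 5,000 left over; changing any CC, CP or PC and re-running is the "adjust assumptions, return to step 3" loop, and the documented basis for each input is what makes the result defensible.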

Page 64:

Bang for the Buck Analysis

Keys to Success

• Get Management “Buy In” on Process
• Use “Security Report Card*” or Similar Tool for Vulnerability Assessment
• Workshop / Training on Process
• Keep all Parties informed of Progress
• Document Basis of CP, CC and PC
• Do NOT Change Process After Start

* Described in Executive Security Awareness Section

Side benefits are getting you and your management on the same budget team and having a defensible budget strategy.

Page 65:

Break: 15 Minutes!

Page 66:

Red Team / Tiger Team

Page 67:

Executive Security Awareness™

Page 68:

Questions & Answers

Page 69:

Questions & Answers

Page 70:

Conclusion

Page 71:

Conclusion

Bring Security to The Board Room

1. Use “Sound Bites”
2. Share “Sound Bites” That Work
3. Talk Liabilities
4. Use Case Studies, not just facts
5. Be the teacher, not just the expert
6. Ask for opinions, engage in dialog
7. Openly discuss scenarios, alternatives
8. Always have an opinion / solution
9. Always be selling
10. Involve your entire team

Page 72:

Conclusion

Help Make “The Shift” … From Citadel to Insurance Models

Citadel Model

Insurance Model

Page 73:

Conclusion

Adopt the BBA as the Official Security Budgeting Strategy

• Get Management “Buy In” on Process
• Use “Security Report Card*” or Similar Tool for Vulnerability Assessment
• Workshop / Training on Process
• Keep all Parties informed of Progress
• Document Basis of CP, CC and PC
• Do NOT Change Process After Start

Page 74:

Conclusion

Use Red Teams / Tiger Teams To Increase Budget Success

Page 75:

Conclusion

Work to Increase Executive Security Awareness

Page 76:

Conclusion

Take CONTROL of your Security Budget

BEFORE IT TAKES CONTROL OF YOU

Page 77:

Thanks for Coming

James P. Cavanagh
jcavanagh@consultant-registry.com