Justifying IT Security - Managing Risk and Keeping Your Network Secure
8/3/2019 Justifying IT Security-Managing Risk and Keeping Your Network

Ira Winkler
2/1/2010

Justifying IT Security: Managing Risk & Keeping Your Network Secure

The goal of a security program is to choose and implement cost-effective countermeasures that mitigate the vulnerabilities that will most likely lead to loss. This paper discusses the management of Risk and how Vulnerability Management is one of the few countermeasures easily justified by its ability to optimize risk.

By IRA WINKLER

2010 Qualys, Inc. All rights reserved.
Justifying IT Security: Managing Risk & Keeping Your Network Secure
by Ira Winkler, Author, Spies Among Us

Executive Summary

One of the most difficult issues security managers have is justifying how they spend their limited budgets. For the most part, information security budgets are determined by percentages of the overall IT budget. This implies that security is basically a tax on IT, as opposed to providing value back to the organization. The fact is that security can provide value to the organization, if there is a discussion of risk with regard to IT, as much as there is a discussion of risk with regard to all other business processes.

Calculating a return on investment for a security countermeasure is extremely difficult, as you rarely have the ability to calculate the savings from the losses you prevented. It is akin to being able to pinpoint automobile accidents you avoided by driving safely versus recklessly. There is no way to accurately determine that information.

However, if you start to consider that Security is actually Risk Management, you can start determining the best countermeasures to proactively and cost-effectively mitigate your losses. By determining the vulnerabilities that are most likely to create loss, you can then compare the potential losses against the cost of the countermeasure. This allows you to make an appropriate business decision as to justifying and allocating a security budget.

More importantly, if you can make such a business decision, you can justify increasing security budgets for additional countermeasures. The key is to be able to specifically identify an area of potential loss, and identify a security countermeasure that cost-effectively mitigates that loss.
What is Security?

By definition, security is the freedom from risk or danger. Security is unattainable. You can never be completely secure. Your information and computer systems will never be totally free of risk or danger. Anyone who tells you that they can provide you with perfect security is a fool or a liar.

Corporate security programs are bound to fail, unless they clearly define their mission to their organization. Security is not about achieving freedom from risk, but about the management of risk.

It is therefore important to define what Risk is.

RISK

Risk is the potential for loss. In other words, what do you have to lose?

While there is the dictionary definition, we need a practical definition of risk. I prefer to use the following formula to express risk.

Risk itself is basically the potential loss resulting from the balance of Threat, Vulnerabilities, Countermeasures, and Value.

Usually Risk is a monetary loss. Sometimes risk can be measured in lives. Sadly, many businesses put a value to human life to turn it into a monetary loss. From a computer perspective, Risk is possibly the likelihood of being hacked. More importantly though, Risk is the losses experienced as a result of a hack.

To quickly break down the components of Risk:

Threats are the people or entities who can do you harm.
Vulnerabilities are the weaknesses that allow the Threat to exploit you.
Countermeasures are the precautions you take.
Value is what you have to lose.
RISK COMPONENTS

Fundamentally, Value represents the most you can lose. It is important to understand Value so that you can determine the potential return on investment of any proposed security countermeasure. There are several different types of value to consider, including: Monetary, Nuisance, Competitor, and Reputational Value.

The Threat is essentially the "Who" or "What" that can do you harm if given the opportunity. They cannot do you harm on their own. They require that you leave yourself vulnerable. Also, while people generally assume that Threats are malicious in nature, most threats that you face do not intend to cause you any harm.

Vulnerabilities are basically the weaknesses that allow the Threat to exploit you. Again, threats are entities. By themselves, they can cause you no harm. There are four categories of Vulnerabilities: Technical, Physical, Operational, and Personnel. Technical vulnerabilities are problems specifically built into technology. All software has bugs of one form or another. A bug that creates information leakage or elevated privileges is a security vulnerability. Any technology implemented improperly can create a vulnerability that can be exploited.

Countermeasures are the precautions that an organization takes to reduce risk. Countermeasures can mitigate a Threat or Vulnerability; but almost always a Vulnerability.

It is assumed that the reader of this white paper is reasonably familiar with the components of Risk. For a more detailed discussion of this subject, please refer to my book, Spies Among Us.
You Really Can't Counter Threat

When you look at the Risk formula, it would appear that Countermeasures can address both Threats and Vulnerabilities. In theory, that is correct. In the real world, it is really difficult to counter Threat. The good news is that it doesn't really matter.

First, let's examine why you cannot counter Threat. Fundamentally, you cannot stop a hurricane, earthquake, flood, or other "What" threats. They will occur no matter what you do.

At the same time, you cannot really counter a "Who" threat. Maybe a background check can weed out known criminals; however, this doesn't stop unknown criminals. While there is a War on Terror, there are still more than enough (known and unknown) terrorists to create a terror threat. Maybe in theory, a government can attempt to hunt down a specific group of people to extinction, but a nongovernment organization clearly cannot. It is also unlikely that the government will succeed.

However, the good news is that you don't have to address the Threat. If you counter a Vulnerability, you are essentially countering any Threat that may exploit it. For example, by using Vulnerability Management tools, you are mitigating the opportunity for any Threat to attempt to compromise widely known vulnerabilities.

While you cannot stop a script kiddie from existing, you can counter the underlying computer vulnerabilities that allow the hacker to exploit you. Not only do you stop the script kiddie from exploiting you, you stop competitors, cybercriminals, malicious employees, and all other threats from exploiting known computer vulnerabilities.

The 2 Ways to Hack a Computer

From a server/computer perspective, there are two fundamental ways to hack a computer. You either (1) take advantage of the way users or administrators configure and use a system, or (2) compromise the underlying software.

With regard to configuration and use, the systems can be set up with poor passwords, be configured to improperly share systems, or be otherwise set up in a way that takes an otherwise secure system and renders it insecure. The underlying hardware and software can be completely without flaw, but users can find an unlimited number of ways to render all other security efforts moot.

Then we have the software vulnerabilities. All software has bugs. Some of them are functional, while some create elevated privileges, cause information leakage, and/or cause a denial of service. The latter bugs are what we refer to as security vulnerabilities. These vulnerabilities are written into the software as a coding error. While the vendors hopefully don't intend to release software with security vulnerabilities, after the software is released for widespread use, they are eventually found.

When vendors learn of vulnerabilities, they can release patches. Unfortunately, users and administrators frequently do not implement the patches, leaving the systems vulnerable to anyone who can access the system with the appropriate attack. For example, the Conficker worm has infected close to 7,000,000 computers around the world, yet the patch to prevent infection has been widely available for close to a year.

Bottom Line: Vulnerability management tools can ensure that systems are properly patched against widely known attacks.
What is a Security Program?

Now that Risk is fundamentally defined, we can address what security programs are supposed to do in theory. First, it is important to remember that you cannot stop all loss, if you function in the real world. No matter what you do, you must acknowledge that you will experience some type of loss. Actually, you will experience many losses.

In business terms, I would contend that the goal of a security program is to identify the Vulnerabilities that can be exploited by any of the Threats that you face. Once you identify those Vulnerabilities, you then associate the Value of the loss that is likely to result from the given Vulnerabilities.

The intermediate step of a security program is to choose and implement cost-effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss.

The previous paragraph is possibly the most important paragraph in this paper. Sadly, I find that many professionals do not grasp this concept and fail to understand their role in quantifiable business terms.

Optimizing Risk

It is extremely important to point out that you are not trying to remove all risk. Again, you can never be completely secure, and it is foolish to try. This is why your goal is to optimize, not minimize, risk.

Let's first discuss the concept of optimization versus minimization of risk. Minimization of risk implies that you want to remove as much risk, aka loss, as possible. Using a typical home as an example, first examine what there is to lose. Assuming you have the typical household goods, various insurance companies might say that a house has from $20,000 to $50,000 worth of value, and the house has a value of $200,000. There is also the intangible value of the safety of your family and general well-being.

Then consider the potential things that could happen to compromise the home. Obviously, you have physical thefts. There is also the potential for a fire. There have actually been cases of a car crashing into a home. You can also not ignore that objects, including airplanes, have fallen onto homes, destroying them and all of their occupants. You have tornados, earthquakes, floods, etc. If you want to minimize risk, you must account for all possible losses, including some of the most bizarre ones.
Maybe if you are not in an earthquake-prone area, you might think about ignoring that. However, even if you want to just limit your countermeasures to account for theft, while you might think of improving locks on all doors, you then have to think of the windows. Are you going to make all glass shatterproof? Then consider that most homes are made of wood. There is technically nothing to stop a motivated thief from taking a chainsaw to the side of your house. Do you then armor plate the entire house?

Minimizing your risk would lead to spending money on a lot of countermeasures that are not reasonable. Maybe if you're an unpopular, high-profile dictator, you would consider all of these issues, but not the typical homeowner.

You cannot just broadly discount a great deal of risk. Optimization implies that there is some thought to the process. You don't completely ignore any threat or vulnerability, but make a conscious decision that the likelihood of a loss combined with the value of the loss cannot be cost-effectively mitigated. So while it would generally be feasible to install a home alarm system for $300, and pay $25 per month for monitoring as a security countermeasure to protect $50,000 from theft, along with your personal well-being, it would generally not be cost-effective to install armor around the home to protect against the extremely unlikely case of a criminal using a chainsaw to get in your house.

I like to use the following chart to represent risk, and to also clearly demonstrate why only a fool would try to minimize risk. The curve that begins in the upper left corner represents Vulnerabilities and the cost associated with them. The line that begins on the bottom left represents the cost of Countermeasures.
As you begin to implement Countermeasures, their cost goes up; however, Vulnerabilities and potential loss decrease. Assuming you implement Countermeasures that actually address Vulnerabilities, there can actually be a drastic decrease of potential loss. It is similar to the 80/20 Rule, where you solve 80% of the problems with 20% of the effort. I contend that in the security field, you can solve 95% of the problems with 5% of the effort.

Since there will always be potential loss, the Vulnerability line never reaches 0 and is asymptotic. The potential cost of Countermeasures, however, can keep increasing forever. So at some point, the cost of Countermeasures is more than the potential loss of the Vulnerabilities. It is illogical to ever spend more to prevent loss than the actual loss itself, so you never want to reach that point.

You also don't want to come close to that point either. The reason is that the potential loss is only potential loss. While it is theoretically possible to experience a complete loss, it is extremely unlikely. You need to base the cost of countermeasures on the likelihood of the loss combined with the cost of the loss.

This is the concept of Risk Optimization, and the chart below overlays a sample Risk Optimization line on the initial graph. This is the point that you have determined is the amount of loss you are willing to accept and the cost of the Countermeasures that will get you to that point.

While I wish it was feasible to say that an entire security program should be based on this methodology, the reality is that most organizations are extremely far from implementing this on a macro level. Instead, I recommend that people approach Risk Optimization on a micro level.
Vulnerability Management as a Critical Component of Risk Optimization

When considering Risk Optimization, you must consider the losses that come from technical vulnerabilities, or the known vulnerabilities that exist in software. Again, these software bugs can be triggered maliciously by criminals, or be malignant and just happen at random times.

While it is true that there are some Zero Day Vulnerabilities, where the underlying bugs are not currently known and therefore the attacks are theoretically unstoppable, that accounts for less than 1% of all computer attacks.

The bulk of computer attacks can be easily prevented with the proper implementation of vulnerability management tools such as QualysGuard. Most importantly, these vulnerability management solutions can be extremely cost-effective and a critical component of Risk Optimization.

For example, a vulnerability management deployment may cost $10K per year. At the same time, you've determined that a single loss from known vulnerabilities can easily result in a loss of millions of dollars. The likelihood of a known vulnerability being exploited is almost 100% given the persistent threat on the Internet. The potential loss would otherwise only be limited by the value of the organization as a whole.

Vulnerability Management is one of the most cost-effective tools out there and should be part of any Risk Management solution, as it can help identify and prevent 95% of the issues with 5% (or less) of the effort.
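The paper's Risk arithmetic (likelihood times Value, weighed against Countermeasure cost) and its optimization chart, as an added example that is not part of the paper or Qualys' material: the dollar figures come from the page, while the likelihoods, the armor cost and the decay constant k are constructed assumptions.

```python
# Added example (not from the paper): the paper's Risk arithmetic in code.
# Risk = likelihood * Value; a Countermeasure is justified when it removes more
# expected loss than it costs; the chart's asymptotic Vulnerability curve and
# linear Countermeasure line give a Risk Optimization point. All likelihoods,
# the armor cost and the decay constant k are constructed assumptions.
import math

def expected_loss(value, likelihood):
    """Risk as the paper uses it: the most you can lose, weighted by how likely it is."""
    return value * likelihood

def is_justified(annual_cost, value, p_before, p_after):
    """Paper's rule: money spent on a Countermeasure must buy a larger reduction in Risk.
    Returns (justified, expected loss removed)."""
    reduction = expected_loss(value, p_before) - expected_loss(value, p_after)
    return reduction > annual_cost, reduction

def residual_loss(spend, value, likelihood, k):
    """Vulnerability curve: potential loss falls with spend but never reaches 0 (asymptotic)."""
    return expected_loss(value, likelihood) * math.exp(-k * spend)

def total_cost(spend, value, likelihood, k):
    """Countermeasure line (linear, can grow forever) plus what is still at risk."""
    return spend + residual_loss(spend, value, likelihood, k)

def optimal_spend(value, likelihood, k):
    """Risk Optimization point: the spend past which one more dollar of Countermeasure
    removes less than one dollar of expected loss.
    d/ds [s + E*exp(-k*s)] = 1 - k*E*exp(-k*s) = 0  =>  s* = ln(k*E)/k  (0 if k*E <= 1)."""
    e = expected_loss(value, likelihood)
    return math.log(k * e) / k if k * e > 1 else 0.0

def within_loss_limit(spend, value, likelihood):
    """Hard limit from the paper: never spend more to prevent a loss than the loss itself."""
    return spend <= expected_loss(value, likelihood)

if __name__ == "__main__":
    # Page figures: goods $50,000; alarm $300 + $25/month; VM $10K/year vs. millions at ~100%.
    # Assumed: burglary 5%/yr falling to 1% with an alarm; chainsaw entry 0.01%/yr,
    # armor $100,000; VM drops known-vulnerability exploitation from 95% to 5%.
    cases = [
        ("home alarm", 300 + 25 * 12, 50_000, 0.05, 0.01),
        ("armor-plated house", 100_000, 50_000, 0.0001, 0.0),
        ("vulnerability management", 10_000, 2_000_000, 0.95, 0.05),
    ]
    for name, cost, value, before, after in cases:
        ok, removed = is_justified(cost, value, before, after)
        print(f"{name:26s} cost ${cost:>9,.0f}  risk removed ${removed:>12,.0f}  "
              f"{'justified' if ok else 'not justified'}")
    # Optimization point on the chart for the theft scenario (k assumed: each $500 of
    # well-chosen countermeasures cuts the remaining exposure by a factor of e).
    s = optimal_spend(50_000, 0.05, k=1 / 500)
    print(f"optimal theft countermeasure spend: ${s:,.0f}/yr, "
          f"total cost ${total_cost(s, 50_000, 0.05, 1 / 500):,.0f}")
```

The armor case shows the paper's point in numbers: with a negligible likelihood the optimization point is zero spend, while the alarm and the vulnerability management deployment each remove far more expected loss than they cost.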
Consciously Accept Risk

All Risk Management decisions should be based not on an arbitrary budget assignment, but on the realization that the money invested on a Countermeasure is justified by a reasonable reduction in Risk.

The bottom line: Vulnerability Management is one of the few Countermeasures that is easily justified by its ability to optimize Risk.
About the Author

Ira Winkler, CISSP, is President of the Internet Security Advisors Group and on the Board of Directors of the ISSA. He is also a columnist for ComputerWorld.com and considered one of the world's most influential security professionals. Named as a "Modern Day James Bond" by the media for his espionage simulations, he physically and technically "broke into" some of the world's largest companies, investigated crimes against them, and told them how to cost-effectively protect their information and computer infrastructure. Ira Winkler continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs. Ira Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards.

Ira Winkler is also author of the riveting, entertaining, and educational books, Spies Among Us and Zen and the Art of Information Security. He was also a columnist for ComputerWorld.com. Ira Winkler has recently been elected Vice President of the Information Systems Security Association.

Ira Winkler began his career at the National Security Agency, where he served as an Intelligence and Computer Systems Analyst. He moved on to support other US and overseas government military and intelligence agencies. After leaving government service, Ira Winkler went on to serve as President of the Internet Security Advisors Group, Chief Security Strategist at HP Consulting, and Director of Technology of the National Computer Security Association. He was also on the Graduate and Undergraduate faculties of the Johns Hopkins University and the University of Maryland.

Ira Winkler has also written the book Corporate Espionage, which has been described as the bible of the Information Security field, and the best-selling Through the Eyes of the Enemy. Both books address the threats that companies face protecting their information. Ira Winkler has also written hundreds of professional and trade articles. He has been featured and frequently appears on TV on every continent. Ira Winkler has also been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.

To learn more about Qualys OnDemand Vulnerability Management and IT Policy Compliance solutions, visit: www.qualys.com