Justifying IT Security-Managing Risk and Keeping Your Network


8/3/2019 Justifying IT Security-Managing Risk and Keeping Your Network

Ira Winkler
2/1/2010

Justifying IT Security: Managing Risk & Keeping Your Network Secure

The goal of a security program is to choose and implement cost-effective countermeasures that mitigate the vulnerabilities that will most likely lead to loss. This paper discusses the management of Risk and how Vulnerability Management is one of the few countermeasures easily justified by its ability to optimize risk.

By IRA WINKLER

2010 Qualys, Inc. All rights reserved.


Justifying IT Security Page 1 of 9


Justifying IT Security: Managing Risk & Keeping Your Network Secure
by Ira Winkler, Author, Spies Among Us

Executive Summary

One of the most difficult issues security managers have is justifying how they spend their limited budgets. For the most part, information security budgets are determined by percentages of the overall IT budget. This implies that security is basically a tax on IT, as opposed to providing value back to the organization. The fact is that security can provide value to the organization, if there is a discussion of risk with regard to IT, as much as there is a discussion of risk with regard to all other business processes.

Calculating a return on investment for a security countermeasure is extremely difficult, as you rarely have the ability to calculate the savings from the losses you prevented. It is akin to being able to pinpoint automobile accidents you avoided by driving safely versus recklessly. There is no way to accurately determine that information.

However, if you start to consider that Security is actually Risk Management, you can start determining the best countermeasures to proactively and cost-effectively mitigate your losses. By determining the vulnerabilities that are most likely to create loss, you can then compare the potential losses against the cost of the countermeasure. This allows you to make an appropriate business decision as to justifying and allocating a security budget.

More importantly, if you can make such a business decision, you can justify increasing security budgets for additional countermeasures. The key is to be able to specifically identify an area of potential loss, and identify a security countermeasure that cost-effectively mitigates that loss.


What is Security?

By definition, security is the freedom from risk or danger. Security is unattainable. You can never be completely secure. Your information and computer systems will never be totally free of risk or danger. Anyone who tells you that they can provide you with perfect security is a fool or a liar.

Corporate security programs are bound to fail, unless they clearly define their mission to their organization. Security is not about achieving freedom from risk, but about the management of risk.

It is therefore important to define what Risk is.

Risk

Risk is the potential for loss. In other words, what do you have to lose?

While there is the dictionary definition, we need a practical definition of risk. I prefer to use the following formula to express risk.

Risk itself is basically the potential loss resulting from the balance of Threat, Vulnerabilities, Countermeasures, and Value.

Usually Risk is a monetary loss. Sometimes risk can be measured in lives. Sadly, many businesses put a value to human life to turn it into a monetary loss. From a computer perspective, Risk is possibly the likelihood of being hacked. More importantly though, Risk is the losses experienced as a result of a hack.

To quickly break down the components of Risk:

Threats are the people or entities who can do you harm.
Vulnerabilities are the weaknesses that allow the Threat to exploit you.
Countermeasures are the precautions you take.
Value is what you have to lose.


Risk Components

Fundamentally, Value represents the most you can lose. It is important to understand Value so that you can determine the potential return on investment of any proposed security countermeasure. There are several different types of value to consider, including: Monetary, Nuisance, Competitor, and Reputational Value.

The Threat is essentially the Who or What that can do you harm if given the opportunity. They cannot do you harm on their own. They require that you leave yourself vulnerable. Also, while people generally assume that Threats are malicious in nature, most threats that you face do not intend to cause you any harm.

Vulnerabilities are basically the weaknesses that allow the Threat to exploit you. Again, threats are entities. By themselves, they can cause you no harm. There are four categories of Vulnerabilities: Technical, Physical, Operational, and Personnel. Technical vulnerabilities are problems specifically built into technology. All software has bugs of one form or another. A bug that creates information leakage or elevated privileges is a security vulnerability. Any technology implemented improperly can create a vulnerability that can be exploited.

Countermeasures are the precautions that an organization takes to reduce risk. Countermeasures can mitigate a Threat or Vulnerability; but almost always a Vulnerability.

It is assumed that the reader of this whitepaper is reasonably familiar with the components of Risk. For a more detailed discussion of this subject, please refer to my book, Spies Among Us.


You Really Can't Counter Threat

When you look at the Risk formula, it would appear that Countermeasures can address both Threats and Vulnerabilities. In theory, that is correct. In the real world, it is really difficult to counter Threat. The good news is that it doesn't really matter.

First, let's examine why you cannot counter Threat. Fundamentally, you cannot stop a hurricane, earthquake, flood, or other "What" threats. They will occur no matter what you do.

At the same time, you cannot really counter a "Who" threat. Maybe a background check can weed out known criminals, however this doesn't stop unknown criminals. While there is a War on Terror, there are still more than enough (known and unknown) terrorists to create a terror threat. Maybe in theory, a government can attempt to hunt down a specific group of people to extinction, but a non-government organization clearly cannot. It is also unlikely that the government will succeed.

However, the good news is that you don't have to address the Threat. If you counter a Vulnerability, you are essentially countering any Threat that may exploit it. For example, by using Vulnerability Management tools, you are mitigating the opportunity for any Threat to attempt to compromise widely known vulnerabilities. While you cannot stop a script kiddie from existing, you can counter the underlying computer vulnerabilities that allow the hacker to exploit you. Not only do you stop the script kiddie from exploiting you, you stop competitors, cybercriminals, malicious employees, and all other threats from exploiting known computer vulnerabilities.

The 2 Ways to Hack a Computer

From a server/computer perspective, there are two fundamental ways to hack a computer. You either (1) take advantage of the way users or administrators configure and use a system or (2) compromise the underlying software.

With regard to configuration and use, the systems can be set up with poor passwords, be configured to improperly share systems, or be otherwise set up in a way that takes an otherwise secure system and renders it insecure. The underlying hardware and software can be completely without flaw, but users can find an unlimited number of ways to render all other security efforts moot.

Then we have the software vulnerabilities. All software has bugs. Some of them are functional, while some create elevated privileges, cause information leakage, and/or cause a denial of service. The latter bugs are what we refer to as security vulnerabilities. These vulnerabilities are written into the software as a coding error. While the vendors hopefully don't intend to release software with security vulnerabilities, after the software is released for widespread use, they are eventually found.

When vendors learn of vulnerabilities, they can release patches. Unfortunately, users and administrators frequently do not implement the patches, leaving the systems vulnerable to anyone who can access the system with the appropriate attack. For example, the Conficker worm has infected close to 7,000,000 computers around the world, yet the patch to prevent infection has been widely available for close to a year.

Bottom Line: Vulnerability management tools can ensure that systems are properly patched against widely known attacks.
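The check behind that bottom line, as an added example that is not code from the paper or from any vendor's product: each host's installed software versions are compared against the first version in which a known vulnerability was fixed, and every host still running an affected version is reported so it can be patched. The inventory lines, product names and advisory ids below are constructed placeholders.

```python
"""Patch-compliance check: report hosts whose installed software is older than
the version that fixed a known vulnerability. Added illustration; the inventory
and the advisory baseline are constructed, and the advisory ids are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed advisory baseline: product -> (first fixed version, advisory id placeholder)
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "exampled": ("2.4.1", "ADV-EXAMPLE-001"),
    "sshserver": ("7.9", "ADV-EXAMPLE-002"),
}

# Constructed inventory, one installed package per line: host,product,version
INVENTORY = """\
# host,product,version
web01,exampled,2.3.9
web01,sshserver,7.9
db01,exampled,2.4.1
db01,sshserver,7.4
app02,exampled,2.4.1-rc1
"""


def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """Split '2.4.1-rc1' into ((2, 4, 1), 'rc1'); a missing suffix is ''."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2) or ""


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the first fixed version."""
    inums, ipre = parse_version(installed)
    fnums, fpre = parse_version(fixed)
    width = max(len(inums), len(fnums))
    inums += (0,) * (width - len(inums))   # '2.4' compares as 2.4.0
    fnums += (0,) * (width - len(fnums))
    if inums != fnums:
        return inums > fnums
    if not ipre:        # final release of the fixed version: fixed
        return True
    if not fpre:        # pre-release of a version whose fix shipped in the final: not fixed
        return False
    return ipre >= fpre  # both are pre-releases: compare tags (a simplification)


def find_unpatched(inventory: str, advisories: Dict[str, Tuple[str, str]]) -> List[dict]:
    """Return one finding per (host, product) still running an affected version."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = (x.strip() for x in line.split(","))
        if product not in advisories:
            continue                      # no known vulnerability for this product
        fixed, adv_id = advisories[product]
        if not is_fixed(version, fixed):
            findings.append({"host": host, "product": product, "installed": version,
                             "fixed_in": fixed, "advisory": adv_id})
    return findings


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f['host']}: {f['product']} {f['installed']} < {f['fixed_in']} ({f['advisory']})")
```

The version comparison is the part worth getting right: a missing trailing component is padded with zero, and a pre-release build of the fixed version is still reported, because the fix is not known to be in it.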


What is a Security Program?

Now that Risk is fundamentally defined, we can address what security programs are supposed to do in theory. First, it is important to remember that you cannot stop all loss, if you function in the real world. No matter what you do, you must acknowledge that you will experience some type of loss. Actually, you will experience many losses.

In business terms, I would contend that the goal of a security program is to identify the Vulnerabilities that can be exploited by any of the Threats that you face. Once you identify those Vulnerabilities, you then associate the Value of the loss that is likely to result from the given Vulnerabilities.

The intermediate step of a security program is to choose and implement cost-effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss.

The previous paragraph is possibly the most important paragraph in this paper. Sadly, I find that many professionals do not grasp this concept and fail to understand their role in quantifiable business terms.

Optimizing Risk

It is extremely important to point out that you are not trying to remove all risk. Again, you can never be completely secure, and it is foolish to try. This is why your goal is to optimize, not minimize, risk.

Let's first discuss the concept of optimization versus minimization of risk. Minimization of risk implies that you want to remove as much risk, aka loss, as possible. Using a typical home as an example, first examine what there is to lose. Assuming you have the typical household goods, various insurance companies might say that a house has from $20,000 to $50,000 worth of value, and the house has a value of $200,000. There is also the intangible value of the safety of your family and general well-being.

Then consider the potential things that could happen to compromise the home. Obviously, you have physical thefts. There is also the potential for a fire. There have actually been cases of a car crashing into a home. You can also not ignore that objects, including airplanes, have fallen onto homes, destroying them and all of their occupants. You have tornados, earthquakes, floods, etc. If you want to minimize risk, you must account for all possible losses, including some of the most bizarre ones.



Maybe if you are not in an earthquake-prone area, you might think about ignoring that. However, even if you want to just limit your countermeasures to account for theft, while you might think of improving locks on all doors, you then have to think of the windows. Are you going to make all glass shatterproof? Then consider that most homes are made of wood. There is technically nothing to stop a motivated thief from taking a chainsaw to the side of your house. Do you then armor plate the entire house?

Minimizing your risk would lead to spending money on a lot of countermeasures that are not reasonable. Maybe if you're an unpopular, high-profile dictator, you would consider all of these issues, but not the typical homeowner.

You cannot just broadly discount a great deal of risk. Optimization implies that there is some thought to the process. You don't completely ignore any threat or vulnerability, but make a conscious decision that the likelihood of a loss combined with the value of the loss cannot be cost-effectively mitigated. So while it would generally be feasible to install a home alarm system for $300, and pay $25 per month for monitoring as a security countermeasure to protect $50,000 from theft, along with your personal well-being, it would generally not be cost-effective to install armor around the home to protect against the extremely unlikely case of a criminal using a chainsaw to get in your house.

I like to use the following chart to represent risk, and to also clearly demonstrate why only a fool would try to minimize risk. The curve that begins in the upper left corner represents Vulnerabilities and the cost associated with them. The line that begins on the bottom left represents the cost of Countermeasures.



As you begin to implement Countermeasures, their cost goes up; however, Vulnerabilities and potential loss decrease. Assuming you implement Countermeasures that actually address Vulnerabilities, there can actually be a drastic decrease of potential loss. It is similar to the 80/20 Rule, where you solve 80% of the problems with 20% of the effort. I contend that in the security field, you can solve 95% of the problems with 5% of the effort.

Since there will always be potential loss, the Vulnerability line never reaches 0 and is asymptotic. The potential cost of Countermeasures, however, can keep increasing forever. So at some point, the cost of Countermeasures is more than the potential loss of the Vulnerabilities. It is illogical to ever spend more to prevent loss than the actual loss itself, so you never want to reach that point.

You also don't want to come close to that point either. The reason is that the potential loss is only potential loss. While it is theoretically possible to experience a complete loss, it is extremely unlikely. You need to base the cost of countermeasures on the likelihood of the loss combined with the cost of the loss.

This is the concept of Risk Optimization, and the chart below overlays a sample Risk Optimization line on the initial graph. This is the point that you have determined is the amount of loss you are willing to accept and the cost of the Countermeasures that will get you to that point.

While I wish it was feasible to say that an entire security program should be based on this methodology, the reality is that most organizations are extremely far from implementing this on a macro level. Instead, I recommend that people approach Risk Optimization on a micro level.


Vulnerability Management as a Critical Component of Risk Optimization

When considering Risk Optimization, you must consider the losses that come from technical vulnerabilities, or the known vulnerabilities that exist in software. Again, these software bugs can be triggered maliciously by criminals, or be malignant and just happen at random times.

While it is true that there are some Zero Day Vulnerabilities, where the underlying bugs are not currently known and therefore the attacks are theoretically unstoppable, that accounts for less than 1% of all computer attacks.

The bulk of computer attacks can be easily prevented with the proper implementation of vulnerability management tools such as QualysGuard. Most importantly, these vulnerability management solutions can be extremely cost-effective and a critical component of Risk Optimization.

For example, a vulnerability management deployment may cost $10K per year. At the same time, you've determined that a single loss from known vulnerabilities can easily result in a loss of millions of dollars. The likelihood of a known vulnerability being exploited is almost 100% given the persistent threat on the Internet. The potential loss would otherwise only be limited by the value of the organization as a whole.

Vulnerability Management is one of the most cost-effective tools out there and should be part of any Risk Management solution as it can help identify and prevent 95% of the issues with 5% (or less) of the effort.
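The risk-optimization decision rule the paper applies to both the home example (the $300 alarm with $25 per month monitoring protecting $50,000, versus armor plating against the chainsaw burglar) and the vulnerability management example ($10K per year against a loss of millions that is almost certain), carried through in code. This is an added illustration, not code from the paper or from Qualys: a countermeasure is accepted only when the expected loss it removes (value at stake, weighted by likelihood, times the share of that likelihood it eliminates) exceeds its yearly cost, and what remains is the residual risk you consciously accept. The dollar figures are the paper's; the likelihoods, reduction fractions, service lives, and the $2 million stand-in for "millions of dollars" are constructed assumptions.

```python
"""Risk optimization: weigh each countermeasure's yearly cost against the expected
loss it removes, accept only those that pay for themselves, and report the residual
risk that is consciously accepted. Added illustration, not the paper's code; dollar
amounts follow the paper, all likelihoods, reductions and service lives are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Exposure:
    """A vulnerability (loss scenario): what it can cost and how likely it is per year."""
    name: str
    value: float        # the most you can lose, in dollars (the paper's "Value")
    likelihood: float   # probability of the loss occurring in one year, 0..1

    def expected_annual_loss(self) -> float:
        # Potential loss is only potential: weight it by likelihood.
        return self.value * self.likelihood


@dataclass(frozen=True)
class Countermeasure:
    name: str
    exposure: str       # name of the Exposure it mitigates
    annual_cost: float  # yearly cost, with any one-time purchase spread over its life
    reduction: float    # fraction of the likelihood removed, 0..1 (never 1.0: risk never reaches zero)


def annualize(one_time: float, monthly: float, service_years: float) -> float:
    """Spread a one-time purchase over its service life and add the recurring cost."""
    return one_time / service_years + monthly * 12


def optimize(exposures: List[Exposure],
             countermeasures: List[Countermeasure]) -> Tuple[Dict[str, float], Dict[str, float]]:
    """Return (accepted, rejected): countermeasure name -> net annual benefit.
    Accept only when the expected loss prevented exceeds the cost; spending more
    to prevent a loss than the loss is worth is the point you never want to reach."""
    by_name = {e.name: e for e in exposures}
    accepted: Dict[str, float] = {}
    rejected: Dict[str, float] = {}
    for cm in countermeasures:
        exp = by_name[cm.exposure]
        net = exp.expected_annual_loss() * cm.reduction - cm.annual_cost
        (accepted if net > 0 else rejected)[cm.name] = net
    return accepted, rejected


def residual_risk(exposures: List[Exposure], countermeasures: List[Countermeasure],
                  accepted: Dict[str, float]) -> float:
    """Expected annual loss remaining after the accepted countermeasures: the loss
    you consciously accept. It approaches zero asymptotically but never reaches it."""
    remaining = {e.name: e.likelihood for e in exposures}
    for cm in countermeasures:
        if cm.name in accepted:
            remaining[cm.exposure] *= (1.0 - cm.reduction)
    return sum(e.value * remaining[e.name] for e in exposures)


def paper_scenario() -> Tuple[Dict[str, float], Dict[str, float], float]:
    """The home example and the vulnerability management example from the paper."""
    exposures = [
        # $50,000 of household goods; a 2% yearly burglary likelihood is an assumption
        Exposure("home_theft", value=50_000, likelihood=0.02),
        # the chainsaw-through-the-wall burglary: same goods, vanishingly unlikely (assumed)
        Exposure("home_chainsaw_entry", value=50_000, likelihood=0.0001),
        # known-vulnerability exploitation: "millions of dollars" and "almost 100%" in
        # the paper; $2M and 95% are constructed stand-ins for those phrases
        Exposure("known_vuln_exploit", value=2_000_000, likelihood=0.95),
    ]
    countermeasures = [
        # $300 alarm plus $25/month monitoring; 5-year life and 60% reduction are assumed
        Countermeasure("home_alarm", "home_theft", annualize(300, 25, 5), reduction=0.60),
        # armor plating the house: $20,000 over 20 years and 90% reduction, both assumed
        Countermeasure("armor_plating", "home_chainsaw_entry", annualize(20_000, 0, 20), reduction=0.90),
        # vulnerability management at $10K/year, preventing 95% of the issues (paper's figures)
        Countermeasure("vuln_management", "known_vuln_exploit", 10_000, reduction=0.95),
    ]
    accepted, rejected = optimize(exposures, countermeasures)
    return accepted, rejected, residual_risk(exposures, countermeasures, accepted)


if __name__ == "__main__":
    acc, rej, residual = paper_scenario()
    for name, net in acc.items():
        print(f"ACCEPT {name:16s} net benefit ${net:>14,.2f}/yr")
    for name, net in rej.items():
        print(f"REJECT {name:16s} net benefit ${net:>14,.2f}/yr")
    print(f"residual expected loss, consciously accepted: ${residual:,.2f}/yr")
```

With these inputs the alarm and the vulnerability management deployment are accepted and the armor plating is rejected, which is the paper's conclusion; the residual figure is what the "conscious decision" to accept risk actually amounts to in dollars, and changing an assumed likelihood shows how sensitive each decision is to it.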

Consciously Accept Risk

All Risk Management decisions should be based not on an arbitrary budget assignment, but on the realization that the money invested on a Countermeasure is justified by a reasonable reduction in Risk.

The bottom line: Vulnerability Management is one of the few Countermeasures that is easily justified by its ability to optimize Risk.


About the Author

Ira Winkler, CISSP, is President of the Internet Security Advisors Group and on the Board of Directors of the ISSA. He is also a columnist for ComputerWorld.com and considered one of the world's most influential security professionals. He was named a "Modern Day James Bond" by the media for his espionage simulations, where he physically and technically "broke into" some of the world's largest companies, investigated crimes against them, and told them how to cost-effectively protect their information and computer infrastructure. Ira Winkler continues to perform these espionage simulations, as well as assisting organizations in developing cost-effective security programs. Ira Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards.

Ira Winkler is also author of the riveting, entertaining, and educational books, Spies Among Us and Zen and the Art of Information Security. He was also a columnist for ComputerWorld.com. Ira Winkler has recently been elected Vice President of the Information Systems Security Association.

Ira Winkler began his career at the National Security Agency, where he served as an Intelligence and Computer Systems Analyst. He moved on to support other US and overseas government military and intelligence agencies. After leaving government service, Ira Winkler went on to serve as President of the Internet Security Advisors Group, Chief Security Strategist at HP Consulting, and Director of Technology of the National Computer Security Association. He was also on the Graduate and Undergraduate faculties of the Johns Hopkins University and the University of Maryland.

Ira Winkler has also written the book Corporate Espionage, which has been described as the bible of the Information Security field, and the bestselling Through the Eyes of the Enemy. Both books address the threats that companies face protecting their information. Ira Winkler has also written hundreds of professional and trade articles. He has been featured and frequently appears on TV on every continent. Ira Winkler has also been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.

To learn more about Qualys OnDemand Vulnerability Management and IT Policy Compliance solutions, visit: www.qualys.com