Spending smart: Enforce Security and Achieve ROI
G. Mark Hardy, CISSP, CISM
President, National Security Corporation
gmhardy@nationalsecurity.com
+1 410.933.9333
Discussion
• The 80:20 rule: address 80% of vulnerabilities for 20% of the cost
• Keep us sleeping soundly at night, or just our CFOs?
• Industry-standard End User License Agreement (EULA): absolves vendors of any obligation to produce secure applications
• Time-to-market is paramount; secure commercial code may be a long way off despite vendor promises
• Similar to the engineers on Apollo 13: have to make do?
Agenda
How to decide how much security you need
What are the most cost-effective techniques available to enforce security?
When is the best time to validate security?
What does cumulative security really look like?
How trustworthy is Microsoft's Trustworthy Computing Initiative?
How to decide how much security you need
(Or… pay me now, or pay me later)
How much is enough security?
Perfect security is a myth
Effective security is achievable
First: need to know the value of what you’re protecting
• To yourself
• To an opponent
What is perfect security?
A computer with no floppy drive, no serial, parallel, or USB ports, unplugged, and buried under six feet of reinforced concrete.
This is a good start.
Unfortunately, this doesn’t scale well to an enterprise model.
What is effective security?
Time-based security model: P > E = D + R (protection must outlast exposure)
• P = protection
• E = exposure
• D = detection
• R = response
• Ref: Time-based Security, Winn Schwartau
Time-based security example
Jewelry store
• Safe takes 30 minutes to crack or burn through (P)
• Alarm detects intrusion attempts in 0.02 seconds (D)
• Police take 20 minutes to respond (R)
• Since P > D + R, security deemed effective
• To defeat, must lower P or increase D or R
Time-based security example
Network intrusion
• Intruder takes 30 minutes to run attack suite
• Downloaded password file takes 6 hours to brute-force for most likely passwords (P)
• Network administrator reviews logs every morning at 8:00 (D)
• Administrator takes 30 minutes to find log entries (R)
• Since P < D + R, security deemed ineffective
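The jewelry-store and network-intrusion slides apply Schwartau's test by hand. The Python below is an added example, not part of the presentation: it puts both scenarios through the same P > D + R check and adds two things the slides leave implicit. First, when the only detection is a morning log review, D depends on when the attack starts (the 18:00 start time is an assumed value, not on the slide). Second, the max_detection_s and with_detection helpers show the defender's side of the model: how fast detection would have to be before the network case becomes effective. Everything other than the slide figures is constructed.

```python
from dataclasses import dataclass, replace

SECOND = 1.0
MINUTE = 60.0
HOUR = 3600.0


@dataclass(frozen=True)
class Scenario:
    """One time-based security scenario: protection P must exceed exposure E = D + R."""
    name: str
    protection_s: float  # P: how long the protective measure holds the attacker off
    detection_s: float   # D: how long until the intrusion is noticed
    response_s: float    # R: how long from noticing it to an effective response

    @property
    def exposure_s(self) -> float:
        """E = D + R: the window during which the attacker works unopposed."""
        return self.detection_s + self.response_s

    def margin_s(self) -> float:
        """P - E. Positive: the defender wins with time to spare.
        Negative: the length of the unprotected window."""
        return self.protection_s - self.exposure_s

    def is_effective(self) -> bool:
        """The slides' criterion: security is effective exactly when P > D + R."""
        return self.margin_s() > 0

    def max_detection_s(self) -> float:
        """Largest detection time that still leaves this scenario effective with P and R
        unchanged (D must stay below P - R). Negative means response alone already
        uses up the whole protection window."""
        return self.protection_s - self.response_s


def hours_until_review(attack_start_hour: float, review_hour: float = 8.0) -> float:
    """Detection delay when the only detection is a daily log review at review_hour
    (24-hour clock). An attack starting exactly at review time waits a full day."""
    delay = (review_hour - attack_start_hour) % 24.0
    return 24.0 if delay == 0 else delay


def jewelry_store() -> Scenario:
    """Slide figures: 30-minute safe (P), 0.02-second alarm (D), 20-minute police response (R)."""
    return Scenario("jewelry store", 30 * MINUTE, 0.02 * SECOND, 20 * MINUTE)


def network_intrusion(attack_start_hour: float = 18.0) -> Scenario:
    """Slide figures: 6-hour brute force (P), 08:00 log review (D), 30 minutes to find the
    entries (R). The 18:00 start time is a constructed assumption, not on the slide."""
    return Scenario(
        "network intrusion",
        protection_s=6 * HOUR,
        detection_s=hours_until_review(attack_start_hour) * HOUR,
        response_s=30 * MINUTE,
    )


def with_detection(scenario: Scenario, detection_s: float) -> Scenario:
    """Defender's lever: re-evaluate the same scenario with faster detection
    (for instance an alert on the password-file download instead of a morning review)."""
    return replace(scenario, detection_s=detection_s)


def report(scenario: Scenario) -> str:
    verdict = "effective" if scenario.is_effective() else "INEFFECTIVE"
    return (f"{scenario.name}: P={scenario.protection_s / HOUR:.2f}h "
            f"E=D+R={scenario.exposure_s / HOUR:.2f}h "
            f"margin={scenario.margin_s() / HOUR:+.2f}h -> {verdict}")


if __name__ == "__main__":
    for s in (jewelry_store(),
              network_intrusion(),
              with_detection(network_intrusion(), 5 * MINUTE)):
        print(report(s))
    print(f"network case needs D < {network_intrusion().max_detection_s() / HOUR:.1f}h")
```

With the assumed 18:00 start, the network case has E = 14.5 hours against P = 6 hours; the same scenario with a five-minute alert on the download becomes effective, and max_detection_s shows that any detection slower than 5.5 hours fails regardless of when the attack starts.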
Make the cost of achieving compromise unacceptable
“Unacceptable” criteria:
• Cost of compromise exceeds monetary value of information
• Time to compromise exceeds time value of information
Unfortunately, this metric doesn’t work with hackers and terrorists.
Key is to know what information is worth, and in what order to protect it
This is basically risk assessment
• FIPS PUB 65 Annualized Loss Expectancy (ALE): quantitative assessment
• Kepner-Tregoe: qualitative assessment
Is risk assessment institutionalized within your organization’s development, deployment and operational strategies?
Does your organization conduct formal risk assessment before implementing a new application, system or program?
1. Yes, it is an integral part of our planning
2. Yes, but only when required by law
3. Rarely
4. Never
(Results shown on slide: 30%, 30%, 20%, 20% for options 1-4)
Risk assessment models are changing
Pre-9/11 model: protect against the most likely threats
Post-9/11 model: protect (also) against the most catastrophic results
Requires a change in mindset
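The two preceding slides name ALE as the quantitative way to decide "in what order to protect" information, and then note that the ordering changes once catastrophic outcomes count as well as likely ones. The Python below is an added example, not from the presentation. It uses the FIPS PUB 65 definitions (SLE = asset value × exposure factor, ALE = SLE × ARO), ranks a constructed portfolio both ways, and prices one control against the ALE it removes. The ROSI formula, (ALE reduction − cost) / cost, is the commonly used form and is an assumption here, since the deck only names the term; the portfolio figures, asset names and the LAPTOP_ENCRYPTION control are constructed.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair in FIPS PUB 65 terms."""
    asset: str
    asset_value: float      # value of the asset to you (currency units)
    exposure_factor: float  # fraction of that value lost in a single incident, 0.0 to 1.0
    aro: float              # annualized rate of occurrence: expected incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO, the expected loss per year."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """The 'most likely threats' ordering: expected yearly loss, highest first."""
    return [r.asset for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def rank_by_sle(risks):
    """The 'most catastrophic results' ordering: worst single event first, however rare."""
    return [r.asset for r in sorted(risks, key=lambda r: r.sle, reverse=True)]


@dataclass(frozen=True)
class Control:
    """A mitigation with a yearly cost that changes EF and/or ARO for one risk."""
    name: str
    annual_cost: float
    new_exposure_factor: float
    new_aro: float


def apply_control(risk: Risk, control: Control) -> Risk:
    return replace(risk, exposure_factor=control.new_exposure_factor, aro=control.new_aro)


def net_annual_benefit(risk: Risk, control: Control) -> float:
    """ALE avoided minus what the control costs per year. Positive means the control
    pays for itself in expected losses alone."""
    return risk.ale - apply_control(risk, control).ale - control.annual_cost


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment, commonly used form (assumption, not from the slides):
    (ALE reduction - cost) / cost."""
    return net_annual_benefit(risk, control) / control.annual_cost


# Constructed sample portfolio; the figures are illustrative only.
PORTFOLIO = [
    Risk("customer database breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.5),
    Risk("web site defacement (brand)", asset_value=800_000, exposure_factor=0.10, aro=2.0),
    Risk("unencrypted laptop lost", asset_value=5_000, exposure_factor=1.0, aro=12.0),
    Risk("data center fire", asset_value=10_000_000, exposure_factor=0.9, aro=0.02),
]

# Constructed control: encrypting laptops leaves the loss rate alone but cuts what each loss costs.
LAPTOP_ENCRYPTION = Control("full-disk encryption for laptops", annual_cost=20_000,
                            new_exposure_factor=0.1, new_aro=12.0)

if __name__ == "__main__":
    for r in PORTFOLIO:
        print(f"{r.asset:30s} SLE={r.sle:>12,.0f}  ALE={r.ale:>10,.0f}")
    print("protect first by ALE:", rank_by_ale(PORTFOLIO))
    print("protect first by SLE:", rank_by_sle(PORTFOLIO))
    laptop = PORTFOLIO[2]
    print(f"{LAPTOP_ENCRYPTION.name}: net {net_annual_benefit(laptop, LAPTOP_ENCRYPTION):,.0f}/yr, "
          f"ROSI {rosi(laptop, LAPTOP_ENCRYPTION):.2f}")
```

On this portfolio the fire risk sits second by ALE but first by SLE, which is the mindset change the slide describes: a rare event with a ruinous single loss moves to the top once worst cases are weighed, even though its expected yearly loss is unremarkable.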
What are the most cost-effective techniques available to enforce security?
(Or… how much can I get for free?)
What makes security cost-effective?
If it’s free
If someone else pays for it
Problem is determining value
• “We gave you $100K last year for security, and nothing happened. Why should we give you more this year?”
• Recognize value of security only when something bad happens = ROSI
Why is ROI such a problem?
ROI designed to demonstrate profitability of an investment
Security does not yield direct profitability.
Therefore, security is often viewed as an (undesirable and) unavoidable expense.
Security provides a unique value-add
Provides assurance of return on OTHER investments
Most ROI calculations assume a “perfect” environment (and are rarely challenged)
• What is your ROI with 98% uptime?
• What about 95%?
If you consider security events inevitable, the equation changes.
Cannot be merely satisfied producing a positive ROI
Must prove you won’t take unnecessary losses that impact the bottom line
ROSI (return on seatbelt investment): see benefit only when bad things happen
“Security reduces financial attrition inherent in modern business practice on the Internet”
Value of security
Can be prescribed by law, regulation or business agreement
Usually sets a minimum standard of compliance
Often value to organization is not apparent
Physical examples: airbags, building codes, passenger screening
What is the most valuable asset of your company?
1. People
2. Plant, property, equipment, technology
3. Information
4. Brand identity
5. Financial position
(Results shown on slide: 20% for each of options 1-5)
What is the value of your brand?
How much did it cost to establish?
Is it worth defending?
On the Internet, brand can be destroyed in an instant.
Security event analogous to an airline crash
Enlightened business practices
Run business with knowledge of identified risks.
Mitigate those that are cost-effective to do so.
Assign risks you can’t mitigate.
Not a question of avoiding lawsuits, but of being allowed to stay in business
Haven’t been major lawsuits (yet). Has been establishment of duties: due care, protect assets.
Avoiding liabilities less important than doing right thing
Who in your organization is responsible for info security?
1. CISO or equivalent (no physical)
2. CISO/physical security (combined)
3. VP of info security
4. Director of security
5. Below director, or no assignment
(Results shown on slide: 20% for each of options 1-5)
Allocating security costs throughout enterprise
Isolating security as a stand-alone cost center sets up a scapegoat (someone to blame)
Require security in each project or initiative to receive approval
For each new project, require a contribution to security (like a security “tax” or user fee)
Think of security like health insurance, not life insurance: incremental use, not binary
New security paradigm
Enhance viability of enterprise
Reduce total cost of ownership (TCO)
Provide insurance on ROI for projects
Enabler to do or get into new businesses
Competitive advantage
Retain customer base
Resistance to lawsuits; legal liability
When is the best time to validate security?
(Or… Can I please have a 100-hour day?)
Rural mechanic’s rates
$30 per hour
$40 per hour if you watch
$75 per hour if you help
Security is not an event; it’s a process.
To be effective, must be integrated throughout the lifecycle
Cannot be a part-time thing
• Screening passengers only in the afternoon is not effective security
Momentary lapse can permit catastrophic loss
Build Security into Lifecycle
Software development lifecycle
Procurement lifecycle
Systems lifecycle
Mergers and acquisitions
“Painted on” security will never be as effective as “baked in” security.
What is the size of your written information security policy?
1. No written policy (or don’t know)
2. 1-3 pages
3. 4-20 pages
4. 21-50 pages
5. Greater than 50 pages
(Results shown on slide: 20% for each of options 1-5)
How do I get there from here?
Foundational element: written information security policy
Must be short enough to capture management’s attention span
Must be general enough to stand the test of time (i.e., not technology specific)
Defines what needs to be protected
What does cumulative security really look like?
(Or… How do I build a digital Fort Knox?)
Blending Security Defenses
(Diagram: defensive layers drawn as nested rings)
Security Policy; Awareness and Training
Layers, outermost to innermost as labelled on the slide: External Communications, Perimeter, Network, Host, Application, Data
Layered security reverses the security challenge
Traditionally, the good guy has to defend all vulnerabilities; the bad guy has to find only one.
Ideally, the bad guy has to negotiate multiple layers of security, buying time for good guy to respond.
May be a combination of vendor, custom or service provider
How trustworthy is Microsoft's Trustworthy Computing Initiative?
(Or… Do you really believe that $#!^ ?)
Bottom line…
I don’t care.
How big is it?
Year  Product         Millions of lines of code
1993  Windows NT 3.1   6
1996  Windows NT 4.0  16.5
1999  Windows 2000    29
2001  Windows XP      45
2003  Windows 2003    50
Source: http://bink.nu/files/Windows%20internals%20expert%20speaks%20on%20source%20code%20leak%20(updated).doc
Leadership 101
Responsibility
Authority
Accountability
What does each term mean?
What can you delegate?
Security 101
You cannot delegate the accountability of securing your enterprise to any vendor, consultant, business partner or other entity.
You are responsible for effectively integrating all security elements and planning for inevitable security holes.
Summary
Aim for “effective” security.
Know what security costs and what you get in return.
Think “total cost of ownership,” not ROI.
“Bake in” your security.
Maintain an effective security policy.
Layer your defenses.