Managing Risk & Keeping Your Network Secure

The goal of a security program is to choose and implement cost effective countermeasures that mitigate the vulnerabilities that will most likely lead to loss. This paper discusses the management of Risk and how Vulnerability Management is one of the few countermeasures easily justified by its ability to optimize risk.

By IRA WINKLER

© 2010 Qualys, Inc. All rights reserved.
Ira Winkler 2/1/2010
Justifying IT Security
Page 1 of 9
Justifying IT Security
Managing Risk & Keeping Your Network Secure
by Ira Winkler, Author, Spies Among Us

Executive Summary
One of the most difficult issues security managers have is justifying how they spend their limited budgets. For the most part, information security budgets are determined by percentages of the overall IT budget. This implies that security is basically a tax on IT, as opposed to providing value back to the organization. The fact is that security can provide value to the organization, if there is a discussion of risk with regard to IT, as much as there is a discussion of risk with regard to all other business processes.

Calculating a return on investment for a security countermeasure is extremely difficult as you rarely have the ability to calculate the savings from the losses you prevented. It is akin to being able to pinpoint automobile accidents you avoided by driving safely versus recklessly. There is no way to accurately determine that information.

However, if you start to consider that Security is actually Risk Management, you can start determining the best countermeasures to proactively and cost effectively mitigate your losses. By determining the vulnerabilities that are most likely to create loss, you can then compare the potential losses against the cost of the countermeasure. This allows you to make an appropriate business decision as to justifying and allocating a security budget.

More importantly, if you can make such a business decision, you can justify increasing security budgets for additional countermeasures. The key is to be able to specifically identify an area of potential loss, and identify a security countermeasure that cost effectively mitigates that loss.
What is Security?

By definition, security is the freedom from risk or danger. Security is unattainable. You can never be completely secure. Your information and computer systems will never be totally free of risk or danger. Anyone who tells you that they can provide you with perfect security is a fool or a liar.

Corporate security programs are bound to fail, unless they clearly define their mission to their organization. Security is not about achieving freedom from risk, but about the management of risk.

It is therefore important to define what Risk is.

RISK

Risk is the potential for loss. In other words, what do you have to lose?

While there is the dictionary definition, we need a practical definition of risk. I prefer to use the following formula to express risk.

Risk itself is basically the potential loss resulting from the balance of Threat, Vulnerabilities, Countermeasures, and Value.

Usually Risk is a monetary loss. Sometimes risk can be measured in lives. Sadly, many businesses put a value to human life to turn it into a monetary loss. From a computer perspective, Risk is possibly the likelihood of being hacked. More importantly though, Risk is the losses experienced as a result of a hack.

To quickly break down the components of Risk:
Threats are the people or entities who can do you harm.
Vulnerabilities are the weaknesses that allow the Threat to exploit you.
Countermeasures are the precautions you take.
Value is what you have to lose.
RISK COMPONENTS

Fundamentally, Value represents the most you can lose. It is important to understand Value so that you can determine the potential return on investment of any proposed security countermeasure. There are several different types of value to consider, including: Monetary, Nuisance, Competitor, and Reputational Value.

The Threat is essentially the Who or What that can do you harm if given the opportunity. They cannot do you harm on their own. They require that you leave yourself vulnerable. Also, while people generally assume that Threats are malicious in nature, most threats that you face do not intend to cause you any harm.

Vulnerabilities are basically the weaknesses that allow the Threat to exploit you. Again, threats are entities. By themselves, they can cause you no harm. There are four categories of Vulnerabilities: Technical, Physical, Operational, and Personnel. Technical vulnerabilities are problems specifically built into technology. All software has bugs of one form or another. A bug that creates information leakage or elevated privileges is a security vulnerability. Any technology implemented improperly can create a vulnerability that can be exploited.

Countermeasures are the precautions that an organization takes to reduce risk. Countermeasures can mitigate a Threat or Vulnerability; but almost always a Vulnerability.

It is assumed that the reader of this white paper is reasonably familiar with the components of Risk. For a more detailed discussion of this subject, please refer to my book, Spies Among Us.
You Really Can't Counter Threat

When you look at the Risk formula, it would appear that Countermeasures can address both Threats and Vulnerabilities. In theory, that is correct. In the real world, it is really difficult to counter Threat. The good news is that it doesn't really matter.

First, let's examine why you cannot counter Threat. Fundamentally, you cannot stop a hurricane, earthquake, flood, or other "What" threats. They will occur no matter what you do.

At the same time, you cannot really counter a "Who" threat. Maybe a background check can weed out known criminals, however this doesn't stop unknown criminals. While there is a "War on Terror", there are still more than enough (known and unknown) terrorists to create a terror threat. Maybe in theory, a government can attempt to hunt down a specific group of people to extinction, but a non-government organization clearly cannot. It is also unlikely that the government will succeed.

However, the good news is that you don't have to address the Threat. If you counter a Vulnerability, you are essentially countering any Threat that may exploit it. For example, by using Vulnerability Management tools, you are mitigating the opportunity for any Threat to attempt to compromise widely known vulnerabilities.

While you cannot stop a script kiddie from existing, you can counter the underlying computer vulnerabilities that allow the hacker to exploit you. Not only do you stop the script kiddie from exploiting you, you stop competitors, cybercriminals, malicious employees, and all other threats from exploiting known computer vulnerabilities.
The 2 Ways to Hack a Computer

From a server/computer perspective, there are two fundamental ways to hack a computer. You either (1) take advantage of the way users or administrators configure and use a system or (2) compromise the underlying software.

With regard to configuration and use, the systems can be set up with poor passwords, be configured to improperly share systems, or be otherwise set up in a way that takes an otherwise secure system and renders it insecure. The underlying hardware and software can be completely without flaw, but users can find an unlimited number of ways to render all other security efforts moot.

Then we have the software vulnerabilities. All software has bugs. Some of them are functional, while some create elevated privileges, cause information leakage, and/or cause a denial of service. The latter bugs are what we refer to as security vulnerabilities. These vulnerabilities are written into the software as a coding error. While the vendors hopefully don't intend to release software with security vulnerabilities, after the software is released for widespread use, they are eventually found.

When vendors learn of vulnerabilities, they can release patches. Unfortunately, users and administrators frequently do not implement the patches, leaving the systems vulnerable to anyone who can access the system with the appropriate attack. For example, the Conficker worm has infected close to 7,000,000 computers around the world, yet the patch to prevent infection has been widely available for close to a year.

Bottom Line: Vulnerability management tools can ensure that systems are properly patched against widely known attacks.
What is a Security Program?

Now that Risk is fundamentally defined, we can address what security programs are supposed to do in theory. First, it is important to remember that you cannot stop all loss, if you function in the real world. No matter what you do, you must acknowledge that you will experience some type of loss. Actually, you will experience many losses.

In business terms, I would contend that the goal of a security program is to identify the Vulnerabilities that can be exploited by any of the Threats that you face. Once you identify those Vulnerabilities, you then associate the Value of the loss that is likely to result from the given Vulnerabilities.

The intermediate step of a security program is to choose and implement cost effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss.

The previous paragraph is possibly the most important paragraph in this paper. Sadly, I find that many professionals do not grasp this concept and fail to understand their role in quantifiable business terms.

"The goal of a security program is to choose and implement cost effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss."
Optimizing Risk

It is extremely important to point out that you are not trying to remove all risk. Again, you can never be completely secure, and it is foolish to try. This is why your goal is to optimize, not minimize, risk.

Let's first discuss the concept of optimization versus minimization of risk. Minimization of risk implies that you want to remove as much risk, aka loss, as possible. Using a typical home as an example, first examine what there is to lose. Assuming you have the typical household goods, various insurance companies might say that a house has from $20,000-$50,000 worth of value, and the house has a value of $200,000. There is also the intangible value of the safety of your family and general well being.

Then consider the potential things that could happen to compromise the home. Obviously, you have physical thefts. There is also the potential for a fire. There have actually been cases of a car crashing into a home. You can also not ignore that objects, including airplanes, have fallen onto homes, destroying them and all of their occupants. You have tornados, earthquakes, floods, etc. If you want to minimize risk, you must account for all possible losses, including some of the most bizarre ones.
Maybe if you are not in an earthquake prone area, you might think about ignoring that. However, even if you want to just limit your countermeasures to account for theft, while you might think of improving locks on all doors, you then have to think of the windows. Are you going to make all glass shatterproof? Then consider that most homes are made of wood. There is technically nothing to stop a motivated thief from taking a chainsaw to the side of your house. Do you then armor plate the entire house?

Minimizing your risk would lead to spending money on a lot of countermeasures that are not reasonable. Maybe if you're an unpopular, high profile dictator, you would consider all of these issues, but not the typical homeowner.

You cannot just broadly discount a great deal of risk. Optimization implies that there is some thought to the process. You don't completely ignore any threat or vulnerability, but make a conscious decision that the likelihood of a loss combined with the value of the loss cannot be cost effectively mitigated. So while it would generally be feasible to install a home alarm system for $300, and pay $25 per month for monitoring as a security countermeasure to protect $50,000 from theft, along with your personal well being, it would generally not be cost effective to install armor around the home to protect against the extremely unlikely case of a criminal using a chainsaw to get in your house.

I like to use the following chart to represent risk, and to also clearly demonstrate why only a fool would try to minimize risk. The curve that begins in the upper left corner represents Vulnerabilities and the cost associated with them. The line that begins on the bottom left represents the cost of Countermeasures.

"In the security field, you can solve 95% of the problems with 5% of the effort."
As you begin to implement Countermeasures, their cost goes up, however Vulnerabilities and potential loss decrease. Assuming you implement Countermeasures that actually address Vulnerabilities, there can actually be a drastic decrease of potential loss. It is similar to the 80/20 Rule, where you solve 80% of the problems with 20% of the effort. I contend that in the security field, you can solve 95% of the problems with 5% of the effort.

Since there will always be potential loss, the Vulnerability line never reaches 0 and is asymptotic. The potential cost of Countermeasures however can keep increasing forever. So at some point, the cost of Countermeasures is more than the potential loss of the Vulnerabilities. It is illogical to ever spend more to prevent loss than the actual loss itself, so you never want to reach that point.

You also don't want to come close to that point either. The reason is that the potential loss is only potential loss. While it is theoretically possible to experience a complete loss, it is extremely unlikely. You need to base the cost of countermeasures on the likelihood of the loss combined with the cost of the loss.

This is the concept of Risk Optimization and the chart below overlays a sample Risk Optimization line on the initial graph. This is the point that you have determined is the amount of loss you are willing to accept and the cost of the Countermeasures that will get you to that point.
Vulnerability Management as a Critical Component of Risk Optimization

When considering Risk Optimization, you must consider the losses that come from technical vulnerabilities, or the known vulnerabilities that exist in software. Again, these software bugs can be triggered maliciously by criminals, or be malignant and just happen at random times.

While it is true that there are some Zero Day Vulnerabilities, where the underlying bugs are not currently known and therefore the attacks are theoretically unstoppable, that accounts for less than 1% of all computer attacks.

The bulk of computer attacks can be easily prevented with the proper implementation of vulnerability management tools such as QualysGuard. Most importantly, these vulnerability management solutions can be extremely cost effective and a critical component of Risk Optimization.

For example, a vulnerability management deployment may cost $10K per year. At the same time, you've determined that a single loss from known vulnerabilities can easily result in a loss of millions of dollars. The likelihood of a known vulnerability being exploited is almost 100% given the persistent threat on the Internet. The potential loss would otherwise only be limited by the value of the organization as a whole.

Vulnerability Management is one of the most cost effective tools out there and should be part of any Risk Management solution as it can help identify and prevent 95% of the issues with 5% (or less) of the effort.
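A way to put the paper's rule, "base the cost of countermeasures on the likelihood of the loss combined with the cost of the loss", into numbers for both the home alarm versus armor plating comparison above and the $10K per year vulnerability management case. This is an added illustration, not the paper's or Qualys' own method; the annual probabilities, the $2M organizational loss and the armor plating cost are assumed values, and the $300 alarm install is treated as a first-year cost.

```python
"""Risk optimization worked example (added illustration, not from the paper).

Expected annual loss = likelihood of the loss in a year * Value at stake.
A countermeasure is justified only while the expected loss it removes exceeds
its annual cost; justified ones are ranked by loss removed per dollar.
"""
from dataclasses import dataclass


@dataclass
class Countermeasure:
    name: str
    annual_cost: float        # what the countermeasure costs per year
    value_at_stake: float     # Value: the most you can lose in this scenario
    likelihood_before: float  # assumed annual probability of the loss without it
    likelihood_after: float   # assumed annual probability of the loss with it

    def expected_loss_reduction(self) -> float:
        """Expected annual loss removed by this countermeasure."""
        return (self.likelihood_before - self.likelihood_after) * self.value_at_stake

    def justified(self) -> bool:
        # "It is illogical to ever spend more to prevent loss than the actual loss itself."
        return self.expected_loss_reduction() > self.annual_cost


def optimize(candidates):
    """Return the justified countermeasures, best loss reduction per dollar first."""
    worth_it = [c for c in candidates if c.justified()]
    return sorted(worth_it,
                  key=lambda c: c.expected_loss_reduction() / c.annual_cost,
                  reverse=True)


# Scenarios from the paper; probabilities, armor cost and the $2M loss are constructed.
HOME_ALARM = Countermeasure("home alarm + monitoring", 300 + 25 * 12, 50_000, 0.05, 0.01)
ARMOR_PLATING = Countermeasure("armor plate the house", 100_000, 250_000, 0.0001, 0.0)
VULN_MGMT = Countermeasure("vulnerability management", 10_000, 2_000_000, 0.95, 0.05)
CANDIDATES = [HOME_ALARM, ARMOR_PLATING, VULN_MGMT]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:26} cost ${c.annual_cost:>9,.0f}  "
              f"removes ${c.expected_loss_reduction():>12,.0f}  justified={c.justified()}")
    print("buy, in order:", [c.name for c in optimize(CANDIDATES)])
```

The alarm removes about $2,000 of expected loss for $600 and is justified; armor plating removes about $25 for $100,000 and is not; vulnerability management removes about $1.8M for $10,000, the best return per dollar of the three.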
Consciously Accept Risk

All Risk Management decisions should be based not on an arbitrary budget assignment, but on the realization that the money invested on a Countermeasure is justified by a reasonable reduction in Risk.

The bottom line: Vulnerability Management is one of the few Countermeasures that is easily justified by its ability to optimize Risk.
About the Author

Ira Winkler, CISSP is President of the Internet Security Advisors Group and on the Board of Directors of the ISSA. He is also a columnist for ComputerWorld.com and considered one of the world's most influential security professionals. He was named a "Modern Day James Bond" by the media for his espionage simulations, where he physically and technically "broke into" some of the world's largest companies, investigated crimes against them, and told them how to cost effectively protect their information and computer infrastructure. Ira Winkler continues to perform these espionage simulations, as well as assisting organizations in developing cost effective security programs. Ira Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards.

Ira Winkler is also author of the riveting, entertaining, and educational books, Spies Among Us and Zen and the Art of Information Security. He was also a columnist for ComputerWorld.com. Ira Winkler has recently been elected Vice President of the Information Systems Security Association.

Ira Winkler began his career at the National Security Agency, where he served as an Intelligence and Computer Systems Analyst. He moved on to support other US and overseas government military and intelligence agencies. After leaving government service, Ira Winkler went on to serve as President of the Internet Security Advisors Group, Chief Security Strategist at HP Consulting, and Director of Technology of the National Computer Security Association. He was also on the Graduate and Undergraduate faculties of the Johns Hopkins University and the University of Maryland.

Ira Winkler has also written the book Corporate Espionage, which has been described as the bible of the Information Security field, and the best selling Through the Eyes of the Enemy. Both books address the threats that companies face protecting their information. Ira Winkler has also written hundreds of professional and trade articles. He has been featured and frequently appears on TV on every continent. Ira Winkler has also been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.

To learn more about Qualys On Demand Vulnerability Management and IT Policy Compliance solutions, visit: www.qualys.com