
Justifying IT Security

Managing Risk & Keeping Your Network Secure

The goal of a security program is to choose and implement cost effective countermeasures that mitigate the vulnerabilities that will most likely lead to loss. This paper discusses the management of Risk and how Vulnerability Management is one of the few countermeasures easily justified by its ability to optimize risk.

By Ira Winkler

2010 Qualys, Inc. All rights reserved.

Ira Winkler 2/1/2010


Justifying IT Security
Managing Risk & Keeping Your Network Secure
by Ira Winkler, Author, Spies Among Us

Executive Summary

One of the most difficult issues security managers have is justifying how they spend their limited budgets. For the most part, information security budgets are determined by percentages of the overall IT budget. This implies that security is basically a tax on IT, as opposed to providing value back to the organization. The fact is that security can provide value to the organization, if there is a discussion of risk with regard to IT, as much as there is a discussion of risk with regard to all other business processes.

Calculating a return on investment for a security countermeasure is extremely difficult as you rarely have the ability to calculate the savings from the losses you prevented. It is akin to being able to pinpoint automobile accidents you avoided by driving safely versus recklessly. There is no way to accurately determine that information.

However, if you start to consider that Security is actually Risk Management, you can start determining the best countermeasures to proactively and cost effectively mitigate your losses. By determining the vulnerabilities that are most likely to create loss, you can then compare the potential losses against the cost of the countermeasure. This allows you to make an appropriate business decision as to justifying and allocating a security budget.

More importantly, if you can make such a business decision, you can justify increasing security budgets for additional countermeasures. The key is to be able to specifically identify an area of potential loss, and identify a security countermeasure that cost effectively mitigates that loss.


What is Security?

By definition, security is the freedom from risk or danger. Security is unattainable. You can never be completely secure. Your information and computer systems will never be totally free of risk or danger. Anyone who tells you that they can provide you with perfect security is a fool or a liar.

Corporate security programs are bound to fail, unless they clearly define their mission to their organization. Security is not about achieving freedom from risk, but about the management of risk.

It is therefore important to define what Risk is.

RISK

Risk is the potential for loss. In other words, what do you have to lose?

While there is the dictionary definition, we need a practical definition of risk. I prefer to use the following formula to express risk.

Risk itself is basically the potential loss resulting from the balance of Threat, Vulnerabilities, Countermeasures, and Value.

Usually Risk is a monetary loss. Sometimes risk can be measured in lives. Sadly, many businesses put a value to human life to turn it into a monetary loss. From a computer perspective, Risk is possibly the likelihood of being hacked. More importantly though, Risk is the losses experienced as a result of a hack.

To quickly break down the components of Risk:
Threats are the people or entities who can do you harm.
Vulnerabilities are the weaknesses that allow the Threat to exploit you.
Countermeasures are the precautions you take.
Value is what you have to lose.


RISK COMPONENTS

Fundamentally, Value represents the most you can lose. It is important to understand Value so that you can determine the potential return on investment of any proposed security countermeasure. There are several different types of value to consider, including: Monetary, Nuisance, Competitor, and Reputational Value.

The Threat is essentially the Who or What that can do you harm if given the opportunity. They cannot do you harm on their own. They require that you leave yourself vulnerable. Also, while people generally assume that Threats are malicious in nature, most threats that you face do not intend to cause you any harm.

Vulnerabilities are basically the weaknesses that allow the Threat to exploit you. Again, threats are entities. By themselves, they can cause you no harm. There are four categories of Vulnerabilities: Technical, Physical, Operational, and Personnel. Technical vulnerabilities are problems specifically built into technology. All software has bugs of one form or another. A bug that creates information leakage or elevated privileges is a security vulnerability. Any technology implemented improperly can create a vulnerability that can be exploited.

Countermeasures are the precautions that an organization takes to reduce risk. Countermeasures can mitigate a Threat or Vulnerability; but almost always a Vulnerability.

It is assumed that the reader of this white paper is reasonably familiar with the components of Risk. For a more detailed discussion of this subject, please refer to my book, Spies Among Us.


You Really Can't Counter Threat

When you look at the Risk formula, it would appear that Countermeasures can address both Threats and Vulnerabilities. In theory, that is correct. In the real world, it is really difficult to counter Threat. The good news is that it doesn't really matter.

First, let's examine why you cannot counter Threat. Fundamentally, you cannot stop a hurricane, earthquake, flood, or other "What" threats. They will occur no matter what you do.

At the same time, you cannot really counter a "Who" threat. Maybe a background check can weed out known criminals, however this doesn't stop unknown criminals. While there is a "War on Terror", there are still more than enough (known and unknown) terrorists to create a terror threat. Maybe in theory, a government can attempt to hunt down a specific group of people to extinction, but a non-government organization clearly cannot. It is also unlikely that the government will succeed.

However, the good news is that you don't have to address the Threat. If you counter a Vulnerability, you are essentially countering any Threat that may exploit it. For example, by using Vulnerability Management tools, you are mitigating the opportunity for any Threat to attempt to compromise widely known vulnerabilities.

While you cannot stop a script kiddie from existing, you can counter the underlying computer vulnerabilities that allow the hacker to exploit you. Not only do you stop the script kiddie from exploiting you, you stop competitors, cybercriminals, malicious employees, and all other threats from exploiting known computer vulnerabilities.

The 2 Ways to Hack a Computer

From a server/computer perspective, there are two fundamental ways to hack a computer. You either (1) take advantage of the way users or administrators configure and use a system or (2) compromise the underlying software.

With regard to configuration and use, the systems can be set up with poor passwords, be configured to improperly share systems, or be otherwise set up in a way that takes an otherwise secure system and renders it insecure. The underlying hardware and software can be completely without flaw, but users can find an unlimited number of ways to render all other security efforts moot.

Then we have the software vulnerabilities. All software has bugs. Some of them are functional, while some create elevated privileges, cause information leakage, and/or cause a denial of service. The latter bugs are what we refer to as security vulnerabilities. These vulnerabilities are written into the software as a coding error. While the vendors hopefully don't intend to release software with security vulnerabilities, after the software is released for widespread use, they are eventually found.

When vendors learn of vulnerabilities, they can release patches. Unfortunately, users and administrators frequently do not implement the patches, leaving the systems vulnerable to anyone who can access the system with the appropriate attack. For example, the Conficker worm has infected close to 7,000,000 computers around the world, yet the patch to prevent infection has been widely available for close to a year.

Bottom Line: Vulnerability management tools can ensure that systems are properly patched against widely known attacks.
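The sidebar names two ways a system gets compromised: insecure configuration and use, and unpatched software. The script below is an added example, written for this page and not taken from the paper or from QualysGuard; it models the check a vulnerability management scan performs for both. The host inventory, the advisory table (with placeholder advisory ids) and the configuration rules are all constructed for the example. One detail worth noticing is that versions are compared numerically, because a string comparison would wrongly treat "1.9.3" as newer than "1.10.0" and report a vulnerable host as patched.

```python
# Added example (not the paper's, not QualysGuard's logic): a minimal model of the two checks
# a vulnerability management scan performs, (1) insecure configuration and (2) unpatched software.
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Host:
    name: str
    software: dict                                 # product -> installed version string
    config: dict = field(default_factory=dict)     # settings observed on the host


# Constructed advisory table: product -> (advisory id placeholder, first fixed version).
# Real scanners carry vendor advisory or CVE references here; these ids are placeholders.
FIXED_VERSIONS = {
    "exampled": ("ADVISORY-PLACEHOLDER-1", "2.4.10"),
    "widgetsvc": ("ADVISORY-PLACEHOLDER-2", "1.10.0"),
}

# Constructed configuration rules: setting -> (predicate that is True when insecure, finding text).
CONFIG_CHECKS = {
    "password_min_length": (lambda v: v < 8, "password policy allows short passwords"),
    "anonymous_share": (lambda v: v is True, "file share readable without authentication"),
}


def find_unpatched(host: Host) -> list:
    """Way (2): installed software older than the version that fixed a known vulnerability."""
    findings = []
    for product, installed in host.software.items():
        if product not in FIXED_VERSIONS:
            continue
        advisory, fixed = FIXED_VERSIONS[product]
        if parse_version(installed) < parse_version(fixed):
            findings.append(f"{product} {installed} is older than fixed version {fixed} ({advisory})")
    return findings


def find_misconfigurations(host: Host) -> list:
    """Way (1): a sound system rendered insecure by how it was set up."""
    findings = []
    for setting, (is_insecure, text) in CONFIG_CHECKS.items():
        if setting in host.config and is_insecure(host.config[setting]):
            findings.append(f"{setting}={host.config[setting]!r}: {text}")
    return findings


def scan(hosts) -> dict:
    """Return {host name: findings}, omitting hosts with nothing to report."""
    report = {}
    for h in hosts:
        findings = find_unpatched(h) + find_misconfigurations(h)
        if findings:
            report[h.name] = findings
    return report


# Constructed inventory: one unpatched host with a weak password policy, one clean host,
# and one host whose version would pass a naive string comparison.
INVENTORY = [
    Host("web-1", {"exampled": "2.4.9"}, {"password_min_length": 6}),
    Host("web-2", {"exampled": "2.4.10"}, {"password_min_length": 12}),
    Host("file-1", {"widgetsvc": "1.9.3"}, {"anonymous_share": True}),
]

if __name__ == "__main__":
    for name, findings in scan(INVENTORY).items():
        print(name)
        for f in findings:
            print("   ", f)
```

Running it lists web-1 and file-1 with two findings each and leaves web-2 out of the report; the same structure (an inventory, a fixed-version table, a rule set) is what lets a scan be repeated on a schedule rather than being a one-off audit.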


What is a Security Program?

"The goal of a security program is to choose and implement cost effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss."

Now that Risk is fundamentally defined, we can address what security programs are supposed to do in theory. First, it is important to remember that you cannot stop all loss, if you function in the real world. No matter what you do, you must acknowledge that you will experience some type of loss. Actually, you will experience many losses.

In business terms, I would contend that the goal of a security program is to identify the Vulnerabilities that can be exploited by any of the Threats that you face. Once you identify those Vulnerabilities, you then associate the Value of the loss that is likely to result from the given Vulnerabilities.

The intermediate step of a security program is to choose and implement cost effective Countermeasures that mitigate the Vulnerabilities that will most likely lead to loss.

The previous paragraph is possibly the most important paragraph in this paper. Sadly, I find that many professionals do not grasp this concept and fail to understand their role in quantifiable business terms.

Optimizing Risk

It is extremely important to point out that you are not trying to remove all risk. Again you can never be completely secure, and it is foolish to try. This is why your goal is to optimize, not minimize, risk.

Let's first discuss the concept of optimization versus minimization of risk. Minimization of risk implies that you want to remove as much risk, aka loss, as possible. Using a typical home as an example, first examine what there is to lose. Assuming you have the typical household goods, various insurance companies might say that a house has from $20,000-$50,000 worth of value, and the house has a value of $200,000. There is also the intangible value of the safety of your family and general well being.

Then consider the potential things that could happen to compromise the home. Obviously, you have physical thefts. There is also the potential for a fire. There have actually been cases of a car crashing into a home. You can also not ignore that objects, including airplanes, have fallen onto homes, destroying them and all of their occupants. You have tornados, earthquakes, floods, etc. If you want to minimize risk, you must account for all possible losses, including some of the most bizarre ones.

Maybe if you are not in an earthquake prone area, you might think about ignoring that. However even if you want to just limit your countermeasures to account for theft, while you might think of improving locks on all doors, you then have to think of the windows. Are you going to make all glass shatterproof? Then consider that most homes are made of wood. There is technically nothing to stop a motivated thief from taking a chainsaw to the side of your house. Do you then armor plate the entire house?

Minimizing your risk would lead to spending money on a lot of countermeasures that are not reasonable. Maybe if you're an unpopular, high profile dictator, you would consider all of these issues, but not the typical homeowner.

"In the security field, you can solve 95% of the problems with 5% of the effort."

You cannot just broadly discount a great deal of risk. Optimization implies that there is some thought to the process. You don't completely ignore any threat or vulnerability, but make a conscious decision that the likelihood of a loss combined with the value of the loss cannot be cost effectively mitigated. So while it would generally be feasible to install a home alarm system for $300, and pay $25 per month for monitoring as a security countermeasure to protect $50,000 from theft, along with your personal well being, it would generally not be cost effective to install armor around the home to protect against the extremely unlikely case of a criminal using a chainsaw to get in your house.

I like to use the following chart to represent risk, and to also clearly demonstrate why only a fool would try to minimize risk. The curve that begins in the upper left corner represents Vulnerabilities and the cost associated with them. The line that begins on the bottom left represents the cost of Countermeasures.


As you begin to implement Countermeasures, their cost goes up, however Vulnerabilities and potential loss decrease. Assuming you implement Countermeasures that actually address Vulnerabilities, there can actually be a drastic decrease of potential loss. It is similar to the 80/20 Rule, where you solve 80% of the problems with 20% of the effort. I contend that in the security field, you can solve 95% of the problems with 5% of the effort.

Since there will always be potential loss, the Vulnerability line never reaches 0 and is asymptotic. The potential cost of Countermeasures however can keep increasing forever. So at some point, the cost of Countermeasures is more than the potential loss of the Vulnerabilities. It is illogical to ever spend more to prevent loss than the actual loss itself, so you never want to reach that point.

You also don't want to come close to that point either. The reason is that the potential loss is only potential loss. While it is theoretically possible to experience a complete loss, it is extremely unlikely. You need to base the cost of countermeasures on the likelihood of the loss combined with the cost of the loss.

This is the concept of Risk Optimization and the chart below overlays a sample Risk Optimization line on the initial graph. This is the point that you have determined is the amount of loss you are willing to accept and the cost of the Countermeasures that will get you to that point.

While I wish it was feasible to say that an entire security program should be based on this methodology, the reality is that most organizations are extremely far from implementing this on a macro level. Instead, I recommend that people approach Risk Optimization on a micro level.



Vulnerability Management as a Critical Component of Risk Optimization

When considering Risk Optimization, you must consider the losses that come from technical vulnerabilities, or the known vulnerabilities that exist in software. Again, these software bugs can be triggered maliciously by criminals, or be malignant and just happen at random times.

While it is true that there are some Zero Day Vulnerabilities, where the underlying bugs are not currently known and therefore the attacks are theoretically unstoppable, that accounts for less than 1% of all computer attacks.

The bulk of computer attacks can be easily prevented with the proper implementation of vulnerability management tools such as QualysGuard. Most importantly, these vulnerability management solutions can be extremely cost effective and a critical component of Risk Optimization.

For example, a vulnerability management deployment may cost $10K per year. At the same time, you've determined that a single loss from known vulnerabilities can easily result in a loss of millions of dollars. The likelihood of a known vulnerability being exploited is almost 100% given the persistent threat on the Internet. The potential loss would otherwise only be limited by the value of the organization as a whole.

Vulnerability Management is one of the most cost effective tools out there and should be part of any Risk Management solution as it can help identify and prevent 95% of the issues with 5% (or less) of the effort.

Consciously Accept Risk

All Risk Management decisions should be based not on an arbitrary budget assignment, but on the realization that the money invested on a Countermeasure is justified by a reasonable reduction in Risk.

The bottom line: Vulnerability Management is one of the few Countermeasures that is easily justified by its ability to optimize Risk.
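The micro-level approach recommended earlier, and the rule just stated (fund a countermeasure only when the reduction in Risk justifies the money), can be applied one countermeasure at a time. The script below is an added example, not the paper's: it takes the three countermeasures the paper discusses (the $300 alarm with $25 monthly monitoring protecting $50,000, armor plating against the chainsaw burglar, and vulnerability management at $10K per year against a multi-million dollar loss that is almost certain without patching), annualizes each cost, compares it with the expected loss avoided, and records the ones whose risk is consciously accepted rather than silently ignored. The dollar figures marked "paper" are from the text; every likelihood, the armor cost and the $2M loss figure are constructed assumptions.

```python
# Added example, not from the paper: the micro-level decision the paper recommends, applied to
# each candidate countermeasure on its own. Values marked "paper" are from the text; every
# likelihood, the armor cost and the $2M loss figure are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Countermeasure:
    name: str
    annual_cost: float          # what the countermeasure costs per year
    value_at_stake: float       # the most you can lose if the vulnerability is exploited
    likelihood_before: float    # chance per year of that loss without the countermeasure
    likelihood_after: float     # chance per year with the countermeasure in place


def annual_risk(value: float, likelihood: float) -> float:
    """Risk as the paper frames it: the likelihood of the loss combined with its value."""
    return value * likelihood


def risk_reduction(cm: Countermeasure) -> float:
    """Expected loss avoided per year by deploying the countermeasure."""
    before = annual_risk(cm.value_at_stake, cm.likelihood_before)
    after = annual_risk(cm.value_at_stake, cm.likelihood_after)
    return before - after


def is_justified(cm: Countermeasure) -> bool:
    """Spend only where the reduction in Risk exceeds the money invested."""
    return risk_reduction(cm) > cm.annual_cost


def decide(candidates) -> dict:
    """Split candidates into those to fund and those whose risk is consciously accepted.
    Each entry keeps the numbers behind the decision so the acceptance is documented."""
    result = {"fund": [], "accept": []}
    for cm in candidates:
        entry = (cm.name, round(risk_reduction(cm)), round(cm.annual_cost))
        result["fund" if is_justified(cm) else "accept"].append(entry)
    return result


CANDIDATES = [
    # Home alarm: $300 install plus $25 per month monitoring (paper), protecting $50,000 of goods (paper).
    # A 3% yearly theft likelihood cut to 1.2% by the alarm is a constructed assumption.
    Countermeasure("home alarm", 300 + 25 * 12, 50_000, likelihood_before=0.03, likelihood_after=0.012),
    # Armor plating against a chainsaw burglar, the paper's example of an unreasonable countermeasure.
    # The $150,000 cost and the one-in-100,000 likelihood are constructed.
    Countermeasure("armor plate the house", 150_000, 50_000, likelihood_before=0.00001, likelihood_after=0.0),
    # Vulnerability management at $10K per year (paper) versus a loss the paper puts at "millions"
    # ($2M constructed), almost certain without patching (paper); 5% residual is constructed.
    Countermeasure("vulnerability management", 10_000, 2_000_000, likelihood_before=0.95, likelihood_after=0.05),
]

if __name__ == "__main__":
    for bucket, entries in decide(CANDIDATES).items():
        print(bucket)
        for name, reduction, cost in entries:
            print(f"   {name}: avoids ${reduction:,} of expected loss for ${cost:,} per year")
```

The alarm and vulnerability management land in the "fund" bucket; the armor plating lands in "accept" with its half-dollar of avoided loss recorded next to its cost, which is what makes the acceptance a conscious decision rather than an oversight.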


About the Author

Ira Winkler, CISSP is President of the Internet Security Advisors Group and on the Board of Directors of the ISSA. He is also a columnist for ComputerWorld.com and considered one of the world's most influential security professionals. Named as a "Modern Day James Bond" by the media for his espionage simulations, where he physically and technically "broke into" some of the world's largest companies, investigated crimes against them, and told them how to cost effectively protect their information and computer infrastructure. Ira Winkler continues to perform these espionage simulations, as well as assisting organizations in developing cost effective security programs. Ira Winkler also won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards.

Ira Winkler is also author of the riveting, entertaining, and educational books, Spies Among Us and Zen and the Art of Information Security. He was also a columnist for ComputerWorld.com. Ira Winkler has recently been elected Vice President of the Information Systems Security Association.

Ira Winkler began his career at the National Security Agency, where he served as an Intelligence and Computer Systems Analyst. He moved on to support other US and overseas government military and intelligence agencies. After leaving government service, Ira Winkler went on to serve as President of the Internet Security Advisors Group, Chief Security Strategist at HP Consulting, and Director of Technology of the National Computer Security Association. He was also on the Graduate and Undergraduate faculties of the Johns Hopkins University and the University of Maryland.

Ira Winkler has also written the book Corporate Espionage, which has been described as the bible of the Information Security field, and the best selling Through the Eyes of the Enemy. Both books address the threats that companies face protecting their information. Ira Winkler has also written hundreds of professional and trade articles. He has been featured and frequently appears on TV on every continent. Ira Winkler has also been featured in magazines and newspapers including Forbes, USA Today, Wall Street Journal, San Francisco Chronicle, Washington Post, Planet Internet, and Business 2.0.

To learn more about Qualys On Demand Vulnerability Management and IT Policy Compliance solutions, visit: www.qualys.com