Key security questions that every executive should be able to answer

Common sense dictates that before you build a security infrastructure, you need to understand what you're trying to secure. That knowledge will also enable you to later answer whether your security infrastructure is still working properly. As much as this logic makes sense when protecting physical assets like jewelry or cars, it seems to have been thrown out the window when it comes to digital assets.

Most executives and managers equate money spent with security; i.e., if you spend a lot of money, you will be secure. The fact that there are companies that have done this but have still experienced break-ins shows that this logic doesn't work. I can't tell you how many times I have worked on an incident and the executive has looked at me and said, "Eric, we tried to do the right thing, we spent money on security." The unfortunate response is that even though you tried, you didn't do the right thing, and in this game, you do not get any points for trying.

What happens in most organizations is that executives don't ask the right questions and consequently don't have a clear picture of the security stance across their organizations. This leads to a false sense of security, which is very dangerous. It would be much better to know that your organization isn't secure and be nervous than to move ahead thinking that everything is fine when in reality, it's not.

Security Advisor
Eric Cole

To make sure you understand your organization's issues, you should be asking the following questions before formulating a security plan:

  1. What is my organization's critical information or digital assets? Every company has information that's unique to it. In some companies, this question is easy to answer, but in others, it's very difficult. You have to figure out what pieces of information, if compromised, would put your company out of business or make it difficult for you to continue operating.
  2. On which servers does the critical data reside? Attackers break into servers, which provide the gateway to the data. Therefore, knowing where the data is lets you concentrate your security efforts. It's also important to prioritize servers. Most companies have a large number of servers, and not all servers have the same level of importance.
  3. What are the risks to those servers? Risk is composed of threats and vulnerabilities and can be reduced by countermeasures. The following is the common risk formula: Risk = (Threat x Vulnerabilities)/Countermeasures. A threat is an adverse occurrence that allows someone to do harm to you or your assets. A vulnerability is a weakness that allows a threat to be manifested. A countermeasure is an action you perform to minimize or eliminate either the threat or the vulnerability. The important thing to remember is that if you reduce either the threat or the vulnerability, the resulting risk is also reduced. You only have to reduce one of them, not both.

    For example, a threat is that someone can run an Internet Information Server (IIS) buffer overflow against your external Web server. The vulnerability is that your company is running external IIS Web servers. Depending on the specifics, your risk could be either high or low. From a countermeasure perspective, there are three general approaches you can take. First, you can do nothing and accept the risk. Second, you can take actions to minimize the risk. In this case, you could minimize the risk by staying up to date and applying the latest patches in a timely manner. Third, you can eliminate the risk by taking the Web servers off-line. As you can see, in most situations, reducing the risk is the most practical approach.
  4. What is the return on investment for reducing or eliminating certain risks? Executives have to be concerned with the financial effect of a given security decision. Spending $500,000 to fix a problem that has a 10% chance of occurring and would cost the company $100,000 if it occurs isn't a good ROI. On the other hand, spending $50,000 to eliminate a risk that has an 80% chance of occurring and would cost the company $800,000 if it occurs is a wise investment.

Here are the key questions you need to ask to determine the ROI for a given risk:

  • What is the risk?
  • What is the likelihood of it occurring?
  • If it occurs, what will it cost?
  • What will it cost to eliminate the risk?
  • What will it cost to reduce the risk to an acceptable level?

Armed with the answers to these questions, you can spend money in the proper areas.
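A worked version of these questions, added here as an example and not part of the article: it takes a risk described by the five answers above, scores the three countermeasure approaches from question 3 (accept, reduce, eliminate) by their net benefit against the expected loss, and recommends one. The two sample risks use the article's figures; the reduce-option costs and residual likelihoods are constructed assumptions, since the article prices only the fix itself.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk, described by the answers to the article's five ROI questions."""
    name: str
    likelihood: float            # chance it occurs (0.0 - 1.0)
    impact: float                # cost to the company if it occurs, in dollars
    cost_to_eliminate: float     # e.g. taking the exposed server off-line
    cost_to_reduce: float        # e.g. a timely patching programme (assumed)
    residual_likelihood: float   # chance that remains after reduction (assumed)

    def expected_loss(self, likelihood=None):
        """Expected loss = likelihood x impact; pass a likelihood to model a residual risk."""
        p = self.likelihood if likelihood is None else likelihood
        return p * self.impact


def evaluate(risk):
    """Net benefit in dollars of each approach compared with doing nothing.

    A negative value means the countermeasure costs more than the loss it avoids.
    """
    baseline = risk.expected_loss()
    return {
        "accept": 0.0,
        "reduce": baseline - risk.expected_loss(risk.residual_likelihood) - risk.cost_to_reduce,
        "eliminate": baseline - risk.cost_to_eliminate,
    }


def recommend(risk):
    """Choose the approach with the highest net benefit (ties go to the first listed)."""
    options = evaluate(risk)
    return max(options, key=options.get)


# The article's two cases. Likelihood, impact and fix cost come from the text;
# cost_to_reduce and residual_likelihood are constructed for illustration.
OVERPRICED_FIX = Risk("overpriced fix", 0.10, 100_000, 500_000, 20_000, 0.02)
CHEAP_ELIMINATION = Risk("cheap elimination", 0.80, 800_000, 50_000, 30_000, 0.20)

if __name__ == "__main__":
    for risk in (OVERPRICED_FIX, CHEAP_ELIMINATION):
        print(f"{risk.name}: expected loss ${risk.expected_loss():,.0f}")
        print("  ", evaluate(risk), "->", recommend(risk))
```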

There is a long list of additional questions that an executive should ask, but the above questions form a foundation for all of the other questions. The above questions also give CIOs a clear view of where the problem is and how bad it is.

Remember, security is mostly about understanding your infrastructure and not necessarily spending money. Taking the time to answer the above questions will best enable you and your management peers to make sure your security dollars are well spent.

Related Article

"Data Security Measures Failing to Match Legal Expectations," by Jaikumar Vijayan.

A dangerous gap may be opening up between emerging legal expectations of due care for data security and the technical means by which companies can meet those requirements.

Copyright © 2003 IDG Communications, Inc.
