Archive for the ‘Internet Security’ Category
Monday, November 9th, 2009
This is the third article in this series on the Methodology of Calculating ROI for IT security.
There are three components to the ROI calculation:
1. Identifying actual security risks and translating them into quantifiable business risks.
2. Identifying how to mitigate the security risks, and determining the associated cost.
3. Calculating the ROI as the per cent of cost of mitigation divided by the cost of the risk.
This segment covers the third component: how to calculate ROI as the per cent of the cost of mitigation divided by the cost of the risk.
Calculating the ROI
The totals of the cost of risk and the mitigation costs are used in the following formula:
ROI = mitigation costs divided by the cost of potential risk, expressed as a percentage
Or
ROI (%) = (mitigation costs) / (the cost of potential risk) x 100
Sample ROI business case
A company is implementing a new web based transaction system for their clients to place orders and to enquire about their account balance. The incremental projected profit from the web site is estimated at $5,000 per day.
To minimize the complexity of the networking infrastructure required for the web site to communicate with a back-end database, the web site will be placed inside a DMZ within the corporate network. However, the database server will reside on the corporate network.
The CISO wants to understand the total business impact if a security breach of the new web site actually translates into a security event. She requests that the governance committee identify the potential costs that would arise per occurrence of such an event, relating to four (4) specific subjects:
- Lost profit.
- Inability of other servers on the corporate network to continue operations.
- Damage to corporate and brand reputation.
- Legal consequences.
The governance committee provides the following averaged costs per occurrence of a security event, assuming a two day outage, for the four subjects:
- Lost profit: $10,000
- Inability of other servers on the corporate network to continue operations: $100,000
- Damage to corporate and brand reputation: $800,000
- Legal consequences: $200,000
- Total potential costs: $1,110,000
The CISO then determines that the cost to protect against the increase in scope and risk of the infrastructure, over a three-year period, is $50,000 per year.
The CISO then calculates, per occurrence:
ROI = ($50,000 / $1,110,000) x 100%
≈ 5%
Creating an Ongoing ROI Cost Justification Process
Fundamental to ensuring an ongoing adequate security budget is keeping the executive committee fully engaged in the security process. It is incumbent upon the CIO and CISO to educate their executive peers on the principle that security is an ongoing process, and not a one-time event.
As such, as the CISO successfully implements security infrastructure, it is critical that they report on the results in terms of the initial business case used to cost-justify the process. This is accomplished by showing, with a business case, that the investment in security had the planned payback.
An evidentiary approach to providing factual proof to the governance committee is to accumulate statistical proof of potential breaches that were avoided. These statistics should be collected from the logs of the security technology, which identify risks that were caught, vulnerabilities that were mitigated, and potential security events that were therefore avoided.
It is recommended to communicate this material in simple graph format, showing:
- The number of incidents ranked by severity plotted against a timeline.
- The resulting potential losses associated with possible incidents, plotted against time.
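The two graphs recommended above are built from security-device logs. The following script is an added example, not code from the post or from any product: it parses constructed log lines in an assumed "key=value" format, keeps only events the device blocked, and aggregates them per ISO week by severity and by potential loss. The per-severity loss table is an assumption standing in for the governance committee's figures.

```python
"""Summarise blocked-attack log lines into the two graphs the post recommends:
incidents by severity over time, and the potential loss those incidents carried.
Added example; the log format and the cost-per-severity table are assumptions,
not taken from the post or from any product."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed "key=value" format from a web security device.
SAMPLE_LOG = """\
2009-10-05T14:02:11 severity=high action=blocked event=sql_injection src=198.51.100.7
2009-10-05T16:45:09 severity=low action=blocked event=port_scan src=203.0.113.5
2009-10-07T09:12:33 severity=medium action=blocked event=iframe_injection src=198.51.100.9
2009-10-13T11:30:00 severity=high action=blocked event=stolen_ftp_login src=203.0.113.44
2009-10-14T02:15:42 severity=high action=allowed event=login_success src=192.0.2.10
2009-10-15T18:00:01 severity=medium action=blocked event=redirect_injection src=198.51.100.7
"""

# Assumed per-occurrence potential loss by severity, in dollars. A real table would come
# from the governance committee's figures, as in the post's business case.
POTENTIAL_LOSS = {"low": 1_000, "medium": 25_000, "high": 200_000}


def parse_line(line):
    """Turn one log line into a dict; the first field is the timestamp."""
    ts, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["timestamp"] = datetime.fromisoformat(ts)
    return record


def summarise(log_text):
    """Return ({week: {severity: count}}, {week: dollars}) for blocked events only.
    Weeks are labelled by ISO year-week so they plot cleanly on a timeline."""
    counts = defaultdict(lambda: defaultdict(int))
    losses = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "blocked":
            continue  # only blocked events count as avoided incidents
        year, week, _ = rec["timestamp"].isocalendar()
        key = f"{year}-W{week:02d}"
        counts[key][rec["severity"]] += 1
        losses[key] += POTENTIAL_LOSS[rec["severity"]]
    return {k: dict(v) for k, v in counts.items()}, dict(losses)


def report(log_text):
    """Print one line per week: incident counts by severity and the loss avoided."""
    counts, losses = summarise(log_text)
    for week in sorted(counts):
        by_sev = ", ".join(f"{s}={n}" for s, n in sorted(counts[week].items()))
        print(f"{week}: incidents [{by_sev}] potential loss avoided ${losses[week]:,}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

The weekly dictionaries returned by summarise() are the series to plot: the severity counts feed the first graph and the dollar totals the second. Only blocked events are counted, so an allowed login never inflates the "avoided" figure.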
My final article in this series will cover outsourcing security monitoring as a cost savings option and a call to action for the entire series.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: IT Security, Return on Investment, ROI, Security Risks. Posted in Information Security, Internet Security, Security Postings.
Tuesday, November 3rd, 2009
Last week I received a call from a lady requesting my assistance. Let’s call her Linda. Linda’s dilemma was that she purchased online an anti-virus package (from an unknown vendor) which delivered two surprises:
- It did not work.
- It crashed her computer. Linda was about to have her computer restored to working order.
We reviewed the details of her transaction and her situation and I provided Linda with the following recommendations:
- I found the actual vendor’s web site and contact information for Linda (nothing whatsoever to do with our business), and suggested Linda contact them directly and ask for an immediate refund.
- We discussed the merits of her not doing anything to her computer until the issue of the refund was handled to her satisfaction. My reasoning was that a law enforcement agency may wish to do a forensic review of her computer.
- Further, based upon the outcome of the refund request, we discussed Linda contacting her local law enforcement and the FBI with regard to possible fraud.
- Next we discussed the merits of Linda immediately reporting this transaction to her credit card company and changing her credit card number.
- Finally we agreed that self-destructive behavior such as dealing electronically with parties unknown is to be avoided.
A few days later Linda called me again, probably with a smile on her face. Apparently she got a full refund from the vendor, and her credit card company replaced her credit card. So for the time being, law enforcement is out of the loop, and Linda was off to restore her computer to its previous health.
You may be wondering how Linda, who is a resident of the USA, found my company, as was I. After doing some surfing I found a link from her vendor, which was in Europe, to a site with a somewhat similar name as our company. Only the company in question was apparently also in Europe, not Canada, and provided no contact information whatsoever. So Linda did a partial name search and found our company in Canada.
My last couple of blogs have dealt with the dangers of inappropriate trust on the web and how users can protect themselves. Just as you wouldn’t feel comfortable purchasing meat being sold from a stranger’s car, it seems reasonable to similarly not purchase anything from an unknown party on the web.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Anti-Virus, Internet Security, IT Security, Malware. Posted in Information Security, Internet Security.
Tuesday, October 27th, 2009
Executive Summary
The way to get the executive team to pay attention is to provide a quality ROI on any new initiative. If the Boards of Directors can’t understand the needs of various departments then the only way to their pocketbook is to present them with a bottom line return on their investment.
In the case of procuring a security budget, executives are often less than forthcoming because of the lack of information they receive from department heads. Boards of Directors and executive teams respond most favorably to requests for information security budgets which are cost-justified with a simple ROI business case.
The business case needs to specifically show how potential costs associated with liability, caused by security breaches, may be minimized by implementing a sound security infrastructure. This can be accomplished by allowing a third party to do a security audit that provides evidence of security risks.
This approach of utilizing an ROI to cost justify a security budget is the same premise used to purchase insurance for commodities like office furniture, computers, etc. The difference is that if a security breach occurs as a result of not implementing the proper protection procedures, the associated costs far outweigh the costs to replace furniture.
The potential liabilities, such as loss of production and/or loss of reputation are translated into actual dollars in the ROI. The security budgets are created by taking a small percentage of the cost of the potential losses and applying it to preventative measures.
As such, this calculation of ROI is actually a calculation of the cost to avoid the liability as a percentage of the potential cost of the liability. This is similar to the methodology for calculating the financial benefit of insurance for commodities such as office buildings, furniture and computers. [1]
Since the cost of a security infrastructure often falls within about the same price ratio of commodity insurance, one would think this cost justification would be easily sold to an executive committee.
This is often the case, particularly when the business risks identified in the business case are based upon hard evidence of actual security risks. Actual security risks can be identified by evidentiary security audits. These audits are performed by impartial third parties, with an expertise in identifying both technical and policy risks.
[1] Typical annual insurance rates for commodities are about 1.5% – 2.5% of asset replacement cost. The author has observed (over many business cases) that annual security budgets can similarly be about 2% – 4% of potential security breach related costs.
My next blog will focus on the Methodology of Calculating ROI.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors. www.ere-security.ca
Tags: Information Security, Information Security ROI, IT Security Spending, Risk Security, Security Risk. Posted in Information Security, Internet Security, Security Postings.
Monday, October 19th, 2009
In last week’s blog I discussed mitigation steps recommended for end users to protect themselves from malware in general and specifically from drive-by malware.
This week I will identify some of the most common (popular) technical malware vectors for infecting web sites, and how web site owners can protect their sites.
Technical Malware Vectors
- SQL Injection Attack – exploits application layer security vulnerabilities in order to inject active code or change code in applications, or to attack databases directly.
- Javascript Injection Attack – one form of an SQL attack.
- IFrame Injection Attack – strings or active code injected into the web page, often due to poor input data validation.
- Javascript Injection – invokes IFrames or other active code.
- Stolen FTP Credentials Attack – uses stolen FTP credentials for the web site to gain unauthorized access.
- Server Application Code Vulnerabilities – poorly written or not thoroughly tested code.
- Redirect Injection Attack – takes advantage of a web page’s redirect function to send visitors to a web server of the attacker’s choice.
- Malvertising – grabs user information even if the publisher is doing a good job. Malvertising injects dangerous code, especially where there is the opportunity for user-generated content.
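The SQL injection vector listed above comes down to how a data input field reaches the database. The following is an added example, not code from the post: it places a query built by string concatenation beside its parameterized form, and adds an allow-list check on the field before any database access. The orders table, its rows and the account-id format are constructed for illustration.

```python
"""Contrast of a string-built SQL query with a parameterized one, plus an allow-list
check on the input field. Added example, not code from the post; the orders table,
its rows and the account_id format are constructed for illustration."""
import re
import sqlite3


def make_db():
    """In-memory database with two constructed customer orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (account_id TEXT, item TEXT, amount REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [("A1001", "widget", 49.5), ("A2002", "gadget", 120.0)])
    return conn


def orders_vulnerable(conn, account_id):
    """The 'before': the account id is pasted into the SQL text, so SQL
    metacharacters in the input become part of the query."""
    sql = "SELECT item, amount FROM orders WHERE account_id = '" + account_id + "'"
    return conn.execute(sql).fetchall()


def orders_parameterized(conn, account_id):
    """The 'after': the driver binds the value separately from the SQL text, so the
    input is only ever compared as data, never interpreted as SQL."""
    sql = "SELECT item, amount FROM orders WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


# Assumed format for the account_id field: one capital letter followed by four digits.
ACCOUNT_ID_RE = re.compile(r"^[A-Z][0-9]{4}$")


def valid_account_id(value):
    """Allow-list validation at the input field, applied before any database access."""
    return bool(ACCOUNT_ID_RE.match(value))


def lookup(conn, account_id):
    """Defensive path: reject malformed input outright, then query with a bound parameter."""
    if not valid_account_id(account_id):
        raise ValueError("account_id does not match the expected format")
    return orders_parameterized(conn, account_id)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input containing SQL metacharacters
    print("vulnerable:", orders_vulnerable(db, hostile))        # every row comes back
    print("parameterized:", orders_parameterized(db, hostile))  # no row matches
    print("validated:", lookup(db, "A1001"))
```

The two layers are deliberately independent: the parameterized query is what makes the database access safe, and the allow-list check is what lets the application log and reject malformed input at the field, which is the audit point the site owner's mitigation steps call for.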
Mitigation Steps for Web Site Owners
- Incorporate security into application development and database access at the design stage. Do not treat application security as a bolt-on or afterthought. Place particular emphasis on data input fields.
- Thoroughly test all data input fields and the validation for those fields. Audit all user input fields and user contribution fields by internal audit or by a group other than the developers.
- Update and patch the Java Virtual Machine (JVM) and Java Development Kits (JDK).
- Ensure the integrity of any third party tools for managing a web site, even seemingly innocuous apps like traffic counters.
- Constantly look for unauthorized changes in web site code, such as strings that cause URL redirects. Employ tools to identify unauthorized changes in code.
- Update and patch web server software.
- Harden the web server platform. Eliminate all unnecessary accounts and privileges, restrict access, and vigilantly monitor the logs for attempted but failed access, attempted unauthorized access, and of course successful unauthorized accesses.
- Consider deploying a second layer of anti-malware monitoring and diagnostic technology that is specifically designed for web site security, with the ability to block attack attempts, log the attempted and successful attacks, and generate reports and alerts.
- Identify and remedy all network vulnerabilities for the infrastructure which houses the web site, its platform, and of course its Internet access.
- Have an impartial set of eyes review all aspects of network security, including architecture (isolation of the web site on a DMZ, etc.), policies and the score of compliance with policies, security architecture and how effectively it is used, event log monitoring, and, at the risk of repetition, timely and consistent upgrades and patching.
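The step about looking for unauthorized changes in web site code can be turned into a routine check. The following is an added example, not code from the post or from any product: it records a SHA-256 baseline of each site file, reports files that differ from the baseline, and scans the changed files for the kinds of injected strings the post names (hidden IFrames and redirects). The site contents and the pattern list are constructed assumptions; a real run would walk the document root and keep the baseline off the web server.

```python
"""Baseline-and-compare check for unauthorized changes to web site files, plus a
scan for the kinds of injected strings the post names (hidden IFrames and
redirects). Added example, not code from the post or from any product; the
site contents and the pattern list are constructed assumptions."""
import hashlib
import re

# Constructed site snapshot: path -> file contents.
CLEAN_SITE = {
    "index.html": "<html><body><h1>Orders</h1><p>Welcome</p></body></html>\n",
    "js/app.js": "function order(id) { return fetch('/api/order/' + id); }\n",
}

# The same site after a constructed injection of a zero-size iframe into index.html.
INJECTED_SITE = {
    "index.html": CLEAN_SITE["index.html"].replace(
        "</body>",
        '<iframe src="http://malicious.example/x" width="0" height="0"></iframe></body>'),
    "js/app.js": CLEAN_SITE["js/app.js"],
}

# Pattern names and regexes for strings commonly injected into compromised pages.
SUSPICIOUS_PATTERNS = {
    "hidden iframe": re.compile(r'<iframe[^>]*(width="0"|height="0"|display\s*:\s*none)', re.I),
    "meta refresh redirect": re.compile(r'<meta[^>]*http-equiv="refresh"', re.I),
    "script redirect": re.compile(r"(window|document)\.location(\.href)?\s*=", re.I),
    "obfuscated script": re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\(", re.I),
}


def sha256_hex(content):
    """Hash one file's text; the baseline stores only these digests."""
    return hashlib.sha256(content.encode()).hexdigest()


def baseline(site):
    """Record a SHA-256 digest of every file; store this away from the web server."""
    return {path: sha256_hex(content) for path, content in site.items()}


def changed_files(base, site):
    """Paths whose content differs from the baseline, plus files added or removed."""
    changed = [p for p in site if p not in base or base[p] != sha256_hex(site[p])]
    removed = [p for p in base if p not in site]
    return sorted(changed + removed)


def suspicious_strings(content):
    """Names of the injected-string patterns found in one file's content."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]


def audit(base, site):
    """Map each changed file to the suspicious patterns it now contains (possibly none)."""
    return {p: suspicious_strings(site.get(p, "")) for p in changed_files(base, site)}


if __name__ == "__main__":
    base = baseline(CLEAN_SITE)
    print("clean run:", audit(base, CLEAN_SITE))            # {}
    print("after injection:", audit(base, INJECTED_SITE))   # index.html flagged
```

A changed file with no matching pattern is still reported, since an unauthorized change is the finding; the pattern names only help rank which changes to look at first.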
Have a secure week.
Regards
Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: Information Security, Malware, Malware Detection, Malware Protection, Malware Removal. Posted in Information Security, Internet Security, Security Postings.
Monday, October 12th, 2009
My last blog discussed the financial motivation for creating malware. This article identifies preventative measures that both end users and web site managers can implement to protect all concerned from the dangers of drive-by malware.
As a brief reminder, drive-by malware is:
A download which the user indirectly authorized by clicking on a link or by being redirected to a misleading link, but without understanding the consequences. For instance, the user could be installing an unknown ActiveX component or Java applet, or any of this could happen without the user even knowing about it.
The damage occurs when the download contains spyware, a computer virus or any other kind of malware. Alternatively, the malware is downloaded through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever. Websites that exploit the Windows Metafile vulnerability provide examples of “drive-by downloads” of this sort.
Common occurrences of drive-by downloads happen when a user:
- Visits a website.
- Views an e-mail message.
- Clicks on a deceptive popup window believing that, for instance, it is a bona fide message, when in fact they have just initiated a malicious software download.
Mitigation Steps Recommended for the End User
In order of simple to more complex:
- Do not store unencrypted personal information on a workstation.
- Use strong passwords for encryption, access to the workstation, and to any services or devices to which access would be granted by using a workstation.
- Do not use the same password for multiple devices / services.
- Change the passwords regularly.
- Do not open email from unknown senders.
- Never click on attachments or links embedded within emails, even when the emails are from friends. A friend may provide an attachment or link that, unknown to them, is infected with malware.
- Do not go to unknown web sites that could be potentially dangerous. If in doubt about the veracity of a web site, check it against any number of published blacklists of web sites.
- Do not assume that the web site of a small organization is less prone to malware. The trend is for criminals to install malware even on small and medium size sites.
- Verify the certificates of web sites on which the user will be divulging confidential information and / or performing a financial transaction. Where possible, I recommend doing the transaction by telephone, unless the end user is highly confident in the identity and reputation of the web site.
- Install an anti-malware package on each workstation.
- Use a browser with anti-malware features.
- Judiciously apply security patches to:
  - Anti-malware software.
  - Anti-malware features on a browser.
  - Operating system software.
  - All other application software.
- At the very least, install a personal firewall in front of any Internet facing workstation.
My Next Blog Article
Next week I will identify some of the technical vectors used to install malware on web sites and the preventative and restorative steps web site owners can implement.
Have a secure week.
Regards,
Ron Lepofsky,
ERE Information Security Auditors.
Tags: Drive-by Malware, Information Security, Malware, Malware Removal, Spyware Check. Posted in Information Security, Internet Security, Security Postings.
Tuesday, September 29th, 2009
My previous blog article focused on the two points that
1) Social networking sites present security threats.
2) There are many steps corporate security professionals can take to mitigate these threats, including policy, enforcing policy with procedures, security training, administrative procedures, and technology.
What’s in the News
Since the last blog there has been a steady stream of news about more security threats originating at web sites, particularly from social networking sites. Profit motive appears to be the primary intent of the threats; the methodology is committing identity theft for profit. Below is a sample of four web-based news articles to which I refer:
Mitigating Web-Based Malware Attacks. August 17, 2009
http://www.threatpost.com/blogs/mitigating-web-based-malware-attacks-117
The Dirtiest Websites To Avoid, 2009-08-20
http://www.securitypronews.com/insiderreports/insider/spn-49-20090820TheDirtiestWebsitesToAvoid.html
Researcher details Facebook CSRF Flaw, August 21, 2009
http://www.scmagazineus.com/Researcher-details-Facebook-CSRF-flaw/article/146986/
Malware designed to steal IDs increased 600 percent, August 20, 2009
http://www.scmagazineus.com/Malware-designed-to-steal-IDs-increased-600-percent/article/146909/
For additional statistical data, the reader can consult the lists of infected sites published by various vendors, including Google, which show growth of over 100% in malware sites over the last year.
More Financial Motivation
There appears to be a current trend towards targeting small and medium sized sites with identity theft attacks, probably because the larger sites were attacked first. Also, organizations that deploy small and medium sized sites may not have the security precautions and resources available to their larger counterparts.
Of course, bad guys do not get sleep deprivation if their attack is running on a small site rather than on a large site.
The Popular Drive-By Attack
There is an increase in “drive-by downloads” of malware, where a visitor to a web site unwittingly loads malware from the site. The malware is placed by the perpetrators by exploiting vulnerabilities in web sites. They find the vulnerabilities with a simple query to search engines, which turn up vulnerabilities readily published by software tool manufacturers in their patch notifications and weakness warnings.
My Next Blog Article
My next article will provide preventative measures that both end users and web site managers can implement to protect all concerned from the dangers of drive-by malware.
Have a secure week.
Regards,
Ron Lepofsky
ERE Information Security Auditors
Tags: Data Security, IT Security, Social Networking. Posted in Internet Security, Social Media.
Monday, September 21st, 2009
Over the last two weeks security news reports identify social networking sites as distribution points for malware of all sorts and flavours and as botnets for distributing more of the same. In addition, site users seem enthusiastic to reveal personal information to those who would gladly accept the information for purposes of identity theft. The benefits of social networking are being strongly challenged by the disadvantages of predatory, definitely anti-social behavior.
We have posted several such articles on the ERE web site: www.ere-security.ca; the most recent one being
August 17, 2009
Hackers put social networks such as Twitter in crosshairs
http://www.infoworld.com/d/security-central/hackers-put-social-networks-such-twitter-in-crosshairs-832?source=IFWNLE_nlt_sec_2009-08-17
My advice to all concerned, especially CIOs, CSOs and security managers, is to create and enforce end-user policy for social networking sites. The fundamentals are of course:
- Do not reveal any personal / financial information that you would not otherwise gladly hand to your neighbours.
- Do not answer any personal questions.
- Be very leery of links to other web sites, particularly those involving any aspect of personal finance.
Policy should also enforce:
- Timely patch updates on all end-user devices.
- Timely updated anti-malware signatures and updates.
- Defence in depth with at least two layers of malware protection: at least on the end-user devices and on an internet gateway device, through which all related traffic must pass.
- Enforce all related traffic through the gateway; shut down all unnecessary ports and services on the corporate firewall and then test to see if undesired traffic can be tunneled or otherwise circumvent the gateway.
The difficulty of enforcing policy regarding end-user activity is of course convincing users to want to act in accordance with policy, and then punishing those who contravene it. These of course are age-old problems. However, there are tried-and-true solutions.
Security awareness training has proven most beneficial in this arena, particularly where training is coupled with rewards for adhering to policy. Handing out rewards to those who pass an on-line test demonstrating their awareness and possibly compliance with policy is a positive reinforcement that further encourages support of the policy.
Rewards may include inexpensive items such as tee-shirts with an appropriate message or sporting and entertainment vouchers. Of course accolades in corporate news services are a must.
Enforcement must be consistent and ubiquitous, including all senior management. Detection of non-compliance can be accomplished with the use of many automated tools, plus an audit team, perhaps composed of H/R staff, simply visiting the employee accounts on social networking sites. This of course requires, as part of policy, that employees disclose all their social networking accounts, which is a major issue of contention with regard to privacy.
Privacy policy is another topic entirely, as the usual measures of privacy really are outdated by the invention of social networking sites. For instance, it would have been impossible for privacy policy authors to contemplate social networking sites 20 years ago. But this is a topic for another time.
Tags: Information Security Consulting, Information Security Monitoring, Social Media, Social Networking. Posted in Internet Security, Social Media.