Canadian Underwriter
Feature

A RISKY PROPOSITION


February 1, 2000   by Ron Lepofksy, president, PTI Telecommunications



Today’s chief financial officers are being asked to allocate funds for network security based on the “break and fix” principle. Network managers are explaining to their superiors the potential loss to their network caused by security breaches, how to plug those breaches and the associated price tag. The CFOs then make a financial decision whether to purchase the technology for that situation. Lost in the process, though, is the big picture comparison, the prioritizing of various quantifiable risks faced by an entire network.

A preferred process would include examining the entire network and prioritizing spending based on the percentage of chance individual security breaches could affect the network. For example, it would be informative to quantify that an expenditure of $50,000 on a certain technology would reduce the risk of a security breach by 40%. Examining the various risks, their costs, and percentage of chance the breach could be plugged can go a long way towards determining which network security issues rank highest. Figure 1 (following page) shows what a sample report might look like.

The risk information should cover all of the major network components, so that decisions on spending are based on the big picture. The most pressing problems can be more easily identified by financial managers and be addressed first.

Usually, the issue of solving security problems is thought of in terms of network components. It is also important to identify security risks in terms of important corporate assets. This would include the key servers which house key files such as research and development, engineering files, the on-line inventory and order processing system. If CFOs allocate a value to the corporate assets, or more specifically, to the cost of losing the assets, then it would be possible to map or project the percentage risk reduction onto the assets.

Figure 2 (following page) shows cost and risk reduction in terms of assets rather than just technology.

The next evolution is to create a security Business Impact Analysis. The purpose of this exercise is to transform current “break and fix” technical decisions into financial decisions based upon a Business Impact Analysis. In this scenario, business processes such as manufacturing, billing, engineering, or software production are mapped to the assets described above. Risk would be then allocated to actual business processes, leaving CFOs the freedom of making purchasing decisions on a loss avoidance basis.

The risk analysis described in this article can be achieved today by any corporation with the available resources. It involves creating three databases and correlating the information with an algorithm that calculates the percent change in risk. The first database is a corporation’s key network hardware and software which includes such elements as servers, routers, firewalls, workstations, operating systems, and communications software. The second database consists of all the vulnerabilities associated with the hardware and software elements, such as weak points in operating systems, patches required by hardware, and holes in specific firewalls found by hackers. The third database is a list of remedies to address the vulnerabilities associated with the hardware and software such as recommended configuration changes to a firewall, patches and upgrades that need to be installed, and recommendations based on CERT alerts.

All raw information describing network hardware and software vulnerabilities is available from two major sources. One is organizations such as technology vendors, security services such as CERT, and the large variety of “hacker” sites such as www.rootshell.com on the Internet. The second is the results of running intrusion detection and network security monitoring and reporting software on one’s own corporate network.

The risk calculator, or risk algorithm as it is also called, takes the information gathered in the three databases and calculates the percentage risk to the corporate network. The risk calculator, for assessing relative risks for the cost justification, can be purchased from security vendors. Some off-the-shelf software packages have a security algorithm included. The risk algorithm is useful for calculating the percentage risk reduction generated by employing a particular vulnerability fix.
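As an added illustration (not the article's own calculator or any vendor's product) of the three databases, the risk algorithm and the Business Impact Analysis roll-up described above, the following example ranks remedies by percentage risk reduction and by loss avoided per dollar spent; every figure in it is constructed.

```python
# Added example, not from the article: a minimal risk calculator over the three
# databases it describes. All figures below are constructed for illustration.

# database 1: key components, the dollar cost of losing each, and the business process served
COMPONENTS = {
    "order-db":  {"value": 2_000_000, "process": "order processing"},
    "fw-edge":   {"value":   100_000, "process": "order processing"},
    "eng-files": {"value": 1_000_000, "process": "engineering"},
}
# database 2: vulnerabilities, with an assumed annual probability of exploitation
# and the fraction of the asset's value lost if that happens
VULNS = [
    {"id": "V1", "component": "order-db",  "prob": 0.20, "impact": 0.50},
    {"id": "V2", "component": "fw-edge",   "prob": 0.30, "impact": 0.20},
    {"id": "V3", "component": "eng-files", "prob": 0.10, "impact": 1.00},
]
# database 3: remedies, their cost, and the fraction of the vulnerability's risk they remove
REMEDIES = [
    {"vuln": "V1", "fix": "apply database patch", "cost": 50_000, "eff": 0.80},
    {"vuln": "V2", "fix": "firewall rule change", "cost":  5_000, "eff": 0.90},
    {"vuln": "V3", "fix": "upgrade file server",  "cost": 80_000, "eff": 0.50},
]

def expected_loss(comps, vulns, applied=()):
    """Expected annual loss per component; each applied remedy scales down the
    probability of the vulnerability it addresses."""
    fix = {r["vuln"]: r["eff"] for r in applied}
    loss = {name: 0.0 for name in comps}
    for v in vulns:
        p = v["prob"] * (1 - fix.get(v["id"], 0.0))
        loss[v["component"]] += p * v["impact"] * comps[v["component"]]["value"]
    return loss

def rank_remedies(comps, vulns, remedies):
    """For each remedy: (fix, % reduction in total network risk, dollars of loss
    avoided per dollar spent), best value first. This is the whole-network
    comparison the article asks for instead of a per-breach 'break and fix' call."""
    base = sum(expected_loss(comps, vulns).values())
    rows = []
    for r in remedies:
        saved = base - sum(expected_loss(comps, vulns, [r]).values())
        rows.append((r["fix"], round(100 * saved / base, 1), round(saved / r["cost"], 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)

def process_risk(comps, vulns, applied=()):
    """Roll expected loss up to business processes (the Business Impact Analysis view)."""
    loss, out = expected_loss(comps, vulns, applied), {}
    for name, c in comps.items():
        out[c["process"]] = out.get(c["process"], 0.0) + loss[name]
    return out
```

With these constructed figures the database patch removes about half of the network's expected annual loss and returns roughly $3.20 of avoided loss per dollar, which is why it ranks first even though the firewall change is far cheaper.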

There are five classes of software tools for evaluating network vulnerabilities.

The best known are penetration testing tools, which attempt to breach security by attempting to overwhelm and disable devices such as firewalls and routers. Sources for such products include bona fide network security software vendors as well as “hacker” sites on the Internet. These tools usually reside on a laptop, and are launched against a network from an external location. It is always best to completely back up a network prior to doing a penetration test.

A network-resident class of tool is the host-based monitoring tool, which permanently resides on servers and workstations on the network. These tools look for actual attempts at network intrusions and patterns of abuse, such as employees attempting to access servers for which they have no privileges. As an example, a tool may create an alert upon watching a user attempt to gain access to a server by trying multiple user names and passwords. Another example may be reporting on a systems manager trying to access information which they are not authorized to view.
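The first alert described above, a user trying multiple user names and passwords against a server, as an added example of the detection logic a host-based monitor would run (this is illustrative code, not any product's; the log format and the thresholds are assumed, and the log lines are constructed):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample host log (not from any real system); the format is assumed.
LOG = """\
2000-02-01 09:00:01 FAIL user=alice src=10.0.0.7
2000-02-01 09:00:03 FAIL user=bob src=10.0.0.7
2000-02-01 09:00:04 FAIL user=root src=10.0.0.7
2000-02-01 09:00:06 FAIL user=admin src=10.0.0.7
2000-02-01 09:00:09 OK   user=alice src=10.0.0.7
2000-02-01 09:15:00 FAIL user=carol src=10.0.0.9
2000-02-01 09:40:00 FAIL user=carol src=10.0.0.9
"""
LINE = re.compile(r"^(\S+ \S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def detect_guessing(log, window=timedelta(minutes=1), max_fails=3, max_users=2):
    """Return (source, failed attempts, user names tried) for any source that,
    within `window`, fails more than `max_fails` times or tries more than
    `max_users` distinct user names. Thresholds are assumed values."""
    events = defaultdict(list)   # src -> [(time, user)] for failed attempts only
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(2) != "FAIL":
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events[m.group(4)].append((when, m.group(3)))
    alerts = []
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window so that hits[start:end+1] all fall within it
            while hits[end][0] - hits[start][0] > window:
                start += 1
            recent = hits[start:end + 1]
            users = {u for _, u in recent}
            if len(recent) > max_fails or len(users) > max_users:
                alerts.append((src, len(recent), sorted(users)))
                break    # one alert per source is enough for this report
    return alerts
```

The two slow failures from the second source fall outside the window and produce no alert, which is the kind of threshold a monitor needs so that ordinary mistyped passwords do not flood the report.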

Similar to the host-based monitoring tool is the network-based class, which typically resides on a dedicated workstation on a network. The tool sniffs network traffic and reports on various types of suspicious activities. These activities may include attempted network intrusions, attempts to use an unauthorized Internet service at a particular host, or unreported additions to a corporate network since a predetermined point in time. Busy or overly industrious employees can add dial-up modems, workstations, laptops or even routers to a corporate network and forget to mention these potential sources of network vulnerabilities to the corporate network manager.

A new class of software, dubbed “architecture security evaluators,” indicates the vulnerabilities that each major piece of a particular network’s software and hardware face, and suggests how to fix the vulnerabilities. They typically suggest fixes based upon a checklist of known vulnerabilities. The mitigation steps or fixes are usually the application of patches, technology revision levels, and upgrades. They are completely different from penetration testers or monitoring tools. Instead of testing your network to see network vulnerabilities, this software allows the user to find out about possible vulnerabilities, and what the recommended fixes are.

The Internet is a rich source of information about security vulnerabilities for the manufacturers of architecture security evaluator tools. Manufacturers of operating systems and communications technology, hackers, security information and notification services, security associations, technology user groups, and of course, security technology manufacturers all have web sites filled with useful information about security vulnerabilities and their mitigation. While network managers with Internet access have access to almost all this information free of charge, the inconvenience and time required to do so can be eliminated simply by purchasing a software package that already incorporates the research function.

Content scanning and user activity reporting tools fall into the fifth class of tool. Reporting is done on the content of the activities employees are engaging in. Improper employee activity can attract legal liability and can result in the loss of valuable proprietary information. Internet-based e-mail, web browsing, chat lines, and ICQ messaging traffic are all potential sources of security problems. For instance, an outgoing e-mail may have content justifying a slander suit against a company. Another example of a potential security problem is inbound e-mail that may contain destructive viruses.

Some content and user activity reporting tools are passive. They only report and do not attempt to stop inappropriate activity. Other tools do stop inappropriate or dangerous activity based upon a pre-determined corporate security policy. The active management components deal with stopping, isolating, or modifying data moving across or through a corporate network.

The next evolution in security planning involves a methodology of cost justifying security expenditures, based on the cost avoidance of not losing key corporate assets and processes. The goal of using the methodology is to provide financial decision makers with a business case showing potential losses in terms of dollars, the cost of mitigating these losses, and the percent decrease in risk to the corporate network associated with implementing the mitigation steps.

The methodology looks at a network in its entirety. It compares risk reduction costs for network components instead of looking piecemeal in a “break and fix” fashion.

