programming4us
programming4us
SECURITY

Thinking about Security

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
Chapter 15: Thinking about Security
Does Windows Vista change something fundamental about information security? This book has 14 chapters covering all things new in Windows Vista. It discusses all the things that make propeller hats spin. Yet these are just new features. Fundamentally, Windows Vista has not changed the information security landscape. The features change how we manage things, and to some extent, what we manage. But information security is far more than that. It is driven by external factors. One of the things that makes information security so fascinating, and so maddeningly frustrating, is that those of us on the good side are not entirely in control. The mark of good security is the ability to predict and preempt, not just respond. In security, regardless of whether it is information security, computer security, or airport security, those who can only respond are continuously dragged around by the nose by the bad guys. Those who can predict and preempt can change the playing field. To do that, we need to develop a discipline that is strategically sound, temporally stable, and flexible. Windows Vista may give us the flexibility, but without the remainder of the discipline, without the strategy, we will be unable to get ahead of the bad guys. That is why we still need to consider traditional defenses and adapt them tactically using our new tools. The previous 14 chapters were about the new tools. This one is about the strategy.

It Still Comes Down to Risk Management

Above all, security always comes down to risk management. All too often, risk management is phrased in terms of "defense in depth" where "defense in depth" is generally held to mean "stuff we can't justify any other way." This is absolutely the wrong way to go about security. The mentality that if you just change more stuff you must have better security is anathema to risk management.

Risk management is much more complicated, and valuable, than merely making seemingly random tweaks. First, you must analyze your tolerance to risk. How risk averse are you and/or the organization you are securing? Everyone has an inherent propensity for risk, but it is moderated by circumstances. Next you must have an understanding of what you have to lose. What is the value at stake? Those are both easy-or at least, easier. Microsoft, Symantec, and Ziff-Davis produced a free assessment tool to help you understand those issues. The tool is available at https://www.securityguidance.com/.

The much harder item is to determine how likely you are to be attacked, and by which methods. The likelihood is typically related to how valuable you are to someone else. Put yourself in the attacker's mind for a minute. What would they do with your data? With your computer? With your network capacity? If you were out of business? How much are your assets worth to someone else?

Jesper's Position

If you are interested in securing your home computer, then chances are, much of what you have is not worth enough for a bad guy to target you specifically. Most attackers find it too tedious to attack home machines one-by-one to mine data. It takes too long unless you can automate it. That changes the attack method, and changes how you protect it. Many of the attacks are standardized, the malware more common. Generally, the payoff is not large enough to spend significant time crafting a specific exploit for a specific target.

Roger's Position

Ninety-nine percent of malware is designed to steal money, using stolen identities and passwords-which the malware programs do easily from home machines by installing monitoring programs and so on. Although businesses are more valuable to the bad guys, home computers are attacked as much, if not more, because they are typically easier to break into. Taken together, the value to the attacker of a few thousand random home computers is significant.

Enterprise Risk Management

For large enterprises, the scenario is much richer, as is the potential payoff. The volume of information that can be had is much greater. Consequently, the risk is typically higher. Unfortunately, many organizations tend to follow one of two approaches: ignore the vast majority of the problem, or come down so hard on it that the only way employees can be productive is by circumventing the policies in some way. Sometimes we even see a hybrid, where many significant problems are ignored, and the rest are dealt with in such a heavy-handed manner that the cure is worse than the disease.

One reason for this is an inadequate accounting for risk. The wisdom in infosec has for many years been that the risk equation is structured like Equation 15-1. The value P in Equation 15-1 is the probability of an event.

Image from book

ALE stands for "annualized loss expectancy" and is the estimated value of the loss in a given year. This equation has been used to quantify risk for many years. There is one problem with it, however. It fails to account for the impact of the proposed mitigation. The assumption is that the user is interested in discovering how much she should be willing to spend on mitigations. A mitigation that costs more to implement than the risk is worth is not worthwhile. That, however, fails to take into account the fact that it is not just the mitigation itself that has a cost. The mitigation often comes with side-effects, and those have a cost associated with them as well. A more complete risk equation is shown in Equation 15-2.

Image from book

Equation 15-2 modifies the ALE to take into account the changed probability and cost of loss after a mitigation, and the cost of the mitigation. The cost of the mitigation consists of the cost of the mitigation itself, and any expected cost of side-effects of the mitigation. By using an equation that takes into account the expected cost of mitigations we have a much more complete picture of the impact of our decisions. Equation 15-2 has the potential to more accurately account for the value of the risk. It reflects the fact that the mitigations and side-effects of mitigations are potentially costly. For instance, let us consider the case of wireless networking. Wireless networking has a risk of loss associated with it, as an attacker can potentially use it to break into the organization. Just to make numbers up, we will assume the probability of that event is 0.01 percent per year. The value of the loss that would occur in that case is harder to quantify, but let us say we are protecting personal data for 10,000 customers. The average cost of loss of such a record is $182 (according to the Ponemon Institute in 2007). In other words, the total possible loss is $1,820,000. That is how much we should be willing to spend, according to the conventional risk equation. According to the modified one, our willingness to spend would be offset by the impact of the mitigation.

One possible mitigation would be to put a virtual private network (VPN) device between the wireless network and the wired network. However, host-to-site VPN connections typically drop when there is an interruption in the underlying network. This can happen for a number of reasons, but a very common interruption in wireless networking is that users move from one access point to another as they move through the building. In fact, they could move from one access point to another without even moving the computer. This causes a disruption as the user needs to (a) recognize that a disconnection has occurred, (b) interrupt what she is doing to launch a VPN client to reconnect, and (c) re-establish the context for the task that was interrupted. This process can easily take five minutes each time, and it can happen several times a day.

For the sake of argument, let us say the disconnection event happens on average three times per day per user, including the initial setup. That is 15 minutes of lost productivity per user. There could also be data loss associated with this connectivity drop, but we will ignore that for now. There are approximately 200 workdays in a year, so each year every user loses 3,000 minutes, or 50 hours of work due to network connectivity issues. If you have 1,000 users, it means that every year you lose 50,000 hours of work. To estimate total cost, you would need to count how much each user costs per hour. A figure of $75–100 per hour is typical, after accounting for salary, benefits, and ancillary costs. Using the lower of those numbers, the potential cost of side-effects from our mitigation, a VPN device between our wireless and wired network, is $3,750,000. We do not have complete confidence in these figures, but we could say that it is about a 50/50 chance that things will play out this way. That means our estimated cost of the side-effects of the mitigation is $1,875,000. In other words, the cost of side effects from our mitigation is estimated at $55,000 per year more than the risk itself is worth! We do not even need to include the cost of actually building the mitigation. This mitigation option should be eliminated from consideration.

These are just made up figures, obviously, but the concept is critical. Much of what we today think of as the basic tenets of information security came from a military environment, where the cost of a breach could mean massive casualties. This led, naturally, to an extremely conservative approach. In a commercial or non-military public sector environment, and even in a military one, these models need to be reviewed and reconsidered based on a more risk-tolerant approach. Unfortunately, far too often, the security department views its job as removing all risk, and hence all work. They become the work stoppage department, and quickly become irrelevant and left out of all important decisions.

Taking this approach to security leads to a loss of benefits from security as the sensible consideration of risks, which the security department ostensibly is better at than anyone else, is removed from the decision making process. Security becomes irrelevant. Only by taking into account business needs, user desires, and what pain will be caused by our mitigations, can we become relevant again. In essence, the field of information security needs to question our world view. In short, we need to think differently about security and managing risk. We need to partner with the rest of the business and leverage others to improve our overall risk posture. The rest of this chapter looks at a number of areas of information security, and how Windows Vista can be leveraged to do just that.


Other  
 
Soccer Highlights
- VIDEO Marseille 2 – 2 PSG (Ligue 1) Highlights
- VIDEO Real Madrid 3 – 0 Eibar (La Liga) Highlights
- VIDEO Udinese 2 – 6 Juventus (Serie A) Highlights
- VIDEO Tottenham Hotspur 4 – 1 Liverpool (Premier League) Highlights
- VIDEO Celta 0 – 1 Atletico Madrid (La Liga) Highlights
- VIDEO Everton 2 – 5 Arsenal (Premier League) Highlights
- VIDEO Torino 0 – 1 Roma (Serie A) Highlights
- VIDEO Benevento 0 – 3 Fiorentina (Serie A) Highlights
- VIDEO AC Milan 0 – 0 Genoa (Serie A) Highlights
- VIDEO Troyes 0 – 5 Lyon (Ligue 1) Highlights
- VIDEO Nice 1 – 2 Strasbourg (Ligue 1) Highlights
- VIDEO Atalanta 1 – 0 Bologna (Serie A) Highlights
REVIEW
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
programming4us
 
 
programming4us