real life information security
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Real Life Information Security
Bringing cost-benefit analysis into risk management
Hewitt Associates
Human Resources Outsourcing
~25,000 employees worldwide
Highly sensitive clients’ data
HRO Market
Not purely financial
Mostly B2B
Highly competitive
Stay competitive, stay flexible
Shepherds or policemen?
Very high pressure from business
No „one size fits all” approach
Lessons learnt: talk to the business, have real arguments, talk business
Where do all these numbers come from?
From the past
Source: DatalossDB.org
From market analytics
~$100 USD per record
No actual abuse of the data is required for the cost to arise: „losing control” is the bad word
How much to spend, and where to stop?
Source: Ponemon Institute, „2008 Annual Study: Cost of Data Breach”
From others’ fines
Source: FSA, 22 July 2009
From Risk Analysis
Risk = Potential Loss * Threat Probability
Potential Loss ~ Asset Cost, Brand Value...
When does risk analysis make sense?
Control Cost << Asset Cost
Source: Flickr (edouard)
What makes Control cost?
Roll-out cost: obvious
Change cost: not so obvious
Management cost: not so obvious
End-user usage cost: largely ignored, especially when the users are outside the organisation
Source: Flickr (daveme)
Potential loss → Control → Real loss
Case studies
Qualified Certificate in ZUS*
ZUS costs: roll-out = ?, administration = ?
Taxpayer costs (245,000 QCs): 100–140 million PLN one-time, ~40 million PLN annual QC renewal
Future costs: attribute certificates (ZUS & taxpayers) = ?, „e-PUAP trusted profiles” (ZUS) = ?
Source: Money.pl, ZUS
* ZUS = Polish public pensions provider
Invoicing
What’s the cost of invoicing? People, paper, printing, postage, processing
Average €1.40 per paper invoice
Ultimate solution: give up VAT
When does e-invoicing make sense?
» Electronic invoice TCO << Paper invoice TCO
» Theory: €0.40 versus €1.40
» Key word: TCO
Sources: EU MEMO/00/85
E-Invoicing in Europe
Denmark: OCES & others allowed
» OCES: quite simple origin & integrity authentication
» OCES: proportional to e-invoicing risks
» Around 66% of all invoices are e-invoices
Poland: only QES & EDI allowed
» EDI: supermarkets only
» QES: not designed for automatic signature
» QES: more legal than real security
» Around 5% of companies use e-invoicing
Sources: EEI 2007, ITST, OECD; GUS 2008
Risk Management in e-banking
| Auth method | Number | Individual (millions of clients) | Corporate (high non-repudiation needs) |
|---|---|---|---|
| SMS | 15 | ↑ Usable, ↓ Big cost | ↓ Repudiation |
| Token | 11 | ↓ Big cost | ↓ Repudiation |
| TAN | 7 | ↓ Low security, ↑ Low cost | ↓ Repudiation |
| Smartcard | 2 | ↓ Not usable, ↓ Big cost | ↑ Non-repudiation |
Source: Bankier.pl report, October 2009 (selected data only)
Laffer’s curve in security
Source: Wikipedia
Mayfield’s Paradox
Source: ISACA, „Mathematical Proofs of Mayfield's Paradox”, 2001
How to?
Pitfall of the „one-size fits all” approach
[Chart: Risk versus Cost for systems A, B and C]
Source: Willem Duiff, GE (SASMA 2009)
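To make the arithmetic of „From Risk Analysis”, „What makes Control cost?” and „Potential loss → Control → Real loss” concrete, and to put numbers on the one-size-fits-all pitfall for systems A, B and C, here is an added worked example in Python. It is editorial illustration, not code or data from the talk or from Hewitt Associates: the asset names, threat probabilities, control cost components, effectiveness figures and the service life over which one-off costs are spread are all constructed assumptions; only the ~$100-per-record order of magnitude echoes the Ponemon figure cited earlier. The same model also yields the „spend $100k to save $1M” ratio the deck uses later under „Is security a cost?”.

```python
"""Cost-benefit check for a security control, in the slides' own terms.

  Risk         = Potential Loss x Threat Probability            (annualised)
  Control cost = roll-out + change + management + end-user usage (TCO)
  Real loss    = residual risk after the control + the control's own cost

Added illustration, not part of the talk. All figures are constructed
assumptions chosen to show the mechanics, not measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    potential_loss: float       # records x cost per record, brand value, ...
    threat_probability: float   # probability of the loss event per year, 0..1

    def risk(self) -> float:
        """Expected annual loss with no control in place."""
        return self.potential_loss * self.threat_probability


@dataclass(frozen=True)
class Control:
    name: str
    rollout: float          # obvious: one-off purchase and deployment
    change: float           # not so obvious: one-off process/application changes
    management: float       # not so obvious: yearly operations, helpdesk, key handling
    end_user_usage: float   # largely ignored: yearly time lost by users, incl. external ones
    effectiveness: float    # fraction of the threat probability the control removes, 0..1

    def annual_cost(self, years: int) -> float:
        """TCO per year: one-off costs spread over the assumed service life."""
        return (self.rollout + self.change) / years + self.management + self.end_user_usage


NO_CONTROL = Control("none", 0, 0, 0, 0, 0.0)


def evaluate(asset: Asset, control: Control, years: int) -> dict:
    """Potential loss -> control -> real loss, for one asset and one control."""
    risk_before = asset.risk()
    risk_after = risk_before * (1.0 - control.effectiveness)
    cost = control.annual_cost(years)
    real_loss = risk_after + cost
    return {
        "risk_before": risk_before,
        "risk_after": risk_after,
        "control_cost": cost,
        "real_loss": real_loss,
        "net_benefit": risk_before - real_loss,
        # the "spend $100k to prevent losing $1M" ratio for the business case
        "benefit_ratio": (risk_before - risk_after) / cost if cost else float("inf"),
        "justified": real_loss < risk_before,
    }


def best_control(asset: Asset, candidates: list, years: int) -> tuple:
    """Where to stop spending: the option (including 'none') with the lowest real loss."""
    scored = [(c.name, evaluate(asset, c, years)["real_loss"]) for c in [NO_CONTROL, *candidates]]
    return min(scored, key=lambda pair: pair[1])


def compare_policies(assets: list, control: Control, years: int) -> dict:
    """One control everywhere vs. the same control only where it pays for itself."""
    uniform = sum(evaluate(a, control, years)["real_loss"] for a in assets)
    tailored = 0.0
    for a in assets:
        r = evaluate(a, control, years)
        tailored += r["real_loss"] if r["justified"] else r["risk_before"]
    return {"uniform": uniform, "tailored": tailored, "saving": uniform - tailored}


# Constructed sample data (assumptions, not figures from the talk).
PER_RECORD = 100.0   # order of magnitude of the per-record figure cited earlier
ASSETS = [
    Asset("A: client HR portal", 500_000 * PER_RECORD, 0.02),
    Asset("B: payroll batch system", 100_000 * PER_RECORD, 0.02),
    Asset("C: internal canteen booking", 2_000 * PER_RECORD, 0.02),
]
CANDIDATES = [
    Control("awareness only", rollout=10_000, change=0, management=5_000, end_user_usage=5_000, effectiveness=0.3),
    Control("standard", rollout=150_000, change=50_000, management=40_000, end_user_usage=30_000, effectiveness=0.9),
    Control("gold-plated", rollout=600_000, change=200_000, management=150_000, end_user_usage=200_000, effectiveness=0.99),
]
YEARS = 4   # assumed service life over which one-off costs are spread

if __name__ == "__main__":
    standard = CANDIDATES[1]
    for a in ASSETS:
        r = evaluate(a, standard, YEARS)
        verdict = "justified" if r["justified"] else "NOT justified"
        print(f"{a.name}: risk {r['risk_before']:,.0f} -> real loss {r['real_loss']:,.0f} "
              f"({verdict}); best option: {best_control(a, CANDIDATES, YEARS)[0]}")
    print(compare_policies(ASSETS, standard, YEARS))
```

With these assumed numbers the standard control is the right answer for A and B, while C is best left alone: every control costs more per year than C's bare risk of 4,000, so „one size fits all” adds 116,400 a year of real loss compared with applying the control only where it pays. The gold-plated option is never the minimum for any asset, which is the point of the Laffer-curve slide that follows: past the optimum, more control spend means more real loss, not less.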
Control questions
Before deploying a new solution: Do my controls help, instead of breaking the process? How do my controls help the business do its work?
Before asking for new funding: What did we earn on the last project?
Is security a cost?
Security is an investment to prevent losses
Spend $100k to prevent losing $1M = 10x benefit
NOT: „Security again spent $100k”
YES: „Security helped save $1M for just $100k”
How FDE saves money
Office break-in
Four laptops stolen
All with full-disk encryption
Cost of incident – zero
Hardware – insurance
Data confidentiality – able to prove to client (the proof only holds for machines that were powered off, with pre-boot authentication in place, when taken; FDE does nothing for a laptop stolen while running and unlocked)
Data availability – backups & network drives
Where’s the ROI of FDE? No $$$ in fines, no $$ in breach notification, no $? in brand damage
Building a consistent security policy #1
Should people take their laptops home? Isn’t that increasing the risk of theft?
Laptop theft: lose laptop ($), lose data ($$$)
Source: Flickr (aresnick)
Building a consistent security policy #2
Laptop at home → work from home → disaster recovery, business continuity
Examples: UK snow (2009), London flood (2009), Hemel Hempstead explosion (2005)
Need to prevent the other risks
Source: Wikipedia
Building a consistent security policy #3
End-user message: „Always take your laptop home”
FDE is a standard, non-optional process
Things we learned when talking to business
Avoid „weasel talk” and buzzwords („Some attacks exist that might pose a significant risk...”)
Use as many facts and numbers as possible
Do use industry reports; be careful with vendor reports („How spam filtering helps prevent global warming”) and filter them through your company’s reality check
Learn from historic incidents in your organisation
Perform periodic reviews of your controls: make sure the old threat is still there, and that no new threats have appeared