Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Real Life Information Security
Bringing cost-benefit analysis into risk management
Hewitt Associates
Human Resources Outsourcing
~25’000 employees worldwide
Highly sensitive clients’ data
HRO Market
Not purely financial
Mostly B2B
Highly competitive
Stay competitive, stay flexible
Shepherds or policemen?
Very high pressure from business
No „one size fits all” approach
Lessons learnt:
Talk to business
Have real arguments
Talk business
Where do all these numbers come from?
From the past
Source: DatalossDB.org
From market analytics
~$100 USD per record
No actual abuse required
„Losing control” is the bad word
How much to spend and where to stop?
Source: Ponemon Institute, „2008 Annual Study: Cost of Data Breach”
From others’ fines
Source: FSA, 22 July 2009
From Risk Analysis
Risk = Potential Loss * Threat Probability
Potential Loss ~ Asset Cost, Brand Value...
When does risk analysis make sense?
Control Cost << Asset Cost
Source: Flickr (edouard)
What makes Control cost?
Roll-out cost: obvious
Change cost: not so obvious
Management cost: not so obvious
End-user usage cost: largely ignored, especially if the end users are outside the organisation
Source: Flickr (daveme)
Potential loss → Control → Real loss
Case studies
Qualified Certificate in ZUS*
ZUS costs: Roll-out = ? Administration = ?
Taxpayer costs (245’000 QCs): 100-140 million PLN one-time, ~40 million PLN annual QC renewal
Future costs: Attribute certificates (ZUS & taxpayers) = ? „e-PUAP trusted profiles” (ZUS) = ?
Source: Money.pl, ZUS
* ZUS = Polish public pensions provider
Invoicing
What’s the cost of invoicing?
People, paper, printing, postal, processing
Average €1,4 per paper invoice
Ultimate solution: give up VAT
When does e-invoicing make sense?
» Electronic invoice TCO << Paper invoice TCO
» Theory: €0,4 versus €1,4
» Key word: TCO
Sources: EU MEMO/00/85
E-Invoicing in Europe
Denmark
OCES & others allowed
OCES: quite simple origin & integrity authentication
OCES: proportional to e-invoicing risks
Around 66% of all invoices are e-invoices
Poland
Only QES & EDI allowed
EDI: supermarkets only
QES: not designed for automatic signature
QES: more legal than real security
Around 5% of companies use e-invoicing
Sources: EEI 2007, ITST, OECD; GUS 2008
Risk Management in e-banking
Auth method   Number   Individual (millions of clients)   Corporate (high non-repudiation needs)
SMS           15       ↑ Usable, ↓ Big cost               ↓ Repudiation
Token         11       ↓ Big cost                         ↓ Repudiation
TAN           7        ↓ Low security, ↑ Low cost         ↓ Repudiation
Smartcard     2        ↓ Not usable, ↓ Big cost           ↑ Non-repudiation
Source: Bankier.pl report, October 2009 (selected data only)
Laffer’s curve in security
Source: Wikipedia
Mayfield’s Paradox
Source: ISACA, „Mathematical Proofs of Mayfield's Paradox”, 2001
How to?
Pitfall of „One-size fits all” approach
[Chart: Risk against Cost for three cases A, B and C]
Source: Willem Duiff, GE (SASMA 2009)
Control questions
Before deploying a new solution:
Do my controls help, instead of breaking the process?
How do my controls help the business do its work?
Before asking for new funding:
What did we earn on the last project?
Is security a cost?
Security is an investment to prevent losses
Spend $100k to prevent losing $1m = 10x benefit
NOT: „Security again spent $100k”
YES: „Security helped save $1M for just $100k”
How FDE saves money
Office break-in
Four laptops stolen
All with full-disk encryption
Cost of incident: zero
Hardware: insurance
Data confidentiality: able to prove to client
Data availability: backups & network drives
Where’s the ROI of FDE?
No $$$ in fines
No $$ in breach notification
No $? in brand damage
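As an added worked example (not from the slides or from Hewitt Associates), the arithmetic behind the „From Risk Analysis”, „What makes Control cost?”, „Pitfall of One-size fits all” and „Is security a cost?” slides, applied to the FDE case above: the control does not stop laptop theft, it shrinks what a theft costs, and the same roll-out is then evaluated against three business units with very different data at stake. Every figure (1,000 laptops, the four cost components, a 5% annual theft probability, a $2,000 residual hardware loss, the 10% threshold used to read „Control Cost << Asset Cost”) is a constructed assumption.

```python
"""Cost-benefit model for a security control (added example, not from the talk).

Applies Risk = Potential Loss * Threat Probability and the four control-cost
components (roll-out, change, management, end-user usage) to a hypothetical
FDE roll-out, then re-runs the same control against three business units to
show the one-size-fits-all pitfall. All numbers are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlCost:
    """The four cost components from the 'What makes Control cost?' slide."""
    rollout: float              # one-time, the obvious part
    change: float               # one-time process/integration changes
    management_per_year: float  # administration, key escrow, helpdesk
    end_user_per_year: float    # users' lost time, the part usually ignored

    def tco(self, years: int) -> float:
        """Total cost of ownership over the planning horizon."""
        return self.rollout + self.change + years * (
            self.management_per_year + self.end_user_per_year)


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, with and without the control."""
    name: str
    loss_before: float   # potential loss per incident without the control
    loss_after: float    # what an incident still costs with the control
    probability: float   # annual threat probability (FDE does not stop theft)


def annual_loss_expectancy(potential_loss: float, threat_probability: float) -> float:
    """Risk = Potential Loss * Threat Probability, per year."""
    return potential_loss * threat_probability


def evaluate(s: Scenario, cost: ControlCost, years: int) -> dict:
    """Avoided loss versus control TCO over `years` (the real loss is what remains)."""
    avoided = years * (annual_loss_expectancy(s.loss_before, s.probability)
                       - annual_loss_expectancy(s.loss_after, s.probability))
    tco = cost.tco(years)
    return {"avoided_loss": avoided, "tco": tco, "net": avoided - tco,
            "benefit_ratio": avoided / tco if tco else float("inf")}


def breakeven_probability(s: Scenario, cost: ControlCost, years: int) -> float:
    """Annual threat probability at which the control just pays for itself."""
    return cost.tco(years) / (years * (s.loss_before - s.loss_after))


def risk_analysis_makes_sense(cost: ControlCost, asset_value: float,
                              years: int, max_fraction: float = 0.1) -> bool:
    """'Control Cost << Asset Cost', read here as TCO under 10% of the asset (assumed threshold)."""
    return cost.tco(years) < max_fraction * asset_value


# Constructed figures: 1,000 laptops; unit A holds a client file of 100,000
# records at ~$100 per record (the order of magnitude quoted on the slides).
FDE = ControlCost(rollout=30_000, change=10_000,
                  management_per_year=5_000, end_user_per_year=20_000)
YEARS = 3
UNITS = [
    Scenario("A: HRO client data", loss_before=100_000 * 100, loss_after=2_000, probability=0.05),
    Scenario("B: internal HR", loss_before=1_000_000, loss_after=2_000, probability=0.05),
    Scenario("C: marketing kiosk", loss_before=50_000, loss_after=2_000, probability=0.05),
]


def one_size_fits_all(units, cost: ControlCost, years: int) -> dict:
    """Net benefit of rolling the identical control out everywhere, per unit."""
    return {u.name: evaluate(u, cost, years)["net"] for u in units}


if __name__ == "__main__":
    for u in UNITS:
        r = evaluate(u, FDE, YEARS)
        print(f"{u.name:20} avoided={r['avoided_loss']:>12,.0f} tco={r['tco']:>9,.0f} "
              f"net={r['net']:>12,.0f} sense={risk_analysis_makes_sense(FDE, u.loss_before, YEARS)}")
    print(f"FDE on unit A breaks even at p = {breakeven_probability(UNITS[0], FDE, YEARS):.4f}/year")
```

Running it shows the point of the pitfall slide: the same $115k roll-out is a 13x benefit for unit A, roughly break-even for unit B, and a net loss for unit C, so the control should be scoped per business case rather than mandated uniformly; the breakeven probability is the number to argue with when the business disputes the 5% assumption.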
Building a consistent security policy #1
Should people take their laptops home? Isn’t that increasing the risk of theft?
Laptop theft: lose laptop ($), lose data ($$$)
Source: Flickr (aresnick)
Building a consistent security policy #2
Laptop at home = work from home
Disaster recovery, business continuity
Examples: UK snow (2009), London flood (2009), Hemel Hempstead explosion (2005)
Need to prevent the other risks
Source: Wikipedia
Building a consistent security policy #3
End-user message: „Always take your laptop home”
FDE is a standard, non-optional process
Things we learned when talking to business
Avoid „weasel talk” and buzzwords: „Some attacks exist that might pose a significant risk...”
Use as many facts and numbers as possible
Do use industry reports; be careful with vendor reports: „How spam filtering helps prevent global warming”
Filter them through your company’s reality check
Learn from historic incidents in your organisation
Perform periodic review of your controls
Make sure the old threat is still there
Make sure no new threats have appeared