
Page 1: Real Life Information Security

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Real Life Information Security

Bringing cost-benefit analysis into risk management

Page 2: Real Life Information Security

Hewitt Associates

Human Resources Outsourcing
~25’000 employees worldwide
Highly sensitive clients’ data

Page 3: Real Life Information Security

HRO Market

Not purely financial
Mostly B2B
Highly competitive

Stay competitive
Stay flexible

Page 4: Real Life Information Security

Shepherds or policemen?

Very high pressure from business
No „one size fits all” approach
Lessons learnt

Talk to business
Have real arguments
Talk business

Where do all these numbers come from?

Page 5: Real Life Information Security

From the past

Source: DatalossDB.org

Page 6: Real Life Information Security

From market analytics

~$100 USD per record
No actual abuse required
„Losing control” is the bad word
How much to spend and where to stop?

Source: Ponemon Institute, „2008 Annual Study: Cost of Data Breach”

Page 7: Real Life Information Security

From others’ fines

Source: FSA, 22 July 2009

Page 8: Real Life Information Security

From Risk Analysis

Risk = Potential Loss * Threat Probability

Potential Loss ~ Asset Cost, Brand Value...

Page 9: Real Life Information Security

When does Risk Analysis make sense?

Control Cost << Asset Cost

Source: Flickr (edouаrd)

Page 10: Real Life Information Security

What makes Control cost?

Roll-out cost: obvious
Change cost: not so obvious
Management cost: not so obvious
End-user usage cost: largely ignored, especially if outside

Source: Flickr (dаveme)

Page 11: Real Life Information Security

Potential loss → Control → Real loss
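As an added worked example, not from the presentation, the formulas of pages 8 to 11 in Python: expected loss as Potential Loss × Threat Probability, control cost as the sum of the four components from page 10, and the real loss that remains once the control is in place. The control figures, the three risks A, B and C, and the 0.5 effectiveness are constructed assumptions; running one control against all three also shows the one-size-fits-all pitfall of page 20, where for one of them the control costs more than the asset it protects.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    potential_loss: float      # asset cost, brand value, fines... (money units)
    threat_probability: float  # chance of the loss event per year (assumed)

    def expected_loss(self) -> float:
        """Risk = Potential Loss * Threat Probability (page 8)."""
        return self.potential_loss * self.threat_probability

@dataclass
class Control:
    rollout: float          # obvious, one-off
    change: float           # not so obvious, per year
    management: float       # not so obvious, per year
    end_user_usage: float   # largely ignored, per year
    effectiveness: float    # share of the expected loss the control removes
    lifetime_years: int = 3

    def annual_cost(self) -> float:
        """All four cost components (page 10), roll-out spread over lifetime."""
        return (self.rollout / self.lifetime_years
                + self.change + self.management + self.end_user_usage)

def evaluate(risk: Risk, control: Control) -> dict:
    """Potential loss -> Control -> Real loss (page 11)."""
    before = risk.expected_loss()
    after = before * (1.0 - control.effectiveness)   # residual ("real") loss
    cost = control.annual_cost()
    avoided = before - after
    return {
        "expected_loss": before,
        "real_loss": after,
        "control_cost": cost,
        "net_benefit": avoided - cost,
        "benefit_ratio": avoided / cost,               # 10.0 = "10x benefit"
        "cost_to_asset": cost / risk.potential_loss,   # page 9: should be << 1
        "worth_it": avoided > cost,
    }

# Constructed figures (not from the presentation): one control rolled out to
# three different risks A, B, C, the "one-size-fits-all" pitfall of page 20.
FDE = Control(rollout=12_000, change=2_000, management=3_000,
              end_user_usage=1_000, effectiveness=0.5)
RISK_A = Risk("laptop with 10k client records", 10_000 * 100, 0.2)  # ~$100/record
RISK_B = Risk("kiosk with public marketing decks", 5_000, 0.5)
RISK_C = Risk("developer laptop with source code", 100_000, 0.3)
```

For risk A the control returns the deck's 10x benefit, for risk C it still pays for itself, and for risk B the annual control cost is twice the asset value, so the same control should not be imposed there.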

Page 12: Real Life Information Security

Case studies

Page 13: Real Life Information Security

Qualified Certificate in ZUS*

ZUS costs
Roll-out = ?
Administration = ?

Taxpayer costs (245’000 QC’s)
100-140 million PLN – one-time
~40 million PLN – annual QC renewal

Future costs
Attribute certificates (ZUS & taxpayers) = ?
„e-PUAP trusted profiles” (ZUS) = ?

Source: Money.pl, ZUS

* ZUS = Polish public pensions provider

Page 14: Real Life Information Security

Invoicing

What’s the cost of invoicing?
People, paper, printing, postal, processing
Average €1,4 per paper invoice
Ultimate solution: give up VAT
When does e-invoicing make sense?

» Electronic invoice TCO << Paper invoice TCO
» Theory: €0,4 versus €1,4
» Key word: TCO

Sources: EU MEMO/00/85

Page 15: Real Life Information Security

E-Invoicing in Europe

Denmark
OCES & others allowed
OCES: Quite simple origin & integrity authentication
OCES: Proportional to e-invoicing risks
Around 66% of all invoices are e-invoices

Poland
Only QES & EDI allowed
EDI: supermarkets only
QES: Not designed for automatic signature
QES: More legal than real security
Around 5% of companies use e-invoicing

Sources: EEI 2007, ITST, OECD; GUS 2008

Page 16: Real Life Information Security

Risk Management in e-banking

Auth method | Number | Individual (millions of clients) | Corporate (high non-repudiation needs)
SMS         | 15     | ↑ Usable, ↓ Big cost             | ↓ Repudiation
Token       | 11     | ↓ Big cost                       | ↓ Repudiation
TAN         | 7      | ↓ Low security, ↑ Low cost       | ↓ Repudiation
Smartcard   | 2      | ↓ Not usable, ↓ Big cost         | ↑ Non-repudiation

Source: Bankier.pl report, October 2009 (selected data only)

Page 17: Real Life Information Security

Laffer’s curve in security

Source: Wikipedia

Page 18: Real Life Information Security

Mayfield’s Paradox

Source: ISACA, „Mathematical Proofs of Mayfield's Paradox”, 2001

Page 19: Real Life Information Security

How to?

Page 20: Real Life Information Security

Pitfall of „One-size fits all” approach

[Chart: Risk versus Cost (scale 0–80) for three risks A, B and C]

Page 21: Real Life Information Security

Source: Willem Duiff, GE (SASMA 2009)

Page 22: Real Life Information Security

Control questions

Before deploying a new solution
Do my controls help, instead of breaking the process?
How do my controls help business do its work?

Before asking for new funding
What did we earn on the last project?

Page 23: Real Life Information Security

Is security a cost?

Security is an investment to prevent losses
Spend $100k to prevent losing $1m = 10x benefit
NOT: „Security again spent $100k”
YES: „Security helped save $1M for just $100k”

Page 24: Real Life Information Security

How FDE saves money

Office break-in
Four laptops stolen
All with full-disk encryption
Cost of incident – zero

Hardware – insurance
Data confidentiality – able to prove to client
Data availability – backups & network drives

Where’s the ROI of FDE?
No $$$ in fines
No $$ in breach notification
No $? in brand damage

Page 25: Real Life Information Security

Building a consistent security policy #1

Should people take their laptops home? Isn’t that increasing the risk of theft?

Laptop theft
Lose laptop ($)
Lose data ($$$)

Source: Flickr (аresnick)

Page 26: Real Life Information Security

Building a consistent security policy #2

Laptop at home
Work from home

Disaster recovery, business continuity

Examples: UK snow (2009), London flood (2009), Hemel Hempstead explosion (2005)

Need to prevent the other risks

Source: Wikipedia

Page 27: Real Life Information Security

Building a consistent security policy #3

End-user message: „Always take your laptop home”

FDE is standard, non-optional process

Page 28: Real Life Information Security

Things we learned when talking to business

Avoid „weasel talk” and buzzwords
„Some attacks exist that might pose a significant risk...”
Use as many facts and numbers as possible
Do use industry reports
Be careful with vendor reports
„How spam filtering helps prevent global warming”
Filter them through your company’s reality check
Learn from historic incidents in your organisation
Perform periodic review of your controls
Make sure the old threat is still there
Make sure no new threats appeared

Page 29: Real Life Information Security

Questions?

Questions, comments

[email protected]

http://www.linkedin.com/in/pawelkrawczyk