
Putting It All Together

Security spending is a matter of balancing risks and benefits.

November 1, 2002

Total computer security is impossible. No matter how much money you spend on fancy technology, how many training courses your staff attend or how many consultants you employ, you will still be vulnerable. Spending more, and spending wisely, can reduce your exposure, but it can never eliminate it altogether. So how much money and time does it make sense to spend on security? And what is the best way to spend them?

There are no simple answers. It is all a matter of striking an appropriate balance between cost and risk — and what is appropriate for one organisation might be wrong for another. Computer security, when you get down to it, is really about risk management. Before you can take any decisions about security spending, policy or management, the first thing you have to do is make a hard-headed risk assessment.

First, try to imagine all of the possible ways in which security could be breached. This is called "threat modelling", and is more difficult than it seems. Mr Schneier, the security guru, illustrates this point by asking people to imagine trying to eat at a pancake restaurant without paying. The obvious options are to grab the pancakes and run, or to pay with a fake credit card or counterfeit cash. But a would-be thief could devise more creative attacks.

He could, for example, invent some story to persuade another customer who had already paid for his meal to leave, and then eat his pancakes. He could impersonate a cook, a waiter, a manager, a celebrity or even the restaurant owner, all of whom might be entitled to free pancakes. He might forge a coupon for free pancakes. Or he might set off the fire alarm and grab some pancakes amid the ensuing chaos. Clearly, keeping an eye on the pancakes and securing the restaurant's payment system is not enough. Threat modelling alerts you to the whole range of possible attacks.

The next step is to determine how much to worry about each kind of attack. This involves estimating the expected loss associated with it, and the expected number of incidents per year. Multiply the two together, and the result is the "annual loss expectancy", which tells you how seriously to take the risk. Some incidents might cause massive losses, but be very rare; others will be more common, but involve smaller losses.

The final step is to work out the cost of defending against that attack. There are various ways to handle risk: mitigation (in the form of preventive technology and policies), outsourcing (passing the risk to someone else) and insurance (transferring the remaining risk to an insurer).

Suppose you are concerned about the risk of your website being attacked. You can mitigate that risk by installing a firewall. You can outsource it by paying a web-hosting firm to maintain the website on your behalf, including looking after security for you. And you can buy an insurance policy that, in the event of an attack, will pay for the cost of cleaning things up and compensate you for the loss of revenue. There are costs associated with each of these courses of action. To determine whether a particular security measure is appropriate, you have to compare the expected loss from each attack with the cost of the defence against it.

Firewalls make sense for large e-commerce websites, for example, because the cost of buying and maintaining a firewall is small compared with the revenue that would be lost if the site were shut down by an intruder, however briefly. But installing biometric eye-scanners at every turnstile on a city's public-transport system would be overkill, because fare-dodging can be mitigated with far cheaper technology. By contrast, in high-security environments such as military facilities or intelligence organisations, where a security breach would have serious consequences, the use of expensive security technology may be justified. In some situations, however, the right response may be to do nothing at all.
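The three steps above (list the threats, compute each one's annual loss expectancy, compare it with the cost of each defence, with "do nothing" as a legitimate option) can be written down as a small calculation. This is an added example, not code from the article; every figure in it is a constructed assumption used only to mirror the article's website, turnstile and do-nothing illustrations.

```python
# Annual-loss-expectancy (ALE) comparison following the article's three steps.
# Constructed example: every figure is an illustrative assumption, not data
# from the article or from any real organisation.
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    single_loss: float         # expected loss per incident (currency units)
    incidents_per_year: float  # expected number of incidents per year

    def ale(self) -> float:
        # Step 2: annual loss expectancy = loss per incident x incidents per year.
        return self.single_loss * self.incidents_per_year

@dataclass
class Option:
    name: str           # mitigate / outsource / insure, as the article lists them
    annual_cost: float  # step 3: what the defence costs per year
    residual: float     # fraction of the ALE still borne after the defence

def annual_exposure(threat: Threat, option: Option) -> float:
    # Yearly cost of a course of action: its price plus the loss it does not remove.
    return option.annual_cost + option.residual * threat.ale()

def best_option(threat: Threat, options: list[Option]) -> tuple[str, float]:
    # "Do nothing" is always a candidate: zero cost, full ALE retained.
    candidates = [Option("do nothing", 0.0, 1.0), *options]
    chosen = min(candidates, key=lambda o: annual_exposure(threat, o))
    return chosen.name, annual_exposure(threat, chosen)

# Constructed scenarios mirroring the article's illustrations.
WEBSITE = Threat("website attack", single_loss=200_000, incidents_per_year=0.5)
WEBSITE_OPTIONS = [
    Option("mitigate: firewall", 15_000, 0.2),
    Option("outsource: managed hosting", 60_000, 0.1),
    Option("insure: cyber policy", 25_000, 0.3),
]
FARE_DODGING = Threat("fare dodging", single_loss=5, incidents_per_year=100_000)
FARE_OPTIONS = [
    Option("mitigate: eye scanners at every turnstile", 2_000_000, 0.05),
    Option("mitigate: cheaper barriers", 300_000, 0.3),
]
RARE = Threat("rare, low-impact incident", single_loss=10_000, incidents_per_year=0.01)
RARE_OPTIONS = [Option("mitigate: specialist control", 5_000, 0.0)]

if __name__ == "__main__":
    for threat, opts in ((WEBSITE, WEBSITE_OPTIONS), (FARE_DODGING, FARE_OPTIONS), (RARE, RARE_OPTIONS)):
        print(f"{threat.name}: ALE={threat.ale():,.0f}; choose {best_option(threat, opts)}")
```

With these assumed figures the firewall wins for the website, the cheaper barrier beats the eye-scanners for the transport system, and for the rare incident the cheapest course is to do nothing.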

Standards Stuff
That different organisations have different security needs is explicitly recognised in ISO 17799, an international standard for "best practices in information security" that was introduced by the International Organisation for Standardisation in 2000. Risk analysis is a basic requirement of the standard, as is the establishment of a security policy. But, says Geoff Davies of i-Sec, a British security consultancy, "an industrial firm and a bank with ISO 17799 certification will have totally different systems." The standard does not specify particular technological or procedural approaches to security; it concentrates on broadly defined ends rather than specific means. The standard's flexibility is controversial, however. Critics believe future versions of the standard should be more prescriptive and more specific about what constitutes "best practice". Still, even in its current form, ISO 17799 is better than nothing. Many multinational companies have already embraced it to demonstrate their commitment to security. And in several Asian countries, companies that want to do business with the government electronically must conform to the standard.

Just as different organisations require different levels of protection, they will also respond to an attack in different ways. A large company, for example, may find it useful to have a dedicated security-response team. Scott Charney at Microsoft says that when an attack occurs, one of the things the team has to decide is whether to give priority to remediation or to investigation. Blocking the attack will alert the attacker, which may make collecting evidence against him difficult; but allowing the attacker to continue so that he can be identified may cause damage. Which is more appropriate depends on the context. In a military setting, tracking down the attacker is crucial; for a dotcom under attack by a teenager, blocking the attack makes more sense. Another difficult choice, says Mr Charney, is whether to bring in the police. Internal investigations allow an organisation to maintain control and keep things quiet, but law-enforcement agencies have broader powers.

