{"id":1031,"date":"2008-11-21T10:32:09","date_gmt":"2008-11-21T18:32:09","guid":{"rendered":"\/?p=1031"},"modified":"2008-11-21T10:36:55","modified_gmt":"2008-11-21T18:36:55","slug":"the-economics-of-vulnerabilities","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=1031","title":{"rendered":"The economics of vulnerabilities&#8230;"},"content":{"rendered":"<p>Gunnar Peterson of <a href=\"http:\/\/1raindrop.typepad.com\" class=\"broken_link\">1 Raindrop<\/a> has <a href=\"http:\/\/1raindrop.typepad.com\/1_raindrop\/2008\/11\/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html\" class=\"broken_link\">blogged his Keynote <\/a>at the<a href=\"http:\/\/qop-workshop.org\/Program.htm\"> recent Quality of Protection conference<\/a>.\u00a0 It is a great read &#8211; and\u00a0a <em>defense in depth<\/em> against\u00a0the binary &#8220;secure \/ not secure&#8221; polarity that characterizes the thinking of\u00a0those new to security matters.\u00a0<\/p>\n<p>His argument riffs on Dan Geer&#39;s\u00a0famous <a href=\"http:\/\/catless.ncl.ac.uk\/Risks\/20.06.html\">Risk Management is Where the Money Is<\/a>.\u00a0 He turns to Warren Buffet as someone who knows something about this kind of thing, writing:<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his <a href=\"http:\/\/www.berkshirehathaway.com\/letters\/2007ltr.pdf\">2007 shareholder letter <\/a>talking about financial institutions&#8217; ability to deal with the subprime mess in the housing market saying, &#8220;You don&#39;t know who is swimming naked until the tide goes out.&#8221; In our world, we don&#39;t know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;So the security industry understands enough about risk management that the language of risk has permeated almost every product, presentation, and security project for the last ten years. However, a friend of mine who works at a bank recently attended a workshop on security metrics, and came away with the following observation &#8211; &#8220;All these people are talking about risk, but they don&#39;t have any assets.&#8221; You can&#39;t do risk management if you don&#39;t know your assets.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Risk management requires that you know your assets, that on some level you understand the vulnerabilities surrounding your assets, the threats against those, and efficacy of the countermeasures you would like to use to separate the threat from the asset. But it starts with assets. Unfortunately, in the digital world these turn out to be devilishly hard to identify and value.<\/p>\n<p style=\"padding-left: 30px;\">&#8220;Recent events have taught us again, that in the financial world, Warren Buffett has few peers as a risk manager. I would like to take the first two parts of this talk looking at his career as a way to understand risk management and what we can infer for our digital assets.<\/p>\n<p>Analysing vulnerabilities and the values of assets, he uncovers two pyramids that turn out to be inverted.\u00a0<\/p>\n<p style=\"padding-left: 30px;\">To deliver a real Margin of Safety to the business, I propose the following based on a defense in depth mindset. Break the IT budget into the following categories:<\/p>\n<ul>\n<li>\u00a0\n<ul>\n<li>\n<div style=\"padding-left: 30px;\">Network: all the resources invested in Cisco, network admins, etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Host: all the resources invested in Unix, Windows, sys admins, etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Applications: all the resources invested in developers, CRM, ERP, etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Data: all the resources invested in databases, DBAs, etc.<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Tally up each layer. If you are like most business you will probably find that you spend most on Applications, then Data, then Host, then Network.<\/p>\n<p style=\"padding-left: 30px;\">Then do the same exercise for the Information Security budget:<\/p>\n<ul>\n<li>\u00a0\n<ul>\n<li>\n<div style=\"padding-left: 30px;\">Network: all the resources invested in network firewalls, firewall admins, etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Host: all the resources invested in Vulnerability management, patching, etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Applications: all the resources invested in static analysis, black box scanning etc.<\/div>\n<\/li>\n<li>\n<div style=\"padding-left: 30px;\">Data: all the resources invested in database encryption, database monitoring, etc.<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 30px;\">Again, tally each up layer. If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!<\/p>\n<p>He\u00a0relates his thinking\u00a0to a fascinating piece by Pat Helland called <a href=\"http:\/\/blogs.msdn.com\/pathelland\/archive\/2007\/05\/20\/soa-and-newton-s-universe.aspx\">SOA and Newton&#39;s Universe<\/a>\u00a0(a must-read to which I will return) and then proposes\u00a0some elements of a\u00a0concrete approach to development of meaningful metrics that\u00a0he argues allow correlation of &#8220;value&#8221; and &#8220;risk&#8221; in ways\u00a0that could sustain meaningful business decisions.\u00a0<\/p>\n<p>In an otherwise clear argument, Gunnar itemizes a series of &#8220;Apologies&#8221;, in the sense of corrections applied post-facto due to the uncertaintly of decisionmaking in a distributed environment:<\/p>\n<p style=\"padding-left: 30px;\">Example Apologies &#8211; Identity Management tools &#8211; provisioning, deprovisioning, Reimburse customer for fraud losses, Compensating Transaction &#8211; Giant Global Bank is still sorry your account was compromised!<\/p>\n<p>Try as I might, I\u00a0don&#39;t\u00a0understand the\u00a0categorization of identity management tools as apology, or their relationship to account compromise\u00a0&#8211; I hope Gunnar will tell us more.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In security as in investment, &#8220;You don&#39;t know who is swimming naked until the tide goes out&#8230;&#8221; <\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[68,40,11,69],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1031"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1031"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/1031\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}