Clarifying security priorities

The planning and implementation of an information security system is an important task in any enterprise. Here's a look at how you can prioritise your security needs. by Viren Mantri

One of the biggest risks senior managements face today is business downtime and financial loss in the face of increasing attacks resulting from sophisticated threats. How then can an organisation establish an appropriate level of security readiness that is not draining resources but is a business enabler?

In today’s computing environment, malicious attacks have become very sophisticated. We are observing polymorphic worm attacks in which the same type of attack looks different each time, making it difficult to detect. We have also started hearing about a metamorphic attack—a recent term that has been coined to describe the next generation of worms that we might see. In essence, a metamorphic attack would bundle several different attack vectors and techniques, each of which might display polymorphic behaviour.

We are observing a rapid growth in zombie networks—networks of compromised computers (belonging to thousands of innocent and unaware end-users) running stealth spyware—sold at a price and which are used to broadcast spam and phishing scams and to spread more e-mail viruses designed to create more zombies. These spyware programmes can also capture all keystrokes (may include your Internet banking user ID and password) that can be sent to the hacker. We can imagine the consequences.

In the last few years, there have been an excessive number of vulnerabilities (bugs, security holes) across multiple operating environments. When these vulnerabilities are discovered, vendors rush to issue patches to fix those vulnerabilities. There have been many cases where an exploit tool was released but no patch was available. Attacks enabled by exploit tools are called zero-day attacks.

There have also been many cases where both an exploit tool and the patch were released, but organisations could not deploy the patch in time. Attacks occurring in this situation are called near-zero-day attacks. In the recent past, we have observed a number of zero-day and near-zero-day attacks.

Strategies to manage this

Managing security is indeed a balancing act between what to fix, when to fix, what to spend on, when to spend, how much to spend, and how much is enough. If you spend too little, there might be disastrous consequences; on the other hand, how do you know whether you are spending too much? How do you know if your spending is leading to an improvement?

Costs associated with security are often difficult to quantify. How do you calculate the costs associated with business loss, data corruption or violation of integrity after a malicious attack on your network? How do you calculate the value of goodwill lost in the wake of a major denial-of-service attack?

Creating a highly secure organisation requires reducing risk to an “acceptable level.” But what is “acceptable?” A level at which you feel you have minimised business downtime and hence reduced financial losses?

How do we get there?

First: why quantify security costs based on losses? Why not focus on benefits? There are tangible ways to measure associated economic benefits of implementing a certain security solution. We should quantify operational and economic efficiencies associated with a security solution.

In other words, instead of thinking what we will lose if we don’t spend on security, we must think what we will gain and how much market differentiation we can create by implementing a proactive, integrated, and automated security solution. Only then will security become a business enabler.

Second: we must note that there have been an excessive number of vulnerabilities (bugs, security holes) across multiple operating environments. When these vulnerabilities are discovered, vendors rush to issue patches to fix the vulnerabilities.

For each patch you need to determine whether it is relevant and critical to your specific environment, and whether it must be prioritised for immediate deployment or can wait. You need to know the security threat you are exposed to if you don’t deploy this patch immediately.

What is the financial impact? How many machines does this patch need to be loaded on? How fast can it be deployed? Do you have adequate bandwidth to deploy a critical patch in the middle of the business day? Will the patch work? Does it need to be tested? Will it create an adverse impact on in-house applications? Do you have a regression plan? Note that vendors have often issued patches for patches.

With limited funds, we need to prioritise which assets to protect first and identify those that are most critical. Do you know how many devices you own? What operating version and what applications are running on those devices? If not, how do you know which are the most vulnerable? Do you know which assets support your most important business processes?

Vulnerability management

To get a picture of risk, you need assets, vulnerability, and threat information, and you need to manage the risk using a priority-based approach. Organisations must therefore have a Vulnerability Management (VM) process to determine whether to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost associated with fixing the vulnerability.

According to Gartner, enterprises that implement a VM process will experience 90 percent fewer successful attacks.

The scope of VM extends well beyond a simple vulnerability assessment and/or a penetration test that certain organisations are mandated to do by auditors and regulators. VM extends this scope to prioritising and fixing those vulnerabilities and hence the exposures that matter most to you. Just because a vendor has said it is a high-risk vulnerability does not automatically mean so for your organisation. You have to determine what is high-risk to your specific environment.

VM is a not a one-time exercise. It is a process of continuous improvement. Organisations need to conduct periodic internal and external vulnerability assessments or penetration tests as part of validating their security preparedness, and apply appropriate remedial techniques to mitigate risks and fix exposures.

Patch management

As a third approach to get there, it is clear that patch management is essential but not easy. It takes weeks and months to deploy patches successfully across the organisation. There are automated patch management tools which help make the patch management process more efficient. However, such automated tools cannot automate the decision making process—to patch or not to patch.

Patch Management, by nature, is reactive, and cannot block zero-day and near-zero-day attacks. It cannot be therefore considered a priority and a strategic security investment. It is rather a part of IT lifecycle management that adds value to operational efficiency.

It has also become clear that firewalls and anti-virus technologies are not adequate to protect your organisation against sophisticated security threats.

A security strategy must be proactive and block zero-day and near- zero-day attacks. Such a strategy mandates effective use of intrusion prevention systems because it is a lot cheaper to prevent an attack than to recover from it. However, the task does not end with the identification of the security tool.

Best practices

Deploying security technologies without enforcing best practices may create a false sense of security. Not recognising the priorities for security spend may further diminish business value. It is important to maximise the equation of technologies, practices and dollars that yields business value to all stakeholders. People, processes and technologies together make up the complete solution. You cannot rely on technology alone.

It is often observed that firms focus on highlighting corporate risks. In addition, employees need to be educated so that personal responsibility towards security is instilled in them.

Almost everyone in a large organisation is connected to the Internet. The Internet browser and e-mail are the most popular applications. An organisation’s logical perimeter is rapidly disappearing. Employees work from home; business is done in real-time; and employees, partners and customers interact over the Internet, intranet and extranet.

Note that security encompasses confidentiality, integrity and availability. Organisations must prioritise their security investment in VM, intrusion prevention, firewalls, anti-virus, anti-spam and anti-spyware. Specific business needs may further drive their investments in VPN solutions, identity management, granular access control, and authorisation.

Priority-based approach

To begin with, it is imperative to establish a priority-based approach to reduce risk using the 10 steps below. These steps can enforce a priority-based approach to risk management. (See diagram)

1. Establish processes, standards, and guidelines
2. Discover all assets in the network
3. Assign business value to assets
4. Determine vulnerabilities of assets
5. View potential threats
6. Determine risk levels (which are a product of asset value, vulnerability severity and threat criticality)
7. Stop intrusions in real-time
8. Proactively fix vulnerabilities
9. Measure impact of security decisions and actions
10. Review for policy compliance.

Organisations can mitigate risk by carefully balancing asset value, vulnerability severity and threat criticality. This approach recognises that enterprise resources are limited, and by focussing on the most important assets, vulnerabilities and threats first, the enterprise can direct resources where they’ll have the greatest return while improving the security health of the organisation.

Adopting the 10 steps as best practices will enable you to

• Study threats, assess risks, and determine how to reduce risk to an acceptable level
• Determine what to spend on, when, and how much
• Measure your remedial efforts
• Steer education and awareness efforts in a focussed manner
• Be compliant with regulatory requirements
• Measure the impact of your security decisions and actions. r

The author is Principal, Strategic Security Services, SE Asia and India, McAfee Inc