Clarifying security priorities
Planning and implementation of an information security system is an important
task in any enterprise. Here's a look at how you can prioritise your security
needs. By Viren Mantri
One of the biggest risks senior managements face today is business downtime
and financial loss in the face of increasing attacks resulting from sophisticated
threats. How then can an organisation establish an appropriate level of security
readiness that is not draining resources but is a business enabler?
In today's computing environment, malicious attacks have become very sophisticated.
We are observing polymorphic worm attacks in which the same type of attack looks
different each time, making it difficult to detect. We have also started hearing
about a metamorphic attack, a recent term that has been coined to describe
the next generation of worms that we might see. In essence, a metamorphic attack
would bundle several different attack vectors and techniques, each of which
might display polymorphic behaviour.
We are observing a rapid growth in zombie networks: networks of compromised
computers (belonging to thousands of innocent and unaware end-users) running
stealth spyware, sold at a price, and which are used to broadcast spam and
phishing scams and to spread more e-mail viruses designed to create more zombies.
These spyware programmes can also capture all keystrokes (which may include your Internet
banking user ID and password) that can be sent to the hacker. We can imagine
In the last few years, there have been an excessive number of vulnerabilities
(bugs, security holes) across multiple operating environments. When these vulnerabilities
are discovered, vendors rush to issue patches to fix those vulnerabilities.
There have been many cases where an exploit tool was released but no patch was
available. Attacks mounted in this situation, with an exploit in circulation
and no patch available, are called zero-day attacks.
There have also been many cases where both an exploit tool and the patch were
released, but organisations could not deploy the patch in time. Attacks occurring
in this situation are called near-zero-day attacks. In the recent past, we have
observed a number of zero-day and near-zero-day attacks.
Strategies to manage this
Managing security is indeed a balancing act between what to fix, when to fix,
what to spend on, when to spend, how much to spend, and how much is enough.
If you spend too little, there might be disastrous consequences; on the other
hand, how do you know whether you are spending too much? How do you know if
your spending is leading to an improvement?
Costs associated with security are often difficult to quantify. How do you calculate
the costs associated with business loss, data corruption or violation of integrity
after a malicious attack on your network? How do you calculate the value of
goodwill lost in the wake of a major denial-of-service attack?
Creating a highly secure organisation requires reducing risk to an acceptable
level. But what is acceptable? A level at which you feel you
have minimised business downtime and hence reduced financial losses?
How do we get there?
First: why quantify security costs based on losses? Why not focus on benefits?
There are tangible ways to measure associated economic benefits of implementing
a certain security solution. We should quantify operational and economic efficiencies
associated with a security solution.
In other words, instead of thinking what we will lose if we don't spend
on security, we must think what we will gain and how much market differentiation
we can create by implementing a proactive, integrated, and automated security
solution. Only then will security become a business enabler.
Second: we must note that there have been an excessive number of vulnerabilities
(bugs, security holes) across multiple operating environments. When these vulnerabilities
are discovered, vendors rush to issue patches to fix the vulnerabilities.
For each patch you need to determine whether it is relevant and critical to
your specific environment, and whether it must be prioritised for immediate
deployment or can wait. You need to know the security threat you are exposed
to if you don't deploy this patch immediately.
What is the financial impact? How many machines does this patch need to be loaded
on? How fast can it be deployed? Do you have adequate bandwidth to deploy a
critical patch in the middle of the business day? Will the patch work? Does
it need to be tested? Will it create an adverse impact on in-house applications?
Do you have a regression plan? Note that vendors have often issued patches for
With limited funds, we need to prioritise which assets to protect first and
identify those that are most critical. Do you know how many devices you own?
What operating version and what applications are running on those devices? If
not, how do you know which are the most vulnerable? Do you know which assets
support your most important business processes?
To get a picture of risk, you need assets, vulnerability, and threat information,
and you need to manage the risk using a priority-based approach. Organisations
must therefore have a Vulnerability Management (VM) process to determine whether
to eliminate, mitigate or tolerate vulnerabilities based upon risk and the cost
associated with fixing the vulnerability.
According to Gartner, enterprises that implement a VM process will experience
90 percent fewer successful attacks.
The scope of VM extends well beyond a simple vulnerability assessment and/or
a penetration test that certain organisations are mandated to do by auditors
and regulators. VM extends this scope to prioritising and fixing those vulnerabilities
and hence the exposures that matter most to you. Just because a vendor has said
it is a high-risk vulnerability does not automatically mean so for your organisation.
You have to determine what is high-risk to your specific environment.
VM is not a one-time exercise. It is a process of continuous
improvement. Organisations need to conduct periodic internal and external vulnerability
assessments or penetration tests as part of validating their security preparedness,
and apply appropriate remedial techniques to mitigate risks and fix exposures.
As a third approach to get there, it is clear that patch management is essential
but not easy. It takes weeks and months to deploy patches successfully across
the organisation. There are automated patch management tools which help make
the patch management process more efficient. However, such automated tools cannot
automate the decision-making process: to patch or not to patch.
Patch management, by nature, is reactive, and cannot block zero-day and near-zero-day
attacks. It therefore cannot be considered a priority and a strategic security
investment. It is rather a part of IT lifecycle management that adds value to
It has also become clear that firewalls and anti-virus technologies are not
adequate to protect your organisation against sophisticated security threats.
A security strategy must be proactive and block zero-day and near-zero-day
attacks. Such a strategy mandates effective use of intrusion prevention systems
because it is a lot cheaper to prevent an attack than to recover from it. However,
the task does not end with the identification of the security tool.
Deploying security technologies without enforcing best practices
may create a false sense of security. Not recognising the priorities for security
spend may further diminish business value. It is important to find the combination
of technologies, practices and dollars that yields the most business value to all stakeholders.
People, processes and technologies together make up the complete solution. You
cannot rely on technology alone.
It is often observed that firms focus on highlighting corporate
risks. In addition, employees need to be educated so that personal responsibility
towards security is instilled in them.
Almost everyone in a large organisation is connected to the Internet. The Internet
browser and e-mail are the most popular applications. An organisation's
logical perimeter is rapidly disappearing. Employees work from home; business
is done in real-time; and employees, partners and customers interact over the
Internet, intranet and extranet.
Note that security encompasses confidentiality, integrity and availability.
Organisations must prioritise their security investment in VM, intrusion prevention,
firewalls, anti-virus, anti-spam and anti-spyware. Specific business needs may
further drive their investments in VPN solutions, identity management, granular
access control, and authorisation.
To begin with, it is imperative to establish a priority-based approach to reduce
risk using the 10 steps below. These steps can enforce a priority-based approach
to risk management. (See diagram)
1. Establish processes, standards, and guidelines
2. Discover all assets in the network
3. Assign business value to assets
4. Determine vulnerabilities of assets
5. View potential threats
6. Determine risk levels (which are a product of asset value, vulnerability
severity and threat criticality)
7. Stop intrusions in real-time
8. Proactively fix vulnerabilities
9. Measure impact of security decisions and actions
10. Review for policy compliance.
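The risk level in step 6, the product of asset value, vulnerability severity and threat criticality, and the eliminate/mitigate/tolerate decision of the VM process described earlier can be worked through on a small inventory. The following is an added example, not code from the article or from McAfee; the 1-to-5 rating scale, the three thresholds, the fix-cost figures and the asset names are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Rating scale assumed for this example: 1 (lowest) to 5 (highest), so risk ranges 1..125.
HIGH_RISK = 60   # assumed: at or above this, fix immediately regardless of cost
LOW_RISK = 12    # assumed: at or below this, accept the risk and keep monitoring
CHEAP_FIX = 20   # assumed: a remediation costing this or less is simply done


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: int         # business value of the asset (1-5)
    vuln_severity: int       # severity of its worst open vulnerability (1-5)
    threat_criticality: int  # criticality of the threat known to target it (1-5)
    fix_cost: int            # estimated cost of fixing the vulnerability (assumed units)


def risk_level(asset: Asset) -> int:
    """Risk as the article defines it: asset value x vulnerability severity x threat criticality."""
    return asset.asset_value * asset.vuln_severity * asset.threat_criticality


def decide(asset: Asset) -> str:
    """Eliminate, mitigate or tolerate, based on the risk level and the cost of the fix."""
    risk = risk_level(asset)
    if risk >= HIGH_RISK:
        return "eliminate"  # patch or retire now, whatever the cost
    if risk <= LOW_RISK:
        return "tolerate"   # accept, record it, re-check at the next assessment
    # Middle band: cheap fixes are applied outright; expensive ones get a compensating
    # control (for example an intrusion-prevention signature) until a planned patch window.
    return "eliminate" if asset.fix_cost <= CHEAP_FIX else "mitigate"


def prioritise(assets):
    """Return (name, risk, decision) tuples ordered from highest to lowest risk.

    sorted() is stable, so assets with equal risk keep their inventory order.
    """
    ranked = sorted(assets, key=risk_level, reverse=True)
    return [(a.name, risk_level(a), decide(a)) for a in ranked]


# Constructed sample inventory; names and ratings are invented for this example.
SAMPLE_ASSETS = [
    Asset("internet-banking-gateway", 5, 5, 5, fix_cost=40),
    Asset("hr-file-server", 4, 3, 2, fix_cost=10),
    Asset("legacy-print-server", 2, 4, 3, fix_cost=50),
    Asset("lobby-kiosk", 1, 3, 2, fix_cost=5),
]

if __name__ == "__main__":
    for name, risk, decision in prioritise(SAMPLE_ASSETS):
        print(f"{name:28} risk={risk:3}  -> {decision}")
```

The two middle-band assets score the same risk (24), and only the fix cost separates them: the file server is patched, while the print server keeps a compensating control until its more expensive fix can be scheduled. That is the cost-versus-risk trade-off the VM process is meant to make explicit rather than leave to a vendor's severity label.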
Organisations can mitigate risk by carefully balancing asset value, vulnerability
severity and threat criticality. This approach recognises that enterprise resources
are limited, and by focussing on the most important assets, vulnerabilities
and threats first, the enterprise can direct resources where they'll have
the greatest return while improving the security health of the organisation.
Adopting the 10 steps as best practices will enable you to:
- Study threats, assess risks, and determine how to
reduce risk to an acceptable level
- Determine what to spend on, when, and how much
- Measure your remedial efforts
- Steer education and awareness efforts in a focussed
- Be compliant with regulatory requirements
- Measure the impact of your security decisions and
The author is Principal, Strategic Security Services, SE
Asia and India, McAfee Inc