Justifying the Cost of Security | Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.

The first step of hardening your network infrastructure is to justify the cost of the hardening measures you want to take. Without the money, it doesn t matter what you want to do, because you probably are not going to be able to do it. Security is not a cheap endeavor. Unfortunately, almost all of the security tasks fall well within the category of being a cost center, not a revenue center. One of the best methods to get the money required to implement these security practices is to demonstrate the expenses that exploits and security failings will cost the company. This is known as performing
a risk analysis. For example, if your network is down for one day as a result of viruses, how much money was lost as a result of employees not being able to work? Knowing or being able to demonstrate this cost can be the best method to justify spending the money one time to prevent the situation from occurring. Even this is not a perfect method, however. Unfortunately, sometimes the best way to get the money needed to fix security problems is after an exploit has cost money and caused pain to the company.

Risk Analysis

A risk is the probability of a threat or exploits occurring in your environment. Risk analysis is a method assigning a cost-effective , relevant, and timely response to those threats. Because of the complexities involved in hardening your network infrastructure, it is easy to fall victim to applying too much, too little, or the wrong type of security in your environment. By performing a risk analysis, you can more effectively and efficiently mitigate those threats.

Risk analysis and risk assessment are two similar functions, but with some key differences. In the risk assessment, the objective is to define what level of risk something may have. The risk analysis builds upon the risk assessment with the objective being to demonstrate the security value of implementing the technology that mitigates the risk.

Risk analysis is vital to demonstrating the return on investment (ROI) of the security practices that you are undertaking. This section will provide the information that you need to justify the cost of the firewall or intrusion detection system that you want to implement. Without an effective risk analysis, it can be nearly impossible to justify spending the money that you require.

There are three main goals to performing a risk analysis:

Identify risks and threats. You need to identify the risks that exist to your environment. For example, if you are transmitting confidential data to an external partner, there is a risk involved in that data becoming compromised.
Quantify the impact of threats. You need to determine clearly and concisely the impact of a given threat. The overall impact is a combination of the financial and environmental impacts of a threat.
Define the balance between the cost of the impact and the cost of the security measure. You need to qualify and provide a comparison of the cost of an impact versus the cost of the prevention or countermeasure to the impact. For example, if the cost of an impact is $50,000 and the cost of the solution is $200,000, it might not make financial sense to implement the solution.

Like so many other objectives in this book, performing a risk analysis requires management support. If management will not support and act upon the results of the risk analysis, there really isn t a point in performing one. It s like installing locks on doors that no one ever bothers to lock.

Two predominant risk analysis calculation methods are used: quantitative risk analysis and qualitative risk analysis. Each method contains a distinct process to determine the risk. Both methods share some common elements, however ”namely, the identification of threats, determining the value of assets and information, and the data gathering requirements.

Threat Identification

As I mentioned in Chapter 2, a threat is simply the possibility of an exploit or security incident occurring in your network. In order to analyze the risk of a threat, you have to identify the nature of the threat. This is because each threat carries with it a unique vulnerability method and associated risk result. Table 15-1 illustrates some common threats and their respective vulnerability methods and risk results. You need to evaluate your environment and identify all of the threats, vulnerability methods, and risk results that exist.

Table 15-1: Common Threats
Threat	Vulnerability Method	Risk Result
Hacker	Open services and application	Unauthorized access to information
User	Misconfigured access permissions	Unauthorized access to information
Worms and virus	Lack of anti-virus software	Virus infection
Attacker	Lack of firewall protection	Potential to access data or conduct a denial of service
Contractor	Lax access security mechanisms	Can gain access to trade secrets
Attacker	Poorly written applications and services	Conduct a buffer overflow to gain privilege escalation
Remote user	Lack of filtering and intrusion detection/prevention mechanisms	Ability to infect corporate network with worm/virus
Remote user/business partner	Lack of data encryption	Allows intermediary parties to gain unauthorized access to information
Users	Lack of content filtering software	Exposes company to litigation from inappropriate content and allows unauthorized software to be downloaded

Once you have identified the risk result, you need to determine the loss potential. Loss potential is simply what the company would lose if a risk was realized. This loss can be anything from corrupted data to destruction of systems and data, unauthorized access and disclosure of confidential or protected information, and a loss of productivity in your user community. Not all loss is immediate, however. Some loss is considered delayed loss. Delayed loss defines the negative effects of a risk over time as a result of the risk. For example, if a network outage resulted in enough loss that the company could not pay other bills and expenses, this would be a delayed loss.

Determine the Value of Assets and Information

Another common element to all risk analysis methods is the need to determine and assign a value to all assets and information. This is critical since the company needs to understand the value of the information and assets they are trying to protect, so that they can determine how much money is an appropriate amount to spend on protecting it. The easiest method for determining the value of assets and information is to identify the costs that it takes to acquire, develop, and maintain. The cost is not simply a matter of saying Well, it would cost $3000 to replace the firewall if it was destroyed for some reason, so the value must be $3000. You need to evaluate not only the actual asset repair or replacement costs, but also the cost in lost productivity, the value of any data that might be lost as a result of the incident, and the labor costs associated with shipping, installing, configuring, and testing the new device. The total of all of these costs represents the true value of the asset and the information.

When assigning a value to information, you should consider the following:

What is the cost to acquire or develop the asset? This includes not only the purchase price, but the salary of all the man hours for research and development.
What is the cost to maintain and protect the asset? This includes the cost of maintenance contracts and the salaries for the man hours spent maintaining the asset.
What is the cost to replace the asset if lost? This includes not only the actual purchase price, but the cost of the implementation in salary and man hours.
What is the value of the asset to the owners and users? This is a more intangible value that represents how critical the asset is to the owners and users responsible for the asset.
What is the value of the asset to a competitor? This is a representation of the value that the intellectual property would have in the hands of a competitor. For example, if you are developing a new product and the data was compromised, it could have tremendous value to a competitor by allowing the competitor to see your product strategy and direction, enabling them to develop competitive solutions.
What are the liability issues if the asset is compromised? This is a representation of the legal and monetary liability that your company could be held for in the event of the asset being compromised. For example, how much could the company potentially lose in a lawsuit related to the asset?
What is the usefulness of the asset? This is an examination of how useful the asset is in regard to increasing productivity and/or revenue. For example, if you lost a server that allowed you to process twice as many orders as normal, the asset would be extremely useful.

The objective of assigning the value of the asset and information is to allow you to determine a value related to the cost associated with not protecting the asset. This allows you to answer the question How much would it cost if we didn t protect the asset? The answer to this question allows you to determine the amount of money that might be able to be justified to protect the asset.

Data Gathering

The data gathering step is the most time-consuming aspect of risk analysis. This is because it requires you to perform a significant amount of research and calculations to gather the appropriate information needed for the risk analysis. You need to identify the following components for the risk analysis:

Estimate and assign the values to all assets and information that is to be protected.
Identify each threat and corresponding risk.
Estimate the loss potential.
Estimate the frequency of the threat.
Identify and recommend the relevant remedial measures.

Quantitative Risk Analysis

A quantitative risk analysis uses real numbers in an attempt to assign a value to the costs of a threat and the cost of the security measures to protect against the threat. Each aspect of the risk analysis is quantified and assigned a value that is then used to determine the total and residual risks. This method has the benefit of attempting to determine the real costs associated with the threats and security measures so that management can make its determinations based on the actual costs. The downside of a quantitative risk analysis is that the very nature of security is a qualitative one. It is extremely difficult, if not impossible, to assign accurate numbers to all aspects of the risk analysis, which in turn can reduce the value and accuracy of a purely quantitative risk analysis.

Qualitative Risk Analysis

Unlike a quantitative risk analysis, a qualitative risk analysis does not attempt to assign a cost to the threats, losses, and security measures that can be implemented. Instead, it assigns degrees of severity, probability, potential loss, and effectiveness of a solution in an attempt to define the impact of threats and responses. Qualitative risk analysis is a much more subjective method of risk analysis that relies on judgment, intuition, and experience as its risk analysis formula.

In general, you will gather together a team of specialists, who will examine a given scenario. Based on the scenario, each team member will assign a rank, for example from 1 (least severe) to 5 (most severe), to the threat and the vulnerability of assets based on the severity of the threat. Next each team member will assign a rank based on the probability of the threat occurring. After that, each team member will assign a rank to the potential loss to the company due to the threat. The final step is to assign a rank based on the protection mechanisms that can be used to mitigate the threat. This information is calculated and used to determine the relative severity, probability, and loss due to the threat. In addition, the recommended countermeasures are reviewed to determine the most effective countermeasure identified by the risk analysis team. For example, the team could evaluate the threat of an outside hacker gaining access to a web server. They would assign ranks to the severity of this threat, the probability of occurrence, and the potential loss to the company. Next, they would assign ranks to the effectiveness of various solutions ”for example, implementing a firewall, IDS, and honeypot. Each individual s results would be calculated to determine the overall degree of risk the team assigns to the threat as well as the most effective countermeasure for the threat. This information could then be used by management to determine whether they want to take the countermeasures recommended or not based on the relative risk of the threat.

Because it is less precise than a quantitative risk analysis, a qualitative risk analysis tends to lend itself more to prioritization of risk than anything else. Table 15-2 provides a detailed breakdown of the difference between quantitative and qualitative risk analysis.

Table 15-2: Differences Between Quantitative and Qualitative Risk Analysis.
Attribute	Quantitative	Qualitative
Requires complex calculations	X
High degree of guesswork		X
Can be automated	X
Provides a cost/benefit analysis	X
Uses objective metrics	X
Uses subjective metrics		X
Shows clear losses associated with threat	X

Perform the Quantitative Risk Analysis Calculation

All of the preparation and planning of a quantitative risk analysis can be identified in a six-step process that should happen in every risk analysis and assessment. This is where we tie the identification of threats, the value of assets and information, and the data that we have gathered into a formal procedure that will allow us to determine the results of the risk analysis.

Risk Analysis Terms and Definitions

Before we perform the steps required for the risk analysis calculation, we must define some terms:

Exposure Factor (EF) The EF is the percentage of loss an incident can have on an asset.
Annualized Rate of Occurrence (ALO) The ALO is a value that represents the estimated possibility of an incident occurring within a year. The range for the ALO is 0.0 (never) to 1.0 (always). The ARO can be determined by performing the following calculation:

1 / number of years = ARO

For example, if an incident is expected to occur every 100 years, the ARO would be 0.01, or it would have a 1 percent chance of occurrence every year.
Single Loss Expectancy (SLE) The SLE is the dollar amount that is assigned to a single event that represents the company s potential loss if an incident were to occur. The SLE is determined by performing the following calculation:

Asset value — EF = SLE

So if the asset is valued at $100,000 and an incident would result in an estimated 25 percent loss (the EF), the SLE would be $25,000.
Annualized Loss Expectancy (ALE) The ALE is the dollar amount that is assigned to a risk on an annual basis. The ALE is determined by the following calculation:

SLE — ARO = ALE

So if the SLE is $25,000 and the ARO is 0.5 (once every two years), then the ARE would be $12,500. The ALE value is what a company can use to determine the amount of money that it makes sense to spend on an annual basis (in this case, $12,500) to provide protection from the incident occurring.

The steps of a quantitative risk analysis are as follows :

Assign the asset or information value as defined above.
1. What is the value of the asset to the company?
2. What is the maintenance cost?
3. For how much profit is the asset responsible?
4. What is the value of the asset to the competition?
5. What would the cost be to recover or re-create the asset?
6. What is the cost to acquire or develop the asset?
Estimate the potential loss per risk.
1. What is the cost of physical damage?
2. What is the cost in lost productivity?
3. What is the cost of confidential information being disclosed?
4. What is the cost of recovering from an attack?
5. What is the SLE for each risk scenario?
Identify the threats.
1. Determine the likelihood of each risk occurring and where the threat may come from.
2. Calculate the probability of an occurrence for each risk.
3. Calculate the annualized rate of occurrence for each risk.
Determine the overall loss potential for each risk.
1. Combine the potential loss and probability.
2. Calculate the ALE using the information previously gathered for the SLE and ARO.
Identify the methods to mitigate each risk.
1. Can you implement new hardware or software?
2. Do you need to redesign your network?
3. Do you need to change or improve procedures?
4. Do you need to implement a training and education program?
5. Do you need to implement some kind of detection methods to minimize the impact of the risk?
Reduce, assign, or accept the risk.
1. Risk reduction Implement changes and/or spend money to reduce the risk occurrence.
  1. Install the new hardware or software.
  2. Change the network environment.
  3. Improve your procedures.
  4. Implement a training and education program.
  5. Implement an intrusion detection mechanism to identity the risk.
2. Risk assignment Transfer the liability for the risk to other parties.
  1. Purchase insurance to transfer some or all of the risk.
3. Risk acceptance Accept the possibility of the risk while undertaking no actions to reduce or assign the risk.

Keep in mind that while we are attempting to provide quantitative values associated with risk and risk loss, we are relying on forecasting the potential of future events occurring. This is not an exact science, however, and while we do our best to provide as much accurate and correct information as possible, we cannot accurately predict the future. This is a level of expectation that you must set with upper management.

Determining the Value of Protection

Now that we have performed the risk analysis and identified the cost associated with a given threat, we need to determine the value of the protection and countermeasures to the threat. This allows us to determine the effectiveness of the security mechanisms that were implemented.

At the end of the day, whatever security mechanism you implement must be cost effective and the benefits must outweigh the cost. To determine whether this is the case, we can perform a cost/benefit analysis against the security mechanism. The calculation for this is

(ALE before implementing security mechanism) “ (ALE after implementing security mechanism) “ (annual cost of the security mechanism) = value of the security mechanism

For example, if the ALE of hacking a web server is $10,000 and after a firewall implemented to protect the web server the ALE is $2500 and the cost of maintaining and operating the firewall that is protecting the web server is $1000, then the value of the firewall is $6500. If this number is less than the ALE before implementing the security mechanism, which it is in this case, we have a cost effective security mechanism because it is saving us more than it would have cost us not to have it.

When you calculate the cost of the security mechanism, you have to be careful that you do not underestimate the full cost of the security mechanism. To ensure that this does not occur, make sure that you consider the following:

Product costs The raw product cost from the invoice.
Design and planning costs The costs associated with designing and planning a solution.
Testing and implementation costs The costs associated with testing and implementing the solution.
Modifications that need to be made to the environment The costs associated with needing to change the operating environment to support the solution ”for example, needing to purchase an additional switch.
Compatibility with other security mechanisms The costs associated with integrating the security mechanism with your existing environment ”for example, purchasing additional enterprise management plug-ins.
Maintenance costs The costs associated with maintaining, repairing, replacing, or updating the security mechanism.
Operating costs The costs associated with the operating and support of the security mechanism, which also includes training for the new mechanism.
Effects on productivity The costs associated with downtimes and outages related to the implementation of the security mechanism.

Not all of these costs occur on an annual basis. Some of these costs will occur only once, during the first year of implementation, causing the value of the security mechanism to increase in subsequent years. For example, if the ALE of a web server is $10,000 and the ALE after implementing a firewall is $2500 and the total cost of the firewall is $9000 ($4000 to purchase, $500 to design and plan, $500 to test and implement, $1000 for modifications to the environment, $1000 in maintenance costs, $1000 in operating costs, and $1000 in lost productivity for the implementation) for the first year, the cost/benefit analysis is a loss of $1500. However, in subsequent years the costs associated with the purchase, design and planning, testing, modifications to the environment, and lost productivity for the implementation are no longer relevant. This means that the total cost of the firewall for the second year is only $2000. This means that the cost/benefit analysis for the second year is a value of $5500, and that over the course of two years the cost/benefit analysis is a value of $4000 and will only increase as more time goes by. This is commonly referred to as the return on investment (ROI).

Provide the Risk Analysis Results

Once you have conducted your risk analysis calculations, you need to present that information to management to determine what measures, if any, will be taken for a given risk. The objectives of the risk analysis results are to provide the following information:

The value of the assets
The list of all threats
The likelihood of occurrence of each threat
The loss potential of each threat on an annual basis
The recommended safeguards, countermeasures, and actions and the costs associated

You should be prepared to present this information in two formats. First, you need a detailed analysis that addresses all aspects of the risk analysis. Second, you need an executive summary that can be used by upper management to help them understand the issues and costs.

When you submit your risk analysis results, you need to make sure that you identify the residual risk as a mechanism of setting the appropriate expectations. We know that we cannot prevent 100 percent of threats and incidents 100 percent of the time. Residual risk is simply the amount of risk left over even after all the security mechanisms have been put in place.