Attack Impact


In the world of modern business, owners walk a fine line between profitability and loss. Margins are being squeezed, and expenses are increasing. The last thing business owners want to worry about is additional losses caused by network security problems. It's beyond the scope of this book to conduct security expenditure versus threat risk analysis, but it is appropriate to point out that the cost of an attack can affect the profit and loss of a business. This section helps business owners understand what the impact of a security incident in their company might entail.

The impact on a business of being attacked could be manifold; such impact includes not only the obvious loss of revenue and cost of cleaning up after an attack, but also several hidden implications and considerations.

Tangible Costs

Tangible costs include things such as loss of revenue and the administrative costs to recover from an attack. The web is ripe with information surrounding tangible costs. Instead of focusing on a single report in this book, you are encouraged to use the web to research the different sites and decide which surveys and studies apply to your business.

The general guideline for figuring out the tangible costs of computer security in an enterprise is to assume that an administrator or IT engineer spends approximately fifteen hours per year per desktop on security related issues. This estimate includes operations such as attack forensics, attack clean-up, patch application, operating system upgrade, network device upgrades, syslog processing, event log processing, and antivirus maintenance.

Table 1-2 is a simple calculation to show your average expected security costs based on your number of desktops in combination with a range of the average pay for a desktop or security administrator and assumes that you have an average security policy and that you won't be hit with a major attack.

Table 1-2. Yearly Average Tangible Costs

Maintenance Hours   Desktops   Wages    Tangible Costs
15                  25         $15.00   $5,625.00
15                  100        $15.00   $22,500.00
15                  1000       $15.00   $225,000.00
15                  2500       $15.00   $562,500.00
15                  25         $25.00   $9,375.00
15                  100        $25.00   $37,500.00
15                  1000       $25.00   $375,000.00
15                  2500       $25.00   $937,500.00
15                  25         $50.00   $18,750.00
15                  100        $50.00   $75,000.00
15                  1000       $50.00   $750,000.00
15                  2500       $50.00   $1,875,000.00

The figure used in this table for the average number of hours per year spent on desktop security was derived from informal surveys of IT and security executives conducted throughout 2004.


The overall monetary cost to a small or medium-size business (SMB) will vary depending on how well your current security is deployed and on which attacks succeed within your environment. However, remember that when intangible costs, which are discussed in the next section, are taken into consideration, an attack can cost much more than the previous table describes. Table 1-2 illustrates that an attack can be costly and that the cost of purchasing security hardware and software to prevent such attacks is generally justified.

The following are some suggested websites that are considered to be objective sources for attack and security-relevant information including attack costs:

• The Computer Security Institute

http://www.gocsi.com/

• The SANS Institute

http://www.sans.org/

• Federal Bureau of Investigation

http://www.fbi.gov/


Intangible Costs

In addition to the traditional and obvious costs incurred during an attack, a business must consider the intangible costs. Intangible costs are those that can't be easily calculated but could represent a significant impact on a company. Some of the common intangible costs include the following:

  • Possible liability if an attack is launched against another business from inside your network.

  • Possible liability if an attack is successful against your network and sensitive data belonging to partners, end users, or customers is compromised.

  • Productivity loss, including the cost of lost business when your network and hosts are down.

  • The credibility of your company as viewed by customers, end users, and the market. No one wants to do business with a company that can't secure customer, user, and partner information.

  • Loss of shareholder confidence.

  • Negative publicity for competitors to use against a company.

  • Legal liability if you are a health provider or have customer financial data on your network that is lost due to a network attack.

  • Legal liability if you are a health provider and your network is compromised and patient data is stolen or, worse yet, modified.

CAUTION

Keep in mind that many business owners see a list like this and respond with, "This can't happen to us, we have a firewall in place." The truth is, a firewall alone cannot stop all attacks sourced from outside or many attacks launched from inside your network!


Government Network Security Regulations

Businesses must understand the legal exposure and liabilities outlined by some recent government regulations. If you don't have the proper level of security built into your network and host devices, you might face liability with the U.S. government based on regulations dating from 2003. Governments in Europe and other parts of the world have also recently proposed or approved laws to regulate host and network security for financial and health-care organizations.

Currently in the United States, three sets of regulations outline guidelines and liabilities for businesses. The first two regulations apply only if the business is involved in health care or handles financial data for customers. The third regulation was authored by the Office of Homeland Security. This third regulation doesn't involve any legal liability, but all companies should be aware of it.

U.S. businesses must adhere to the following regulations:

  • Gramm-Leach-Bliley Act (GLBA) Requires U.S. financial institutions to ensure the security and confidentiality of customer financial records and information.

  • Health Insurance Portability and Accountability Act (HIPAA) Includes regulations to protect networks and hosts that contain patient health information.

  • The Office of Homeland Security Published a document that encourages businesses to put security in place to protect themselves and others from computer attacks. This document also has some broad recommendations for how to implement security. The main focus of this document is to protect businesses from potential terrorist activities.

CAUTION

Don't make the mistake of thinking that just because you run a small business that a terrorist would have no interest in gaining access to your computer or a computer in your network. The most common method for an attack is for a hacker to first take over a host in a small network or university and then launch the main attack from that host. This scenario benefits hackers because no forensic data points back at them.


The principles of defense in depth (or layered security) described in Chapter 2 help to ensure that a company is compliant with many of the regulations previously described. Some of these regulations might require other technologies not described in this book, such as (but not limited to) server data encryption or audit functions. If you are responsible for finance or patient health data, recommended practice is to have a specialist in these areas determine your compliance posture.



Securing Your Business with Cisco ASA and PIX Firewalls
ISBN: 1587052148
Year: 2006
Pages: 120
Authors: Greg Abelar
