Security For Growth And Governance
May | 21 | 2010 Volume 01 | Issue 02
IN-DEPTH: THE RoSI DILEMMA. It is difficult to see tangible benefits from security investments. Should you be concerned? PAGE 05
IN-SHORT: Data Breach Study Revealed. PAGE 02
IN-PERSON: Going FAIR Works. PAGE 04
OPINION: CFOs To Sober Up. PAGE 08
A 9.9 Media Publication
EDITORIAL
ANURADHA DAS MATHUR | editor@csoforum.in
Is it really about RoI?

Five years ago, I recall writing an editorial for a CFO magazine and likening the role of the CFO in a company to that of the nation's finance minister. Today, I watch our Home Minister struggling to keep us secure and suddenly realise that the CISO's role in a company will soon mimic that of the country's Home Minister. Good news? The comparison is apt in the editorial of an issue of CSO Forum that debates the RoI on security. Is it a valid consideration? The jury can and will debate this till the cows come home. But Mr Chidambaram, in a recent interview, said the individual responsible for security (i.e. the Home Minister) can't really stand up and claim 8.5% growth or thousands of kilometres of roads being constructed or other tangible outcomes. At the end of the day, he said, there is a 'body count' to lament.

Disconcerting as it might be, that is the truth of the CISO's role. What shows up, starkly, is not what you do right but whatever goes wrong. Not what you save, but what you lose. Where then does the RoI number fit in? Mr Chidambaram rightly said his is a 'tough and thankless' job. But no one can deny how critical and integral his role is to our country's existence. And by the same measure, how important you are for your organisation to survive and grow. Unlike the Home Minister, your role does not end with internal security – you are responsible for external security as well. It is a big ask.

Given the current obsession with security, it is an opportunity for CISOs to draw the debate away from a simplistic RoI one. As a community, invest in building indicators to demonstrate your effectiveness and success and suggest a true 'RoI'. It is telling that this insight has come from the Home Minister who was previously the Finance Minister. I wonder whether there might be merit in appointing some CFOs as CISOs and seeing how RoI needs are tackled...! I am reminded of Malcolm Gladwell's book called Blink. He suggests that the human brain pre-processes information (leading to your 'gut'), which we should leverage and exploit for decision-making. But as managers, we give that up in favour of analytics to do the convincing! Time to revisit some of the basics and answer for ourselves whether the security issue can be left to what an RoI calculation throws up... Share your thoughts. And stay safe,
VOLUME 01 | ISSUE 02 | 21 MAY 2010 Managing Director: Dr Pramath Raj Sinha Printer & Publisher: Kanak Ghosh Publishing Director: Anuradha Das Mathur EDITORIAL Editor-in-chief: Rahul Neel Mani Editor (Online): Geetaj Channana Associate Editor: Dominic K Resident Editor (West & South): Ashwani Mishra Assistant Editor: Aditya Kelekar Principal Correspondent: Vinita Gupta Correspondent: Sana Khan DESIGN Sr. Creative Director: Jayan K Narayanan Art Director: Binesh Sreedharan Associate Art Director: Anil VK Manager Design: Chander Shekhar Sr. Visualisers: PC Anoop, Santosh Kushwaha Sr. Designers: Prasanth TR, Anil T & Suresh Kumar Chief Photographer: Subhojit Paul Photographer: Jiten Gandhi ADVISORY BOARD Arup Chatterjee, CISO, WNS Global Services (P) Ltd Burgess Cooper, Head, IT Security, Vodafone Essar Limited Felix Mohan, CISO, Bharti Airtel Limited Japjit S Sandhu, VP & Head IT, VFS Global KR Krishnakumar, Group CISO, Aditya Birla Group Murli Nambiar, VP, Information Security, Reliance Capital Pradeep Sekar, Senior VP & Head IS, Citi India, Srilanka & Bangladesh Prof. Ponnurangam, Professor IIITD Raghu Raman, CEO, National Intelligence Grid Satish Warrier, Associate VP, IS, Godrej Industries Sunil Dhaka, CISO, ICICI Bank Ltd. Vishal Salvi, Senior VP & CISO, HDFC Bank SALES & MARKETING VP Sales & Marketing: Naveen Chand Singh National Manager-Events and Special Projects: Mahantesh Godi (09880436623) Product Manager: Rachit Kinger Asst. Brand Manager: Arpita Ganguli GM South: Vinodh K (09740714817) Senior Manager Sales (South): Ashish Kumar Singh GM North: Lalit Arun (09582262959) GM West: Sachin Mhashilkar (09920348755) Kolkata: Jayanta Bhattacharya (09331829284) PRODUCTION & LOGISTICS Sr. GM. Operations: Shivshankar M Hiremath Production Executive: Vilas Mhatre Logistics: MP Singh, Mohd. 
Ansari, Shashi Shekhar Singh OFFICE ADDRESS Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House,Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed and published by Kanak Ghosh for Nine Dot Nine Interactive Pvt Ltd C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Editor: Anuradha Das Mathur C/o K.P.T House, Plot 41/13, Sector-30, Vashi, Navi Mumbai-400703 India Printed at Silverpoint Press Pvt. Ltd. D 107,TTC Industrial Area, Nerul.Navi Mumbai 400 706
CSO FORUM 21 MAY 2010
IN-SHORT ILLUSTRATIONS BY PHOTOS.COM
McAfee promises to reimburse consumers

McAfee will reimburse its customers for "reasonable expenses" they have incurred dealing with a faulty antivirus update, the company said. In a message on its Web site aimed at consumers, McAfee promised to pay for repairs. "If you have already incurred costs to repair your PC as a result of this issue, we're committed to reimbursing reasonable expenses," the company said. "Steps to process your reimbursement request will be posted in the next few days." There is no similar message on the flawed update help pages dedicated to businesses. In the days since a McAfee antivirus signature update wrongly identified a critical Windows system file (svchost.exe on Windows XP SP3) as a low-threat virus, the company has stressed that few consumers were affected. Most of the PCs crippled by the flawed update, McAfee has said, were in corporations. Some businesses reported that thousands of systems refused to boot properly, had lost their network connections, or both.

Cost of Data Breach Study Revealed: US corporations faced highest costs

PRIVACY and information management research firm Ponemon Institute, together with PGP Corporation, announced the results of the first-ever global study into the costs incurred by organisations after experiencing a data breach. The 2009 Annual Study: Global Cost of a Data Breach report, compiled by the Ponemon Institute and sponsored by PGP Corporation, assesses the actual cost of activities resulting from more than one hundred real-life breach incidents, affecting organisations from 18 different industry sectors. The research shows that the average cost of a data breach globally stood at US$3.43 million last year, the equivalent of US$142 per compromised customer record. However, costs varied dramatically between regions, from US$204 per lost record in the U.S. down to US$98 per record in the UK. A total of 133 organisations, located in five countries – Australia, France, Germany, UK and U.S. – participated in the research, which was undertaken during 2009.

The report shows that costs incurred in countries with data breach notification laws were significantly higher than in countries where no such legislation exists. For example, in the U.S., where 46 states have now introduced laws forcing organisations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were passed in July 2009, costs were the second highest, 25 percent above the worldwide average. In Australia, France and the UK, where data breach notification laws have not yet been introduced, costs were all below the average.

The average costs of a data breach in all five countries were as follows:

Country     Av. cost per record (US$)   Av. total cost of a breach (US$)
Australia   114                         1.83 million
France      119                         2.53 million
Germany     177                         3.44 million
UK           98                         2.57 million
U.S.        204                         6.75 million
Average     142                         3.43 million

DATA BRIEFING: 1.5 million stolen Facebook IDs for sale
Hackers Target iPad Owners

Hackers are targeting iPad users with bogus update messages that dupe them into downloading malicious code onto their Windows PCs, a security researcher said today. The messages claim that a recent update to iTunes has been released for the iPad, according to Romanian security company BitDefender. "It is very important to keep the software on your iPad updated for best performance, newer features and security," the message reads. "To get the latest version of iTunes software, please go to ... and install the application." The link in the message leads to a copycat of the legitimate iTunes download site, where users are asked to approve the download of a file dubbed "itunessetup.exe". The file masquerading as the iTunes update is actually a Trojan horse that injects code into Windows' "explorer.exe" process and opens a backdoor for hackers, who then use that entrance to add more malware to the PC. The "Backdoor.Bifrose.AADY" Trojan also tries to snatch activation keys from various programs on the hacked machine and steals passwords for instant messaging clients and e-mail accounts.

Apple last refreshed the Windows and Mac software on March 30, when it updated iTunes to version 9.1; it has yet to release an update for the iPad. But because Mac users are not vulnerable to the attack, even if they head to the bogus iTunes download site, the impact of the malware-planting campaign will likely be low, BitDefender's Cosoi said. "If they were able to target Mac customers, it would have spread like wildfire, but because most antivirus companies detect this [Trojan], it's aimed at Windows users who have bought an iPad and who also don't run a security product." Previously, Apple said it had sold more than half a million iPads in the first week of availability, although that number included all pre-orders of the WiFi-only models, which were delivered to customers on 3 April. However, other estimates, including one by Chitika Research, now put iPad sales above the 1 million mark. Just as important as having a good anti-virus programme is taking note of where you download iTunes from. You should only download iTunes directly from the Apple website. Even if other websites appear to be professional and safe, none is safer than Apple itself.
Cyber Attacks Chip off Rs 59 Lakh from Indian Cos' Revenues in 2009

INDIAN companies lost around Rs 58.6 lakh in revenues in 2009 due to cyber attacks, security software maker Symantec has said. In addition to this, Indian enterprises also lost an average of Rs 94.6 lakh in data relating to the organisation, customers and employees in 2009, while they lost an average of Rs 84.6 lakh in productivity (factors leading to hampering of work, such as problems with servers), according to the Symantec 2010 State of Enterprise Security Study. "In today's competitive business scenario, loss of confidential data is a matter of huge concern for any organisation as it directly affects the business as well as its reputation and credibility. They need to manage risk proactively, protecting not just the infrastructure that data resides in, but also the information itself," said Anand Naik, Director, Systems Engineering, Symantec.

With Gartner predicting that total data centre capacity in India will grow at 31% to reach 5.1 million square feet by 2012, data security is a concern. "Protecting information today is the key to a business' ability to grow and thrive. A large percentage of organisations are deploying data loss prevention and end-point protection in order to overcome data and system loss," Naik said. The study found that more than 50% of the enterprises surveyed planned to implement significant changes to their data centres in 2010. "Server virtualisation, storage resource management, continuous data protection, backup and recovery, and security are the key initiatives expected to be in focus in 2010," the report said. "Organisations need to protect their infrastructure by securing their endpoints, messaging and web environments," Naik said.
IN-PERSON
Going FAIR, Works Wonders

Ian Amit, Managing Partner at Security & Innovation, Israel, spoke to Dominic K on the FAIR Risk Management Framework and what CISOs can expect out of it to analyse and manage enterprise risk.

What is the FAIR Risk Management Framework all about?

FAIR, or Factor Analysis of Information Risk, has been created as a platform for security professionals to be able to articulate what they should have been practising for a long time, in a more concise and business-oriented way. As veteran security practitioners, we have been using FAIR without realising it, ever since we moved on from the simple hack-and-patch cycle and the technical vulnerability game to the more practical business implications of such technical elements.

What are the various aspects and benefits Indian enterprises can expect post FAIR management framework implementation?

First off – once the information risk and threats are mapped and measured, an organisation can more easily manage such risks – not only on the technical information security aspect, but also on operational levels and maintenance. Furthermore, as using such a methodology for quantifying and analysing risk is not a one-off effort, FAIR enables users to keep track of and measure the effectiveness of security investments over time. This puts businesses at an advantage when making decisions in terms of choosing one solution over another, and renewing licences for products purchased before such a quantifying process has been initiated. Surprisingly, most businesses find that after implementing a more coherent risk management framework, their security spending is reduced, while their security level increases as risks are controlled much more tightly.

What are the best practices for CISOs to follow if they were to go ahead with the FAIR framework?

I would suggest that CISOs should adopt a more business-oriented approach to managing their risks. The current situation is more often reliant on technologies, vulnerabilities that show up on various platforms and general risks that may or may not have a direct impact on specific organisations. My best advice would be to start mapping out the business assets that the organisation is most reliant on and that are the organisation's "crown jewels", and experiment with trying to figure out how much a loss of such an asset would cost the organisation. At that point I would also get the marketing, sales, and legal entities in the business to pitch in, in order to get the full impact of such an event. This small exercise will enable the CISOs to see the security measures already deployed in the business in a different light, as they are now able to more quantifiably compare the investment in such measures to the value of an asset. Implementing the framework is a business enabler from my experience, and I have had a chance to see businesses realise actual value from using it.
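The factoring Amit describes, as an added example that is not part of the interview and is not the FAIR standard's own tooling: FAIR expresses risk as loss event frequency times loss magnitude, with loss event frequency = threat event frequency × vulnerability and vulnerability = the probability that a threat's capability exceeds the control's strength. The three-point estimates, the "crown jewel" customer database, and the strength uplift assigned to the added control are constructed for illustration; triangular distributions stand in for the PERT distributions FAIR practitioners usually use.

```python
"""FAIR-style risk quantification by Monte Carlo.

Added example, not from the interview. The three-point estimates below are
constructed for illustration and would come from calibrated estimators in
practice; triangular distributions stand in for PERT."""
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: a threat community acting against an asset."""
    name: str
    tef: Estimate                # threat event frequency, attempts per year
    threat_capability: Estimate  # percentile of the threat population (0-100)
    control_strength: Estimate   # percentile of threats the control resists (0-100)
    primary_loss: Estimate       # direct cost per loss event (response, replacement)
    secondary_loss: Estimate     # follow-on cost per loss event (fines, churn)


def vulnerability(s: Scenario, trials: int = 20000, seed: int = 7) -> float:
    """FAIR 'vulnerability': probability that threat capability exceeds
    control strength, estimated by sampling both."""
    rng = random.Random(seed)
    hits = sum(s.threat_capability.sample(rng) > s.control_strength.sample(rng)
               for _ in range(trials))
    return hits / trials


def annual_loss_samples(s: Scenario, trials: int = 20000, seed: int = 7) -> list:
    """Draws of annualised loss: LEF x LM, where LEF = TEF x vulnerability and
    LM = primary + secondary loss per event."""
    v = vulnerability(s, trials, seed)
    rng = random.Random(seed + 1)
    samples = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * v
        lm = s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        samples.append(lef * lm)
    return samples


def summarise(s: Scenario) -> dict:
    """Mean and 90th-percentile annualised loss exposure for a scenario."""
    samples = sorted(annual_loss_samples(s))
    p90 = samples[int(0.9 * len(samples)) - 1]
    return {"scenario": s.name, "vulnerability": round(vulnerability(s), 3),
            "ale_mean": round(mean(samples)), "ale_p90": round(p90)}


def expected_loss_reduction(before: Scenario, after: Scenario) -> float:
    """Average annual loss a proposed control removes: what the investment buys."""
    return mean(annual_loss_samples(before)) - mean(annual_loss_samples(after))


# Constructed 'crown jewel' scenario: the customer database attacked by external
# criminals, before and after adding a second factor to administrative access.
CUSTOMER_DB_NOW = Scenario(
    name="customer DB, password-only admin access",
    tef=Estimate(2, 6, 20),
    threat_capability=Estimate(40, 70, 95),
    control_strength=Estimate(30, 50, 70),
    primary_loss=Estimate(50_000, 250_000, 1_000_000),
    secondary_loss=Estimate(100_000, 500_000, 3_000_000),
)
CUSTOMER_DB_WITH_MFA = replace(
    CUSTOMER_DB_NOW,
    name="customer DB, MFA on admin access",
    control_strength=Estimate(75, 90, 99),   # assumed uplift from the control
)

if __name__ == "__main__":
    for scenario in (CUSTOMER_DB_NOW, CUSTOMER_DB_WITH_MFA):
        print(summarise(scenario))
    print("expected annual loss avoided:",
          round(expected_loss_reduction(CUSTOMER_DB_NOW, CUSTOMER_DB_WITH_MFA)))
```

Running it prints the vulnerability, mean and 90th-percentile annualised loss for each scenario and the average annual loss the control removes; re-running it with fresh estimates after a control has been in place is the "keep track over time" Amit refers to, and the loss-avoided figure is what gets set against the control's price.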
COVER STORY
THE
RoSI DILEMMA
It is difficult to see tangible benefits from security investments. Should you be concerned? By Dominic K
Researchers have found that you get a 21 percent return on your security investment at the software design phase, a 15 percent return at the implementation stage and a 12 percent return at the testing stage. The analogy for justifying any security investment is simply that prevention is better than cure; a case in point is the vaccination we give our children to prevent them from contracting diseases. Are these diseases a major epidemic, with high likelihood and impact? No.

Simplify Complications

Even though the answer is no, we do not want to take any chances with our children's health. Shouldn't it be the same with our reputation and business? Security today is an essential cost of doing business and no CISO should ever have to justify why security needs to be implemented. Sadly, we don't live in an ideal world and hence CISOs have to use frameworks and methodologies to demonstrate to the management how security has benefited the organisation. Common sense should always prevail and one should be prudent not to invest more than the value of the assets or information being protected. One can get a better buy-in by using security as a business enabler to increase business revenue, and by demonstrating cost reductions through metrics that show improved availability.

A simple way of putting RoSI, says BLV Rao, Vice President, Networks & Systems, and CISO, Infotech Enterprise, is: "Return on Security Investment is equal to the new business gained and existing business retained." He adds: "Return on Security Investment is both tangible and intangible. It is how much we reduce effort and security incidents, improve productivity by reducing downtime, etc. We follow a framework and get evaluated internally by our audit team once a year."

Intangible State of RoSI

According to Faraz Ahmed, Head, Information Security & Regional IT, Reliance Life Insurance, "RoI, and more so RoSI, may not always be suitable for use, and one can look at a balanced scorecard for the same. I feel RoSI is not very widely used for now; adoption depends on the business vertical and organisational culture." It is an open secret that the benefits of security investments are intangible and that measuring RoSI is difficult. Adds Murali Venkatesan, Product Specialist, Enterprise Services, Sify Technologies, "Security is a set of actions put in place by an enterprise to protect it against multiple vulnerabilities, which safeguard the enterprise from both tangible and intangible damages. The question of RoI or RoSI has been doing the rounds in the CISO office for some time. Is there a definite answer? Well, measuring return on investment with respect to security is a tad difficult. Much of it is derived returns."

Prevention of the loss that would result from not deploying a security device or tool is the gauge for RoSI. The commonly followed method is to identify the assets and their vulnerabilities, conduct a risk assessment and attach a cost according to the criticality of the data. The next step is to identify the controls that mitigate the risk and then arrive at the revised cost. If the residual risk is under the permissible level and is accepted by the organisation, no further controls are required; otherwise, additional controls have to be selected. "Calculation of RoSI is difficult. In the outsourcing model, customers are demanding stricter compliance with information security. Lack of compliance can result in direct business loss. A control to meet the requirement is investing in a tool. Meeting the customer's requirement is one parameter. Another parameter is the likelihood of downtime or loss of productivity because of not having a tool," informs Pramod Kumar Reddy K, CISO & AVP, ICT, AppLabs.

Risk Assessment and General Practice

CISOs need not always calculate the return on a security investment before an implementation: certain solutions are a must-have and basic hygiene. For others, a careful evaluation must be done to understand the impact on the business and the additional protection the investment provides. Certain solutions may prove very expensive in the long run, so the long-term operations cost should be calculated before investing. There are also solutions that provide a competitive advantage, and in such cases, even though the RoSI is negative, the organisation may still choose to invest based on calculated risks. Some other solutions are mandated by regulatory requirements and are non-negotiable. The risk appetite of the organisation also plays a major role.

Risk assessment provides a systematic approach to assessing situations, selecting security countermeasures that mitigate a threat, preventing an untoward incident and ensuring high availability. It attaches a cost to each asset in terms of its criticality and importance to the business, then identifies the vulnerabilities and the threats that could exploit them. Informs Pramod Kumar Reddy, "Risk assessment will necessitate selecting the appropriate hardware and software tools and services to mitigate the risk. It will also explain the need for training and educating the staff."

A CISO's responsibility is to prevent security breaches; he has to proactively fix security issues. In a proactive and preventive approach, calculating RoSI is a challenge: it rests on judgements of the likelihood of an incident occurring and on estimates of loss expectancy, with and without the security solution.

—dominic.k@9dot9.in

FRAMEWORKS: In Brief

OWASP: Specifically for Web application security.

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. Features and benefits of the OCTAVE methods include:
- Self-directed: small teams of organisational personnel across business units and IT work together to address the security needs of the organisation.
- Flexible: each method can be tailored to the organisation's unique risk environment, security and resiliency objectives, and skill level.
- Evolved: OCTAVE moves the organisation toward an operational, risk-based view of security and addresses technology in a business context.

FRAP (Facilitated Risk Analysis Process): risk analysis is a technique to identify and assess factors that may jeopardise the success of a project or the achievement of a goal, and it helps define preventive measures that reduce the probability of those factors occurring. FRAP assumes that additional effort to develop precisely quantified risks is not cost-effective because:
- such estimates are time-consuming;
- risk documentation becomes too voluminous for practical use;
- specific loss estimates are generally not needed to determine whether controls are needed.
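The assessment loop described above (a cost per asset by criticality, candidate controls, the revised cost, residual risk checked against what the organisation accepts) together with the closing point that RoSI rests on loss expectancy with and without a solution, as an added worked example that is not from the article or from any of the people quoted in it. It uses the standard annualised-loss-expectancy form: single loss expectancy = asset value × exposure factor, ALE = SLE × annual rate of occurrence, and RoSI = (loss avoided − annual cost of the control) / annual cost. The asset, the three candidate controls, their costs and reduction factors, and the risk appetite are constructed numbers; the controls are assumed to reduce incident frequency independently of one another.

```python
"""Annualised-loss-expectancy RoSI and the control-selection loop.

Added example, not from the article. All figures are constructed; the
reductions of the controls are assumed to act independently of one another."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # cost attached per the criticality of the data
    exposure_factor: float  # fraction of the value lost in one incident (0-1)
    aro: float              # annual rate of occurrence of that incident

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: the loss expected per year without new controls."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    capex: float
    annual_opex: float      # the long-term operations cost the article warns about
    aro_reduction: float    # fraction of incidents the control prevents (0-1)
    mandatory: bool = False # regulatory requirement or basic hygiene: not subject to RoSI

    def annual_cost(self, years: int) -> float:
        """Capital outlay spread over its useful life plus yearly running cost."""
        return self.capex / years + self.annual_opex


def rosi(ale_before: float, control: Control, years: int = 3) -> float:
    """RoSI = (loss avoided - annual cost of the control) / annual cost."""
    cost = control.annual_cost(years)
    avoided = ale_before * control.aro_reduction
    return (avoided - cost) / cost


def select_controls(asset: Asset, candidates: list, risk_appetite: float,
                    years: int = 3) -> dict:
    """The article's loop: mandatory controls first, then the best RoSI first,
    adding controls until the residual ALE is within the accepted appetite.
    A negative-RoSI control is still taken if the appetite is not yet met."""
    residual = asset.ale
    chosen = []
    for c in (x for x in candidates if x.mandatory):
        residual *= 1 - c.aro_reduction
        chosen.append((c.name, "mandatory"))
    optional = sorted((x for x in candidates if not x.mandatory),
                      key=lambda x: rosi(asset.ale, x, years), reverse=True)
    for c in optional:
        if residual <= risk_appetite:
            break
        marginal = rosi(residual, c, years)   # return against what is still at risk
        residual *= 1 - c.aro_reduction
        chosen.append((c.name, "positive RoSI" if marginal >= 0
                       else "negative RoSI, taken to meet appetite"))
    names = {n for n, _ in chosen}
    return {
        "asset": asset.name,
        "ale_before": asset.ale,
        "residual_ale": residual,
        "within_appetite": residual <= risk_appetite,
        "annual_control_cost": sum(c.annual_cost(years) for c in candidates if c.name in names),
        "controls": chosen,
    }


# Constructed figures for one asset and three candidate controls.
CUSTOMER_RECORDS = Asset("customer records", value=5_000_000, exposure_factor=0.4, aro=0.5)
CANDIDATES = [
    Control("database encryption", capex=150_000, annual_opex=30_000, aro_reduction=0.3, mandatory=True),
    Control("data loss prevention", capex=300_000, annual_opex=100_000, aro_reduction=0.5),
    Control("log monitoring (SIEM)", capex=600_000, annual_opex=300_000, aro_reduction=0.2),
]

if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name}: standalone RoSI {rosi(CUSTOMER_RECORDS.ale, c):+.2f}")
    print(select_controls(CUSTOMER_RECORDS, CANDIDATES, risk_appetite=300_000))
```

With these numbers the asset's ALE is 1,000,000; data loss prevention returns +1.5 on its own and the SIEM −0.6, yet with a 300,000 appetite the loop takes all three, because after the mandatory encryption and the DLP the residual (350,000) is still above what the organisation accepts. Raise the appetite to 400,000 and the SIEM drops out. That is the point the article makes about negative-RoSI controls and risk appetite, made explicit.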
OPINION BY DOMINIC K dominic.k@9dot9.in
THE AUTHOR IS Associate Editor, CSO Forum
From Perimeter to Managed Security Middleware

EVERY ENTERPRISE across verticals today invests heavily in Information Technology and hence follows the never-ending legacy of information security and information privacy to protect itself against internal and external threats. But custom-built enterprise solutions such as anti-malware products, firewalls, Virtual Private Networks (VPNs) and Unified Threat Management (UTM) boxes, collectively referred to as perimeter security, can only provide security if the internal network can be trusted. As we know, hundred percent security is a myth. It is evident time and again that internal information security has been a matter of trusting the employees. And that's the catch. Your enterprise security is only as strong as your weakest link, your employee. A single disgruntled employee can leak enough to shut your critical infrastructure down. It is better known now than ever before that 21st century security breaches do not originate from external hackers, viruses or worms so much as from employees who, according to Gartner, commit more than 70 percent of unauthorised access to information systems and are responsible for more than 95 percent of intrusions. According to the Computer Security Institute and the FBI, an insider attack causes an average of 2.1 million euros in damages, whereas the average outside attack costs 45,000 euros.

Information security should undoubtedly be an integral part of the operational risk management team, responsible for areas such as human resources, physical security and general security. Managing internal security effectively involves implementing confidentiality, data integrity, authentication and authorisation for mission-critical business applications as part of the corporate security policy. Embedding encryption and authentication in business applications requires code modifications to each business application. For enterprises this is rarely a viable option, given the number and variety of client/server applications in use. The solution to this complication could lie in a new category of information security solutions known as managed security middleware.

Managed Security Middleware

Managed security middleware operates between the underlying IT infrastructure and the actual enterprise applications. It does not rely on specific security functionality embedded in the IT infrastructure or in any enterprise application. This also means that the complexity related to interoperability, overall system management and maintenance is reduced, and that centrally managed communications security can be brought to almost any client/server application. Managed security middleware also provides considerable cost savings by not demanding infrastructural or application-based changes, and its centralised management capabilities help eliminate the labour of operating the security system. Managed security middleware is a transparent security layer: invisible security software on the user desktops. It minimises user interaction, training needs and helpdesk costs, giving an attractive Return on Security Investment (RoSI). As well as protecting application communications, managed security middleware helps organisations implement cost-effective technical countermeasures to improve operational risk management. Compared to traditional perimeter security alternatives, this new approach significantly reduces total cost of ownership.
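A model of the transparent layer described above, as an added example that is not the page's own and does not describe any vendor's product: a shim on each side wraps the unmodified application's messages with encryption, an integrity tag and a sequence number, so the "legacy" application keeps sending and receiving plaintext while the wire carries authenticated ciphertext. Assumptions: the master key is a pre-shared secret provisioned by the central management service (the part the middleware's "central management" actually has to solve); the keystream is HMAC-SHA256 run in counter mode so the block needs only the standard library, where a deployment would use TLS or AES-GCM; frames are nonce(16) || ciphertext || tag(32); the legacy_server_app function stands in for an existing application.

```python
"""Model of a 'managed security middleware' shim that adds confidentiality,
integrity and replay protection to an unmodified client/server exchange.

Added example, not any vendor's product. Assumptions: a pre-shared master key
provisioned by central management; HMAC-SHA256 in counter mode as the keystream
(illustrative; a deployment would use TLS or AES-GCM); frames are
nonce(16) || ciphertext || tag(32)."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master: bytes, label: bytes) -> tuple:
    """Direction-specific encryption and MAC keys from the managed master key."""
    enc = hmac.new(master, b"enc|" + label, hashlib.sha256).digest()
    mac = hmac.new(master, b"mac|" + label, hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC) in counter mode; never reused because each nonce is unique."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


class SecurityShim:
    """Sits between an application socket and the wire; the application keeps
    exchanging plaintext and never learns the shim exists."""

    def __init__(self, master_key: bytes, role: str):
        if role not in ("client", "server"):
            raise ValueError("role must be 'client' or 'server'")
        c2s, s2c = _derive(master_key, b"c2s"), _derive(master_key, b"s2c")
        self.tx_keys, self.rx_keys = (c2s, s2c) if role == "client" else (s2c, c2s)
        self.tx_seq = 0  # sequence number: part of the nonce and the replay check
        self.rx_seq = 0

    def wrap(self, plaintext: bytes) -> bytes:
        enc_key, mac_key = self.tx_keys
        nonce = struct.pack(">Q", self.tx_seq) + os.urandom(8)
        self.tx_seq += 1
        ks = _keystream(enc_key, nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag

    def unwrap(self, frame: bytes) -> bytes:
        enc_key, mac_key = self.rx_keys
        if len(frame) < NONCE_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before touching anything else
            raise ValueError("integrity check failed")
        seq = struct.unpack(">Q", nonce[:8])[0]
        if seq != self.rx_seq:
            raise ValueError("replayed or reordered frame")
        self.rx_seq += 1
        ks = _keystream(enc_key, nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, ks))


def legacy_server_app(request: bytes) -> bytes:
    """Stands in for an existing application: plaintext in, plaintext out, unchanged."""
    return b"OK:" + request.upper()


def exchange(master_key: bytes, request: bytes) -> dict:
    """One request/response: client shim -> wire -> server shim -> app, and back."""
    client, server = SecurityShim(master_key, "client"), SecurityShim(master_key, "server")
    wire_req = client.wrap(request)  # what an eavesdropper on the LAN sees
    reply = legacy_server_app(server.unwrap(wire_req))
    return {"response": client.unwrap(server.wrap(reply)),
            "request_visible_on_wire": request in wire_req,
            "wire_overhead_bytes": len(wire_req) - len(request)}


def tamper_is_detected(master_key: bytes) -> bool:
    client, server = SecurityShim(master_key, "client"), SecurityShim(master_key, "server")
    frame = bytearray(client.wrap(b"transfer 100"))
    frame[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        server.unwrap(bytes(frame))
        return False
    except ValueError:
        return True


def replay_is_detected(master_key: bytes) -> bool:
    client, server = SecurityShim(master_key, "client"), SecurityShim(master_key, "server")
    frame = client.wrap(b"transfer 100")
    server.unwrap(frame)
    try:
        server.unwrap(frame)  # the same frame delivered a second time
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key = os.urandom(32)  # in practice pushed to both shims by central management
    print(exchange(key, b"balance acct=42"))
    print("tamper detected:", tamper_is_detected(key), "replay detected:", replay_is_detected(key))
```

Run it to see one request/response pass through both shims, that the request bytes never appear on the wire, and that a flipped ciphertext bit or a replayed frame is rejected before the application sees anything. Two details worth carrying into a real deployment: the tag is verified before decryption or the sequence check, and the two directions use different keys, so a frame captured in one direction cannot be reflected back in the other.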
OPINION ANTHONY M. FREED afreed@wireheadsecurity.com
THE AUTHOR IS Managing Editor at the Infosec Island Network, USA
CFOs Need To Sober Up to Security Realities

FOR MANY organisations, network security issues are still considered technical cost-centres that are approached from the standpoint of compliance and the anticipated return on investment, with little consideration of the very real threat to overall enterprise risk. This continued underestimation of the potential impact a data loss event can have on the viability of a company is of particular concern when publicly traded companies are considered, as individual and commercial investors have little or no idea how such an event will affect shareholder value. As the responsibility for mitigating all enterprise risk ultimately lands in the lap of the Chief Financial Officer (CFO), it is time for CFOs to truly understand that the steady stream of techno-babble related to threats and system upgrades emanating from their IT departments is more than just overly excited geek-speak. Fundamentally, IT system security is at the heart of all enterprise risk abatement, and CFOs need to recognise that they are way behind the curve when it comes to protecting their company and their company's bottom line. And it's not just the CFOs who are fumbling the ball. The problem also stems from the inability of security professionals to holistically translate the message of vulnerability into the language of the boardroom: risk.

Jeffrey Carr, who consults with U.S. and foreign governments on cyber intelligence matters and is the author of Inside Cyber Warfare, had an article in Forbes that should serve to keep CFOs up at night; however, it will probably go largely unnoticed. If you are a security expert, there are no surprises in what Jeff had to say, as these simple "knowns" are the most basic tenets of information security:
1. You cannot protect all your data.
2. You cannot stop every attack.
From the security expert's perspective, these facts are the driving force behind everything they do in their professional capacity on a daily basis, but this is not the message being conveyed to the CFO. Stark realities such as these just don't return larger security budgets, and gloom and doom is generally counter to the spin-happy executive level who are responsible for communicating risk levels to both regulators and investors. Jeff goes on to say in his article, "Once you understand that you cannot stop every attack, and that the attacker has a vast advantage over the defender, the next logical action to take is to reduce the number of attack vectors that a potential adversary may choose from." Again, this is security 101, but for CFOs this should be an alarming revelation. When the simple truth that critical systems can really only be defended and not wholly protected from interlopers is considered across the broad spectrum of industries that comprise our economy, the implications are staggering. Even in the midst of ever-larger data breaches and sharp upticks in cyber-related criminal activity, sectors like communications, finance, healthcare, legal, and even our most critical infrastructure, like the emerging "smart" power grid, are rushing headlong into the implementation of systems that dramatically increase the risk of a serious security event. It is time for a real grown-up discussion regarding the true nature and very real implications of technology-inspired risk, and it is time for security professionals to deliver a clearer message on the actual state of network and system vulnerabilities. It is also time for CFOs to fully account for the expansion of risk in the digital age, and to accurately estimate the potential impact on shareholder value.