RE: CRIME Security Justification

From: Andrew Plato (aplato@private)
Date: Tue Aug 13 2002 - 17:06:55 PDT


I would poke around Security Focus and the SANS reading room. Both have numerous great papers on ROI for security spending.

There is a great paper on the ROI for IDS on Security Focus right now. See: http://online.securityfocus.com/infocus/1608 I'd haggle over some of the paper's assumptions and numbers. For example, they say a HIDS costs $1000 per unit, which is a bit high. The BlackICE HIDS runs at $80 per unit for workstations and $300 per unit for servers. Nevertheless, it's a very good paper overall.

You might also ask Toby Kohlenberg to point you to his paper on the value of IDS he wrote for SANS.

One thing to consider when it comes to security is that hackers and terrorists might not be interested in your data, but they are interested in using your computers to hack other machines. So they take over some of your workstations or servers and then use those machines to hack into the Pentagon or elsewhere. Before you know it, the men in black are at your front door questioning you and your IT staff.

The other thing to remember is that most security ROI is predicated on the "single incident problem." All it really takes is one bad intrusion to wipe out a company. In that sense, if your company is valued at, say, $5,000,000, then investing $50,000 in security is a fairly reasonable expenditure. If that investment thwarts even one attack, it has more than paid for itself.

Another factor to consider is the numerous inexpensive and free solutions out there. They might not be as easy to use or come with the support that a commercial product has, but the open-source community puts out a lot of interesting stuff that can really help secure your systems. In this sense, your only expenditure is your time learning the products.

Good luck.
    
------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
------------------------------------

    
-----Original Message-----
From: Steve Kirby [mailto:Kirbys@private]
Sent: Tuesday, August 13, 2002 4:42 PM
To: 'crime@private'
Subject: CRIME Security Justification

Howdy all,
I have poked around CERT and a couple of other government sites, but the data is at too high a level. I am looking for case studies or statistics for smaller companies / lower-threat companies.
Are there any papers that offer a compelling drive to spend money on security? I am working with several teams at my company that include executives, but they are looking for an ROI on any and all expenditures, especially in the current economy, and I have not found anything compelling for spending the money on security.
The information that I would find interesting would be:
Business/company-specific numbers. Companies outside of 'high visibility' sites such as news / defense contractors and Fortune 100. I understand why the government or Yahoo need to defend themselves; I am not as clear as to how much Acme Building needs to spend.
The thought that pervades our IT Dept. is that our company is so low on the radar screen of most hackers that it may not be worth the money to secure, but I would like to see some statistics to back this up ... either for securing or against securing.
Thanks in advance,
Steve




This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 17:47:18 PDT