RE: [logs] hack attempts && price

From: H C (keydet89at_private)
Date: Tue Feb 19 2002 - 17:36:25 PST


    > > identify risk (fx. e-commerce site that brings
    > > $10M yearly=>1 day downtime=$300K=>1 hour
    > > downtime=$10K)
    > > cover risk by realtime log auditing.. (costs fx
    > > $7K daily)
    > >
    > > profit=> risk value*risk probability -
    > > countermeasure=$40K monthly
    >
    > This works for straight commercial front end system,
    
    On the surface, yes, it does.  But it assumes a lot
    and is very, very specific to the system in question. 
    It's not scalable or translatable at all.
    
    Take an IIS front end web server.  It would have taken
    approx 15 seconds to secure it against Code Red, even
    a year ago.  If 1 hr of downtime translates to $10K,
    and the system would not have had to have been taken
    down to prevent a Code Red infection (simply disable
    the script mapping), then what is the cost?  
    
    Now, what happened when Code Red hit?  How many
    incidents are mishandled due to lack of
    policy/procedure, or an under-trained staff?  How many
    incidents are said to cost hundreds of thousands of
    dollars in man-hours and downtime, when a better
    trained staff could have recovered the system in less
    time, with no down-time?
    
    > but how do you cost
    > a break-in to HR or other system that isn't critical
    > to your ability to
    > do business.  The cost is definitely greater than
    > the time to make good
    > the damage but by how much?  How does one cost
    > employees' privacy?
    
    
    I don't see how you get to a greater cost for what you
    describe as a non-critical system.  However, I think
    your point is taken...how does one show the cost of an
    incident to a non-critical system like an HR database
    (given that it affects employee privacy, I wouldn't
    call it non-critical)?  
    
    What about the ROI of security?  Take the Code Red
    example again...lots of folks out there know how long
    it took to clean up and can compute a cost based on
    total man-hours and downtime of systems.  However, if
    it would take 4 hrs to write and deploy a script to
    protect, say, 100 IIS servers against Code Red...how
    does one show ROI?  You've got the 4 hours to show for
    your proactive efforts, but you have no reactive costs
    (like so many others do) to compare it to...
    
    
    



    This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 21:31:03 PST