
CyberSecurity Institute

Security News Curated from across the world


Category: News

What Price Security?

Posted on April 24, 2005 / December 30, 2021 by admini

This article looks at new ways that businesses are making the ROI case for this critical investment.

It’s a conundrum that plagues businesses large and small as they strive to wring competitive advantage from every dollar they spend: Where is the quantifiable proof that X amount of spending will prevent Y amount of losses due to security breaches?

Traditional cost-benefit analysis hasn’t been much help here because costs and benefits need to be measured in the same terms. That’s easy with some straightforward revenue-enhancing investments, but not with security.

For many companies, the benefit of their security investment often boils down to so-called “soft” returns — such as the protection of their brand image by avoiding the negative publicity associated with being hacked.

Perhaps it’s not surprising that, in the absence of hard numbers, advocates for increased security spending sometimes find themselves falling back on fear, uncertainty and doubt — or FUD — to make their case.

In the past few years a body of research has grown that supports the theory that it is possible to calculate a tangible return on security investment (or ROSI). Much of this research comes from the fields of risk assessment and risk management.

It looks at such things as cost reduction related to risk mitigation and productivity gains associated with security investment.

Cost-benefit trade-offs

Researchers at the University of Idaho assessed the cost-benefit trade-offs for a network intrusion detection system (IDS) they built. Their goal was to prove that it’s more cost-effective to deal with attacks using intrusion detection than through other means.

Their conclusion: An IDS that cost $40,000 and was 85 percent effective resulted in a ROSI of $45,000 on a network that was expected to lose $100,000 yearly as a result of intrusions.

Baseline comparisons

In a third study, researchers erected a network infrastructure similar to that used by companies conducting transactions over the Internet. Performance metrics were taken to establish a baseline throughput rate. Security measures were then applied in steps, and new metrics were taken and compared with the baseline metrics.

Researchers found that applying appropriate security measures can create efficiency gains — that is, increased network throughput — of more than 3 percent.

As the above examples show, calculating a tangible ROSI is math- and labor-intensive.

Research is now available to help calculate the cost of security incidents to an organization and the probability that a given incident will occur.

At the same time, the threat of cyber attacks continues to grow each day, including the emergence of two overarching threats to corporate computer security: the proliferation of fast-spreading, “blended” threats (i.e., malicious code), and insufficient funding allocated by managers for security initiatives.

http://www.itstrategycenter.com/itworld/Res/analytics/what_price_sec/index.html


VoIP is a threat to wireless security

Posted on April 18, 2005 / December 30, 2021 by admini

“Security obviously cannot be ignored,” said Nick Jones, a research vice-president for Gartner, “but you can worry less — so long as you are willing to pay for it, security can be achieved.” Jones said that a variety of advances in areas such as encryption and virtual private networks — and better management strategies — were helping businesses secure their networks more effectively.

Jones, who gave a keynote speech at Gartner’s Wireless and Mobility Summit, said that mobile computing was becoming an increasingly important issue for IT bosses to consider. “Mobility is one of the top priorities for CIOs,” he said. “If you are a CIO, I hope you have a wireless strategy because your peers will have one.”

The Summit also heard that VoIP products such as Skype were likely to drive down mobile phone costs, as some companies are now encouraging staff to use VoIP for long-distance calls.

Jones, however, warned that VoIP services pose a threat to corporate security because they require some ports on the firewall to be left open, which can give hackers opportunities to penetrate a network.

http://www.silicon.com/research/specialreports/voip/0,3800004463,39129635,00.htm


Expanded Wi-Fi certification brings confusion, says Gartner

Posted on April 18, 2005 / December 30, 2021 by admini

As if Wi-Fi standards are not confusing enough, last week’s addition of four widely used Extensible Authentication Protocol (EAP) types by the Wi-Fi Alliance will make your head spin.

WPA certification will be more confusing than meaningful for enterprise decisions until at least 4Q05, when it becomes mandatory for vendors to pass ‘new’ WPA2 certification.

Additional confusion will undoubtedly result after Cisco and Microsoft likely introduce a new or enhanced EAP type in coming months which will require the Wi-Fi Alliance to conduct further interoperability testing, according to Gartner.

And the Wi-Fi Alliance is reserving the term “WPA3” for new IEEE 802.11 security features rather than for security testing extensions, further contributing to the confusion around WPA and WPA2 certification through at least the first half of next year.

Gartner says to simply select the authentication approach that best matches your business, IT and security processes, regardless of Wi-Fi certification.

http://blogs.zdnet.com/Research/index.php?p=152


IBM Stresses App Security

Posted on April 18, 2005 / December 30, 2021 by admini

Anthony Nadalin, chief security architect for IBM’s Software Group, said IBM is looking to do more to address the issue of security throughout the application life cycle, starting during the requirements process and going straight through to modeling and deployment. “There is a lot of interest in companies building secure applications and how to guarantee that, so we’re looking at the notion of security in the application life cycle.”

Nadalin said IBM is considering enhancing its modeling capability to enable users to integrate security into the process.

The authentication becomes a policy issue, and “you wind up with a policy-driven model. It is nearly impossible to retrofit,” Murphy said.

http://www.eweek.com/article2/0,1759,1787115,00.asp?kc=EWRSS03119TX1K0000594


The U.N. thinks about tomorrow’s cyberspace

Posted on March 31, 2005 / December 30, 2021 by admini

That remains the province of specialized organizations such as the Internet Corporation for Assigned Names and Numbers, or ICANN; the Internet Engineering Task Force; the World Wide Web Consortium; and regional address registries. Though Zhao is far too diplomatic to state it directly, the ITU’s increasing interest in the Internet could presage a power struggle between ITU, ICANN, and perhaps even the U.S. government, which retains some oversight authority over ICANN and appears content with the current structure.

“The whole world is looking for a better solution for Internet governance, unwilling to maintain the current situation,” Houlin Zhao, director of the ITU’s Telecommunication Standardization Bureau, said last year. Zhao, a former government official in China’s Ministry of Posts and Telecommunications, has been in his current job since 1999. “Countering spam is just one of many elements of protecting the Internet that include availability during emergencies and supporting public safety and law enforcement officials,” Zhao wrote in December.

Also, he wrote, the ITU “would take care of other work, such as work on Internet exchange points, Internet interconnection charging regimes, and methods to provide authenticated directories that meet national privacy regimes.”

This article documents an interview with Houlin Zhao, director of the ITU’s Telecommunication Standardization Bureau.

http://news.zdnet.com/2100-9588_22-5648953.html


Telecom giants join forces against hackers

Posted on March 28, 2005 / December 30, 2021 by admini

The new Fingerprint Sharing Alliance hopes to help its members, which include British Telecommunications, Cisco Systems, EarthLink, MCI and NTT Communications, more effectively share information on individuals responsible for launching online attacks. Other organizations involved in the collaboration include Asia Netcom, Broadwing Communications, Verizon Dominicana, XO Communications and the University of Pennsylvania.

Members of the Fingerprint Sharing Alliance will automatically send one another data on computer hackers as they observe or experience new attacks. By immediately alerting other communications companies when they’re being threatened, members of the group hope they can more effectively guard against online attacks and infrastructure hacks that cross network boundaries.

Arbor Networks is helping to spearhead the effort. The Lexington, Mass.-based company, which specializes in network threat detection and monitoring tools, will provide the technology used by the group’s members to share emerging attack data. By helping the communications giants rapidly distribute information on hackers, the security company said it can aid in blocking attacks closer to the source.

Mark Sitko, vice president of MCI’s Security Services Product Management group, said the Fingerprint Sharing Alliance will quickly provide an “unparalleled view” into new security threats as they surface around the globe. Sitko also promised that MCI will bring significant antihacking firepower to the table.

At least one industry watcher has also endorsed the group’s efforts. Jim Slaby, senior analyst with Boston-based Yankee Group, said that as online attacks become more sophisticated, industrywide collaboration is becoming a more important tool in stopping criminals. “We’re seeing more technology-savvy criminals trying to make money through denial-of-service extortion schemes,” Slaby said in a statement. “Service providers that are cooperating by sharing attack fingerprints are helping mitigate these threats more quickly and closer to the source, thus making the Internet a more secure place.”

http://news.zdnet.com/2100-1009_22-5642840.html?part=rss&tag=feed&subj=zdnet

