Get smart about patching security vulnerabilities

By Linda Tucci, Senior News Writer
11 Mar 2009 | SearchCIO-Midmarket.com


How can companies be free of security vulnerabilities? They could ferret out all the flaws in their computer products and patch them. They could prevent flaws from being exploited by shutting down systems. Of course, neither is good for business or the budget.

That's the view of Peyton Engel, a technical architect who heads the security assessment team at CDW Corp., at the recent Fusion 2009 CEO-CIO Symposium in Madison, Wis.

Instead, companies need to spend less time reacting willy-nilly to security vulnerabilities and more time asking whether threats are likely to affect them, Engel said. He recommends companies identify the point of diminishing returns of patch management by weighing the probability and severity of the security vulnerability, rather than the severity alone.

"We have a myth right now that we need to patch vulnerabilities. I am not here to tell you you should stop patching critical vulnerabilities -- that would be foolish. But right now, there is this kind of consciousness in the industry that when you have a vulnerability, by golly, the first thing you do is patch it," said Engel, who gave a talk at Fusion 2009 on getting your money's worth from security.

Security vulnerabilities are always with us, Engel said. A new vulnerability usually means an existing weakness that is now just being discovered. Incidents, not vulnerabilities, are the problem -- actors causing mischief, or worse, intent on committing a crime. And even these threats don't cause trouble until they meet up with a vulnerability, be it a missing patch or a weak password or a lax system administrator.

The pertinent question is whether the vulnerability is bad for you. And, if so, is patching the right fix for it? Or might it be wiser to go on the offensive?

Indeed, the patching approach of many security pros is not unlike that of the World War II engineers who studied the distribution of bullet holes on returning planes to determine where best to apply aircraft armor. "Everybody sees the mistake, right?" Engel asked. "These are the planes that made it back." Statistical analyses based on those planes, of course, factored out the aircraft that crashed and burned.

"Taking data at face value is risky," he said.

Calculated hype from security vendors

But calculating risk is itself a risky business. One formula, for example, calls for thinking about risk in terms of annualized loss expectancy (ALE). To determine this, you multiply the single loss expectancy (SLE), or the cost of a single incident, by the annual rate of occurrence (ARO), or how many incidents per year, to get a dollar figure per year. If the solution the security vendor is trying to sell you costs less than that annual figure, then it is a no-brainer and you should buy it.

"Well, I wasn't issued the crystal ball that tells me how many incidents you're going to have or how much they cost you. So I am skeptical of really quantitative analysis like this," Engel conceded. "However, I think we can at least agree that there are incidents, they do have costs and happen at some frequency, and if we can reduce incidents -- that is a good thing."

Here are three strategies for getting your money's worth out of security spending, which Engel illustrated with some CDW customer scenarios:

1. Pay attention to ARO but focus on minimizing loss expectancy.

A school district in Indiana supported 314 computers, all of which shared one generic system administrator account. An incident on any one of the computers was a good way to have an incident on all of them, Engel said. Just by disabling the administrator account, or by not sharing passwords from one system to the next, the district went from worrying about 314 systems to about 20, according to a CDW analysis.

Beware of the fallacies baked into the formula, Engel said.

Many security products today are targeting the ARO marker. A company worried about a certain type of incident might be urged to buy the countermeasure for it, concluding (wrongly) that the worrisome incident will never happen and all is safe.

"Almost nobody is thinking about buying security to minimize loss expectancy," Engel said, but that is the critical measure.

The Indiana school district is "not trying to prevent incidents on all these stupid workstations out in the school district. We're going to admit that some day they are going to get hacked. What we want to make sure is that a hack [on one workstation] doesn't translate into loss of all its student records, HR data and so on," Engel said.
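The shared-account scenario above can be put in numbers. The following added example (not CDW's analysis or Engel's model, and using a small constructed fleet rather than the district's 314 machines) treats hosts that accept the same credential as reachable from one another, measures the worst-case blast radius of a single compromise, and then plugs that radius into the ALE = SLE x ARO formula to compare "reduce ARO" against "reduce loss expectancy". The `loss_per_host` and `aro` values are assumed inputs.

```python
from collections import defaultdict


def reachable_hosts(hosts, start):
    """Hosts an intruder on `start` can reach by reusing any credential that is
    valid on a host already reached (transitive closure over shared accounts)."""
    cred_to_hosts = defaultdict(set)
    for host, creds in hosts.items():
        for cred in creds:
            cred_to_hosts[cred].add(host)
    seen, stack = {start}, [start]
    while stack:
        host = stack.pop()
        for cred in hosts[host]:
            for nxt in cred_to_hosts[cred]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
    return seen


def worst_blast_radius(hosts):
    """Largest number of hosts lost if any single host is compromised."""
    return max(len(reachable_hosts(hosts, h)) for h in hosts)


def revoke(hosts, cred):
    """Fleet after removing one credential (e.g. the shared local admin)."""
    return {h: creds - {cred} for h, creds in hosts.items()}


def annualized_loss(hosts, aro, loss_per_host):
    """ALE = SLE x ARO, with SLE modelled as every host in the worst-case
    blast radius being lost in one incident (assumption for this example)."""
    return aro * loss_per_host * worst_blast_radius(hosts)


# Constructed fleet: eight workstations in two departments plus a records
# server. Every machine accepts the same generic "admin" account.
FLEET = {f"ws{i}": {"admin", "dept-a" if i < 4 else "dept-b"} for i in range(8)}
FLEET["records-db"] = {"admin", "dba"}

if __name__ == "__main__":
    hardened = revoke(FLEET, "admin")
    print("blast radius before/after:", worst_blast_radius(FLEET),
          worst_blast_radius(hardened))            # 9 -> 4
    # Cutting the ARO in half (2 -> 1) leaves ALE above what revoking the
    # shared account achieves at the unchanged ARO.
    print(annualized_loss(FLEET, 1, 1000), annualized_loss(hardened, 2, 1000))
```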

2. Drive down redundant spending, especially now.

A healthcare provider in Michigan had three IT initiatives:

  • A scheduling system for its doctors, with the goal of keeping the docs as busy (and billable) as possible and, of course, protecting sensitive medical records;
  • An application to allow physicians from other facilities to schedule tests in its labs, because that brought in more money too; and
  • Self-service for patients with sudden complaints who could look for openings due to last-minute cancellations -- another way to boost revenue.

The point of the story is not an indictment of healthcare run amok, but that the provider could have built three separate applications, and many companies would. If instead the healthcare provider builds one layer of abstraction atop the database that effectively implements its security rules -- authentication, authorization and accounting -- it spends once for security but gets to use it multiple times.

3. Start thinking about security spending close to the beginning of any project.

In the 1970s, an IBM study looking at the ROI of secure software development found that the cost of fixing security vulnerabilities rose dramatically the later they were discovered in the development cycle. If a fix came once the software was in production, costs could be astronomical.

"If we start thinking about security in terms of overall project plans, if we push our security spending closer to the start of the project, we get to spend less and be more effective," Engel said.
