We often think about Return on Investment (ROI) in security in terms of how much we spend versus how we reduce the risk of a breach. An old article by Bruce Schneier covers this topic fairly well, but today I’d like to flip that model upside down and discuss ROI from the perspective of an attacker.
In the old days of security, hacking was a free activity aside from whatever the time of a lonely teenager was worth, and so anything of value that could be gained was pure upside.
But for a sophisticated attacker today, hacking is big business, and launching a sophisticated attack requires investing real money. So how do you stop a smart attacker? Simple: reduce their ROI to make exploiting you fiscally irresponsible.
Let’s start with the economic equation. We’ll forget about social activists and government espionage, and focus on the hackers that have a straightforward motive we can easily understand – profitability.
First, you need to quantify your assets from the attacker’s point of view. This is a completely different valuation than what your assets are worth to you. Your CFO may look at a breach in terms of its regulatory cost, and the impact to the brand, and how much it might hurt your bottom line, but the attacker is unlikely to care about any of that. They’re more concerned with how much your data is worth to them.
Luckily, we have all sorts of resources about what various assets are worth on the black market. Krebs on Security has great data on valuing credit cards, for example. How about your customer list? Fortunately, just random email addresses are nearly worthless, but if you have an unscrupulous competitor in your industry, you might think more seriously about what that list is worth.
Source code is an area I think most companies over-value from an attacker’s perspective. There have been a number of enterprise software companies that have had their source code stolen – see for example this great series of articles about a breach at Symantec from The Verge. Although a software product may be generating tens of millions or hundreds of millions of dollars in revenue, that doesn’t mean the source code is worth even a small fraction of that to an attacker.
The most attractive part of having source code is making it easier to find ways to exploit it, but there are plenty of ways to analyze a product without the source: reverse engineering the shipped binary, fuzzing, or decompiling bytecode. I wouldn’t be surprised to find software companies spending millions of dollars protecting source code written in interpreted or easily decompiled languages, where essentially the same source ships to every customer anyway.
Why bother breaking into the company to steal product source, when it’s so much cheaper and easier to just buy it?
You might look at this analysis and conclude that you are focusing all your attention on the wrong assets. Or you might ask the question: how do I make an attack less profitable to an attacker? One good option is decentralizing your most valuable assets.
The historical security model of “get everything valuable in one place, then put super-size security controls around that core” is exactly what makes that core of assets so attractive to attack. But if you parcel out those assets in different places, with different controls, disconnected from each other, it becomes a whole lot less attractive to get into any one of them.
The second half of this equation to look at is how much it will cost the attacker. Of course, any additional barriers you put up to make a network more secure may raise that cost, but what are the real pain points of expense for an attacker?
One of the biggest costs is a 0-day exploit (I never liked the name; to me a 0-day should be the day it is released, but the security world disagrees with me and has declared that means it has yet to be published). There are lots of variables, and again lots of great data available – a good although slightly dated article on the topic from Forbes sheds more light on this market.
What does this mean for you? If an attacker can run a free exploitation tool against an unpatched, well-known vulnerability and break into your network for free, that is a whole lot less expensive than if they have to use a 0-day exploit. Using a 0-day can get expensive – every use risks it being logged, discovered, and patched, at which point the money spent on it is gone. If you have reduced the value of your assets enough, it might not even be worth burning one on you.
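To make the “economic equation” concrete, here is a small model, added for this post and not part of the original article: it scores a target by expected resale value minus entry cost minus the expected write-off of a 0-day that gets caught, then runs the same customer database three ways: as one store reachable with a public exploit, as one store that needs a 0-day, and parcelled into ten independent stores with separate controls. All dollar figures and probabilities are constructed placeholders, and the `shard` helper assumes the attacker pays the entry cost and the 0-day burn risk again for every store it breaks into.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    """One store of data as the attacker sees it. All figures are constructed
    placeholders (hypothetical USD), not market data from the article."""
    resale_value: float           # what the data fetches on the black market
    p_success: float              # attacker's estimate of getting in with this tooling
    entry_cost: float             # infrastructure, bought access, operator time
    zero_day_price: float = 0.0   # 0.0 when a free, public exploit is enough
    p_burn: float = 0.0           # chance the 0-day is logged, discovered and patched per use


def expected_profit(t: Target) -> float:
    """Attacker's expected profit from one intrusion attempt.

    Expected resale minus the sunk entry cost minus the expected write-off of
    the 0-day (its price times the chance this particular use burns it).
    """
    expected_burn = t.zero_day_price * t.p_burn
    return t.p_success * t.resale_value - t.entry_cost - expected_burn


def shard(t: Target, n: int) -> list[Target]:
    """Parcel one store into n disconnected stores with separate controls.

    Assumption (constructed): resale value splits evenly, but the attacker's
    entry cost and 0-day burn risk are paid again for every store, because
    access to one store does not carry over to the others.
    """
    return [Target(t.resale_value / n, t.p_success, t.entry_cost,
                   t.zero_day_price, t.p_burn) for _ in range(n)]


def rational_take(targets: list[Target]) -> float:
    """Total profit for an attacker who only bothers with stores that pay."""
    return sum(max(0.0, expected_profit(t)) for t in targets)


# Constructed scenario: the same customer database, three ways.
MONOLITH_FREE_EXPLOIT = Target(resale_value=1_000_000, p_success=0.75,
                               entry_cost=5_000)                # unpatched, public tool
MONOLITH_ZERO_DAY = Target(resale_value=1_000_000, p_success=0.5,
                           entry_cost=50_000, zero_day_price=200_000, p_burn=0.25)
SHARDED_ZERO_DAY = shard(MONOLITH_ZERO_DAY, n=10)


def compare() -> dict[str, float]:
    """Expected attacker profit for each layout of the same data."""
    return {
        "monolith, free exploit": expected_profit(MONOLITH_FREE_EXPLOIT),
        "monolith, 0-day": expected_profit(MONOLITH_ZERO_DAY),
        "10 shards, 0-day": rational_take(SHARDED_ZERO_DAY),
    }


if __name__ == "__main__":
    for label, profit in compare().items():
        print(f"{label:24s} expected attacker profit: {profit:>12,.0f}")
```

With these placeholder numbers the public-exploit path pays 745,000, the 0-day path 400,000, and the ten-way split pays nothing, because no single store covers the attacker's entry cost plus the expected loss of the 0-day. Swap in your own estimates; the shape of the result is what matters, and it only holds while the shards really are disconnected.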
So, make it hard on them. Don’t let an attacker get away using an easy vulnerability to exploit your network. If they want your assets, make them pay, and then make them disappointed with how little value they found once they did. They might just decide there are easier ways to make money than on your network.