Saturday, November 8, 2008

Intrusion Debt and Security ROI and Security Malpractice

Richard Bejtlich has a new post linked to an older post and mentions the idea of intrusion debt as the counter argument to security ROI. I agree with RB that there is no ROI on security (he has lots of posts arguing this and they are good reads), doing things safely is your ROI, operating your network without compromise and data loss (or minimizing it) is your ROI, protecting your IP is your ROI. From the slides on the new post is the question of what if we allowed people who build bridges to operate at the same standards as those who build networks. Scary, right?

"Imagine that you defer that cost by not detecting and responding to the intrusion. Perhaps the intruder is stealthy. Perhaps you detect the attack but cannot respond for a variety of reasons. The longer the intrusion remains active, I would argue, the more debt one builds."

"How many CEOs/CIOs/CTOs/CISOs/CSOs will look at the digital wreckage of an incident and wonder "why didn't we see this happening?"

The key to that is catching it in the first place and being able to adequately respond or have policies in place once you do see it. In 2008, I didn't think we would still be there, but we are and its sad.

I think business and government entities are lucky about how much they are allowed to shield (lie) to its customers and employees about network compromises. If a network has been owned for several months and the appropriate action wasn't taken (so at some point the compromise was discovered) should that be grounds for fines or lawsuits? You know that any domain will have some type of PII, intellectual property, or something worth protecting floating around. What are people to do with network/security malpractice? Is it feasible to hold those CxO people accountable at that level? What are common people supposed to do when there is gross negligence with their information? Current laws, regulation, and fines obviously aren't working or a sufficient deterrent and I'm not sure asking a technology immature legislative system to come up with more unenforceable laws is a good solution either.

Thoughts on what to do?

No comments: