Thursday, August 30, 2012

Impacting Adversary ROI

Recently I was looking at talks from RSA 2012. One talk that got my attention is Adversary ROI: Why Spend $40B Developing It, When You Can Steal It for $1M. The two points I liked most are:

1. The Adversary Doesn’t Care About Your ROI/ROSI.

2. Whatever security measures you put in place should reduce the Adversary ROI.

Let's see the formula for adversary ROI:

Adversary ROI = (((Attack Value - Cost of the Attack) x Probability of Success) / Cost of the Attack) - Deterrence Measures

where Attack Value = Value of Assets Compromised + Adversary Value of Operational Impact, and Deterrence Measures = % Chance of Getting Caught x Cost of Getting Caught.

The most important factor in this ROI is the cost of the attack. If your security measures can increase the cost of the attack (which most measures do), they reduce the adversary ROI many times over. This is the area where most security vendors focus their effort, along with reducing the probability of success. Advances in attack tools and techniques reduce the attack cost and increase the probability of success, so white-hat hackers/defenders find themselves in a rat race to build countermeasures. As a best practice, multilayer security (IPS/IDS/firewall/antimalware) has to be implemented to affect these vectors of the adversary ROI.

Let's say that after applying all these measures the attacker is still able to penetrate your system. If you can be alerted and act before the adversary is able to steal or damage your assets, this reduces the probability of success. Here your various monitoring systems play a great role, for example file/registry/process integrity monitoring, log inspection and so on.

What if your assets have been stolen or damaged before you were able to act? There is still hope in the form of your risk management policy and forensics, which can help in recovery and in catching your adversary. These two factors increase the chance of catching the hacker.

There is one factor which you cannot control directly: the impact of getting caught. It depends a lot on government/country rules and regulations and how they treat your adversary.

While you can reduce the value of assets compromised, it is not always possible, and not always advisable either. You cannot control the Adversary Value of Operational Impact, as it depends on the type of adversary you are dealing with.

One thing should be noted here: the factors affecting adversary ROI should be considered in totality, not in isolation.
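The formula above applied to one attack scenario, showing how each defensive lever discussed here moves the adversary ROI alone and in combination. This is an added example, not material from the talk: every number and every control effect is constructed for illustration, and the cost of getting caught is assumed to be expressed in the same unit as the ROI ratio so that the two terms can be subtracted.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Attack:
    asset_value: float         # value of assets compromised
    operational_impact: float  # adversary value of operational impact
    cost: float                # cost of the attack
    p_success: float           # probability of success (0..1)
    p_caught: float            # chance of getting caught (0..1)
    cost_caught: float         # cost of getting caught (assumed: ROI-ratio units)

    def roi(self) -> float:
        """Adversary ROI exactly as the formula in the post states it."""
        attack_value = self.asset_value + self.operational_impact
        gain = (attack_value - self.cost) * self.p_success / self.cost
        deterrence = self.p_caught * self.cost_caught
        return gain - deterrence


# Constructed baseline scenario (not taken from the talk).
BASELINE = Attack(900_000, 100_000, 100_000, 0.5, 0.1, 5.0)

# Hypothetical effect of each defensive lever on the attacker's inputs.
CONTROLS = {
    "layered prevention (attack cost x2)": lambda a: replace(a, cost=a.cost * 2),
    "monitoring (success probability /2)": lambda a: replace(a, p_success=a.p_success / 2),
    "forensics (chance of capture -> 0.4)": lambda a: replace(a, p_caught=0.4),
}


def compare(baseline=BASELINE, controls=CONTROLS):
    """Return the ROI for the baseline, each control alone, and all combined."""
    results = {"baseline": baseline.roi()}
    combined = baseline
    for name, apply in controls.items():
        results[name] = apply(baseline).roi()
        combined = apply(combined)
    results["all controls together"] = combined.roi()
    return results


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:40s} ROI = {value:6.2f}")
```

With these constructed inputs no single control makes the attack unprofitable, but the combination pushes the ROI below zero, which is the "totality, not isolation" point.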

 

Reference.

http://365.rsaconference.com/servlet/JiveServlet/previewBody/3429-102-1-4545/GRC-202.pdf

Security Related Quotes

 

  • A risk requires a threat and a vulnerability that results in a negative consequence.
  • A Threat is an Actor with a Capability and a Motive.
  • Casual Attacker power grows at the rate of Metasploit.
  • PCI won’t stop a determined attacker, but it will at least stop a casual attacker.
  • PCI is better than nothing – it at least raises the bar.
  • The organization doesn’t often profit from security investments.
  • Attack surface is approaching infinity (which is not a real number).
  • Risk Mitigated can be both subjective and objective.
  • The Adversary Doesn’t Care About Your ROI/ROSI.
  • The problem is that security is so complex that every topic has a huge amount of context associated with.
  • Don’t let your project’s definition of security be driven by the signatures in a tool, external compliance requirements, or what happens to be in a particular penetration tester’s or developer’s head.
  • There are simply far too many ways to write insecure code.
  • We don’t need to fix those vulns; we have a WAF-  ROFL

Tuesday, August 21, 2012

Test Process Improvement manifesto

Flexibility over Detailed Processes

Best Practices over Templates

Deployment orientation over Process orientation

Reviews over Quality Assurance (departments)

Business driven over Model driven

Monday, August 13, 2012

Manifesto for Agile Software Development

 

We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
That is, while there is value in the items on the right, we value the items on the left more.