Security Breach Essay


Companies in the news for security breaches are now benefiting from newly found hindsight, gained by way of a lack of security. These views come at a very high cost, and it should come as no surprise that many companies will continuously and gratuitously benefit from them. The reason I believe this is because companies just don't get it. At the cost of millions of dollars spent post-compromise, companies rush off to apply band-aids where sutures are needed. Anyone with a connection to the Internet who has viewed any form of news site in recent weeks has come to know their names: RSA, Sony, Nintendo, L3, Northrop, and the list goes on and on.

Where do these companies go wrong? With so much already being spent on security …

It seems to be "wasted dollars" for security managers and C-Level types since they cannot measure ROIs on voodoo metrics. You know those voodoo metrics well; they are usually cleverly scrawled across every security management level certification you could find: ALE = SLE x ARO or ROSI = R - ALE, where ALE = (R-E) + T. Too many security charlatans have flooded the security arena with this nonsense for too long.

Can we state that Citi, BofA, L3 and others never used these metrics? If they state that they did not, they would be hurting their reputation. We can infer that the outcome of these metrics is useless, and this is as obvious a statement as "tomorrow is another day." So how does the security industry change this backwards approach to security while keeping costs low and security measures high? Simple: take a different approach to security as a whole.

In a recent case, [6] a judge ruled that a bank was not responsible for fraudulent transfers made from an account. In this case, both the bank and the customer lose; the bank loses a customer, the customer loses their money. Case closed. However, imagine if the bank had a validation policy in place where any …

In other instances, such as the Sony compromise, the cost of securing that network would have been far less than the estimated 170 million [7] they dished out. The existing approach to security, however, would still likely have led to a compromise. This is because companies are looking at security as: "build a bigger wall, add a moat, throw sharks in the lake." What they fail to see is that most of the existing attacks are not "coming through the front door." Many are client-side attacks [8], where an attacker leverages a machine already inside a network to burrow out of a trusted network, from where the attacker can then control that machine. How do you defend against this? It is just as simple as defending from the other side of the "wall." You build mechanisms to inspect what is leaving your network. Disgustingly simple, isn't it?
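One way to inspect what is leaving a network, as an added example that is not part of the original essay: it flags internal hosts that connect straight out to external addresses and then picks out the ones that call home at regular intervals. The flow-record format, the 10.0.0.0/8 internal range, the allowlist entry, the thresholds and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: internal address space
ALLOWED_DIRECT = {("192.0.2.10", 443)}          # assumption: sanctioned direct destination

# Constructed flow records: epoch_seconds src dst dst_port bytes_out
SAMPLE = """\
1000 10.1.2.10 10.0.0.8 3128 5200
1010 10.1.2.10 10.0.0.53 53 80
1030 10.1.2.10 192.0.2.10 443 900
1060 10.1.2.44 203.0.113.7 443 310
1120 10.1.2.44 203.0.113.7 443 305
1180 10.1.2.44 203.0.113.7 443 312
1240 10.1.2.44 203.0.113.7 443 308
1300 10.1.2.10 198.51.100.20 443 48000
"""

def parse(text):
    """Yield (ts, src, dst, dport, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield int(parts[0]), parts[1], parts[2], int(parts[3]), int(parts[4])

def direct_egress(flows):
    """Flows from internal hosts straight to external hosts not on the allowlist."""
    return [f for f in flows
            if ipaddress.ip_address(f[1]) in INTERNAL
            and ipaddress.ip_address(f[2]) not in INTERNAL
            and (f[2], f[3]) not in ALLOWED_DIRECT]

def beacons(flows, min_count=4, max_jitter=0.1):
    """(src, dst, dport) tuples contacted at near-constant intervals."""
    seen = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        seen[(src, dst, dport)].append(ts)
    hits = []
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Regular gaps (low spread relative to the mean) suggest automated check-ins.
        if len(stamps) >= min_count and pstdev(gaps) <= max_jitter * mean(gaps):
            hits.append(key)
    return hits

if __name__ == "__main__":
    violations = direct_egress(parse(SAMPLE))
    for v in violations:
        print("direct egress:", v)
    print("possible beacon:", beacons(violations))
```
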

Ask any security manager or C-Level why they won't apply this and you are likely to be bombarded with a hodge-podge of voodoo metrics: SLE = EF x AV x CTM or ROI = ALE - (( ALE - (ALE - ALE2)) + T ). In other words, covering one's ass is far more important than actually getting the job done right. This is
