Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byStephen Terry Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Real Life Information Security Bringing cost-benefit analysis into risk management

2 OWASP 2 Hewitt Associates  Human Resources Outsourcing  ~25’000 employees worldwide  Highly sensitive clients’ data

3 OWASP 3 HRO Market  Not purely financial  Mostly B2B  Highly competitive  Stay competitive  Stay flexible

4 OWASP 4 Shepherds or policemen?  Very high pressure from business  No „one size fits all” approach  Lessons learnt  Talk to business  Have real arguments  Talk business  Where do all these numbers come from?

5 OWASP 5 From the past Source: DatalossDB.org

6 OWASP 6 From market analytics  ~$100 USD per record  No actual abuse required  „Losing control” is the bad word  How much to spend and where to stop? Source: Ponemon Institute, „2008 Annual Study: Cost of Data Breach”

7 OWASP 7 From others’ fines Source: FSA, 22 July 2009

8 OWASP 8 From Risk Analysis  Risk = Potential Loss * Threat Probability  Potential Loss ~ Asset Cost, Brand Value...

9 OWASP 9 When Risk Analysis makes sense? Control Cost << Asset Cost Source: Flickr (edou а rd)

10 OWASP 10 What makes Control cost?  Roll-out cost  Obvious  Change cost  Not so obvious  Management cost  Not so obvious  End-user usage cost  Largely ignored  Especially if outside Source: Flickr (d а veme)

11 OWASP 11 Potential loss → Control → Real loss

12 OWASP 12 Case studies

13 OWASP 13 Qualified Certificate in ZUS*  ZUS costs  Roll-out = ?  Administration = ?  Taxpayer costs (245’000 QC’s)  100-140 million PLN – one-time  ~40 million PLN – annual QC renewal  Future costs  Attribute certificates (ZUS & taxpayers) = ?  „e-PUAP trusted profiles” (ZUS) = ? Source: Money.pl, ZUS * ZUS = Polish public pensions provider

14 OWASP 14 Invoicing  What’s the cost of invoicing?  People, paper, printing, postal, processing  Average €1,4 per paper invoice Ultimate solution  Give up VAT When e-invoicing makes sense? »Electronic invoice TCO << Paper invoice TCO »Theory: €0,4 versus €1,4 »Key word: TCO Sources: EU MEMO/00/85

15 OWASP 15 E-Invoicing in Europe  Denmark  OCES & others allowed  OCES: Quite simple origin & integrity authentication  OCES: Proportional to e- invoicing risks Around 66% of all invoices are e-invoices  Poland  Only QES & EDI allowed  EDI: supermarkets only  QES: Not designed for automatic signature  QES: More legal that real security Around 5% of companies use e- invoicing Sources: EEI 2007, ITST, OECD; GUS 2008

16 OWASP 16 Risk Management in e-banking Auth method Num ber IndividualCorporate Millions of clients High non- repudiation needs SMS15 ↑ Usable, ↓ Big cost ↓ Repudiation Token11 ↓ Big cost ↓ Repudiation TAN7 ↓ Low security, ↑ Low cost ↓ Repudiation Smartc ard 2 ↓ Not usable, ↓ Big cost ↑ Non- repudiation Source: Bankier.pl report, October 2009 (selected data only)

17 OWASP 17 Laffer’s curve in security Source: Wikipedia

18 OWASP 18 Mayfield’s Paradox Source: ISACA, „Mathematical Proofs of Mayfield's Paradox”, 2001

19 OWASP 19 How to?

20 OWASP 20 Pitfall of „One-size fits all” approach

21 OWASP 21 Source: Willem Duiff, GE (SASMA 2009)

22 OWASP 22 Control questions Before deploying a new solution  Do my controls help, instead of breaking process?  How do my controls help business do its work? Before asking for new funding  What we earned on last project?

23 OWASP 23 Is security a cost? Security is an investment to prevent losses  Spend $100k to prevent losing $1m = 10x benefit  NOT: „Security again spent $100k”  YES: „Security helped save $1M for just $100k”

24 OWASP 24 How FDE saves money  Office break-in  Four laptops stolen  All with full-disk encryption  Cost of incident – zero  Hardware – insurance  Data confidentality – able to prove to client  Data availability – backups & network drives  Where’s ROI of FDE?  No $$$ in fines  No $$ in breach notification  No $? in brand damage

25 OWASP 25 Building a consistent security policy #1  Should people should take their laptops home?  Isn’t that increasing risk of theft?  Laptop theft  Lose laptop ($)  Lose data ($$$) Source: Flickr ( а resnick)

26 OWASP 26 Building a consistent security policy #2  Laptop at home  Work from home  Disaster recovery, business continuity  Examples: UK snow (2009), London flood (2009), Hemel Hempstead explosion (2005)  Need to prevent the other risks Source: Wikipedia

27 OWASP 27 Building a consistent security policy #3  End-user message  „Always take your laptop home”  FDE is standard, non-optional proces

28 OWASP 28 Things we learned when talking to bussiness  Avoid „weasel talk” and buzzwords  „Some attacks exist that might pose a significant risk...” Use as much facts and numbers as possible  Do use industry reports  Be careful with vendor reports  „How spam filtering helps preventing global warming”  Filter them through your company’s reality check  Learn from historic incidents in your organisation Perform periodic review of your controls  Make sure at the old threat is still there  Make sure no new threats appeared

29 OWASP 29 Questions?  Questions, comments  PAWEL.KRAWCZYK@HEWITT.COM PAWEL.KRAWCZYK@HEWITT.COM  http://www.linkedin.com/in/pawelkrawczyk http://www.linkedin.com/in/pawelkrawczyk

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.

Property Inventory Valuation Replacement Cost Value The amount it would take to replace property with like property of the same quality and construction.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
Understanding secure data erasure and end-of-lifecycle IT asset management.

Understanding secure data erasure and end-of-lifecycle IT asset management.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Privacy (or Data) Breaches - Examples South Carolina Department of Revenue Hackers got into the SCDOR’s computers, and stole information on up to 3.2 Million.

Privacy (or Data) Breaches - Examples South Carolina Department of Revenue Hackers got into the SCDOR’s computers, and stole information on up to 3.2 Million.
Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented.

Copyright Security-Assessment.com 2006 Protecting The Data Data security, compliance, disclosure requirements and what can happen if you get it wrong Presented.
Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.

Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.
Agenda Reality check Who are you hiring Primary Source Verification Facts How PSV helps communities Conclusion.

Agenda Reality check Who are you hiring Primary Source Verification Facts How PSV helps communities Conclusion.
Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.

Persistent Protection Using E-DRM Technology Jason Fasoo 06/18/2008.
Our Technology Comes with People Disaster Recovery Planning Glenn Lytle, Vice President Sales, Lumos Networks July 28, 2014 1.

Our Technology Comes with People Disaster Recovery Planning Glenn Lytle, Vice President Sales, Lumos Networks July 28,
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.

Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 Copyright © 2008 Accenture All Rights Reserved. U.S. Insurance Company Mergers & Acquisitions Services; Product/Policy/Billing Trans Services Client.

1 Copyright © 2008 Accenture All Rights Reserved. U.S. Insurance Company Mergers & Acquisitions Services; Product/Policy/Billing Trans Services Client.
Embracing IP Multimedia Services for Strategic Business Advantage Rick Seeto VP & GM Enterprise Networks, Asia Pacific.

Embracing IP Multimedia Services for Strategic Business Advantage Rick Seeto VP & GM Enterprise Networks, Asia Pacific.
1Copyright 2009. Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.

1Copyright Jordan Lawrence. All rights reserved. Annual In-House Symposium Practical Steps to Minimize Privacy Risks: Understanding The Intersection.
[Name / Title] [Date] Effective Threat Protection Strategies.

[Name / Title] [Date] Effective Threat Protection Strategies.
Overview of Cybercrime

Overview of Cybercrime

Similar presentations

Ads by Google