How to Justify Your Security Assessment Budget

Transcription

1 2BWhite Paper How to Justify Your Security Assessment Budget Building a Business Case For Penetration Testing WHITE PAPER

2 Introduction Penetration testing has been established as a standard security practice in recent years: while the topic was originally used in the military and intelligence services, penetration testing is now an essential part of regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Penetration testing is now even featured in movies and TV shows. This is not surprising since penetration testing is not only an exciting field to work in, but also offers tangible business benefits. Penetration testing experts seem to have a bright future. One topic that a lot of technical IT professionals have problems with maybe you as well is selling security to their non-technical management. This white paper aims to help you with this by explaining the benefits of penetration testing in relevance to the business so you can secure the necessary budget. How to Explain Penetration Testing to Your Boss We often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. You want me to authorize you to break into our systems? they ask. Everyone is reluctant to agree to things they are not familiar with. It can help to use analogies to explain how penetration testing works: how do you know whether cars are safe? Even the most experienced engineers will find it hard to accurately predict all aspects of security without a crash test. Likewise, you should carry out penetration testing regularly on important systems so you can detect where your systems are vulnerable. You have to find these vulnerabilities before criminals, cyber punks, and even spies can harm your enterprise. Penetration tests are one of the tools for responsible IT management to identify and mitigate risks. Don t We Already Have a Firewall? We ve spent all this money and you re still telling me that you don t know whether our systems are secure? your manager might say. In addition, they may challenge that you should know your systems well enough to know their weaknesses? Not really. IT systems are more complex than ever: organically grown and connected with the outside world at many points. In many networks, it is very difficult for one individual to have a clear view of all assets. The most talented network specialists can still make mistakes and overlook hard to find security issues. To complicate matters, attackers are increasingly stealthier and the signs of a breach are not always obvious. We need an acid test, a reality check, a quality control for our network s security. Penetration tests are such a quality assurance test for security to achieve, well, security assurance. It verifies that all our firewalls, permission systems, intrusion detection systems, and data loss prevention solutions work as expected. The business of fear Let s be honest, security is primarily sold on the fear of something bad happening. If a breach occurs how will business continuity be affected? What will it cost? How bad could it be? These are the questions penetration testing seeks to answer for you. The end result is completion of a cost benefit analysis for purchasing security controls. The cost benefit analysis is calculated by totaling the cost of a single loss or breach, multiplied by breach likelihood, and comparing that to the price of security controls. Penetration tests help to identify the cost by revealing what exactly can be breached. The likelihood can be judged by how easy systems were to compromise during the penetration test. This is how you obtain the potential annual costs for deficient security.

3 We have enough data to support this: the Ponemon Institute, Verizon Business, Forrester Research, and the FBI periodically publish data. They calculate the likelihood of a data breach, the costs of system downtime, the value of stolen/deleted/manipulated data, legal costs, and revenue impact from lost existing and future customers. Currently, the Ponemon Institute estimates the cost per lost customer data set at about US$204. If your database contains 10,000 customer records, this works out as just over US$2 million in damages. These numbers are certainly helpful, but they re often not usable for IT professionals in large enterprises because they re so large that nobody believes that they re realistic. Also, the numbers were almost exclusively generated in the United States, where heavy compliance regulation has driven up the cost of data breaches, so they re often not accepted by business audiences in other countries, although this is changing as more countries are introducing ever stricter regulations. Also bear in mind that these numbers must be weighed against the entire IT security budget, not only a single penetration test. Security as a Success Factor Selling penetration tests with fear is possible then, but there are also other ways, which may resonate better with your management because selling through fear could be interpreted as black mailing. Not a good approach for a business relationship. Penetration Testing to Refine Vulnerability Management One possibility is to demonstrate that penetration testing can reduce the costs of a vulnerability management program. Many enterprises already have an established program for vulnerability management but cannot remediate all vulnerabilities because there are simply too many. Vulnerability scanners never have trouble finding vulnerabilities the issue is to know which ones are important. By using penetration testing software such as Metasploit, you can verify which vulnerabilities are exploitable and must therefore be remediated first. This refinement of your processes not only ensures that the most important security issues are fixed first, but also reduces the cost of your vulnerability management program because you can identify, and therefore ignore, non-exploitable vulnerabilities that don t pose a risk to your infrastructure. Compliance Compliance should ideally be achieved through good security. In reality it is used as a bridge for IT security professionals to communicate the need for security budget with business managers. Managers know that their division has to comply with certain regulations to avoid penalties. On the other hand, IT security professionals know that they can get additional budget if the business has compliance needs. Compliance is not equal to security, but the compliance budget can, if correctly used, achieve higher security. Business Continuity Most business cases for penetration testing relate to what happens if data gets stolen. Almost none take into account the cost of systems being brought down or how it could their public image. Simply ask the question: How would it impact our organization if our ERP system were down for a week? Your managers will find this easier to imagine than their customer data being on sale on a hacking website. Even the costs should be easier to calculate. Corporate Reputation A company s reputation, represented by its brand, can take a huge hit in a data breach, but it s also one of the hardest things to calculate in hard dollars. Imagine that all buildings of the Coca-Cola company burn down today.

4 Someone is offering you to buy the rights to use the brand Coca-Cola in the future to sell beverages. What would this right be worth to you? Although the entire enterprise has ceased to exist, the brand still has a certain value. Many companies invest a lot of money for advertising, especially when products are generic, for example bank accounts. Unless your best buddy works as a customer representative in one of the banks, your perception of the company and your trust relationship with the brand are probably the biggest factors in making a decision. What happens when the trusted relationship to your brand is damaged by a data breach? As a consumer, your privacy has been violated when your online bookshop inadvertently publishes your purchasing history of the past three years. Maybe you even have to cancel your credit card. If the competitor s product is virtually identical with the one you re using now, the emotional decision is simple: You re switching. This has direct impact on the revenue of the organization that made the error. How Do You Calculate a Business Case? There are approaches to calculating the business case for penetration testing, including the payback period, net present value, and internal rate of return. I d like to offer more pragmatic ways to justify your security budget. A business case is very simple: you compare what is with what could be. What could be is your suggestion. If this suggestion costs less money (or generates more revenue) than what is, you have a business case. In IT security, business cases can be hard to calculate but it s possible. It really depends on your scenario. Get Buy-in With Business Jiu-Jitsu Alternatively, how about some business Jiu-Jitsu: don t suggest the penetration test in a vacuum, rather make it part of a larger project. Select a project that is currently on the list of management goals of your CIO. If you don t know your CIO s goals, just ask him and offer your help! Let s assume your CIO has to integrate 20% of suppliers into the ERP system via web services this quarter. You can now offer your help with this project and build in a penetration test as part of the project s requirements. Of course, you cannot just test the ERP system s web services, but have to review the entire system. That way, you align yourself with the business and become a trusted adviser in rolling out new technology to support business goals - securely. Introducing Penetration Testing to the Organization If you are currently not conducting penetration tests, you currently don t have any perceptible costs. To build a business case, you therefore have to calculate the costs of a data breach or a system failure and multiply it with its likelihood. Alas, in this scenario your arguments are reduced to fear. An example: Your ERP system contains 10,000 customer data sets. According to the Ponemon Institute, the costs per lost data set is US$204, equivalent to a total cost of US$2,040,000. We ll estimate that a data breach is likely to happen every 10 years. The likelihood is therefore 10%. The annual costs for a data breach are therefore US$2,040,000 x 10% = US$204,000. Alternatively, let s calculate what the downtime of your ERP system would cost. Let s assume the cost of the downtime is US$1 million per day and the system would be down for 3 days. With a likelihood of 10%, this works out as 3 x US$1 million x 10% = US$300,000. Compared to these potential costs broken down annually, your costs for a penetration test and subsequent security controls might be attractive. The question is whether your calculations will be regarded as realistic.

5 Penetration Tests and Vulnerability Management If you re introducing penetration tests to reduce the remediation costs of your vulnerability management program, the calculation becomes very different: Let s assume you have 3 network administrators who cost an average of US$65 per hour. If they spend 20% of their time installing updates, this costs the company about US$78,000 (50 weeks x 40 hours per week x 3 people x 20%). If we can reduce their time investment by half, the company saves US$39,000 per year. You should also factor into this that the company is now focusing on vulnerabilities that have been identified as real risks because they are exploitable, so the infrastructure is also better protected. Rapid7 s portfolio gives you the best integration of vulnerability management with penetration testing to deliver great Security Risk Intelligence. Taking Penetration Testing In-house Maybe you ve been conducting penetration tests with an external consulting company and you now want to take these in-house to save money. You may not know this, but you can even take the penetration tests mandated by PCI DSS requirement 11.3 internal if you follow a few guidelines (check out this blog post). The calculation for taking penetration testing in-house is easy because you can simply compare the external costs to new internal costs, including licensing costs, training, and hourly costs. When looking at the external costs, bear in mind that you ll also carry internal hourly costs for the selection and meetings with external consultants in addition to their consulting fees. Rapid7 offers both penetration testing services and products. Especially if you re conducting frequent internal penetration tests, you may want to check out Metasploit Pro, the commercial Metasploit edition, which enables you to carry out penetration tests more efficiently, testing a larger number of machines at a lower cost. Now Add It All Up If more than one business case applies to you, add up the benefits. Most likely, you can make an even more compelling argument if you can leverage the licensing and training costs for several benefits. Penetration Testing Goals When you start a penetration test, it s also important to have a clear goal, for example: Demonstrating security issues in the infrastructure to gain management attention and support for new security programs Reducing costs of a vulnerability management program Creating a baseline for a new CIO or CISO/CSO Deciding where security budget should be spent to optimally protect the infrastructure Testing response mechanisms of IDS, IPS, and DLP systems Complying with regulations such as PCI DSS

6 Summary In the same way that you should get a regular health check to live responsibly, penetration testing should become a best practice for responsible companies. Metasploit is the leading solution for penetration testing with more than a million downloads each year. Testing your infrastructure s security level with Metasploit is as close to simulating a realistic attack as you will get. With Metasploit Pro, you not only reduce the effort, and therefore cost to carry out a penetration test, but you ll also be able to scale penetration tests much easier to larger networks. Metasploit Pro offers team collaboration with consolidated reporting, supporting more than 50,000 hosts and 1,000 sessions at a time. It integrates with Nexpose and other vulnerability scanners so you can take your vulnerability management program to the next level. To get your free trial of Metasploit Pro, go to About Metasploit A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world s largest, public collection of quality-assured exploits. To learn more about Metasploit or for a free trial, visit About Rapid7 Rapid7 is a leading provider of IT security risk management software. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, and mobile risk management solution, Mobilisafe, enable defenders to gain contextual visibility and manage the risk associated with the IT environment, users and threats relevant to their organization. Rapid7 s simple and innovative solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company s free products are downloaded more than one million times per year and enhanced by more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a Top Place to Work by the Boston Globe. Its products are top rated by Gartner, Forrester and SC Magazine. The Company is backed by Bain Capital and Technology Crossover Ventures. For more information about Rapid7, please visit com.