Keep Out
October 21, 2002
By Mike Fratto
What's It Gonna Do for Me?
It's easy to quantify the practical value of HIP products. Attacks against the OS and applications are blocked at the host, so you're no longer at the mercy of host-level vulnerabilities. It's also easy to show the direct cost benefit of investing in this technology. The huge claims of financial loss attributed to attacks like Code Red and Nimda are probably more accurate than not once you take into account not only system downtime but also the lost productivity of affected workers. Many reports have systems down for days, in some cases even weeks. Also factor in the costs of stopping work on ongoing projects, which will now be late, in turn affecting other business processes. For organizations whose online systems were taken down, the loss spiraled even higher.
To get an accurate assessment of the costs of a break-in, and of the savings that would result if that attack had no impact, you need to formalize, in terms of time and money, the costs associated with your critical IT systems. Unfortunately, according to Forrester Research, 60 percent of companies say they can't even quantify the loss due to security incidents, and 52 percent don't know how to quantify the cost of responding to incidents.
That means that, to make the business case, you may have to do some legwork to gather this data. Be sure to factor in the cost of determining the cause of the incident, assessing the damage and repairing it.
To do this, determine the number of workers affected and for how long, arrive at average salaries for logical groupings of staff, and then total it up to see how much an attack cost you in productivity. If your server is used to generate revenue, such as a customer order system, also estimate the cost of lost business both during the incident and afterward.
We developed a sample worksheet to illustrate these principles. We assumed an attack on a Web server was successful and the attacker had control of the server. The breach was noticed, and the server was taken offline. A backup server was available, but because it was identical to the compromised server, putting it online was too risky. Assessing the damage, including identifying the vulnerability, took 34 hours (based on the results of the HoneyNet Forensic Challenge, project.honeynet.org/challenge/), and restoring and repairing the server took another 15 (our experience). Out of a user population of 1,000, roughly 500 users spent a significant amount of time, 30 percent of their workdays, using the server. While the server was down, no work got done with the application. We estimated three classes of users, from data input to managerial functions, and assigned a population to each. After totaling the server downtime, the time lost by employees and the hourly rate for each group, we came up with a staggering $98,306 for the incident.
Of course, if your organization hasn't had to deal with a security breach, your cost of an intrusion is an exercise in speculation. The point is, there are hard costs associated with break-ins, and the savings from even one blocked intrusion are too large to be ignored.
Deploying HIP is often not simple. Depending on the vendor, it could take from a few hours to several days just to learn the product and develop the solution. The more feature-rich applications we tested took us as long as 40 hours to learn and another 20 to deploy and test an effective policy. Multiply that by the hourly rate of a security admin making on average $70,000 a year (about $35 per hour, or $2,100 for 60 hours), add the cost of the software at a median of $1,800, and the cost of protection is a steal at $3,900.
Mike Fratto is a senior technology editor based in Network Computing's Syracuse University Real-World Labs®. He covers all security-related topics. Prior to joining this magazine, Mike worked as an independent consultant in central New York. Write to him at mfratto@nwc.com.