Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Forever blowing bubbles.

I got all excited by this neato bubble chart by Hoff:

and really wanted to take it out for a test drive in my own organization ... until I realized that I had no idea what “impact” meant.

What is “security impact”?  Does this mean the ability to make things “more secure”?  How do you decide whether your firewall has more “security impact” than your antivirus?  (Will the Ghost of Metrics Future please go back to haunting Ebenezer Jaquith?  Thank you.)

What is “business impact”?  Does this mean how visible your security measures are to your business users?  Does it mean how fundamental it is to whatever application your business is using?  Does it mean how much it would screw the business if it didn’t work right?  Or does it mean how much your business thinks it is helping them accomplish their goals (as opposed to just keeping Bad Things From Happening)?

A firewall might not have any business impact if users don’t know or care that it’s there.  But it sure as hell would impact the business if it went down.  You could argue that it “enables” the business to connect with external parties, but they’ll come right back and argue that they could communicate with them better if that firewall wasn’t in the way.

The bubble chart there shows antivirus as having a high “business impact.” According to whom?  Is it helping the business get the job done, or is it saving the users from themselves at a higher rate than the other security products in the portfolio?

I’d like to hear what you all would define as “impact.” Other than the medical term, that is.

Posted by shrdlu on Tuesday, December 18, 2007
(9) Comments


Comments

LonerVamp United States on 12/19  at  08:53 PM:

Hrmm...I’d be a little confused as well.

Business Impact #1 - The technology presence allows business that wouldn’t otherwise be possible or permissible. You need to answer to PCI which pretty much requires SSL for transactions.

Business Impact #2 - The technology presence averts possible downtime, disclosure, cost, support… AV software certainly can keep a sales laptop up far more than if that laptop were naked. Perhaps the art of risk analysis is here...or those fun estimates on theoretical ROI for security?

Business Impact #3 - The technology may result in action that is required by the business, such as reducing privileges. I look at DB Monitoring in this category. The business basically has to do things due to the newfound knowledge; i.e. impact.

Business Impact #4 - The technology holds business back. Change management could become a security/audit responsibility, which almost certainly will slow down development and customer issue resolution (of course, it might save in downtime and mistakes...).

Of course, this could mean multiple categories, depending on how regulated the business is. Lack of AV may prevent business tasks from being allowed, let alone done with the aversion of risk.

Security Impact #1 - The technology provides benefit to the security teams in determining the security of the business or target of the security technology (more data!). An IDS adds information for the security team that it might otherwise not have, but doesn’t actually actively do anything. Its presence really does not impact any business functions, either good or bad.

Security Impact #2 - The technology reduces the amount and/or duration of security incidents, either potential or actual. An AV product could actively block malware.

Security Impact #3 - The technology opens new avenues of attack and/or control to attackers; larger footprint, more complexity (added for Hoff!). An IPS can be subverted by an attacker to start blocking legit services due to spoofed data. If I want your firewall to block your communication to XYZ, I’ll abuse the firewall enough with spoofed data from XYZ, such that the IPS kicks in and blocks it. Or Symantec AV rolled out everywhere means a flaw in it can be exploited everywhere.

I’m sure there’s more, but that’s my first 10 minutes of thought.

IDS? It may appear to have little business impact, either good or bad, so why bother? Well, because it can be quite invaluable to the security teams, to be honest.

IPS? I understand it can have a security impact, but more security impact and less business impact than a firewall? That seems backwards.

Christofer Hoff United States on 12/19  at  10:38 PM:

Really briefly:

1) Business Impact can mean any of the things described above; define it as you like and present it as such.
2) Security Impact - ditto.
3) The dots/labels are arbitrary for example only.  I simply had a bunch of colors and added names next to each of them...please don’t start the “AV is da schnizzle...”

If you spend your time over-analyzing this, you’re going to end up defeating the purpose.

I could tell you how I defined business/security impact, but you’d argue with me and tell me that it’s not how YOU would define it.  Fantastic (seriously.) Get to it.

The point here is that you can demonstrate the way things are OR the way you’d like them to be.  Just be consistent.

This has worked fantastically for me over the last 10 years; just keep in mind the audience (executives) because they’re not going to get as wrapped up in the semantics as you are as long as you define the axis with consistency and make them easy to understand.

Sometimes y’all need to stay at 30,000 feet where the air is thinner rather than trying to tunnel to Borneo. wink

Probably didn’t help, but that’s all I got, kids.

/Hoff

shrdlu United States on 12/20  at  05:23 AM:

Actually, Chris, that helps a lot—sometimes a banana is just a banana, Anna.  wink

And I wouldn’t argue with your own definition of business/security impact; I’d actually be really interested in hearing it.  Then I’d have to figure out whether I could make those definitions work for me, but that’s the extent of it.  Come on, dude, don’t be shy and retiring.  It doesn’t suit you.

LV, those are all good categories ... and I still can’t figure out whether I could make any of them work.  Damn.  If I were presenting this to executives, I’d probably want the security impact to equal “more securer”—and then I’d get all axle-wrapped trying to justify my ratings.

shrdlu United States on 12/20  at  05:28 AM:

BTW - a private comment by LV to me about Hoff led to this song running through my head:

(name the tune this is from)

You didn’t try to pwn me
Why didn’t you try?  didn’t you try?  didn’t you know I was lonely?

wink

LonerVamp United States on 12/20  at  10:55 AM:

Hoff, I’m 100% with you on the consistency and ease of understanding. I think I removed that paragraph from my post where I spiraled this all down to how relative/subjective IT security measures (or IT in general) are. Consistency and being able to define your measures is paramount. Even if they don’t work for someone else, as long as you have some vision, make it relevant to that high altitude view, and stick to them consistently, you can trend it and have something to go on.

Shrdlu, I have Culture Club’s “Do You Really Want To Hurt Me” song stuck in my head from that, but I don’t think that was what you had in mind. In fact, Google tells me I never would have guessed it, not being familiar with the artist. smile

shrdlu United States on 12/20  at  11:02 AM:

How can you NOT know The Master??!???  You’re too damned young, LV.  Go to the front of the classroom and write “The crux of the biscuit is the apostrophe” 200 motels—er, times—on the chalkboard.

And DON’T tell me you don’t know what a chalkboard is.

Christofer Hoff United States on 12/20  at  03:15 PM:

‘sactly.

Take it and make it yours. 

I used this in conjunction with some very real qualitative and quantitative risk management metrics that measured the effectiveness of controls that I was able to model in a what-if environment to understand exactly how it contributed to my overall risk posture.

Basically, I could model what would happen if I didn’t have the firewall (or IPS or...) in place and what that did to my exposure.

Thus, I was able to gauge “business impact” in relative terms as meaning what would happen to the business’ ability to continue service (and be compliant—sometimes the same thing) if I did/did not have that control in place (and vicey versey)

Security impact was a measure of how it contributed to achieving my security program goals and what impact it had in terms of contributing to enforcing policy and compliance.

Not sure if that helped at all.

I used the dashboard that came from my security risk management/change control framework to really communicate risk (it took into consideration the network, vulnerabilities, control configs, business impact, etc...)

I used this to help guide me in my investment strategy and demonstrate where I was, wanted to and didn’t want to continue investing.

Be more than glad to talk to y’all more on this.

/Hoff

LonerVamp United States on 12/27  at  09:46 PM:

Thank god for Google, as I could look up that phrase and what a “chalk board” is.  lol, yes we had chalkboards in school! smile

@Hoff: I gotcha!

Chris United States on 01/04  at  08:24 PM:

I am in agreement with Hoff.  I am constantly asked about impact and likelihood.  What I have found with the government, they really don’t want to know what impact is.  All they know is that they have an 800-30 Risk Assessment and it is right up there on the shelf.

Impact is what you make of it and based on the mission of the system.  Well...that’s how I have conducted the risk assessments so far. 

I did an IDS/IPS certification not too long ago where the RA said that the sensors weren’t a low impact / low likelihood.  So I told the System Owner: “Ahhhh, what are you on?  Because I want some”.  Of course he had said that their RA was done from an organization level rather than a system level.  That’s fine, if the RA were for the organization.  But this was a system RA, so after an hour of spirited conversation he finally saw the light, and decided that the sensors being down was a high impact.

In short, impact is about context.
