FW: Cost of Worm Attack Protection

sgorman1 at gmu.edu sgorman1 at gmu.edu
Thu Nov 13 21:59:22 UTC 2003



I guess the hypothetical would be if you were in charge of security for an AS what would be the cost to put a best-effort worm mitigation system in.  The second question being how would you scale that cost with the size of the AS.  Maybe it is a case that there is not a best practice to fix a cost to, too much variability in the market and theories of how best to defend, if defend at all.  Just figured it would be prudent to ask before we made something up - usually not such a good idea.

----- Original Message -----
From: kgraham at rogers.com
Date: Thursday, November 13, 2003 4:40 pm
Subject: Re: FW: Cost of Worm Attack Protection

> 
> It would be great not to spend any money and let the worms run 
> their course.  But when you have to deal with downed production at 
> the cost of give or take possibly 500K per attack it unfortunately 
> cannot be done without one loosing their job.  The last worm that 
> spread throughout enterprises mentioned having to reinstall the 
> entire server.  If that server is a critical production server 
> what would you do?
> 
> Would spending 100K prevent the attack, very likely not.  Would 
> spending 100K help track the offending machine(s) and enable 
> someone to remove them from the network until they are serviced, 
> possibly?  
> Would this help keep production rolling, possibly?
> 
> The installation management and response time needed to implement 
> an IDS solution does have to be investigated to see if the ROI 
> comes in line with the cost.  The ROI would need to include any 
> saved downtime.  If someone has this information please pass it 
> along. 
> 
> A nicer solution would be an operating system that does not need a 
> critical patch every other week, due to it's exploitable nature. 
> 
> Yes I am dreaming :)
> 
> Kim
> 
> > 
> > From: "Braun, Mike" <MBraun at firstam.com>
> > Date: 2003/11/13 Thu PM 03:02:59 EST
> > To: "'nanog at merit.edu'" <nanog at merit.edu>
> > Subject: FW: Cost of Worm Attack Protection
> > 
> > 
> > The old saying of "you get what you pay for" seems to be well 
> directed when
> > it comes to this topic.  If you're willing to allocate $100K 
> more than you
> > currently spend to mitigating the effects from Worms and 
> Viruses, I'm sure
> > you will have some increased success.  If you allocate 1 mill 
> more, your
> > success will increase substantially.  The true cost really boils 
> down to
> > what you are trying to protect, such as how many servers, users, 
> network> segments, and other critical devices you are willing to 
> encompass in your
> > protection plan.  Also, you may be able to mitigate the cost by 
> using the
> > functionality built into devices you may already own.  A good 
> protection> schema needs to address the use and benefits from the 
> following:  Firewalls,
> > VPN tunnels and policies, HIDs, NIDs, Antivirus software, and a 
> good network
> > security policy that grows with your network.  You may already 
> have most of
> > this in place and need only a little extra funding allocated to 
> give you the
> > protection level you feel comfortable with.  
> > 
> > If you're looking for pricing on each component, they will vary 
> widely> depending on the brand and model you go with.  You should 
> shop around for
> > components that suit your budget.  An example of this price 
> variance can be
> > found by looking at a Net Forensics project priced at $500k 
> compared to a
> > similar solution going will Network Intelligence at $40K.  The 
> Network> Intelligence solution may not have all the functionality 
> offered by Net
> > Forensics, but it may be enough for your needs. 
> > 
> > Best of luck in fighting this ever growing problem,
> > 
> > Mike Braun
> > 
> > -----Original Message-----
> > From: sgorman1 at gmu.edu [mailto:sgorman1 at gmu.edu] 
> > Sent: Thursday, November 13, 2003 7:59 AM
> > To: Joel Jaeggli
> > Cc: nanog at merit.edu
> > Subject: Re: Cost of Worm Attack Protection
> > 
> > 
> > 
> > Good point - then what is the cost of attempting to mitigate or 
> handle> attacks vs. doing nothing?
> > 
> > ----- Original Message -----
> > From: Joel Jaeggli <joelja at darkwing.uoregon.edu>
> > Date: Thursday, November 13, 2003 10:14 am
> > Subject: Re: Cost of Worm Attack Protection
> > 
> > > I haven't seen any network or customer site that has protected 
> > > itself from 
> > > worms... only mitigated them.
> > > 
> > > joelja
> > > 
> > > On Thu, 13 Nov 2003 sgorman1 at gmu.edu wrote:
> > > 
> > > > 
> > > > 
> > > > I was hoping to get some estimates from folks on the costs 
> of 
> > > defending> networks from various worm attacks.  It is a pretty 
> > > wide open question,
> > > > but if anyone has some rough estimates of what it costs per 
> edge,> > > manpower vs. equipment costs, or any combination 
> thereof it 
> > > would be of
> > > > great assistance.  We are doing some simulations of attack 
> and 
> > > defense> strategies and looking for some good metrics to plug 
> into 
> > > a cost benefit
> > > > model.  We'd be happy to share the results if anyone is 
> > > interested as
> > > > well.
> > > > 
> > > > Thanks in advance,
> > > > 
> > > > sean
> > > > 
> > > 
> > > -- 
> > > ---------------------------------------------------------------
> ----
> > > ------- 
> > > Joel Jaeggli                 Unix Consulting                
> > > joelja at darkwing.uoregon.edu    
> > > GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 
> 35AB 
> > > B67F 56B2
> > > 
> > > 
> > > 
> > 
> > 
> > "MMS <firstam.com>" made the following
> >  annotations on 11/13/2003 12:03:21 PM
> > -----------------------------------------------------------------
> -------------
> > "THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE 
> INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY 
> CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION.  IF 
> YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR 
> RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY 
> NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES 
> TRANSMITTED HEREWITH.  IF YOU RECEIVE THIS MESSAGE IN ERROR, 
> PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE 
> AND ALL COPIES OF IT FROM YOUR SYSTEM."
> > 
> ==============================================================================> 
> > 
> 
> 




More information about the NANOG mailing list