NSP-SEC

Valdis.Kletnieks at vt.edu
Tue Mar 23 06:53:50 UTC 2010


On Mon, 22 Mar 2010 23:02:02 BST, Guillaume FORTAINE said:
> How much money would you evaluate a security incident on your Cisco device ?

It would depend on which of the 3,000+ Cisco devices on our network had
the incident.  And yes, we've got a pretty good estimate (to within $1.57 or
so) of what an incident on any given device would cost.

> Because, the fundamental questions are :
> a) How much value does your network bring to your business ?
> b) How much money are you ready to spend to ensure its security ?

We've got a pretty good idea what value our network brings us. We also know
how much we're *ready* to spend.  However, that's not the critical number.

You missed the most important question of all: (c) How much money do you need
to spend to minimize the total cost of protection plus losses? If you're
currently spending $50K, but you're *willing* to spend $250K, it only makes
actual sense to do so if the additional spending prevents more than $200K
of additional losses.

And this calculation needs to include second-order effects - if Cisco starts
shipping monthly updates rather than every 6 months, it doesn't do any *actual*
good unless our internal test lab ramps up so it can vet a new release in a few
weeks rather than a few months. That's an additional cost. Meanwhile, there are
a *lot* of sites that find themselves stuck on a specific build of IOS because
it's the only one that fixes bug A but also doesn't suffer from bug B.  If you
deploy a new release of IOS that contains a fix for a security hole, and the
fix eliminates an expectation value of $10K of losses, but contains a
non-security bug that starts your help desk phone ringing and racks up $20K of
support costs, it's a net loss.

Those second-order effect costs are a bitch. And a half.

I'm pretty sure that most of the other big Cisco shops have done exactly
the same risk calculus, and decided that the added expense of moving to a
monthly rather than bi-annual wasn't worth it.  And since the sites aren't
clamoring to buy it, Cisco isn't offering it.

(For the record, for many large shops, Microsoft's "Patch Tuesday" has
similar cost-benefit issues - updating your "crown jewel" production servers
once a month is a truly scary amount of code churn. The only reason Microsoft
does it is for the millions of consumer-grade boxes that auto-update, a
use case that doesn't exist for most of Cisco's product line.)

> Conclusion : if you can't reply to these fundamental questions, hire a 
> CISO and build a CSIRT.

<sigh> I *so* hate making an argument from authority (other than "I think smb
published a paper on that already"), but in your case I'll make an exception.

Go read http://www.sans.org/dosstep/roadmap.php

Read the date, read the signatories. Ask yourself if you *really* want to be
telling me that we need to build a CSIRT. (Answer - our CIRT was up and
running back in 1991, and was well-known in 2000. So no, we don't need advice
on how to start one. We've got literally man-centuries of experience in running
one already. By the way, where were you in 1991?)
