Experts On Demand

10.01.2011

Calculating and Addressing Security Threats

According to an information security expert, corporations can calculate the financial impact of a stolen laptop. In other news, over the holidays, two gigabytes of sensitive government documents were swiped via a Christmas e-card containing the ZeuS malware. Finally, new research from the Europe-based analyst firm Kuppinger Cole has found that most companies have yet to adopt security policies for their virtualization environments.

Focal Points:

  • Information security expert Bozidar Spirovski has devised a formula for calculating the "total impact value," or financial impact, of an unprotected laptop. His formula is
    Total Impact Value = Cv*[(Pl^2/Lv)/ProtL^2].
    Spirovski explains that the "company value" (Cv) is usually declared in annual reports, and that the "laptop purchase value" (Lv) includes the costs of protection such as encryption and licenses. Pl is defined as the position level of the individual using the laptop, and ProtL is the laptop's protection level. The blog has the details of how to fill in the formula. Using this formula, for a company worth $10 million, the loss of the CEO's laptop with no encryption could cost the company more than $500,000, says Spirovski.
  • Several government employees and contractors received a Christmas e-card purportedly from The White House that contained the ZeuS malware. According to Krebs on Security, when a recipient opened the file or clicked on the included links, a Trojan stole Microsoft Excel and Word documents and PDF files, and then uploaded them to a server in Belarus. Victims of the phishing attack included an employee of the Financial Action Task Force, an employee at the National Science Foundation's Office of Cyber Infrastructure, and an intelligence analyst with the Massachusetts State Police, reports added.
  • According to research from Kuppinger Cole, 73 percent of global organizations are concerned that far-reaching privileges provided by hypervisors could be abused by users. Moreover, four out of 10 companies believe that virtual environments are more difficult to secure than physical ones. Despite these concerns, the research found that 49 percent of respondents have yet to implement a privileged user management or security log management solution. Additionally, only 38 percent of organizations have implemented data loss prevention (DLP) solutions. Most surprisingly, Kuppinger Cole found that only 65 percent of respondents enforce a separation of duties for administrative tasks across virtual platforms. Additionally, the research indicated that only 42 percent of organizations perform regular access certifications for privileged users, or are able to monitor and log privileged access adequately.

Experton Group believes mobility and Internet enablement will continue to put pressure on IT executives to find new ways to secure enterprise assets. IT executives should routinely incorporate protections for new and emerging attack vectors, monitor security policies and procedures, and employ holistic measurements to determine the financial and reputational impacts of these exploits. All enterprise security tactics should be part of an overarching security policy and toolset capable of monitoring, managing, and reacting to issues as they arise. Laptop encryption technologies have become increasingly easy and inexpensive to deploy and maintain, with little perceptible performance impact on the client machine. IT departments should already have deployed whole-disk encryption on those systems deemed particularly important and/or susceptible, and should continue to evaluate opportunities to broaden deployment as business needs arise. Security education for users should be updated, and users' retention of policies and procedures regularly tested, to reduce the effects of Internet- or disk-based viral threats. Lastly, security should not be an afterthought while corporations evaluate the value and optimal use of new technologies. IT executives should ensure security policies and procedures are implemented, and routinely spot-checked using automated toolsets, thereby assuring all enterprise assets are appropriately secured regardless of how they are used. Executives and employees should recognize that all security holes are potentially exploitable and the damage could be extensive.

Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.

Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.

Our consulting portfolio includes technology, business processes, management and business cooperation, investments and mergers.