At a number of recent events and discussion forums the topic of ‘selling’ security investments to top management has been addressed. The question posed is that if there is no positive return from a security investment, how do security professionals propose a security solution to a CFO or CEO? What is the return on a strong authentication, a firewall or IDS system that neither saves money (except perhaps in employee time, an argument that may fall on deaf ears) nor generates revenue? Importantly to me, how can you justify the investment in strong authentication? The answer lies in what really creates value for an enterprise.

To state it simply, companies create value in three ways increasing revenues, decreasing costs and decreasing their weighted-average cost of capital. In tight economic times, projects are promoted using cost savings (as no one buys arguments for increasing revenues). IT people often seek to measure cost savings as a return on investment . Unfortunately, ROI is a lousy measurement tool for many things, including security.

ROI is essentially a ratio measuring a payback period, which can lead to distortions. Say you have two projects. The first has an investment of $1,000,000 and saves you $100,000 per month. The second has an investment of $100,000 and saves $10,000 a month. Both have a payback period of 10 months (100,000/10,000) and both have an ROI of 100% (100,000/10,000). Which project do you do? Assuming that you can afford to both project (and you should be able to borrow $1,000,000 from a bank if it saves you $100,000 per month!), which do you do? Based on this information, you would do both.

One possible better solution would add a third analysis criterion: weighted average cost of capital. To illustrate this we will use a very simple tool: the cap rate. In real estate, the capitalization rate is used to quickly assess a projects viability. If an office building is 100% leased to the US government for 10 years for $1,000,000 per year net of all the expenses, you would value it at $1,000,000 divided by a suitable cap rate, say prime plus 3% or currently 7% or $14.2 million. If it’s leased to a small private company, you would use something higher, say 10% or $10,000,000. In each case, you know the return you are seeking and will invest where the return is greater than the WACC.

To apply this idea to a security investment, let’s look at it this way: You are looking to roll out an SSL-based VPN that will reduce your ongoing remote access costs by $200,000 per year for 2,000 users. You’re concerned however that one of the main drivers for the project is that users want to login from un-trusted web kiosks. You think doing using SSL instead of a client-based solution is more risky than going with IPSec, but how can you analyze it? If your company’s WACC is 10%, then the value of $200,000 should be $2,000,000. But this project is far riskier than you’re company’s main line of business, so the project should capped at a much higher rate. If you use 20%, then the value is $1,000,000.

What if you have already implemented an SSL-based VPN and you now realize that you have actually saved only 50% of what you estimated because of the risks you have taken? How can you justify spending more money on security when it won’t save any additional money? The answer is that reducing costs is not the only way to create value! It’s never too late to reduce the cost of capital of your project. For example, with an SSL-based VPN, if your main concern is key-loggers installed on kiosks, try investing in strong authentication. The upfront cost of a WiKID Authentication Server is $9,500 and the ongoing costs would be $40,000 per year. If this reduces the risk to 12%, then the project is worth $1,323,833 – a 32% increase in value for your company.

What cap rate should you use when evaluating a project? First, start with your firm’s WACC. Then, try to come up with a departmental average. If your department is riskier than the rest of the company, it should be higher. Then try to estimate the project’s risk. If you’re rolling out a bleeding-edge technology, boost it higher. If it’s a common technology and you’re a late adapter, the risks are lower. If it’s a technology in high demand, but weak in security, such as WiFi access, increase it.

Using a cap rate to evaluate a security project is much better than ROI, but it is still a quick and dirty exercise. It takes into account the cost of capital, but it isn’t really flow-based and it isn’t very good for ongoing analysis. There are other tools such as economic profit that might be better for ongoing management. Stay tuned for more.

Here is a great article about why passwords just don't cut it. mention of WiKID's two-factor authentication system. Too bad.

They do mention SecurID by RSASecurity as "Unfortunately the most well-known two factor authentication solution. Unreasonably expensive, not well supported on non-Windows platforms and generally not very flexible."

Who am I to argue?

The article is here: http://mongers.org/authentication

Apparently, Fred Durst's T-Mobile account has been hacked and the attacker has posted a 3-minute sex video on the net.

While the headlines read that the attacker has "struck again". I wonder. Perhaps they struck once and held back some of their goodies to release over time - over the weekend so that it would hit the press and blogosphere hot on Monday.

Here is the Drudge report.

Network World has given Bruce Schneier a chance to clarify his position that strong authentication is "Too Little Too Late" and has given RSA's CTO, Joe Uniejewski, a chance to rebut.

While Schneier does clarify that he's not against strong authentication, he seems to think it's not going to be effective against identity theft and fraud. He references the fact that credit card companies pay little attention to authenticating the identity of the individual and focus on authenticating the transaction. However, he seems to think that two-factor authentication can't do this! As I have discussed before why not?? This seems like a great solution. Log in with your password, but when you want to do a transaction, give us the one-time password.

Uniejewski's response misses this fact, unfortunately. He indicates that RSA is looking at ways to "raise the standard authentication interfaces".

Both authors agree that passwords are past their prime.

It's a complex issue that threatens online banking and ecommerce. There are a number of attacks on the client, the servers and the network that make it difficult for one single solution to fix all the problems. If you look at the credit card processing systems and ATM systems out there, you can see the complexity that has developed to address security. It is important to remember that it is an ongoing battle and also that the risk needs to be minimized to a point where it can be insured against.

Bruce Schneier posted a clarification on his stance regarding two-factor authentication today.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they'll stop advocating stronger authentication measures and the sooner security will actually improve.

Again, he's missing a couple of points.

First, it is simple to use strong authentication to authenticate transactions as well as sessions.

Second, some strong authentication systems, such as our strong authentication system can combat the "non-authentication" attacks Schneier describes. For example, the WiKID two-factor client will not generate a valid passcode if the DNS system is poisoned. We are working on extending WiKID in other ways as well.

According to David Aucsmith, architect and CTO, Security Business & Technology Unit at Microsoft, 15% of corporate PCs have key stroke loggers.

To quote the article:

In another study of spyware penetration, it was found that 15 percent of corporate machines had keystroke loggers, Aucsmith said, noting that it's "an extremely big cost for us (at Microsoft Corp.) -- dealing with spyware on our boxes."

So it's not clear if that is a Microsoft internal number or a study somewhere. I can't find a study that mentions that percentage of penetration by keystroke loggers. If the percentage is that high for corporate PCs, it must be huge for home PCs.

As Aucsmith pushes for stronger authentication, better firewalls, etc. he notes that:

"We've seen an explosion of criminal enterprise moving onto the Net in the last 18 months or so," he said in describing hacker motivation trends. "It's no longer just for kicks. It is for making money."

I think people need to realize this. It's not clear to me that people understand that the same people sending spam are trying to steal their identity.

This is the first time that I have seen this:

Most now have a financial variant. "Bots are very cleverly used now," Aucsmith said. First they become a spam relay. When that gets shut down, they become Distributed Denial of Service facilitators. Later they can become keystroke loggers hunting for financial or software license information.

I guess I always assumed that a good trojan would do all of those at the same time.

Both RSA and Versign have done sponsored surveys on password usage and abusage by users. The first one - where they offered candy bars for passwords, was funny, but it is increasingly clear that these surveys are more about getting press than being scientific. Here are some hightlights from Verisign's survey:

Two out three three people (180 of 272) approached in a downtown San Francisco street by researchers were happy to provide their password in exchange for a coffee gift card.

57 per cent reported having four or more passwords

79 per cent reported using the same password for multiple websites or applications

I think that most people assume that just having the password isn't enough to get access. I wonder if the surveyors also asked the people where they worked and their name. I also wonder if they gave their actual password, or just lied. I wonder how many people would be willing to give up the ATM PIN for a candy bar?

Interestingly, unlike WiKID Strong Authentication neither Verisign's nor RSA's token systems can handle multiple websites or applications without some type of federated identity.

Survey results can all be seen at the reg: http://www.theregister.co.uk/2005/05/06/verisign_password_survey/

Not Bad for a Cubicle has posted about location as an authentication factor.

We have also thought about that. The WiKID Strong Authentication token comes in two basic flavors: wired for the Mac, Windows and *nix and wireless for J2ME, Blackberry, Palm, PocketPC and soon, BREW. As the carriers are supposed to be rolling out E911 here in the states, they have some devices that are capable of location-based services. To my knowledge, only BREW phones (Verizon and Alltell in the US) and certainof Nextel's J2ME phones from Motorola allow programmers to access that information.

We would love to create a wireless client that provided three-factor authentication, but I'm not sure if anyone would want it. I would also argue that perhaps it would be more of a deterent than an authentication factor. If someone stole your phone and then tried to guess the PIN - which is stored on the WiKID server - you would know where they were.

In the wired world there are geo-location services based on your IP address, but I don't know how they deal with IP spoofing or a situation where the attacker is logging in from a compromised machine.