My name is Naveed Babar, an Independent IT Expert and researcher. I received my Master's Degree in IT. I live in Peshawar, Khyber Pakhtunkhwa, Pakistan. Buzzwords in my world include: Info tech, Systems, Networks, public/private, identity, context, youth culture, social network sites, social media. I use this blog to express random thoughts about whatever I am thinking.

Tuesday, September 28, 2010

Security on a Budget


Introduction


Security is expensive. Many small- or medium-sized organizations are struggling to deploy sufficient security defenses on a shoestring budget. This white paper discusses several techniques, methods, and tools that may help you reduce your security budget while maintaining or increasing your actual defenses. No security defense is perfect, and you often get what you pay for. However, just because something is expensive does not mean it is great; likewise, just because something is cheap or free does not mean it is worthless. With these suggestions, you may be able to improve your security without breaking the IT budget.

In these troubled times, many are looking for ways to save money, cut costs, and make a greater return on their investments. This applies to groceries and travel as well as to security. The concept of saving money is really nothing new; we should always be looking for ways to “save more, spend less, and avoid getting ripped off,” to borrow a phrase from Clark Howard. However, just because we perceive that the country’s economy or our own personal economy is in peril, this is not really a special reason to look to cut costs. In fact, if we are doing our job correctly at work and at home, “generic” troubled times really shouldn’t affect us.
Security is not an area of business that can be cut or trimmed just to save a few dollars. In fact, security is an essential element of being an organization. Attempting to cut corners with regard to security will often result in compromises that cost more to repair and restore than the protections sacrificed for the perceived “savings.” Security should be as important to your organization as the facility where you work, the utilities needed to run the equipment, and the paychecks of your workers. Security should be seen as the last place for funding cuts, and then only when all other avenues have been exhausted and, without such cuts, the company is going under anyway.
Why do I make such a bold claim? Mainly because as organizations become more and more information-focused, and we increasingly rely upon networking and the Internet, the threats to our IT infrastructure increase. Today, anyone with basic computer skills is able to perform very damaging attacks. Our IT networks face an ever-growing threat from both external, malicious entities and our own internal personnel. FBI studies in the last few years have shown that around 80% of company security policy violations are caused by their own personnel. These violations are often out of ignorance or negligence, but increasingly they are also out of malice or spite. As we face downturns and belt tightening, our own employees could turn on us and cause severe damage from the inside.

I don’t want to paint the picture that all employees are evil and that their only goal is to harvest the organization’s internals for personal gain, but it is a real risk that must be addressed in a realistic risk assessment and security policy. My point is that if there are already malicious people within the organization, and the company chooses to cut back on security, it will make their attacks easier, may make detection more difficult, and will cause the repair and recovery to be more expensive.
So, with a standing policy not to cut security in times of need, we need to establish cost-effective security as a standard practice. This should be a long-term goal, not just one inspired by a tough economy. If this is not already your IT department’s goal, there is no better time to start than now. Ultimately, what you should strive to accomplish is the most reliable preventative and detective security system possible with the least amount of capital expenditure.
Now, let’s explore several ideas regarding saving money on company security. Some of these ideas might be blatantly obvious, while others may be completely revolutionary. I challenge you to read each and see if your organization already employs each concept or if you can put it into effect in new and interesting ways.


Use What You Have
There is this notion in the security field that when you discover a new risk or threat you have to purchase a new countermeasure to safeguard against the new problem. I think this notion itself reveals a key philosophy of security that is not always the best. Improving security is not always the addition of new layers of protection; instead it can often mean the adjustment of components already deployed or even the removal of elements no longer essential to a business function.
Most security can be summed up with only a few key components, namely: firewall, IDS, anti-malware, authentication, authorization, and auditing. Once these are appropriately addressed, there is often little need for significant additional or specialized components for most organizations. Yes, there are likely good reasons why corporation XYZ needs special product Alpha due to some unique risk, but that is more often the exception rather than the rule. Just like many consumers, we in IT have fallen prey to the notion that buying something new is the way to fix or smooth over a problem. All too commonly, we have a sufficient security solution already on hand if we modify, tune, or configure it properly.
My first suggestion is to put a hold on new security purchases. Instead, evaluate each new threat in light of how existing defenses could be adjusted to provide sufficient or adequate protection: new firewall rules, locked-down authorization, or a more finely tuned auditing focus. Don’t choose to purchase a new security tool until you have exhausted all your options with the existing technology already deployed in your infrastructure.


Leverage Your Knowledge Base
If you finally determine that the only viable defense to a threat is a new product, don’t be in a rush to purchase the least expensive, the most discounted, or even the most highly rated. There are many other important considerations for new countermeasures above and beyond the bottom-line purchase price. One of these is the knowledge base of your existing IT staff. If your staff is already knowledgeable about a product, product line, operating system, etc., then it is often in your best interest to select a new product that falls within their existing areas of expertise. This allows the security staff to become fully versed on the new product more quickly; shortens the installation, tuning, and testing phases; and gets your new defenses rolled out quickly and with solid results.
On the other hand, if you select a product that is significantly different or unique from your existing product space or the knowledge base of your staff, then there are many potential problems. First, the new product may not be compatible with your existing infrastructure. Incompatibility renders a product worthless no matter how expensive, highly rated, or finely polished it might be. Second, new technologies require time to learn and master. Your staff will need specialized training that will take additional time and expense. This will also lengthen the installation, testing, and deployment phases. Furthermore, once deployed, any issues that arise that require troubleshooting may take longer than normal since many issues will be new and unique, once again stretching or exceeding the expertise of your staff.
If keeping within a budget is important, during lean times as well as during prosperous times, always consider new purchases in light of leveraging existing knowledge and skill. When something new and unique offers or promises features or improvements not offered by the familiar or consistent, then the transition may be worth the additional expense and delays. But the total cost for training, deployment, and delays, should be considered, not just the original purchase price.


Consider the Use of Open Source Solutions
Unless you’ve been living under the heel of one of the major software or hardware vendors for the last decade, you are likely aware of the explosive expansion of the open source community. It is no longer a requirement that all products be commercial, closed source, proprietary, or expensive. In fact, many organizations, small to large, are benefiting from open source solutions.
Open source is not the only solution, nor is it always the right one. But it is often overlooked or at least not properly considered. When looking for a new solution to a security problem, especially before purchasing a new commercial product, you should explore the open source options. From operating systems, to productivity suites, to network services, to security testing, to malware scanning, the open source community has many amazing products that often rival their commercial competition.
One issue I often hear discussed is that open source is avoided by the government and corporations because there is no one to sue if things go wrong. I think this is often a misplaced sentiment; the real issue is more likely that it is harder for a government or corporate organization to trust a loose group of individuals than an official company. Let me address this belief and a few other items.
First, commercial products are not necessarily secure and open source is not necessarily insecure when it comes to hacker backdoors. Both sources of software need to be vetted and tested before deployment. Additionally, all software should be continually tested for stability and security after deployment. It may be the case that some open source vendors offer little technical support, but often the community serves as a viable option to obtain support and assistance. Second, open source software isn’t free. Yes, it does not necessarily have a purchase price or licensing fee. However, even without the initial cost, open source will still cost something. For example, it will cost to train the administration staff and users, upkeep and upgrading cost time and money, hardware and utilities have a cost, etc. Studies have shown that even without a significant initial purchase price, some open source solutions will have the same lifetime cost as their commercial equivalents.
Third, never trust software. It doesn’t matter whether a product is from a well-known commercial venture or a loose group of Internet programmers; software is not to be trusted. Unless you wrote every line of code yourself, you have no guarantee that the code is secure, stable, functional, sufficient, efficient, reliable, etc. Thus, software from any and all sources should be tested and evaluated thoroughly before deployment. This includes security testing, penetration/vulnerability testing, performance testing, capability testing, and even fuzz testing. (Fuzzing is a form of testing where all input variables are stressed by sending any and all possible data sets to see how the system reacts to out-of-bound, invalid, improper, and malicious forms of data.) After testing, the results should be evaluated and then tested again in a pilot partial roll-out program. Then, at the successful conclusion of the pilot, a staged rollout to the rest of production can begin with lock-step evaluations along the way.


Re-Purpose Old Hardware
As your company expands, you will need new equipment, or at least, you will perceive that you do. In many cases, previous years’ desktop or server computers can be re-purposed for a variety of uses. Assuming you’ve decided to give the open source solutions a try, most hardware manufactured in the last five years can be redeployed as highly functional client or server systems. Primarily, the solutions I’m alluding to are variations on the Linux platform. You can find an amazing variety of open source Linux builds that can take “obsolete” hardware and transform it into powerful systems serving as clients, file servers, routers, SAN/NAS servers, Web servers, firewalls, and more. Often, the hardware that will barely support the minimum functions of the latest version of Windows is more than capable of performing a variety of high-end tasks when a low-horsepower Linux build is employed.
Instead of spending thousands of dollars on new hardware plus hundreds on a new operating system, re-using a recently discarded machine to run Linux can often provide more capabilities, features, and flexibility than a commercial solution. Try it yourself; you will be amazed at what you can do with a used notebook, desktop client, or even an out-of-date server machine.
To use Linux as a NAS server, check out the FreeNAS product (www.freenas.org). To use Linux as a firewall, try out Smoothwall (www.smoothwall.org). To use Linux as a router, try FREESCO (www.freesco.info). For more free, Linux-based options, visit www.livecdlist.com or www.distrowatch.com.


Hire Interns Instead of Professionals
When it becomes time to increase staff, consider options other than exclusively hiring fully qualified, highly experienced professionals. Instead, look into hiring interns or fresh-out-of-college workers who are looking to get started in an IT career. Obviously, if you are filling a position that requires high levels of expertise or experience, you can’t just hire anyone with a heartbeat. However, you may be able to promote from within, and subsequently fill the lower, vacant positions with new personnel eager to get started but who may need a bit of training and guidance.
Restricting your new hires to only highly qualified, pedigreed professionals will also force you to pay higher salaries, even before you find out if they can do the job. Additionally, such professionals often mandate special bonuses or benefits, which further increase their overall cost to the organization.
Hiring inexperienced personnel will save on the initial salary, bonuses, and benefits, but will likely cost a bit for proper training and the time it takes to get up to speed. Over the entire employment time of such personnel, their overall expense to the company will be less than someone paid a high salary with benefits from the very beginning. Plus, there is the added bonus of being able to train, tune, and guide the new staff member along the lines of company policy and culture without having to work against pre-established, misguided, or counter-productive habits.


Review Your Policies
As I’ve mentioned earlier, most of the benefits of saving money on security are done as a long-term, consistent security management process rather than as a reaction to dire times. Another area where this notion applies is the organization’s security policy. It should be a yearly activity to review the security policy. You may find that the policies themselves are prescribing processes or solutions that are overly expensive. You should evaluate each element of prescribed security as to its cost/benefit versus its actual expenditure.
You may discover that products selected last year have been surpassed by a competitor’s solution, which may not only work better but may cost less. Additionally, you may find that by adding on components or options to one product, you can remove another. With a bit of cost comparison and performance evaluation, a review of company policies may find places that can be altered, stretched, or eliminated.

Re-Assess Your Threats
In addition to a regular review of your security policy, you should also re-perform a risk assessment on a yearly basis. You should recall that the basic steps of risk assessment are: inventory assets, inventory threats, then evaluate costs and risks. By re-performing this process, you may be able to determine whether a risk identified in the past is still present or whether a new threat has appeared that needs to be addressed.
Since a security policy is dependent upon a thorough risk assessment, it should also be apparent that as the threats and risks change, so should the security policy. An obvious place to save money on security is to eliminate protections that are no longer required since the threat is no longer real or likely. For example, you don’t usually wear a jacket in the summer or sunscreen in the winter; in both instances the threat (being cold or getting a sunburn) or risk associated with the threat have either gone away or are avoided.


Cut Out the Fluff
All too commonly in today’s world, security is performed like theater rather than being implemented for actual defense. Security for show is more often used to justify an expense based on the idea that money is only worth spending if the result is flashy, shiny, and visible. However, security is often most effective when it is either unseen or, at least, attention is not drawn to it on purpose.
Re-evaluate each component of your security policy and deployed security infrastructure. Any element that is showy or flashy should be suspected of having little substance. If the security product is easily fooled, bypassed, or ignored, then it is a solid candidate for disposal.
Another aspect of this concept of cutting out the fluff is to stop performing security tasks that have little to no real benefit. For example, if you require every person to be inspected by a security guard upon entering and leaving the building, but there is little evidence that anyone has ever smuggled data or objects in or out, then why waste everyone’s time? If there is a real threat of theft or espionage, then keep up the defense, but don’t add in unnecessary security just for show.


Spend Money to Save Money
Many of us roll our eyes at the idea that buying stuff on sale saves you money. It is said that if you didn’t know the item was on sale, you would not have bought it in the first place, thus saving even more. Often, when it comes to security, spending money properly now will save money later. The logic is as follows: if there is a real threat, and you fail to defend against it, when the risk is realized and loss occurs, the loss will often cost the organization more than the defense would have cost. Thus, once you have identified real threats that are likely to occur, you will save money by implementing the proper security defenses before the breach.
Ignoring a threat or wishing that a threat did not exist does not prevent the loss from occurring. Nor will it make the cost of recovery any less. By not taking the appropriate action when that action is known and obvious, you are setting your organization up for future losses. The adage “an ounce of prevention is worth a pound of cure” is as apropos to security as it is for illness.

Use Public Resources
Deploying and maintaining security is often an expensive business task. However, there are ways of keeping those costs under control, especially in the area of configuration and troubleshooting. The Internet has made an astounding amount of knowledge available at one’s fingertips. Just about any topic, especially related to computers, networking, and security, is freely available for anyone to access. The next time your staff needs access to specific information that is perceived to be available only through a paid consultant or pay-as-you-go technical support, look into free public resources. From newsgroups to discussion forums to e-mail lists to blog sites, there is an ever-growing open community of professionals willing to discuss any topic and provide reliable guidance for free. Don’t pay for consulting or troubleshooting until you have exhausted all free resources.


Consider Outsourcing
Not every aspect of your company’s IT or security has to be performed by your own staff. There may be some circumstances where outsourcing to a service company or consulting group is less expensive than doing it yourself. From staffing, to training, to equipment, to licensing, often, outsourced solutions provide high-quality services at a lower price than you could provide for yourself.
Firewall services, anti-malware services, penetration testing, Web hosting, DMZ/Extranet support, help desk, and others may be services you can find cheaper externally than you have so far been able to support internally. Just because you’ve always done it yourself is not a good reason to avoid seeking consultants and service organizations that can provide superior services at a reasonable price.


Evaluate Your Insurance Options
Another aspect of security that many IT workers overlook is insurance. There are several forms of insurance that are relevant to the corporate IT infrastructure. Proper understanding of the options, your organization’s needs for coverage, and prices will help you make sound insurance decisions.
One insurance area to evaluate is that of disaster or damage insurance that will replace equipment damaged by various issues, such as fire, flood, earthquake, bomb, etc. You need to perform a risk assessment on each threat to determine if the risk is serious enough to warrant insurance and the insurance is cost effective. Also, be sure to obtain replacement insurance, not depreciated value insurance.
Another insurance to consider is that of hacker or malware insurance. A few insurance companies are beginning to offer this type of specialized IT security insurance. However, be aware that insurance companies are not in the business of paying claims - they are in the business of collecting premiums. So, you may find that the offered options for hacker or malware insurance are not favorable enough for the expense.
One final area of insurance to consider is that of general or umbrella liability insurance. If a security breach could cause harm, not just to your organization but also to distributors, resellers, suppliers, clients, customers, etc., then this proximate causation or downstream liability leaves your organization responsible for paying some of their losses as well. With general or umbrella liability insurance, most of those downstream claims will be paid by the insurance provider rather than out of your organization’s own back pocket.
In any case, consult with a business liability attorney, a professional business consultant, and several insurance agencies when making these types of insurance decisions. Don’t just rely upon the advice of a single insurance representative or you may get biased advice, in much the same way that asking a single car dealer what the best car is will result in a biased answer.


Security Is Not Just IT
Security is not just a computer issue. Security is a business issue. Businesses need to see security as an essential part of their organization. This idea is important, because any breach at any location throughout the organization can result in severe damage to the company as a whole, as well as the IT infrastructure.
Security is a complete system with defenses, deterrents, and detection components for IT as well as the facility and its personnel. Without a complete, company-wide application of security, it will be ineffective. Just as only applying sunscreen to one arm will not protect the whole body, all of your bases should be covered when it comes to security.
In attempting to save money by only protecting the computers and the network, the result will not only be inadequate protections, it will also be wasted time and effort as well. Without a complete solution addressing each threat, a company remains at risk.

Security Cost Is Not Just Purchase Price
The purchase price of a new security component is not the only factor that should be addressed when evaluating security costs. In fact, often the purchase or licensing fee of a product is small in comparison to the other costs of maintaining security over time. You should take into consideration the expense of training administrators to install, configure, manage, maintain, and troubleshoot a product over its lifetime. And as an administrator spends time on one product or system, they are not spending time on another. This is a form of opportunity cost that must be evaluated.
Next, workers will need to be trained on using the product, or at least on working within the confines the security product places on them. This will result in some form of reduced or lost productivity in most situations; plus, whenever the security product interferes with their work due to a failure, mis-configuration, etc., the downtime must be estimated and the help desk and tech support costs should be considered.
Additionally, security products may require supporting hardware or software, require regular maintenance, updates, and upgrades, consume electricity and storage space, use computation cycles, and use memory. As these resources are consumed by the security solutions, they are not available for use by the productivity solutions.
These are just some of the costs of security that are often overlooked or at least not fully evaluated. Thus, proper long-term, true-cost-of-deployment evaluations are needed to select the most effective but least life-costly security product. This is likely one of the best ways to save money on security – i.e., don’t spend more in the long run by purchasing a solution that gets in the way of production.
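The following is an added example, not part of the original white paper, that turns the cost categories named in this section, the "inventory assets, inventory threats, then evaluate costs and risks" steps from "Re-Assess Your Threats", and the "defense cheaper than the realized loss" argument from "Spend Money to Save Money" into a small lifetime-cost comparison. All figures, product names, and the expected-loss model (annual likelihood times loss per incident, reduced by an assumed risk-reduction fraction) are constructed assumptions.

```python
"""Lifetime-cost comparison for candidate security products.

Hypothetical example: cost categories follow the white paper's
"Security Cost Is Not Just Purchase Price" section; the numbers and
the expected-loss model are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class ProductCost:
    """Cost of one candidate countermeasure over its service life (all USD)."""
    name: str
    lifetime_years: int
    purchase_or_license: float       # sticker price or total licence fees
    admin_training: float            # install/configure/troubleshoot training
    user_training: float             # teaching workers to live with the control
    annual_maintenance: float        # updates, upgrades, support contract
    annual_admin_hours: float        # admin time not available for other systems
    admin_hourly_rate: float         # converts those hours into opportunity cost
    annual_lost_productivity: float  # false positives, outages, help-desk load
    annual_infrastructure: float     # supporting hardware, power, storage

    def lifetime_cost(self) -> float:
        one_off = self.purchase_or_license + self.admin_training + self.user_training
        recurring = (self.annual_maintenance
                     + self.annual_admin_hours * self.admin_hourly_rate
                     + self.annual_lost_productivity
                     + self.annual_infrastructure)
        return one_off + recurring * self.lifetime_years

    def annualized_cost(self) -> float:
        return self.lifetime_cost() / self.lifetime_years


@dataclass
class Threat:
    """One line of the threat inventory: how often it is expected and what it costs."""
    name: str
    annual_likelihood: float  # expected incidents per year (0.5 = once every two years)
    loss_per_incident: float  # repair, recovery, downtime, downstream liability

    def expected_annual_loss(self) -> float:
        return self.annual_likelihood * self.loss_per_incident


def cheapest_over_lifetime(candidates):
    """Select by total cost of ownership, not by the lowest purchase price."""
    return min(candidates, key=ProductCost.lifetime_cost)


def defense_pays_for_itself(threat, product, risk_reduction):
    """True when the loss avoided per year exceeds the defence's annualized cost.

    risk_reduction is the assumed fraction of the threat's expected loss that the
    product removes; no control eliminates a threat completely.
    """
    avoided = threat.expected_annual_loss() * risk_reduction
    return avoided > product.annualized_cost()


# Constructed sample data. CHEAP_STICKER is unfamiliar to the staff, so training,
# admin time and user disruption are high; FAMILIAR costs more up front but the
# staff already knows the product line (see "Leverage Your Knowledge Base").
CHEAP_STICKER = ProductCost("Vendor A appliance (new to staff)", 3,
                            4000, 6000, 3000, 2500, 200, 50, 8000, 1500)
FAMILIAR = ProductCost("Vendor B appliance (staff already certified)", 3,
                       9000, 1000, 1000, 3000, 80, 50, 2000, 1500)

# Constructed threat-inventory lines.
MALWARE_OUTBREAK = Threat("malware outbreak on file servers", 0.5, 60000)
HARDWARE_THEFT = Threat("theft of decommissioned hardware", 0.1, 5000)


if __name__ == "__main__":
    for p in (CHEAP_STICKER, FAMILIAR):
        print(f"{p.name}: purchase {p.purchase_or_license:,.0f}, "
              f"lifetime {p.lifetime_cost():,.0f}")
    best = cheapest_over_lifetime([CHEAP_STICKER, FAMILIAR])
    print("Lowest lifetime cost:", best.name)
    for t in (MALWARE_OUTBREAK, HARDWARE_THEFT):
        print(f"{t.name}: expected annual loss {t.expected_annual_loss():,.0f}, "
              f"worth defending with {best.name}: "
              f"{defense_pays_for_itself(t, best, 0.8)}")
```

Running it shows the product with the higher sticker price winning on lifetime cost, a defense that is worth buying against the malware threat, and one that is not worth buying against the low-loss theft threat.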


Improve Security While Reducing Costs with Training
Yet another way to stretch your IT and security budget is to spend it wisely on training. By improving the knowledge and skill base of your existing staff, you directly improve your organization’s internal ability to handle its own security issues. As you train existing staff, they can move up the position hierarchy – vacating lower job positions to be filled by new, fresh employees eager to learn. When your own employees, from administrators to managers, to help desk, to individual workers, are more knowledgeable about their assigned work tasks, about computers and networking in general, and about IT security, your organization directly benefits. Those benefits include being able to re-use existing equipment more efficiently, properly tune and manage the environment, avoid the need for external consulting or technical support, reduce the need for more staff, etc.
