Homework 3

To be completed by: week 3 of the semester

Instructions and guidelines

• This assignment asks you to perform a simple financial analysis of the returns from different combinations of security technologies, using Microsoft Excel, and to make a business recommendation based on your analysis.

• Your analysis starts with data that is available to you in the Microsoft Excel file Assignment4.xls, which is available to download from Blackboard.

• It would be a good idea to start working on this assignment early. It is not complicated once you understand its details, and it will be a lot simpler if you have time to plan your spreadsheet well.

Deliverables

• An Excel file, organized as follows. One worksheet (tab) in this file should contain your typed answers to parts (b), (c) and (d). Another worksheet (tab) should contain the analysis for part (a). Most likely, a third worksheet would contain the original data in Assignment5.xls. Feel free to create additional worksheets (tabs) for intermediate analysis towards part (a), that illustrate your answers to parts (b) and (c) graphically, or that further support your answer to part (d).

• I suggest that you start by saving the data file Assignment5.xls as yourNetID.xls, and adding to it appropriately. This way, you will not run the risk of an error that comes from copying and pasting information incorrectly. You can add worksheets by choosing Worksheet from the Insert menu.

Following their security crisis, iPremier begins a comprehensive assessment of steps they can take towards making their business more secure. They start by upgrading their firewall. They also hire RiskyBusiness, a consulting firm that performs security and risk assessment for medium-sized businesses. The consultants of RiskyBusiness provide iPremier with the following general background on denial-of-service attacks:

Denial-of-service (DOS) attacks: DOS attacks are typically executed using tools that send a number of request packets to a targeted Internet server, which floods the server's resources, making the system unusable. Attack tools can be secretly installed onto a large number of innocent systems that can be centrally managed by the hacker who initiates DOS attacks remotely. Systems that unknowingly have DOS attack tools installed are called zombie agents or drones. Zombies are not the victims of the DOS attack, but they are used to perform the actual attack. The methods of how and what resources are flooded differ based on the DOS attack tools used. For example, a Smurf DoS attack uses a forged ICMP (Internet Control Message Protocol) echo request. Other DOS tools, like the TFN (Tribe Flood Network) family, use the SYN flooding technique, which creates a flood of half-open connections.

RiskyBusiness thus highlights the importance of protecting not just the servers within one’s organization, but the client computers as well, since the latter may be compromised to launch a DOS attack on someone else’s servers, and can make one’s organization liable if such an attack can be traced. While noting that iPremier’s firewall upgrade is a good first step, they recommend two specific additional solutions to iPremier:

Antivirus software: Specific kinds of antivirus software can play an important role in detecting zombie agents. Antivirus software often identifies viruses by looking for programs that have a predefined signature. By extracting a pattern or a signature from known zombie agents, antivirus products can detect and remove these agents from compromised clients. For example, the Norton Antivirus detects common DOS agents like the TFN.

Traffic Anomaly Detectors (TAD): A Traffic Anomaly Detector (manufactured by Cisco, among others) is a passive monitoring device that constantly looks for indications of a DOS attack against a protected destination such as a server, firewall interface, or router interface. This device examines copies of all inbound traffic to the protected destinations, and compares the current traffic behavior to some baseline patterns, towards detecting anomalous traffic behavior.

RiskyBusiness also notes that there are other solutions available. Their assessment, however, is that iPremier would benefit most from one or both of the solutions they highlight: sophisticated antivirus software, and/or traffic anomaly detectors.

Finally, RiskyBusiness indicates that a crucial part of making the right level of investment in security technologies is whether the investment can be financially justified. Towards this, RiskyBusiness recommends the following simplified version of the annualized loss expectancy (ALE) approach.

(1) iPremier should start by measuring the number of vulnerable PCs in the organization. A vulnerable PC is one with an external Internet connection that is actively used, and whose user’s job involves a sufficient level of outbound network activity (for example, email exchange with people outside iPremier). Since iPremier does not know at this point the exact number of vulnerable PCs, RiskyBusiness proposes to perform the analysis for different numbers of PCs (see also point 3 below), and examine which solution is best for each configuration.

(2) iPremier should calculate the total cost of breach (TOTALBREACHCOST). This typically involves adding three costs: the cost of lost revenue/customer goodwill (COSTGOODWILL) if systems are compromised or the site is shut down, the liability cost (COSTLIABILITY) associated with potential lawsuits, and the direct expenditure of recovering (COSTDIRECT) from a breach. According to RiskyBusiness:

TOTALBREACHCOST = COSTGOODWILL + COSTLIABILITY + COSTDIRECT

(3) iPremier should use the table provided by RiskyBusiness to measure the probability of breach (PROBBREACH). This depends on the technologies used, and the number of vulnerable PCs in the organization. RiskyBusiness provides the numbers summarized in Table 1 to help guide iPremier’s decision.

Columns 2 to 5: combination of technologies chosen
Number of vulnerable PCs / Neither Antivirus nor TAD / Antivirus / TAD / Antivirus and TAD
10 / 0.2035 / 0.0011 / 0.0018 / 0.0011
20 / 0.2064 / 0.0018 / 0.0035 / 0.0014
30 / 0.2090 / 0.0023 / 0.0056 / 0.0016
40 / 0.2115 / 0.0027 / 0.0063 / 0.0018
50 / 0.2139 / 0.0032 / 0.0080 / 0.0020
60 / 0.2162 / 0.0036 / 0.0105 / 0.0021
70 / 0.2185 / 0.0040 / 0.0112 / 0.0022
80 / 0.2207 / 0.0043 / 0.0140 / 0.0023
90 / 0.2229 / 0.0047 / 0.0165 / 0.0024
100 / 0.2251 / 0.0050 / 0.0191 / 0.0025
150 / 0.2354 / 0.0065 / 0.0195 / 0.0029
200 / 0.2452 / 0.0078 / 0.0222 / 0.0032
250 / 0.2546 / 0.0090 / 0.0234 / 0.0035
300 / 0.2638 / 0.0102 / 0.0248 / 0.0037
400 / 0.2814 / 0.0123 / 0.0253 / 0.0041
500 / 0.2984 / 0.0142 / 0.0274 / 0.0044
600 / 0.3149 / 0.0160 / 0.0280 / 0.0047
700 / 0.3310 / 0.0177 / 0.0308 / 0.0050
800 / 0.3468 / 0.0193 / 0.0327 / 0.0052
900 / 0.3622 / 0.0208 / 0.0353 / 0.0054
1000 / 0.3774 / 0.0223 / 0.0354 / 0.0056
1500 / 0.4504 / 0.0290 / 0.0371 / 0.0065
2000 / 0.5198 / 0.0350 / 0.0376 / 0.0072

Table 1: Probability of breach for a given number of vulnerable PC’s

(4) Based on the combination of technologies chosen, and the number of vulnerable computers, iPremier should calculate the cost of protection (COSTPROTECTION). This has two components: the cost of the technology (COSTTECHNOLOGY) and the cost of support (COSTSUPPORT).

Cost of technology: RiskyBusiness reports that antivirus software will cost $50 per vulnerable PC, traffic anomaly detectors will cost $20,000 each, and that one needs one traffic anomaly detector for every 80 (or fewer) vulnerable PCs.

Cost of support: iPremier estimates that it will incur support costs of $10,000 for every 10 (or fewer) antivirus installations, and support costs of $80,000 for every 3 (or fewer) traffic anomaly detectors it installs.

(5) Then, iPremier should compute the expected cost of breach (EXPECTEDBREACHCOST), which is the probability of breach multiplied by the total cost of breach.

EXPECTEDBREACHCOST = PROBBREACH × TOTALBREACHCOST

(6) Finally, iPremier should compute the total expected cost (TOTALEXPECTEDCOST).

TOTALEXPECTEDCOST = COSTPROTECTION + EXPECTEDBREACHCOST

Once this total expected cost is calculated for each combination of technologies, a company typically chooses the combination which results in the lowest total expected cost.
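Steps (2) through (6) can also be carried through in code. The following Python sketch is an added example, not part of the original assignment or its spreadsheet: it uses four rows of Table 1 and the breach-cost estimates given in the assignment below. It assumes that "every 10 (or fewer)" and similar phrases mean rounding the count up to the next whole block; the function names are illustrative.

```python
import math

# Four rows copied from Table 1: PCs -> PROBBREACH for
# (neither, antivirus only, TAD only, antivirus and TAD).
PROB_BREACH = {
    10:   (0.2035, 0.0011, 0.0018, 0.0011),
    100:  (0.2251, 0.0050, 0.0191, 0.0025),
    1000: (0.3774, 0.0223, 0.0354, 0.0056),
    2000: (0.5198, 0.0350, 0.0376, 0.0072),
}
# (label, uses antivirus, uses TAD), in Table 1 column order.
COMBOS = (("Neither", False, False), ("Antivirus", True, False),
          ("TAD", False, True), ("Antivirus and TAD", True, True))

# Step 2: COSTGOODWILL + COSTLIABILITY + COSTDIRECT from the assignment.
TOTAL_BREACH_COST = 15_000_000 + 10_000_000 + 2_500_000


def cost_protection(pcs, antivirus, tad):
    """Step 4: COSTTECHNOLOGY + COSTSUPPORT for one combination."""
    technology = support = 0
    if antivirus:
        technology += 50 * pcs                        # $50 per vulnerable PC
        support += 10_000 * math.ceil(pcs / 10)       # per 10 (or fewer) installs
    if tad:
        detectors = math.ceil(pcs / 80)               # one per 80 (or fewer) PCs
        technology += 20_000 * detectors
        support += 80_000 * math.ceil(detectors / 3)  # per 3 (or fewer) TADs
    return technology + support


def total_expected_costs(pcs, breach_cost=TOTAL_BREACH_COST):
    """Steps 5 and 6: TOTALEXPECTEDCOST for every combination."""
    costs = {}
    for (label, antivirus, tad), prob in zip(COMBOS, PROB_BREACH[pcs]):
        expected_breach = prob * breach_cost          # EXPECTEDBREACHCOST
        costs[label] = cost_protection(pcs, antivirus, tad) + expected_breach
    return costs


def best_combination(pcs, breach_cost=TOTAL_BREACH_COST):
    """Combination with the lowest TOTALEXPECTEDCOST."""
    costs = total_expected_costs(pcs, breach_cost)
    return min(costs, key=costs.get)


if __name__ == "__main__":
    for pcs in PROB_BREACH:
        print(pcs, best_combination(pcs), total_expected_costs(pcs))
```

Passing a different `breach_cost` re-runs the comparison under another liability estimate without touching the cost rules.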

Assignment: Your assignment is to come up with a protection plan for iPremier that relates the number of vulnerable computers to a choice of the best combination of technologies (that is, the combination of technologies that minimizes total expected cost). You estimate the costs associated with a breach to be the following:

COSTGOODWILL: $15 million.

COSTLIABILITY: $10 million.

COSTDIRECT: $2.5 million.

All of the numbers in this document are summarized in the spreadsheet Assignment5.xls, which is available for download off your Blackboard site.

(a) Using the information you have been provided, construct an Excel spreadsheet that assesses the TOTALEXPECTEDCOST for each combination of technologies, and for each number of vulnerable computers for which you have been given data. Think about a good way to lay out your formulas so that it is easy to make changes to your data. For example, you might create tables of formulas laid out in the same form as the probability of breach table. The first such table might contain formulas that calculate the cost of technology under each combination of technologies/number of vulnerable PCs, the next might contain formulas that calculate the cost of support, and a third might calculate the cost of protection. And so on. Some students prefer to use multiple worksheets, although this is not necessary.

(b) Based on your analysis, what would your recommendation to iPremier be?

(c) The iPremier counsel Peter Stewart indicates to you that he believes that your estimate of the cost of liability is very low. He recommends using a figure of $25 million (rather than $10 million). The technical operations team leader Joanne Ripley suggests that your numbers seem fine, and that Peter’s figure is excessive. “Peter doesn’t understand exactly how someone might tie liability to our actions, because he doesn’t get the technology,” she notes. “Lawyers simply like to throw around big damage numbers.” Peter, in turn, feels that Joanne does not fully appreciate the legal process by which damages of this kind would be assessed. Rather than having to take sides on this, you analyze a second scenario with Peter’s numbers. Under what circumstances does this change your recommendation in part (b) to iPremier?

(d) In a subsequent application of your analysis, the number of vulnerable PCs is estimated to be 1240. RiskyBusiness has not given you probability data for this specific number of PC’s. What features might Excel have to offer to help you here? What business assumptions would your use of this/these features imply? Show how you would do this estimation.