Friday, June 08, 2007

How to rate the value of your websites (Road to Website Security part 2)

Part 1 (How to find your websites) of the series describes a process for website discovery. This piece (part 2) describes a methodology for rating the value of a website to the business that many of our customers have found helpful. Website asset valuation is a necessary step towards overall website security because not all websites are created equal. Some websites host highly sensitive information, others only contain marketing brochure-ware. Some websites transact million of dollars each day, others make no money or maybe a little with Google AdSense. The point is we all have limited security resources (time, money, people) so we need to prioritize and focus on the areas that offer the best risk reducing ROI.

For example, it might be more beneficial to first resolve a medium severity vulnerability on mission critical website rather than a high severity vulnerability on a website of marginal value to the business. Without the intelligence of website valuation and vulnerability severity, effective decision-making is impaired. Another piece of intelligence we’ll discuss later on is what we at WhiteHat call a vulnerability threat rating, or how difficult a particular vulnerability is to exploit. Not all vulnerabilities are created equal either, but we’re getting a little ahead of ourselves.

As a continuation of the end of part 1, visit each website in the asset inventory spreadsheet, then answer a series of questions about them. These answers assist in a subjective value rating process. I say subjective, rather than objective, because I’ve yet to see a generic value rating system for websites that was quantifiable. If you happen to have one specifically for your company, fantastic, use it. Heck if you can, post it so others can learn from it! If you don’t have one don’t worry, over time you should be able to tailor this methodology specifically for your company.

1) What does this website do and who is responsible for it?
Click around the website, exercise the functionality, fill out a few forms, register an account if you need to. Is it a shopping cart? Web bank? Brochure? Who manages the content and/or security?

2) What would the business impact be if the website were to be compromised or suffer more than 24 hours of downtime?

Sometimes unplugging the network cord (not recommended) on a website is the only way to tell if someone cares about it or if its important. Before you do that though, consider if the website were unreachable or suffered a publicly known data/system compromise. Sometimes organizations have downtime in quantifiable terms. If so, great, use it. If not, terms such will suffice such as:
  • Major/moderate/low loss of revenue
  • Major/moderate/low reputation impact and brand damage
3) What are the amount of registered users and/or level of visitor’s traffic?
  • Hundreds/thousands/millions of registered users
  • Thousands/millions/billions of page views / unique visitors per month
  • Unknown
4) What's the most valuable type of data collected and/or distributed?
  • Personal and private information (names, addresses, phone numbers, social security numbers, etc.)
  • Regulated information (credit card numbers, bank account numbers, patient records, attorney privileged data, etc.)
  • Intellectual property (source code, customer lists, business plans and objectives, etc.)
5) How often do the web applications change (not the content)?

a) 1 – 4 times per month
b) Quarterly
c) Annually
d) Never or as needed

Answering these questions takes time and a lot of research, but the spreadsheet you’re building will be of huge benefit to the company, especially those with a substantial Web footprint. Taking these answers into account with the appropriate weighting, assign a rating from 1 – 5 to each website with 5 being the most valuable. Share the document around internally for feedback. After you have completed the process, what you’ll have is something that most do not. A well defined and prioritized website asset inventory.

The spreadsheet will look something like this:


Anonymous said...

this reminds me of a ccnp book i read about doing network documentation, here.

if you have a safari library account (*), you can login to the above and see the tables, which look surprisingly a lot like the ones you suggested.

any well-run organization has this sort of information available at least in spreadsheet form. some do asset management via agents (tivoli, snmpd, etc) so that the documentation is a live view. assigning threat/value/risk levels like you did is a very interesting approach to solving some security metrics issues associated with applications.

safari library is a great resource for $39.95/month. safaribooksonline provides rough-cuts and short-cuts that you should know about if you like to stay on the cutting-edge of technology knowledge. they also release some books a little early. in fact, they just added a few interesting books such as:
"Secure Programming with Static Analysis" and "Fuzzing: Brute Force Vulnerability Discovery"

also, where did this link come from?
it's an interesting/easy way to get a list of virtual hosts running. i just randomly came across it when thinking about your part 1, "how to find your websites" blog entry. seems to think it has existed since march of 2007, netcraft doesn't know it exists (until now), and whois says that the creation date is 23-nov-2006. the owner of the site also runs an seo-related site, is on linkedin, is almost 33 years old, and apparently paid a ticket for $50 for speeding in the year 2001 (after a rudimentary 5 second search).

the digg entry is even more interesting:

Unknown said...

This might be wishful thinking, but it can at least be tried. Through this valuing process, each website should get assigned to someone, or someone should be assigned to it, somewhat like a data owner who takes over some measure of responsibility and knowledge to answer questions. Eventually, websites with no owners should be deemed of no value and remove. (Ever walk into a company that had no clue they were hosting a publicly accessible 3 year-old phpbb system full of holes?)

Anonymous said...

Randomly, aren't SSN's regulated information, s well?

Jeremiah Grossman said...

Uhmmm, you know I don't know for sure actually. Maybe someone else reading here know if it is, and if so, what type of regulation.