I ran across a great article here the other day about a presentation at the Kiwicon in New Zealand. What really caught my eye was the asymmetry in terms of costs to the attacker and the attacked. The title of the article says that it takes about $3M in security infrastructure (software/hardware/people) to defend against an attacker who can spend $100K on the attack. 30 to 1. That’s huge.
Of course, most of us will hopefully never have to face an attacker with those kinds of resources (it sure seems Sony did, though given the reports about their security, the attacker probably didn't need to spend that much). But at a 30-to-1 ratio, it doesn't take much spending from the attacker to force you to spend a lot of resources to stay safe.
It's important to remember that security is really all about trade-offs. You accept a certain amount of risk in exchange for a certain amount of security spending. Where the line is drawn will vary with each organization, but there is always a line, because you can never reach absolute security (and if you try, the costs go up far faster than the incremental security you get). What this really means is that you should always have a clear target for your security level. You can't just throw security solutions at your IT environment and expect the organization to be secure. If you don't have the people to run and maintain the systems you put in place, those systems won't provide any extra security, just extra cost.
Given the asymmetry between what you have to spend on protection and what the hackers out there have to spend to attack you, cost-effective (and ideally low-cost) security solutions are critical for any organization. GreenRADIUS was specifically designed with this in mind: to provide the most cost-effective solution for managing 2FA, to bring the cost asymmetry down to something closer to cost parity, and thereby to take back the advantage.