2008 06 07 Larry Clinton Rochester Presentation About Evolving Threat and Best Practices


  • 7/31/2019 2008 06 07 Larry Clinton Rochester Presentation About Evolving Threat and Best Practices

    1/38

    The Evolving Threat: Today's cyber security challenges and solutions

    Larry Clinton, President,

    Internet Security Alliance

    2/38

    Sponsors

    3/38

    The Past

    4/38

    Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

    The Present

    5/38

    The earlier threat landscape

    Human Agents
    • Hackers
    • Disgruntled employees
    • White collar criminals
    • Organized crime
    • Terrorists

    Methods of Attack
    • Brute force
    • Denial of Service
    • Viruses & worms
    • Back door taps & misappropriation
    • Information Warfare (IW) techniques

    Exposures
    • Information theft, loss & corruption
    • Monetary theft & embezzlement
    • Critical infrastructure failure
    • Hacker adventures, e-graffiti/defacement
    • Business disruption

    Representative Incidents
    • Code Red, Nimda, Sircam
    • CD Universe extortion, e-Toys Hactivist campaign
    • Love Bug, Melissa Viruses
    • SoBIG, SLAMMER

    6/38

    7/38

    The earlier threat: cyber incidents

    [Chart: incidents reported per year, 1988-2002; data labels read in year order]
    1988:       6
    1989:     132
    1990:     252
    1991:     406
    1992:     773
    1993:   1,334
    1994:   2,340
    1995:   2,412
    1996:   2,573
    1997:   2,134
    1998:   3,734
    1999:   9,859
    2000:  21,756
    2001:  55,100
    2002: 110,000

    8/38

    The changing threat

    • The fast-moving virus or worm pandemic is not the threat.
      2002-2004: almost 100 medium-to-high risk attacks (Slammer; SoBig).
      2005: there were only 6.
      This year: 0.

    9/38

    The changing threat

    • Today, attackers are motivated to perpetrate fraud, gather intelligence, or gain access to vulnerable systems.
    • Vulnerabilities are now on client-side devices and applications (word processing, spreadsheet programs, printers, wireless devices) that require some degree of user interaction.

    10/38

    Digital Growth?

    • Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company's assumptions for growth.

    ---Stanford University Study, July 2006

    Sure

    11/38

    Digital Defense?

    • 29% of Senior Executives acknowledged that they did not know how many negative security events they had in the past year
    • 50% of Senior Executives said they did not know how much money was lost due to attacks

    Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

    Maybe Not

    12/38

    Digital Defense

    • 23% of CTOs did not know if cyber losses were covered by insurance or not.
    • 34% of CTOs thought their cyber losses would be covered by insurance----and were wrong.
    • The biggest network vulnerability in American corporations is extra connections added for senior executives without proper security.

    ---Source: DHS Chief Economist Scott Borg

    13/38

    Incidents & Losses 2004-2006

    [Chart: Average Number of Security Incidents Per Participant] 2004: 136; 2005: 86; 2006: 34

    [Chart: Percentage That Experienced Losses as a Result, by year (2004, 2005, 2006), split into financial and operational losses; data labels as extracted: 25, 56, 28, 55, 40, 63]

    ---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

    14/38

    Economic Effects of Attacks

    • 25% of our wealth---$3 trillion---is transmitted over the Internet daily
    • FBI: Cyber crime cost business $26 billion (probably LOW estimate)
    • Financial Institutions are generally considered the safest---their losses were up 450% in the last year
    • There are more electronic financial transactions than paper checks now.
    • 1% of cyber crooks are caught.

    15/38

    Cyber Attacks' Effect on Stock Price

    • Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.
    • Source: US Congressional Research Service 2004

    16/38

    Indirect Economic Effects of Cyber Attacks

    • While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization's trust relationships, harm to its reputation, and loss of economic and societal confidence.
    • Source: Carnegie Mellon CyLab 2007

    17/38

    Can it be stopped?

    • PricewaterhouseCoopers conducted 2 international surveys (2004 & 2006) covering 15,000 corporations of all types
    • Approx. 25% of the companies surveyed were found to have followed recognized best practices for cyber security.

    Yes!

    18/38

    Benefits of Best Practices

    • Reduces the number of successful attacks
    • Reduces the amount of down-time suffered from attacks
    • Reduces the amount of money lost from attacks
    • Reduces the motivation to comply with extortion threats

    19/38

    Senior Mgrs' Best Practices

    • Cited in US National Draft Strategy to Protect Cyber Space (September 2002)
    • Endorsed by TechNet for CEO Security Initiative (April 2003)
    • Endorsed by US India Business Council (April 2003)

    20/38

    ISALLIANCE BEST PRACTICES

    • Practice #1: General Management
    • Practice #2: Policy
    • Practice #3: Risk Management
    • Practice #4: Security Architecture & Design
    • Practice #5: User Issues
    • Practice #6: System & Network Management
    • Practice #7: Authentication & Authorization
    • Practice #8: Monitor & Audit
    • Practice #9: Physical Security
    • Practice #10: Continuity Planning & Disaster Recovery

    21/38

    Percentage of Participants Who Experienced an Insider Incident

    [Chart] 2004: 41%; 2005: 39%; 2006: 55%

    22/38

    Insider Incidents - 2006

    Insiders committed more theft of IP & other proprietary information and sabotage than outsiders

    Incident type               Total (%)   Insider (%)   Outsider (%)
    Theft of IP                    30           63            45
    Theft of Proprietary Info.     36           56            49
    Sabotage                       33           49            41

    Most common insider incidents in 2006 survey:
    rogue wireless access points (72%), theft of IP (64%), exposure of sensitive or confidential information (56%)

    23/38

    Insider Methods - 2006

    [Chart: % of Organizations, by insider method; bar values not recoverable from the extract] Methods: Compromised Account, Sys. Admin. Access, Remote Access, Social Engineering, Backdoors, PW Crackers, Malicious Code, Logic Bomb

    24/38

    ISA Best Practices for Insider Threat Prevention & Mitigation

    • PRACTICE #1: Institute periodic enterprise-wide risk assessments.
    • PRACTICE #2: Institute periodic security awareness training for all employees.
    • PRACTICE #3: Enforce separation of duties and least privilege.
    • PRACTICE #4: Implement strict password and account management policies and practices.
    • PRACTICE #5: Log, monitor, and audit employee online actions.
    • PRACTICE #6: Use extra caution with system administrators and privileged users.
    • PRACTICE #7: Actively defend against malicious code.
    • PRACTICE #8: Use layered defense against remote attacks.

    25/38

    ISA Best Practices for Insider Threat Prevention & Mitigation

    • PRACTICE #9: Monitor and respond to suspicious or disruptive behavior.
    • PRACTICE #10: Deactivate computer access following termination.
    • PRACTICE #11: Collect and save data for use in investigations.
    • PRACTICE #12: Implement secure backup and recovery processes.
    • PRACTICE #13: Clearly document insider threat controls.
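Practices #5 and #10 above are stated as policy; the following is an added example (not from the presentation or the ISA) of one concrete check that implements them: it cross-references HR termination records against a directory export and authentication log lines, flagging accounts still enabled after the last day and logins that occur after it. The HR records, directory export, log format and account names are all constructed for illustration.

```python
from datetime import datetime

# Constructed HR termination records: account -> last working day (not real data).
TERMINATIONS = {"jdoe": "2006-03-15", "msmith": "2006-04-02"}

# Constructed directory export: account -> still enabled?
DIRECTORY = {"jdoe": True, "msmith": False, "akhan": True}

# Constructed authentication log, one event per line:
# "<ISO timestamp> <account> <event> <host>"
AUTH_LOG = """\
2006-03-14T17:55:00 jdoe login-ok fileserver01
2006-03-20T02:13:00 jdoe login-ok vpn-gw
2006-04-01T09:00:00 msmith login-ok mail01
2006-04-03T11:30:00 akhan login-ok fileserver01
"""


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, account, event, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, host = line.split()
        events.append((datetime.fromisoformat(ts), user, event, host))
    return events


def audit_terminated_access(terminations, directory, log_text):
    """Return findings as (finding, account, timestamp-or-None) tuples.

    'account-still-enabled'     -> Practice #10 not applied (access not deactivated).
    'login-after-termination'   -> Practice #5 evidence: a successful login after the last day.
    """
    findings = []
    events = parse_auth_log(log_text)
    for user, last_day in terminations.items():
        cutoff = datetime.fromisoformat(last_day + "T23:59:59")
        if directory.get(user, False):
            findings.append(("account-still-enabled", user, None))
        for ts, u, event, host in events:
            if u == user and event == "login-ok" and ts > cutoff:
                findings.append(("login-after-termination", user, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in audit_terminated_access(TERMINATIONS, DIRECTORY, AUTH_LOG):
        print(finding)
```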

    26/38

    ISA Best Practices: Model Contracts

    Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and

    Volume II: published June 2007 with ANSI, gives greater emphasis to standards-based information security controls.

    (www.isalliance.org)

    27/38

    Why Doesn't Everyone Comply with the Best Practices?

    • Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized.

    ---Stanford University 06

    28/38

    29/38

    There's More!!!

    • Increase in supply chain information access (50%)
    • Improved product handling (43%)
    • Reduction in cargo delays (48% reduction in inspections)
    • Reduction in transit time (29%)
    • Reduction in problem identification time (30%)
    • Higher customer satisfaction (26%)

    30/38

    Security, like Digital Technology, must be Integrated in Bus Plan

    • Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.

    PricewaterhouseCoopers Sept 2006

    31/38

    So, how do we do that?

    • We have a changing technology environment
    • We have a changing business model
    • We have a constantly changing legal and regulatory environment

    Business must take the lead

    32/38

    Characteristics of Effective Security Governance

    1. Security is an Enterprise Wide Issue
       Horizontally, vertically and cross functionally throughout the org.

    2. Leaders are Accountable
       To the org., stakeholders and the community (it's a shared resource)

    3. Viewed as a Business Requirement
       Aligned w/organizational strategic goals; business units don't decide how much security they want

    33/38

    Effective Security Governance

    4. Risk Based
       How much is based on tolerance for exposure: compliance, liability, operational disruptions, financial or reputation

    5. Roles and Responsibilities Defined
       Clear lines of delineation as to who does what and reports to whom

    6. Addressed and Enforced in Policy
       Rewards and recognition included

    34/38

    Effective Security Governance

    7. Adequate Resources are Committed
       Including authority and time to build and maintain core competencies

    8. Staff Aware and Trained
       Reflected in job descriptions and expected as cultural norm

    9. A Developmental Life Cycle
       System software development, acquisitions, operations and retirement

    35/38

    Effective Security Governance

    10. Planned, Managed, Measured
        Clear objectives measured w/results integrated into future plans

    11. Reviewed and Audited
        Board audit and risk committees conduct regular reviews and integrate digitalization into business plan---both positive and negative

    36/38

    Cyber Security is NOT an IT problem

    • Issues must be addressed simultaneously from the:
      • Legal
      • Business
      • Technology
      • Policy
      perspectives

    [Diagram: the Problem / Issue at the centre, surrounded by the Bus/Operational, Legal/Reg, Tech/R&D and Policy perspectives]

    37/38

    ISAlliance Integrated Business Security Program

    • Outsourcing
    • Risk Management
    • Security Breach Notification
    • Privacy
    • Insider Threats
    • Auditing
    • Contractual Relationships (suppliers, partners, sub-contractors, customers)

    38/38

    Larry Clinton
    President
    Internet Security Alliance
    [email protected]
    703 907 7028 (O) 202 236 0001 (C)