Global Information Security · 3 Security & Risk Management zIT Security is evolving into holistic...

1

Global Information Security& IT Security Personnel Development in

USA – trend and hurdles

2007/11/14

Prof. Howard A. Schmidt(ISC)2 Security Strategist

Former US White House Cyber Security Advisor

2

Security & Risk Management

Security spend as a whole, as a percent of IT budgets, may be leveling off but because (i) targeted, financially motivated attacks continue to rise; (ii) attacks are moving up the application stack; and (iii) new technology waves keep on coming -- there are still numerous emerging threat vectors which require increased spending in certain security sub-segments.

3

Security & Risk ManagementIT Security is evolving into holistic risk management within organizationsExternal, perimeter facing defenses are losing investment to internal, application and data-focused defenses and services based approachesRegulatory compliance is as a driver of security initiatives and here to stayNew products/protocols create new vectors (Wifi, bluetooth, RFID, VoIP, Virtualization, Remote Worker)Attacks becoming more organized, targeted and financially driven (phishing, pharming, key logging, man-in-the-middle, identity theft, botnets, data theft)Certain sub-segments of security are becoming commoditized, operationalized and embedded into existing O/S, apps, network, chips, etc. (with entrance of large players such as Microsoft, Cisco, IBM, Intel, EMC, Google, HP, Oracle)Consolidation of vendors will continue in the security space (convergence and integration of functionality, products, etc.)

4

Last 12 Months in ReviewMajor Events

Infrastructure providers expand into the IT security arenaIBM’s $1.1B acquisition of ISS in Aug-06 (Watchfire, Consul)Cisco’s $830M acquisition of Ironport in Jan-07 (Reactivity)Google’s $625M acquisition of Postini in Jul-07 (Greenborder)

Pure play security vendors augment and enhance differentiationEMC’s $2.1B acquisition of RSA in Jun-06 (Verid, Tablus)Check Point’s $625M acquisition of Pointsec Mobile Tech’sWebsense – PortAuthority & SurfControl; Secure Computing - CipherTrust; Verisign - Geotrust; McAfee - SafeBoot

Windows Vista releaseKernel access; security “enhancements”; inevitable vulnerabilities

Identity theft and data loss became even more of a public issueVA loses personal data of 26M vets / TJX loses 45.6M credit card #’s

PCI, FFIEC, GLBA, HIPAA, CA SB1386 continue to evolve at a rapid paceRootkits emerged as a serious threatVirtualization and infrastructure consolidation emerge as major trendData retention policies and litigation drive e-Discovery demand

5

Last 12 Months in ReviewCompliance Still Driving Security Spend

Compliance is now becoming a key tool for enterprises to evolve a broader view of their infrastructure, processes, and operations. According to the IT Policy and Compliance benchmark report in 2006, firms spend about 7-10% of overall IT budgets on compliance-related security spending. Regulatory compliance continues to be the top driver of IT security investments in 2007

Causes of Compliance DeficienciesTop Driver of IT Security Investment

6

Emerging ThreatsRecent Surveys

IT Security spend remains between 4 – 6% of IT budgetsMerrill Lynch CISO survey – 62% of CISO’s expect increased IT security spending in 2007, 34% flat and 4% decrease

7

Emerging ThreatsData Breach / Insider Threat

Insiders represent the biggest threat to confidential dataAccording to Gartner, insider threats are responsible for about 70% of security breaches. A majority of these breaches are unintentional in nature.

According to a study done by the Ponemon Institute, each data breach costs more than $182 per record – an average of $4.8 million per breach.According to a study done by the IT Policy Compliance Institute, about 20% of organizations suffer from 22 or more sensitive data losses annually.

Cause of Data Loss

8

WiFi is Pervasive

Laptops

Mobile Phones

Hot SpotsOther “computing” devices

Home Networks

WiFi is everywhere!

9

Wireless Security Policy Elements

Access controlemployees/guests/outsiders

Ban rogue APsemployee/outsider installed

Wireless Policy Can Compromise Wired Policy

Encrypt wireless traffic

Protect mobile userson & off campus

Prevent employee access to external & ad-hoc networks

10

Wireless Security Policy Elements

At home – require WPA encryption on home APs. Traveling - restrict usage to a limited set of identified wireless ISPs. Require VPN connection in all cases.

In various locations (home, airports, hotels) – what connections are allowed, what security is required?

Mobile users/usage

Not allowed.Are employees allowed to use WLANs from neighboring companies/homes, hot spots, muni WiFi, etc.?

Accessing external wireless networks

Not allowed.APs installed by someone (employee, consultant, hacker) other than Corporate IT dept

Rogue APs

No outsider access. Guests/etc –provide password login to isolated VLAN with public Internet access.

Outsiders include guests/visitors, contractors, vendors/suppliers

Wireless access control

Policy/Recommendation

DetailsElement

You must enforce and monitor these policieswhether or not you have deployed wireless.

11

Diagram of an attackHacker finds wireless access, e.g.

Open APsRogue APsWEP encrypted APsAd-Hoc connections on Laptops

Or Hacker creates a wireless trapHoneypot AP, lures Users to attach

Hacker sniffs User IDs and Passwords

Hacker uses User IDs and Passwords to access systems on wired networkHacker uses system access to install malicious software

Capture payment card (& other) data, communicate data

12

Wireless Security in Retail

Wireless = the easiest attack vector for criminals to steal credit card data from retailers

No need to break & enter, No physical presence/risk,Simply sit in the building across the street and steal to your heart’s content

13

Wireless Security in Retail

Wireless creates three groups of attacks/threats:

Simply reading payment card transactions that are flying through the air (on a wireless link)

Most common threat perception, but smallest risk

Using wireless to gain access to the network & attacking the servers –bypassing the firewalls

The TJ Maxx example

Insiders (being paid by the bad guys) using wireless to send information out

Take a file of credit account information, log onto the neighbor’s wireless, use Hotmail to send the info to a “friend”Not yet publicly documented, but easy to envision

14

What is peer-to-peer file sharing?

15

Over 900 million searches a day – larger than Google

Over 15 billion files on Limewire alone

Over 450 million copies of filesharingsoftware

Over 20 million unique users a day

Over 65% of internet bandwidth

The WW P2P is large and rapidly growing

16

WW P2P user captured searches related to credit card

2006 credit card numbers2007 batch of credit cards2007 credit card numbersa&l credit cardaa credit card applicationabbey credit cardsabbey national credit cardad credit card authorizationapril credit card informationathens mba credit card paymentatw 4m credit card applicationaustins credit card infoauth card creditauthorization credit cardauthorization for credit cardauthorize net credit cardbank and credit card informatibank credit cardbank credit card informationbank credits cards passwordsbank numbers on credit cardsbank of america credit cardsbank of scotland credit cardbank staffs credit cards onlybarnabys credit card personalbibby chase credit cardbobs credit cardbonnie credit cardboost mobile credit card

card auth creditcard creditcard credit numberscarl credit cardcash credit card checkscathys visa credit card go onchase credit cardchase credit card infochase freedom credit cardcibc credit card vinceciti credit cardcompany credit cardsconfidential credit card appcorperate credit card logcredit and debit cardcredit card & online bankingcredit card acc numbers loginscredit card acct numberscredit card activitycredit card addresses phonecredit card agreementcredit card albert collinscredit card and personalcredit card ap infocredit card app pdfcredit card applicationcredit card approvedcredit card approvelcredit card aurthorization

credit card authcredit card auth ctvcredit card auth formcredit card auth form custcredit card authorisationcredit card authorisation julycredit card authorizationcredit card bank infocredit card bank numberscredit card batchescredit card billscredit card charge ctm costacredit card charge requestcredit card comm sept privatecredit card confirmationscredit card debitcredit card gateway ubccredit card holders listcredit card info on letterheadcredit card information hotelcredit card listcredit card logcredit card mastercard visacredit card merch copy srcredit card merchantcredit card merchant infocredit card names and numberscredit card number socialcredit card numbers and merchacredit card numbers personal

dads bank info credit carddavids credit card numbersdawns credit cardscredit card payment doccredit card payment recieptcredit card pin numberscredit card processingcredit card recieptscredit card statementscredit card statuscredit card stmtcredit card tan cust copy srcredit card tan merch copycredit card transactionscredit card visacredit card website accesscredit card wells fargo billcredit card with acccredit card with cv2 numberscredit cards banking onlinecredit cards merchant numberscredit cards numbers visacredit cards social securitycredit cards statement fo maycredit cards valids to visa cccredits cards passwords paypald&b credit card info

17

WW P2P user captured searches related to medicalcare office nbc healthmedicine mental health crc ofhospital recordsmental hospitalshospitalhospital letterheadhospital recordsniagara hospitalamerican medicalconnolly medical ups prostatedata entry medical billing faxdear medical insurance mydenial of medical insurancehendee w r medical imagingisilo medicalmedicalmedical claimsmedical exammedical historymedical passwordsmedical permissionmedical records certificationmedical releasemedical secretary cover lettermedicine medical passwordsauthorization for medicalauthorization for medical of cauthorization for medical of jauthorizationform medicalbasic medical formsbasic medical laboratory technbenny medical jack insurancebilling medical

billy connolly medical checkupbilly connoly medical checkcanada medical testcanadian medicalcanadian medical associationcanadian medical lawcaulfield general medicalcbt6 citc1 medical expensescertficat medicalcerticat medicalcertifica medicalcertificat medicalcharlee medical costscharlee medical costs on thechild medical examchild medical examschild medical release formcigna medical drcigna medical drsclassified medical recordscomplete medical examcomprehensive medicalcompudoc medicalcomputerize medicalcomputerize medical billing tucomputers in the medical officomputers medical doctorsconnelly medical check billyconnelly medical upsbilling medical august

dear medical assurance mydear medical insurance mydear medical my assurancedenial of medical insurancedental medical cross codingdetective medicaldigital files medical transdistributeur medicaldoctor - medical checkupdoctor fake medical by examdoctor medical examDoctors medical billingdoctors office medical examdoctors order medical doctordoctors orders medicaldoug medical billdoug stanhope medical pmsedimis medical software 3.9electronic medicalelectronic medical recordelectronic medical record osxelectronic medical record.pdfelectronic medical recordselectronic medical systemselectronics & bio medicalemt medical softwareforms medicalforms medical liability formforms medical officege medicalge medical syatemsmedical coding and billingmedical coding exam

letter for medical billsletter for medical bills drletter for medical bills etmcletter re medical bills 10thltr client medical reportltr hjh rosimah medicalltr medical body4lifeltr medical maternity portlandltr medical misc portlandltr orange medical head centerltr to valley medicallytec medical billingmedical investigationmedical journals passwordmedical .txtmedical abuce recordsmedical abusemedical abuse recordsmedical algoritmsmedical authorizationmedical authorization formmedical autorizationmedical benefitsmedical benefits plan chartmedical biliingmedical bilingmedical billmedical biller resumemedical billig softwaremedical billingmedical billing windows

18

How often are fraud / ID theft terms searched?

Source: Tiversa search monitoring for period Aug 16 – Aug 29, 2007

* Visa, Mastercard, Amex, Discover

• Credit Cards with cv2 numbers• April credit card information• Bank of America credit cards

• Credit reports• Credit score• Credit report barbara

• Citibank mastercard richard• Hacked visa credit cards• Discover card id number

19



* Quicken, Quickbooks

• Tax return irs & state checks• Tax returns efile doc• Lewis tax return

• Online account• Rapidshare premium accounts• Paypal account

• Quicken accounting• Quickbooks point of sale• Quickbooks crack

20



• cbt6 citc1 medical expenses• dear medical insurance my• hendee w r medical imaging

• Usernames passwords to bank• Online passwords• Passwords txt

• Equifax consumerdec• Annualcreditreport experian• Dougs credit report equifax in

* Equifax, Experian, Transunion

21

File Concentrators collect files from these searches…

File Concentrators collect & ‘concentrate’files of value

File Concentrators exhibit “suspicious intent”

Tiversa observes thousands of such individuals on the WW P2P

This Example: 92 separate files held by one individual

Citibank-Chicago.docCitibank.docCorporate - Amex Basic Corp Card Application.docCorporate - Amex Basic Corp Card Application2.docCredit card Wells fargo-06-04-05.docDatos para recibir transferencia CITI.docJP Chase Bank.docLa cancelacion de la tarjeta de Citibank Gold Card.docMorgan Stanley Job details.docMorgan Stanley on line account info.docN de Comercio American Express.docCitibank Evento 04.11.05.docNATV Paypal dispude BOA.docPNC Bank fax for home equity 1-10-03.docPNC Hamilton Passes Away 082003.docCitibank letter 2.docSENHAS DE E-MAIL boa.docState Farm Password.docStatus on delta amex.docSUBPOENA credit card.docTARJETA AMEX DE VT.docUnited Healthcare Login Information.docWachovia Bank online user id and passwords.docWells Fargo account.docWells Fargo Bank Arizona.docCITIBANK FONT.doc

Amex - Issueing Paperwork.xlsAmex Bank of Canada.docAMEX Buss Gold Card.xlsAMEX card Payment 2.docAMEX card Payment 3 in full.docAmex Card-decoded.docAmex information.docAmex Payment for May.docAMEX Position.docamex.docBank of America.docBANK OF AMERICA (1).docbank of america 2.docbank of america 6 14 04.docbank of america debi.docBank of America passwords.docwells fargo online agreement.docBank of America Stadium.docBank of America Visa card Authorization (Helen).docBANK OF AMERICA-b.docbank of america.docBank of America_82505..docBills (BofA Credit Card).docwellsfargo brokers first id and password.docCitibank (1).docCitibank (2).doccitibank (3).docCitibank Business card (1).docCitibank credit card payment confirmation.docCitibank Credit Card.doc

File Concentrator FilesBarclays Capital and JP Morgan Chase.docJP Morgan CorpFin WEST.docJP Morgan Fleming Educational Trust.docSERVICING AGREEMENT - JP Morgan _ Mexico_#977047_vDOC.DOCJP Morgan - Cebu Outsourcing & Security Assessment - Draft2.docJP MOrgan Contents_112105.docPropose Client rates.JP Morgan Chase.docEXPRESS ABSTRACT INVOICE(CHASE).docJP Morgan Chase Bank Paris - Finance.docCOST COMPARISON between Verus & JP Morgan Chase.docJP Morgan Chase Notes.docJP Morgan Annual Disclosure Statements June 27.docSystems Impact Document for Cardnet JP Morgan Chase EDIFACT .docNetVoice_JP Morgan.docauthorization JP Morgan.docChase accounts.docChase Credit Card Dispute.docChase credit card problem.docChase Manhattan Mortgage Corporation.docCHASE MASTER CARD LEDGER.xlsCHASE PASSWORD AND ID.docChase visa 4253.docchase-credit.docCHASE-PROGRAMA(1).xlsSwap Confidentiality revised JPMorgan Chase Bank.doc092105 BOA Credit Card Payment.doc6 02 03 bank of america.docAMERICAN EXPRESS CREDIT CARD.docAmerican Express Credit Cards 28.05.04.docAmerican Express for the Long Run By Matt Richey.docAmerican Express Password.docAMERICAN EXPRESS.doc

Citibank-Chicago.docCitibank.docCorporate - Amex Basic Corp Card Application.docCorporate - Amex Basic Corp Card Application2.docCredit card Wells fargo-06-04-05.docDatos para recibir transferencia CITI.docJP Chase Bank.docLa cancelacion de la tarjeta de Citibank Gold Card.docMorgan Stanley Job details.docMorgan Stanley on line account info.docN de Comercio American Express.docCitibank Evento 04.11.05.docNATV Paypal dispude BOA.docPNC Bank fax for home equity 1-10-03.docPNC Hamilton Passes Away 082003.docCitibank letter 2.docSENHAS DE E-MAIL boa.docState Farm Password.docStatus on delta amex.docSUBPOENA credit card.docTARJETA AMEX DE VT.docUnited Healthcare Login Information.docWachovia Bank online user id and passwords.docWells Fargo account.docWells Fargo Bank Arizona.docCITIBANK FONT.doc

Amex - Issueing Paperwork.xlsAmex Bank of Canada.docAMEX Buss Gold Card.xlsAMEX card Payment 2.docAMEX card Payment 3 in full.docAmex Card-decoded.docAmex information.docAmex Payment for May.docAMEX Position.docamex.docBank of America.docBANK OF AMERICA (1).docbank of america 2.docbank of america 6 14 04.docbank of america debi.docBank of America passwords.docwells fargo online agreement.docBank of America Stadium.docBank of America Visa card Authorization (Helen).docBANK OF AMERICA-b.docbank of america.docBank of America_82505..docBills (BofA Credit Card).docwellsfargo brokers first id and password.docCitibank (1).docCitibank (2).doccitibank (3).docCitibank Business card (1).docCitibank credit card payment confirmation.docCitibank Credit Card.doc

File Concentrator FilesBarclays Capital and JP Morgan Chase.docJP Morgan CorpFin WEST.docJP Morgan Fleming Educational Trust.docSERVICING AGREEMENT - JP Morgan _ Mexico_#977047_vDOC.DOCJP Morgan - Cebu Outsourcing & Security Assessment - Draft2.docJP MOrgan Contents_112105.docPropose Client rates.JP Morgan Chase.docEXPRESS ABSTRACT INVOICE(CHASE).docJP Morgan Chase Bank Paris - Finance.docCOST COMPARISON between Verus & JP Morgan Chase.docJP Morgan Chase Notes.docJP Morgan Annual Disclosure Statements June 27.docSystems Impact Document for Cardnet JP Morgan Chase EDIFACT .docNetVoice_JP Morgan.docauthorization JP Morgan.docChase accounts.docChase Credit Card Dispute.docChase credit card problem.docChase Manhattan Mortgage Corporation.docCHASE MASTER CARD LEDGER.xlsCHASE PASSWORD AND ID.docChase visa 4253.docchase-credit.docCHASE-PROGRAMA(1).xlsSwap Confidentiality revised JPMorgan Chase Bank.doc092105 BOA Credit Card Payment.doc6 02 03 bank of america.docAMERICAN EXPRESS CREDIT CARD.docAmerican Express Credit Cards 28.05.04.docAmerican Express for the Long Run By Matt Richey.docAmerican Express Password.docAMERICAN EXPRESS.doc

22

• Reston, VA

…share them…

File diffusion – Chase Credit Card Dispute.doc

• Cairo, Egypt• Cairo, Egypt

• Hayward, CA• Hayward, CA

• Valencia, Spain• Valencia, Spain

• Seoul, Republic of Korea

• Seoul, Republic of Korea

• Troy, MI• Troy, MI

• Charleston, WV• Charleston, WV

• Ljubljana, Slovenia• Ljubljana, Slovenia

• Birmingham, UK• Birmingham, UK

23

Application Security- Security is Not Quality!

Although a small (very small) number of security issues overlap with quality problems:

Both high quality and low quality software can have security issuesQuality is cumulative - 80-20 rule appliesSecurity is absolute - 20% of doors unlocked is not secureQuality problems are reported by end users, often with great detailsSecurity problems are found after the fact, often with little information to recreate

24

Development

Don’t focus on or understand

Security

Application Security Gap

Focus

• Functionality

• Usability

• Efficiency

• Time to Market

• Quality

Security

Don’t focus on or understand

application issues

RISKFocus

•Management of IT security risk

•Ensure integrity of business logic

•Tracking of IT activity

25

The application as designed.

The application as developed.

This is what your This is what your application is application is

designed to do.designed to do.

This is what your application was

supposed to do, but doesn’t!

Functionality bugs

This is what your application CAN do, but you’re not aware of.

Security flaws

The Result…

Software can be correct, even reliable, without being secure —

quality assurance alone does not ensure security

26

Security Department Structure

A slight increase in the percentage reporting into Exec management and a slight decrease in reporting into IT demonstrates the criticality of Info security in today’s environments

Security20%IT

29%

Finance1% Exec

Mgmt23%

Other20%

Ops7%

IS Professional Reports to…

Ultimate Accountability for Info Security…

Other8%

CRO2%

CTO6%

Board ofDirectors

6%

CIO29%

CEO19%

CISO13%

CSO11%

Compliance/legal2%

COO2%

CFO2%

Source: IDG 2006 Global Information Security Workforce Study

27

Information Security – Level of influence within Business Units & at Exec level

Influencehas/willslightly

decrease2%

Influencehas/will

significantlydecrease

1%

Influencehas/will

significantlyincrease

31%


increase37%

No change29%

In the past 12 months In the next 12 months

Influencehas/will

significantly decrease

2%

Influencehas/will

significantly increase

31%


increase40%

No change24%


decrease3%


28

Important Elements in Effectively Securing Infrastructure

37843865386638583852N

15%9%13%21%43%Management support of security policies

10%14%23%34%19%Users following security policy

9%10%40%22%19%Qualified security staff

18%45%14%15%8%Software solutions

48%22%10%9%11%Hardware solutions

Least Important

4th most important

3rd most important

2nd most important

Most Important

People including management are very important!!


29

Activities Identified as Consuming a Significant Portion of Security Professional’s Time

0% 25% 50%

Researching new technologies

Regulatory/compliance requirements

Implementing new technologies

Internal/political issues

Monitoring the network

Selling security to upper management

Inter-departmental activities/cooperation

Certification and accreditation (of info systems)

Managing information security staff

Gathering metrics to justify security spending

Patching systems

Remediating attacks and viruses

Physical security

Re-setting usernames or passwords

Other (specify)

Multiple responses allowed N = 3861

Not only technical but management aspects consuming their time!


30

Training for Information Security Professionals

Training willincrease

32%

Remain thesame53%

Training willdecrease

4%

Don't know11%

In 2007, training for information security professionals will…

If an increase is expected, the increase will be nearly 30%


31

Demand Areas for Training and Certification

0%

10%

20%

30%

40%

50%

60% Info security riskmanagement

Forensics

BC and DR planning

App/sys develsecurity

Securityadministration

Security mgmtpractices

Auditing

Access controlsys/methodology

Law, investigations,and ethics

ISO/IEC 17799

Top 10 responses displayed

N = 3763

Not one specific area but multiple knowledge/sill are required!!


32

Importance of Security Certifications

85% believe that security certifications are either somewhat important or very important when making hiring decisions for information security staff

Importance of Security Certifications when hiring security staff…

Somewhatunimportant

2%

Veryimportant

33%

Not at all2%Neither

11%

Somewhatimportant

52%

33% of respondents are responsible for making hiring decisions for Information security staff

Reasons to Hold Certifications…

Employee competence 67%Quality of work 59%Company policy 33%Regulatory requirement 27%Legal/due diligence 21%DoD Directive 8570.1 12%Other 5%

Mean = 4.13

N = 2653Source: IDG 2006 Global Information Security Workforce Study

33

Summary

IT security becoming integral part of the risk management and compliance of the organizationThreats becoming more complex and global

Wireless, ID Theft, Application securityInfluence of IT security has increased, and organization starts recognize “People” is the key!Not only technology but management aspects of knowledge and skills are required for IT security staff Education AND certification is considered very important to raise people and evaluate people

34

It's the People!

Global Information Security · 3 Security & Risk Management zIT Security is evolving into holistic...

Documents

Transcript of Global Information Security · 3 Security & Risk Management zIT Security is evolving into holistic...