Founders ISA Board of Directors J. Michael Hickey, 2nd Vice Chair - PowerPoint PPT Presentation

The Evolving Cyber Threat and what businesses can do about it Larry Clinton, President Direct 703/907-7028 lclinton@isalliance.org

Founders

ISA Board of Directors J. Michael Hickey, 2nd Vice Chair Ken Silva, Chairman VP Government Affairs, Verizon CSO Verisgn Dr. M. Sagar Vidyasagar, Treasurer Ty Sagalow, Esq. 1st Vice Chair Exec VP, Tata Consulting Services President Product Development, AIG • Angie Carfrae, VP Risk Management, Ceridian Corporation • Tim McKnight, CSO, Northrop Grumman • Jeff Brown, CISO/Director IT Infrastructure, Raytheon • Paul Smocer, SVP/CIO, Mellon Financial • Matt Broda, Chief Strategic Security, Nortel • Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers • Pradeep Khosla, Dean Carnegie Mellon School of Computer Sciences • Matt Flanagen, President, EIelctronic Industries Alliance

Our Partners

Industry Affairs/Government Relations

The Old Web

The Web Today Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

The Web is Inherently Insecure--- and getting more so • The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue … .TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.” Source: Hancock, Cutter Technology Journal 06

The Earlier Threat: Growth in vulnerabilities (CERT/cc) 4,500 4,129 4,000 3,500 3,000 2,437 2,500 2,000 1,090 1,500 1,000 417 345 500 311 262 171 0 1995 2002

The Earlier Threat: Cyber incidents 120000 110,000 100000 80000 55,100 60000 40000 21,756 20000 9,859 2,340 2,412 2,573 132 2,134 3,734 252 6 406 1,334 773 0 1992 1993 1994 1995 1996 1997 1988 1989 1990 1991 1998 1999 2000 2001 2002

The Changing Threat A fast-moving virus or worm pandemic is not the threat it was... • 2002-2004 almost 100 medium-to-high risk attacks (“Slammer”; “SoBig”). • 2005, there were only 6 • 2006 and 2007 ……… .. Zero

Faces of Attackers … Then Joseph McElroy Chen-Ing Hau Hacked US Dept of Energy CIH Virus Jeffrey Lee Parson Blaster-B Copycat

Faces of Attackers … Now Jay Echouafni Jeremy Jaynes Andrew Schwarmkoff Russian Mob Phisher Competitive DDoS $24M SPAM KING

The Changing Threat • Today, attackers perpetrate fraud , gather intelligence , or conduct blackmail • Vulnerabilities are on client-side applications word, spreadsheets, printers, etc. • “The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video- sharing, and other Web-based innovations” (McAfee 2007)

The Threat Landscape is Changing Early Attacks New Era Attacks Organized criminals, corporate Who : Kids, researchers, spies, disgruntled employees, hackers, isolated terrorists criminals Why : Seeking fame & glory, Seeking profits, revenge, use use widespread attacks for targeted stealth attacks to avoid maximum publicity detection Direct financial loss via theft and/or Risk Exposure : Downtime, embezzlement, breach disclosure, IP business disruption, compromised, business disruption, information loss, defacement infrastructure failure

The Threat Landscape is Changing Early Attacks New Era Attacks Defense : Reactive AV Multilayer pre-emptive and signatures behavioral systems Recovery : Scan & remove System wide, sometimes impossible without re-image of system Type : Virus, worm, spyware Targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, trojans, IW

Newer Threats • Designer malware: Malware designed for a specific target or small set of targets • Spear Phishing: Combines Phishing and social engineering • Ransomware: Malcode packs important files into encrypted archive & deletes original then ransom is demanded • RootKits: shielding technology to make malcode invisible to the op system

Characteristics of the New Attackers • Shift to profit motive • Zero day exploits • Increased investment and innovation in malcode • Increased use of stealth techniques

Digital Growth? Sure • “Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.” ---Stanford University Study, July 2006

Maybe Not Digital Defense? • 29% of Senior Executives “acknowledged” that they did not know how many negative security events they had in the past year • 50% of Senior Executives said they did not know how much money was lost due to attacks Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

Digital Defense Not So Much • 23% of CTOs did not know if cyber losses were covered by insurance. • 34% of CTOs thought cyber losses would be covered by insurance----and were wrong. • “The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.” ---Source: DHS Chief Economist Scott Borg

Incidents & Losses Average Number of Security Percentage That Experienced Incidents Per Participant Losses as a Result 136 140 100 120 80 100 86 63 60 56 55 80 40 60 40 28 25 34 40 20 20 0 0 2004 2005 2006 2004 2005 2006 financial operational ---Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

Percentage of Participants Who Experienced an Insider Incident 100 80 55 60 41 39 40 20 0 2004 2005 2006

Insider Incidents - 2006 Total (%) Insider (%) Outsider (%) Theft of IP 30 63 45 Theft of Proprietary Info. 36 56 49 Sabotage 33 49 41 Most common insider incidents in 2006 survey: • rogue wireless access points (72%), • theft of IP (64%), • exposure of sensitive or confidential information (56%) In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!

Economic Effects of Attacks • 25% of our wealth- --$3 trillion- --is transmitted over the Internet daily • FBI: Cyber crime cost business $26 billion (probably LOW estimate) • Financial Institutions are generally considered the safest---their losses were up 450% in the last year • There are more electronic financial transfers than paper checks now: Only 1% of cyber crooks are caught.

Cyber Attacks Effect Stock Price “Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.” Source: US Congressional Research Service 2004

Indirect Economic Effects “While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organizations trust relationships, harm to its reputation, and loss of economical and society confidence” Source Carnegie Mellon CyLab 2007

Can it be stopped ? Yes! PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types Approximately 25% of these companies follow recognized “best practices” for cyber security

Benefits of Best Practices • Reduces the number of successful attacks • Reduces the amount of down-time suffered from attacks • Reduces the amount of money lost from attacks • Reduces the motivation to comply with extortion threats Source:PricewatterhouseCoopers 2006

Senior Managers Best Practices • Cited in US National Draft Strategy to Protect Cyber Space • Endorsed by TechNet for CEO Security Initiative • Endorsed US India Business Council • Currently Being Updated

Available Best Practice Resources #1: General Management #2: Policy #3: Risk Management #4: Security Architecture & Design #5: User Issues #6: System & Network Management #7: Authentication & Authorization #8: Monitor & Audit #9: Physical Security #10: Continuity Planning & Disaster Recovery

Best Practices for Insider Threat Prevention & Mitigation #1: Institute periodic enterprise-wide risk assessments. #2: Institute periodic security awareness training for all employees. #3: Enforce separation of duties and least privilege. #4: Implement strict password and account management policies and practices. #5: Log, monitor, and audit employee online actions. #6: Use extra caution with system administrators and privileged users. #7: Actively defend against malicious code. #8: Use layered defense against remote attacks.