Founders ISA Board of Directors J. Michael Hickey, 2nd Vice Chair - - PowerPoint PPT Presentation



SLIDE 1

The Evolving Cyber Threat

and what businesses can do about it

Larry Clinton, President

Direct 703/907-7028 lclinton@isalliance.org

SLIDE 2

Founders

SLIDE 3

ISA Board of Directors

  • Ken Silva, Chairman; CSO, Verisign
  • Ty Sagalow, Esq., 1st Vice Chair; President Product Development, AIG
  • Angie Carfrae, VP Risk Management, Ceridian Corporation
  • Tim McKnight, CSO, Northrop Grumman
  • Jeff Brown, CISO/Director IT Infrastructure, Raytheon
  • Paul Smocer, SVP/CIO, Mellon Financial
  • Matt Broda, Chief Strategic Security, Nortel
  • Marc-Anthony Signorino, Director Technology Policy, National Association of Manufacturers
  • Pradeep Khosla, Dean, Carnegie Mellon School of Computer Sciences
  • Matt Flanagen, President, Electronic Industries Alliance
  • J. Michael Hickey, 2nd Vice Chair; VP Government Affairs, Verizon
  • Dr. M. Sagar Vidyasagar, Treasurer; Exec VP, Tata Consulting Services

SLIDE 4

Our Partners

SLIDE 5

Industry Affairs/Government Relations

SLIDE 6

The Old Web

SLIDE 7

The Web Today

Source: http://cm.bell-labs.com/who/ches/map/gallery/index.html

SLIDE 8

The Web is Inherently Insecure---and getting more so

“The problems we see in cyber security are about to get much worse because we continue to deploy base technologies that were developed 30 years ago when security was not an issue…. TCP/IP was not designed to control power grids, financial networks and critical infrastructure. It will be used in future networks (particularly wireless) but it lacks the basic security controls to properly protect the network.”

Source: Hancock, Cutter Technology Journal 06

SLIDE 9

The Earlier Threat: Growth in vulnerabilities (CERT/cc)

| Year | Vulnerabilities reported |
|---|---|
| 1995 | 171 |
| 1996 | 345 |
| 1997 | 311 |
| 1998 | 262 |
| 1999 | 417 |
| 2000 | 1,090 |
| 2001 | 2,437 |
| 2002 | 4,129 |

SLIDE 10

The Earlier Threat: Cyber incidents

| Year | Incidents |
|---|---|
| 1988 | 6 |
| 1989 | 132 |
| 1990 | 252 |
| 1991 | 406 |
| 1992 | 773 |
| 1993 | 1,334 |
| 1994 | 2,340 |
| 1995 | 2,412 |
| 1996 | 2,573 |
| 1997 | 2,134 |
| 1998 | 3,734 |
| 1999 | 9,859 |
| 2000 | 21,756 |
| 2001 | 55,100 |
| 2002 | 110,000 |

SLIDE 11

The Changing Threat

A fast-moving virus or worm pandemic is not the threat it was...

  • 2002-2004: almost 100 medium-to-high risk attacks (“Slammer”; “SoBig”).
  • 2005: there were only 6
  • 2006 and 2007: zero

SLIDE 12

Faces of Attackers… Then

  • Chen-Ing Hau: CIH Virus
  • Joseph McElroy: Hacked US Dept of Energy
  • Jeffrey Lee Parson: Blaster-B Copycat

SLIDE 13

Faces of Attackers… Now

  • Andrew Schwarmkoff: Russian Mob Phisher
  • Jay Echouafni: Competitive DDoS
  • Jeremy Jaynes: $24M SPAM KING

SLIDE 14

The Changing Threat

  • Today, attackers perpetrate fraud, gather intelligence, or conduct blackmail
  • Vulnerabilities are on client-side applications: Word, spreadsheets, printers, etc.
  • “The future threat landscape around the world will be dictated by the soon-to-be-released Apple iPhone, Internet telephony and Internet video-sharing, and other Web-based innovations” (McAfee 2007)

SLIDE 15

The Threat Landscape is Changing

| | Early Attacks | New Era Attacks |
|---|---|---|
| Who | Kids, researchers, hackers, isolated criminals | Organized criminals, corporate spies, disgruntled employees, terrorists |
| Why | Seeking fame & glory, use widespread attacks for maximum publicity | Seeking profits, revenge, use targeted stealth attacks to avoid detection |
| Risk Exposure | Downtime, business disruption, information loss, defacement | Direct financial loss via theft and/or embezzlement, breach disclosure, IP compromised, business disruption, infrastructure failure |

SLIDE 16

The Threat Landscape is Changing

| | Early Attacks | New Era Attacks |
|---|---|---|
| Defense | Reactive AV signatures | Multilayer pre-emptive and behavioral systems |
| Recovery | Scan & remove | System wide, sometimes impossible without re-image of system |
| Type | Virus, worm, spyware | Targeted malware, root kits, spear phishing, ransomware, denial of service, back door taps, trojans, IW |

SLIDE 17

Newer Threats

  • Designer malware: malware designed for a specific target or small set of targets
  • Spear Phishing: combines phishing and social engineering
  • Ransomware: malcode packs important files into an encrypted archive & deletes the original, then a ransom is demanded
  • RootKits: shielding technology to make malcode invisible to the operating system

SLIDE 18

Characteristics of the New Attackers

  • Shift to profit motive
  • Zero day exploits
  • Increased investment and innovation in malcode
  • Increased use of stealth techniques

SLIDE 19

Digital Growth?

“Companies have built into their business models the efficiencies of digital technologies such as real time tracking of supply lines, inventory management and on-line commerce. The continued expansion of the digital lifestyle is already built into almost every company’s assumptions for growth.”

--Stanford University Study, July 2006

Sure

SLIDE 20

Digital Defense?

  • 29% of Senior Executives “acknowledged” that they did not know how many negative security events they had in the past year
  • 50% of Senior Executives said they did not know how much money was lost due to attacks

Maybe Not

Source: PricewaterhouseCoopers survey of 7,000 companies 9/06

SLIDE 21

Digital Defense

  • 23% of CTOs did not know if cyber losses were covered by insurance.
  • 34% of CTOs thought cyber losses would be covered by insurance----and were wrong.
  • “The biggest network vulnerability in American corporations are extra connections added for senior executives without proper security.” --Source: DHS Chief Economist Scott Borg

Not So Much

SLIDE 22

Incidents & Losses

Average Number of Security Incidents Per Participant:

| Year | Average incidents |
|---|---|
| 2004 | 136 |
| 2005 | 86 |
| 2006 | 34 |

Percentage That Experienced Losses as a Result:

| Year | Financial (%) | Operational (%) |
|---|---|---|
| 2004 | 25 | 56 |
| 2005 | 28 | 55 |
| 2006 | 40 | 63 |

--Source: 2006 eCrime Survey, conducted by U.S. Secret Service, CSO Magazine, CERT/cc (CMU)

SLIDE 23

Percentage of Participants Who Experienced an Insider Incident

| Year | Participants (%) |
|---|---|
| 2004 | 41 |
| 2005 | 39 |
| 2006 | 55 |

SLIDE 24

Insider Incidents - 2006

In 2006 insiders committed more theft of IP & proprietary information and sabotage than outsiders!

| Incident | Total (%) | Insider (%) | Outsider (%) |
|---|---|---|---|
| Theft of IP | 30 | 63 | 45 |
| Theft of Proprietary Info. | 36 | 56 | 49 |
| Sabotage | 33 | 49 | 41 |

Most common insider incidents in 2006 survey:

  • rogue wireless access points (72%),
  • theft of IP (64%),
  • exposure of sensitive or confidential information (56%)

SLIDE 25

Economic Effects of Attacks

  • 25% of our wealth---$3 trillion---is transmitted over the Internet daily
  • FBI: Cyber crime cost business $26 billion (probably LOW estimate)
  • Financial Institutions are generally considered the safest---their losses were up 450% in the last year
  • There are more electronic financial transfers than paper checks now: Only 1% of cyber crooks are caught.

SLIDE 26

Cyber Attacks Affect Stock Price

“Investigations into the stock price impact of cyber attacks show that identified target firms suffer losses of one to five percent in the days after an attack. For the average NYSE corporation, price drops of these magnitudes translate into shareholder losses between $50 and $200 million.”

Source: US Congressional Research Service 2004

SLIDE 27

Indirect Economic Effects

“While the tangible effects of a security incident can be measured in terms of lost productivity and staff time to recover and restore systems, the intangible effects can be of an order of magnitude larger. Intangible effects include the impact on an organization’s trust relationships, harm to its reputation, and loss of economical and society confidence”

Source: Carnegie Mellon CyLab 2007

SLIDE 28

Can it be stopped? Yes!

PricewaterhouseCoopers conducted 2 International surveys (2004 & 2006) covering 15,000 corporations of all types

Approximately 25% of these companies follow recognized “best practices” for cyber security

SLIDE 29

Benefits of Best Practices

  • Reduces the number of successful attacks
  • Reduces the amount of down-time suffered from attacks
  • Reduces the amount of money lost from attacks
  • Reduces the motivation to comply with extortion threats

Source: PricewaterhouseCoopers 2006

SLIDE 30

Senior Managers Best Practices

  • Cited in US National Draft Strategy to Protect Cyber Space
  • Endorsed by TechNet for CEO Security Initiative
  • Endorsed by US India Business Council
  • Currently Being Updated

SLIDE 31

Available Best Practice Resources

  • #1: General Management
  • #2: Policy
  • #3: Risk Management
  • #4: Security Architecture & Design
  • #5: User Issues
  • #6: System & Network Management
  • #7: Authentication & Authorization
  • #8: Monitor & Audit
  • #9: Physical Security
  • #10: Continuity Planning & Disaster Recovery

SLIDE 32

Best Practices for Insider Threat Prevention & Mitigation

  • #1: Institute periodic enterprise-wide risk assessments.
  • #2: Institute periodic security awareness training for all employees.
  • #3: Enforce separation of duties and least privilege.
  • #4: Implement strict password and account management policies and practices.
  • #5: Log, monitor, and audit employee online actions.
  • #6: Use extra caution with system administrators and privileged users.
  • #7: Actively defend against malicious code.
  • #8: Use layered defense against remote attacks.

SLIDE 33

Best Practices for Insider Threat Prevention & Mitigation

  • #9: Monitor and respond to suspicious or disruptive behavior.
  • #10: Deactivate computer access following termination.
  • #11: Collect and save data for use in investigations.
  • #12: Implement secure backup and recovery processes.
  • #13: Clearly document threat controls.
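Practices #4, #5, #6 and #10 above can be turned into a concrete audit. The following is an added example, not ISA or CERT material: it assumes a constructed HR roster, constructed login log lines in an invented one-line format, and an assumed business-hours window, and flags logins by accounts not in the roster, logins on or after an account's termination date, and privileged-account logins outside the window.

```python
"""Audit constructed login records against an HR roster (added example)."""
from datetime import datetime, date, time
import re

# Constructed HR roster: account -> (termination date or None, privileged?)
ROSTER = {
    "jdoe": (date(2006, 3, 1), False),   # terminated 2006-03-01
    "asmith": (None, True),              # active system administrator
    "bjones": (None, False),             # active regular user
}

# Constructed log lines in an assumed format: timestamp, event, user, host, result
LOG_LINES = [
    "2006-02-27T09:05:00 LOGIN user=jdoe host=fileserver result=success",
    "2006-03-02T08:15:00 LOGIN user=jdoe host=fileserver result=success",
    "2006-03-02T03:40:00 LOGIN user=asmith host=dc01 result=success",
    "2006-03-02T10:00:00 LOGIN user=bjones host=mail result=success",
    "2006-03-02T11:00:00 LOGIN user=ghost host=mail result=success",
]

LINE_RE = re.compile(r"^(\S+) LOGIN user=(\S+) host=(\S+) result=(\S+)$")
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window


def audit(lines, roster):
    """Return findings as (rule, user, host, timestamp) tuples."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped, not silently trusted
        ts, user, host, result = m.groups()
        when = datetime.fromisoformat(ts)
        if user not in roster:
            # Practice #4: an account nobody in HR knows about
            findings.append(("unknown-account", user, host, ts))
            continue
        term, privileged = roster[user]
        if result == "success" and term and when.date() >= term:
            # Practice #10: access should have been deactivated at termination
            findings.append(("post-termination-login", user, host, ts))
        if privileged and not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            # Practice #6: privileged use outside the expected window gets reviewed
            findings.append(("privileged-off-hours", user, host, ts))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES, ROSTER):
        print(*finding)
```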

SLIDE 34

Best Practices Model Contracts

Volume I: Model Contract Clauses for Information Security Standards. This new book provides guidance on the contracting side of implementing prevailing international information security standards, notably ISO 17799, BS 7799 and ISO 27001.

Volume II: published June 2007 with ANSI, gives greater emphasis to standards-based information security controls. (www.isalliance.org)

SLIDE 35

Why Doesn’t Everyone Comply with Established Best Practices?

“Many organizations have found it difficult to provide a business case to justify security investments and are reluctant to invest beyond the minimum. One of the main reasons for this reluctance is that companies have been largely focused on direct expenses related to security and not the collateral benefits that can be realized”

--Stanford University ‘06

SLIDE 36

Management is WRONG

A Stanford Global Supply Chain Management Forum Study clearly demonstrated that investments in security can provide business value and significant ROI through:

  • Improved Product Safety (38%)
  • Improved Inventory management (14%)
  • Increase in timeliness of shipping info (30%)

SLIDE 37

Security ROI

  • Increase in supply chain information access (50%)
  • Improved product handling (43%)
  • Reduction in cargo delays (48% reduction in inspections)
  • Reduction in transit time (29%)
  • Reduction in problem identification time (30%)
  • Higher customer satisfaction (26%)

SLIDE 38

Security, like Digital Technology, must be Integrated in the Business Plan

“Security is still viewed as a cost, not as something that could add strategic value and translate into revenue and savings. But if one digs into the results there is evidence that aligning security with enterprise business strategy reduces the number of successful attacks and financial losses as well as creates value as part of the business plan.”

PricewaterhouseCoopers, September 2006

SLIDE 39

How do we do that?

  • We have a changing technology environment
  • We have a changing business model
  • We have a constantly changing legal and regulatory environment

Business must take the lead.

SLIDE 40

ISA/CMU: Elements of Effective Security Governance

  • Security is an enterprise wide issue horizontally, vertically and cross functionally throughout the organization
  • Leaders are Accountable to the organization, stakeholders and the community (it’s a shared resource/responsibility)
  • Security must be viewed as a business requirement and aligned with organizational strategic goals; business units don’t decide how much security they want

SLIDE 41

ISA/CMU: Elements of Effective Security Governance

  • Assess security based on risk - not tolerance to exposure, compliance, liability, operational disruptions, financial needs or reputation
  • Define security roles and responsibilities – draw clear lines of delineation as to who does what and reports to whom
  • Address and enforce security in policy – include rewards and recognition

SLIDE 42

ISA/CMU: Elements of Effective Security Governance

  • Commit adequate security resources including authority and time to build and maintain core competencies
  • Expected staff awareness and training is reflected in job descriptions and expressed as a cultural norm
  • Implement a life cycle system for software development, acquisitions, operations and retirement

SLIDE 43

ISA/CMU: Elements of Effective Security Governance

  • Plan, define and manage clear security objectives – measure results and integrate lessons learned into future plans
  • Risk committee conducts regular reviews and integrates digitalization into business plan---both positive and negative; Board Reviews and Audits

SLIDE 44

Cyber Security is NOT an IT Problem

Issues must simultaneously address all organization perspectives including:

  • Business
  • Policy
  • Legal
  • Technology

(Diagram labels: PROBLEM / ISSUE; BUS/OPERATIONAL; LEGAL/REG; TECH/R&D; POLICY)

SLIDE 45

ISAlliance

Integrated Business Security Program

  • Outsourcing
  • Risk Management
  • Security Breach Notification
  • Privacy
  • Insider Threats
  • Auditing
  • Contractual Relationships (suppliers, partners, sub-contractors, customers)

SLIDE 46

Weekly Webinar Series

SLIDE 47

Sample of Recent Webinars

  • On Privacy and Compliance with Application to Healthcare: Anupam Datta, CyLab Research Scientist, CMU
  • Psychological Profiling Software to Aid in Forensic Investigation, Insider Detection and Relationship Management: Eric Shaw, Clinical Psychologist & Visiting Scientist, SEI, CERT
  • Outsourcing Risk Management: Legal Considerations: Jody Westby, CEO, Global Cyber Risk
  • Privacy and Security, it isn't Either/Or, it's Both/And: Jon Callas, PGP Corporation
  • Software Assurance in the Software Supply Chain: Bill Scherlis, Professor, School of Computer Science, Director, ISRI and director of CMU's PhD Program in Software Engineering

SLIDE 49

Conclusions

  • 1. Band-Aids (or patches) don’t cure – Systemic treatments do
  • 2. You need to stay ahead of the problem just to keep up with the field
  • 3. You are not in this alone, join the ISA team

SLIDE 50

Larry Clinton, President

Internet Security Alliance

lclinton@isalliance.org 703-907-7028 (O) 202-236-0001 (C)